# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
xml = "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" \
- '<tag k="#{@user.inspect}" v="0"/>' \
+ "<tag k='\#{@user.inspect}' v='0'/>" \
"</node></osm>"
put node_create_path, :params => xml, :headers => auth_header
assert_require_public_data "Shouldn't be able to create with non-public user"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" \
- '<tag k="#{@user.inspect}" v="0"/>' \
+ "<tag k='\#{@user.inspect}' v='0'/>" \
"</node></osm>"
put node_create_path, :params => xml, :headers => auth_header
assert_response :success
assert_includes apinode.tags, "\#{@user.inspect}"
end
+ private
+
##
# update the changeset_id of a node element
def update_changeset(xml, changeset_id)