Merge remote-tracking branch 'upstream/pull/3768'

[rails.git] / test / controllers / api / nodes_controller_test.rb

diff --git a/test/controllers/api/nodes_controller_test.rb b/test/controllers/api/nodes_controller_test.rb
index 645408dd433d04236e76a5048582916ef5ce34a0..95658842b8e498212acf6610e3aaf92ef8d52866 100644 (file)
--- a/test/controllers/api/nodes_controller_test.rb
+++ b/test/controllers/api/nodes_controller_test.rb
@@ -86,7 +86,7 @@ module Api
     end
 
     def test_create_invalid_xml
-      ## Only test public user here, as test_create should cover what's the forbiddens
+      ## Only test public user here, as test_create should cover what's the forbidden
       ## that would occur here
 
       user = create(:user)
@@ -527,7 +527,7 @@ module Api
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...
       xml = "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" \
-            '<tag k="#{@user.inspect}" v="0"/>' \
+            "<tag k='\#{@user.inspect}' v='0'/>" \
             "</node></osm>"
       put node_create_path, :params => xml, :headers => auth_header
       assert_require_public_data "Shouldn't be able to create with non-public user"
@@ -538,7 +538,7 @@ module Api
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...
       xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" \
-            '<tag k="#{@user.inspect}" v="0"/>' \
+            "<tag k='\#{@user.inspect}' v='0'/>" \
             "</node></osm>"
       put node_create_path, :params => xml, :headers => auth_header
       assert_response :success
@@ -559,6 +559,8 @@ module Api
       assert_includes apinode.tags, "\#{@user.inspect}"
     end
 
+    private
+
     ##
     # update the changeset_id of a node element
     def update_changeset(xml, changeset_id)