From a2c4f46c2614a7115426cea08a0d030f4d081923 Mon Sep 17 00:00:00 2001
From: cktricky <cktricky@gmail.com>
Date: Mon, 6 Jul 2015 13:25:46 -0400
Subject: [PATCH] I have changed the second visit statement from the root path
 (/) to the account settings page. The reason is that the submit button is
 changed via JS but you need to be at the account settings page to see that
 change

---
 spec/vulnerabilities/xss_spec.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb
index 325da0b..9549f4d 100644
--- a/spec/vulnerabilities/xss_spec.rb
+++ b/spec/vulnerabilities/xss_spec.rb
@@ -20,10 +20,11 @@ feature 'xss' do
     click_on 'Submit'
     
     sleep(1)
-    visit '/'
-
-    pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' }
-
+    
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    
+    pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
+    
     # might be nice to demonstrate posting cookie contents or somesuch, but
     # this at least shows the vulnerability still exists.
   end