rails--rails/actionview/test/template/erb_util_test.rb

require 'abstract_unit'
require 'active_support/json'

class ErbUtilTest < ActiveSupport::TestCase
  include ERB::Util

  ERB::Util::HTML_ESCAPE.each do |given, expected|
    define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
      assert_equal expected, html_escape(given)
    end
  end

  ERB::Util::JSON_ESCAPE.each do |given, expected|
    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
    end
  end

  HTML_ESCAPE_TEST_CASES = [
    ['<br>', '&lt;br&gt;'],
    ['a & b', 'a &amp; b'],
    ['"quoted" string', '&quot;quoted&quot; string'],
    ["'quoted' string", '&#39;quoted&#39; string'],
    [
      '<script type="application/javascript">alert("You are \'pwned\'!")</script>',
      '&lt;script type=&quot;application/javascript&quot;&gt;alert(&quot;You are &#39;pwned&#39;!&quot;)&lt;/script&gt;'
    ]
  ]

  JSON_ESCAPE_TEST_CASES = [
    ['1', '1'],
    ['null', 'null'],
    ['"&"', '"\u0026"'],
    ['"</script>"', '"\u003c/script\u003e"'],
    ['["</script>"]', '["\u003c/script\u003e"]'],
    ['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],
    [%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']
  ]

  def test_html_escape
    HTML_ESCAPE_TEST_CASES.each do |(raw, expected)|
      assert_equal expected, html_escape(raw)
    end
  end

  def test_json_escape
    JSON_ESCAPE_TEST_CASES.each do |(raw, expected)|
      assert_equal expected, json_escape(raw)
    end
  end

  def test_json_escape_does_not_alter_json_string_meaning
    JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
      assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw))
    end
  end

  def test_json_escape_is_idempotent
    JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
      assert_equal json_escape(raw), json_escape(json_escape(raw))
    end
  end

  def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
    value = json_escape("asdf")
    assert !value.html_safe?
  end

  def test_json_escape_returns_safe_strings_when_passed_safe_strings
    value = json_escape("asdf".html_safe)
    assert value.html_safe?
  end

  def test_html_escape_is_html_safe
    escaped = h("<p>")
    assert_equal "&lt;p&gt;", escaped
    assert escaped.html_safe?
  end

  def test_html_escape_passes_html_escape_unmodified
    escaped = h("<p>".html_safe)
    assert_equal "<p>", escaped
    assert escaped.html_safe?
  end

  def test_rest_in_ascii
    (0..127).to_a.map {|int| int.chr }.each do |chr|
      next if %('"&<>).include?(chr)
      assert_equal chr, html_escape(chr)
    end
  end

  def test_html_escape_once
    assert_equal '1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3', html_escape_once('1 <>&"\' 2 &amp; 3')
  end

  def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
    value = html_escape_once('1 < 2 &amp; 3')
    assert !value.html_safe?
  end

  def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
    value = html_escape_once('1 < 2 &amp; 3'.html_safe)
    assert value.html_safe?
  end
end
require abstract_unit directly since test is in load path git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-01-05 13:32:06 +00:00			`require 'abstract_unit'`
Added failing test for json_escape striping quotation marks Expanded test coverage for html_escape and json_escape 2013-11-27 09:49:25 +00:00			`require 'active_support/json'`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00
AP tests should inherit from AS::TestCase 2012-01-06 01:01:45 +00:00			`class ErbUtilTest < ActiveSupport::TestCase`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00			`include ERB::Util`

add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-04-08 04:52:01 +00:00			`ERB::Util::HTML_ESCAPE.each do \|given, expected\|`
fisting codes so it will parse [#4430 state:resolved] Signed-off-by: wycats <wycats@gmail.com> 2010-04-17 19:54:52 +00:00			`define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do`
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-04-08 04:52:01 +00:00			`assert_equal expected, html_escape(given)`
			`end`
html_escape should escape single quotes https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 2012-08-01 01:25:54 +00:00			`end`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00
html_escape should escape single quotes https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 2012-08-01 01:25:54 +00:00			`ERB::Util::JSON_ESCAPE.each do \|given, expected\|`
			`define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do`
			`assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)`
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-04-08 04:52:01 +00:00			`end`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00			`end`
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 05:13:00 +00:00
Added failing test for json_escape striping quotation marks Expanded test coverage for html_escape and json_escape 2013-11-27 09:49:25 +00:00			`HTML_ESCAPE_TEST_CASES = [`
			`['<br>', '<br>'],`
			`['a & b', 'a & b'],`
			`['"quoted" string', '"quoted" string'],`
			`["'quoted' string", ''quoted' string'],`
			`[`
			`'<script type="application/javascript">alert("You are \'pwned\'!")</script>',`
			`'<script type="application/javascript">alert("You are 'pwned'!")</script>'`
			`]`
			`]`

			`JSON_ESCAPE_TEST_CASES = [`
			`['1', '1'],`
			`['null', 'null'],`
			`['"&"', '"\u0026"'],`
Use lower case letters in unicodes sequences to match the new encoder's output 2013-11-27 10:46:51 +00:00			`['"</script>"', '"\u003c/script\u003e"'],`
			`['["</script>"]', '["\u003c/script\u003e"]'],`
Added \u2028 \u2029 to json_escape 2013-12-04 17:43:42 +00:00			`['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],`
			`[%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']`
Added failing test for json_escape striping quotation marks Expanded test coverage for html_escape and json_escape 2013-11-27 09:49:25 +00:00			`]`

			`def test_html_escape`
			`HTML_ESCAPE_TEST_CASES.each do \|(raw, expected)\|`
			`assert_equal expected, html_escape(raw)`
			`end`
			`end`

			`def test_json_escape`
			`JSON_ESCAPE_TEST_CASES.each do \|(raw, expected)\|`
			`assert_equal expected, json_escape(raw)`
			`end`
			`end`

			`def test_json_escape_does_not_alter_json_string_meaning`
			`JSON_ESCAPE_TEST_CASES.each do \|(raw, _)\|`
			`assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw))`
			`end`
			`end`

			`def test_json_escape_is_idempotent`
			`JSON_ESCAPE_TEST_CASES.each do \|(raw, _)\|`
			`assert_equal json_escape(raw), json_escape(json_escape(raw))`
			`end`
			`end`

ensuring that json_escape returns html safe strings when passed an html safe string 2011-06-09 22:29:17 +00:00			`def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings`
			`value = json_escape("asdf")`
			`assert !value.html_safe?`
			`end`

			`def test_json_escape_returns_safe_strings_when_passed_safe_strings`
			`value = json_escape("asdf".html_safe)`
			`assert value.html_safe?`
			`end`

Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 20:31:20 +00:00			`def test_html_escape_is_html_safe`
			`escaped = h("<p>")`
			`assert_equal "<p>", escaped`
			`assert escaped.html_safe?`
			`end`

Minor typo fixes 2013-11-26 16:34:19 +00:00			`def test_html_escape_passes_html_escape_unmodified`
For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe. 2010-02-01 03:17:42 +00:00			`escaped = h("<p>".html_safe)`
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 20:31:20 +00:00			`assert_equal "<p>", escaped`
			`assert escaped.html_safe?`
			`end`

Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00			`def test_rest_in_ascii`
ActionPack components should no longer have undeclared dependencies. * Tests can be run in isolation * Dependencies added * A few tests modified to avoid depending on AS deps not depended on my files they were testing 2009-06-08 20:33:18 +00:00			`(0..127).to_a.map {\|int\| int.chr }.each do \|chr\|`
removes usage of Object#in? from the code base (the method remains defined by Active Support) Selecting which key extensions to include in active_support/rails made apparent the systematic usage of Object#in? in the code base. After some discussion in https://github.com/rails/rails/commit/5ea6b0df9a36d033f21b52049426257a4637028d we decided to remove it and use plain Ruby, which seems enough for this particular idiom. In this commit the refactor has been made case by case. Sometimes include? is the natural alternative, others a simple \|\| is the way you actually spell the condition in your head, others a case statement seems more appropriate. I have chosen the one I liked the most in each case. 2012-08-05 22:27:56 +00:00			`next if %('"&<>).include?(chr)`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00			`assert_equal chr, html_escape(chr)`
			`end`
			`end`
Move escape_once logic to ERB::Util, where it belongs to All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logic to have the entire method there and just delegate the helper to use it. 2012-01-12 23:04:02 +00:00
			`def test_html_escape_once`
&#39 dates back to SGML when &#x27 was introduced in HTML 4.0 2012-09-03 09:42:24 +00:00			`assert_equal '1 <>&"' 2 & 3', html_escape_once('1 <>&"\' 2 & 3')`
Move escape_once logic to ERB::Util, where it belongs to All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logic to have the entire method there and just delegate the helper to use it. 2012-01-12 23:04:02 +00:00			`end`

			`def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings`
			`value = html_escape_once('1 < 2 & 3')`
			`assert !value.html_safe?`
			`end`

			`def test_html_escape_once_returns_safe_strings_when_passed_safe_strings`
			`value = html_escape_once('1 < 2 & 3'.html_safe)`
			`assert value.html_safe?`
			`end`
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-12-16 23:53:45 +00:00			`end`