rails--rails/actionpack/test/controller/output_escaping_test.rb

require 'abstract_unit'

class OutputEscapingTest < ActiveSupport::TestCase

  test "escape_html shouldn't die when passed nil" do
    assert_blank ERB::Util.h(nil)
  end

  test "escapeHTML should escape strings" do
    assert_equal "&lt;&gt;&quot;", ERB::Util.h("<>\"")
  end

  test "escapeHTML shouldn't touch explicitly safe strings" do
    # TODO this seems easier to compose and reason about, but
    # this should be verified
    assert_equal "<", ERB::Util.h("<".html_safe)
  end

end
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 16:31:20 -04:00			`require 'abstract_unit'`

			`class OutputEscapingTest < ActiveSupport::TestCase`

			`test "escape_html shouldn't die when passed nil" do`
code gardening: we have assert_(nil\|blank\|present), more concise, with better default failure messages - let's use them 2010-08-16 21:29:57 -04:00			`assert_blank ERB::Util.h(nil)`
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 16:31:20 -04:00			`end`

			`test "escapeHTML should escape strings" do`
			`assert_equal "<>"", ERB::Util.h("<>\"")`
			`end`

			`test "escapeHTML shouldn't touch explicitly safe strings" do`
			`# TODO this seems easier to compose and reason about, but`
			`# this should be verified`
For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe. 2010-01-31 22:17:42 -05:00			`assert_equal "<", ERB::Util.h("<".html_safe)`
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 16:31:20 -04:00			`end`

			`end`