# frozen_string_literal: true
require "abstract_unit"
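# Tests for ActionView::Helpers::OutputSafetyHelper (raw, safe_join, to_sentence).
#
# The property pinned here is the output-escaping contract that keeps untrusted
# text from becoming markup: a value that is not marked html_safe is
# entity-escaped when it is combined into a result, and that applies to
# separators and connector words as well as to the items themselves. Values
# already marked html_safe are passed through untouched, so html_safe (and raw)
# is a statement of trust by the caller, not a sanitizer.
class OutputSafetyHelperTest < ActionView::TestCase
  tests ActionView::Helpers::OutputSafetyHelper

  def setup
    @string = "hello"
  end

  # raw only flags the string as html_safe; the content is returned unchanged.
  test "raw returns the safe string" do
    result = raw(@string)
    assert_equal @string, result
    assert_predicate result, :html_safe?
  end

  test "raw handles nil values correctly" do
    assert_equal "", raw(nil)
  end

  test "safe_join should html_escape any items, including the separator, if they are not html_safe" do
    # Only the first item is trusted; the plain-String item and the plain-String
    # separator must both come back entity-escaped.
    joined = safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
    assert_equal "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;", joined

    # Everything is marked html_safe, so nothing is escaped.
    joined = safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
    assert_equal "<p>foo</p><br /><p>bar</p>", joined
  end

  test "safe_join should work recursively similarly to Array.join" do
    joined = safe_join(["a", ["b", "c"]], ":")
    assert_equal "a:b:c", joined

    # Escaping must reach items inside nested arrays, and quotes are escaped too.
    joined = safe_join(['"a"', ["<b>", "<c>"]], " <br/> ")
    assert_equal "&quot;a&quot; &lt;br/&gt; &lt;b&gt; &lt;br/&gt; &lt;c&gt;", joined
  end

  test "safe_join should return the safe string separated by $, when second argument is not passed" do
    # $, is process-global state: remember it and restore it in `ensure` so a
    # failing assertion cannot leak the changed separator into other tests.
    default_delimiter = $,

    begin
      $, = nil
      joined = safe_join(["a", "b"])
      assert_equal "ab", joined

      # Assigning a non-nil $, emits a deprecation warning on newer Rubies.
      silence_warnings do
        $, = "|"
      end
      joined = safe_join(["a", "b"])
      assert_equal "a|b", joined
    ensure
      $, = default_delimiter
    end
  end

  test "to_sentence should escape non-html_safe values" do
    # All five HTML-significant characters are escaped, and the result is
    # html_safe precisely because its parts were escaped first.
    actual = to_sentence(%w(< > & ' "))
    assert_predicate actual, :html_safe?
    assert_equal("&lt;, &gt;, &amp;, &#39;, and &quot;", actual)

    # The single-element path must escape as well.
    actual = to_sentence(%w(<script>))
    assert_predicate actual, :html_safe?
    assert_equal("&lt;script&gt;", actual)
  end

  test "to_sentence does not double escape if single value is html_safe" do
    # Already escaped (and therefore html_safe) input is returned as is.
    assert_equal("&lt;script&gt;", to_sentence([ERB::Util.html_escape("<script>")]))
    # html_safe is trusted verbatim: markup marked safe by the caller survives.
    assert_equal("<script>", to_sentence(["<script>".html_safe]))
    # A plain String is escaped exactly once.
    assert_equal("&lt;script&gt;", to_sentence(["<script>"]))
  end

  test "to_sentence connector words are checked for html safety" do
    assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
    assert_equal "one & two", to_sentence(["one", "two"], two_words_connector: " & ".html_safe)
    # A connector that is not html_safe is escaped like any other untrusted value.
    assert_equal "one, two &lt;script&gt;alert(1)&lt;/script&gt; three", to_sentence(["one", "two", "three"], last_word_connector: " <script>alert(1)</script> ")
  end

  test "to_sentence should not escape html_safe values" do
    # The plain-String markup is escaped by safe_join inside the <p>; the tags
    # produced by the tag helpers are html_safe and stay as markup.
    ptag = content_tag("p") do
      safe_join(["<marquee>shady stuff</marquee>", tag("br")])
    end
    url = "https://example.com"
    expected = %(<a href="#{url}">#{url}</a> and <p>&lt;marquee&gt;shady stuff&lt;/marquee&gt;<br /></p>)
    actual = to_sentence([link_to(url, url), ptag])
    assert_predicate actual, :html_safe?
    assert_equal(expected, actual)
  end

  test "to_sentence handles blank strings" do
    actual = to_sentence(["", "two", "three"])
    assert_predicate actual, :html_safe?
    assert_equal ", two, and three", actual
  end

  test "to_sentence handles nil values" do
    actual = to_sentence([nil, "two", "three"])
    assert_predicate actual, :html_safe?
    assert_equal ", two, and three", actual
  end

  test "to_sentence still supports ActiveSupports Array#to_sentence arguments" do
    assert_equal "one two, and three", to_sentence(["one", "two", "three"], words_connector: " ")
    assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
    assert_equal "onetwo, and three", to_sentence(["one", "two", "three"], words_connector: nil)
    assert_equal "one, two, and also three", to_sentence(["one", "two", "three"], last_word_connector: ", and also ")
    assert_equal "one, twothree", to_sentence(["one", "two", "three"], last_word_connector: nil)
    assert_equal "one, two three", to_sentence(["one", "two", "three"], last_word_connector: " ")
    assert_equal "one, two and three", to_sentence(["one", "two", "three"], last_word_connector: " and ")
  end

  test "to_sentence is not affected by $," do
    # Same global-state discipline as the safe_join test: save, mutate, restore.
    separator_was = $,
    silence_warnings do
      $, = "|"
    end
    begin
      assert_equal "one and two", to_sentence(["one", "two"])
      assert_equal "one, two, and three", to_sentence(["one", "two", "three"])
    ensure
      $, = separator_was
    end
  end
end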