rails--rails/actionview/test/template/sanitize_helper_test.rb

# frozen_string_literal: true

require "abstract_unit"

# The exhaustive tests are in the rails-html-sanitizer gem.
# This tests that the helpers hook up correctly to the sanitizer classes.
class SanitizeHelperTest < ActionView::TestCase
  tests ActionView::Helpers::SanitizeHelper

  def test_strip_links
    assert_equal "Don't touch me", strip_links("Don't touch me")
    assert_equal "on my mind\nall day long", strip_links("<a href='almost'>on my mind</a>\n<A href='almost'>all day long</A>")
    assert_equal "Magic", strip_links("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
    assert_equal "My mind\nall <b>day</b> long", strip_links("<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>")
    assert_equal "&lt;malformed &amp; link", strip_links('<<a href="https://example.org">malformed & link</a>')
  end

  def test_sanitize_form
    assert_equal "", sanitize("<form action=\"/foo/bar\" method=\"post\"><input></form>")
  end

  def test_should_sanitize_illegal_style_properties
    raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
    expected = %r(\Adisplay:\s?block;\s?width:\s?100%;\s?height:\s?100%;\s?background-color:\s?black;\s?background-x:\s?center;\s?background-y:\s?center;\z)
    assert_match expected, sanitize_css(raw)
  end

  def test_strip_tags
    assert_equal("Don't touch me", strip_tags("Don't touch me"))
    assert_equal("This is a test.", strip_tags("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>"))
    assert_equal "This has a  here.", strip_tags("This has a <!-- comment --> here.")
    assert_equal("Jekyll &amp; Hyde", strip_tags("Jekyll & Hyde"))
    assert_equal "", strip_tags("<script>")
  end

  def test_strip_tags_will_not_encode_special_characters
    assert_equal "test\r\n\r\ntest", strip_tags("test\r\n\r\ntest")
  end

  def test_sanitize_is_marked_safe
    assert_predicate sanitize("<html><script></script></html>"), :html_safe?
  end

  def test_sanitized_allowed_tags_class_method
    expected = Set.new(["strong", "em", "b", "i", "p", "code", "pre", "tt", "samp", "kbd", "var",
      "sub", "sup", "dfn", "cite", "big", "small", "address", "hr", "br", "div", "span", "h1", "h2",
      "h3", "h4", "h5", "h6", "ul", "ol", "li", "dl", "dt", "dd", "abbr", "acronym", "a", "img",
      "blockquote", "del", "ins"])
    assert_equal(expected, self.class.sanitized_allowed_tags)
  end

  def test_sanitized_allowed_attributes_class_method
    expected = Set.new(["href", "src", "width", "height", "alt", "cite", "datetime", "title", "class", "name", "xml:lang", "abbr"])
    assert_equal(expected, self.class.sanitized_allowed_attributes)
  end
end
Use frozen string literal in actionview/ 2017-07-23 11:36:41 -04:00			`# frozen_string_literal: true`

applies new string literal convention in actionview/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:50:17 -04:00			`require "abstract_unit"`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00
Update comment in sanitizer helper test [skip ci] The previously referenced file no longer appears to exist in the project. 2017-03-29 21:28:07 -04:00			`# The exhaustive tests are in the rails-html-sanitizer gem.`
Fixed: spelling mistake in SanitizeHelperTest. 2013-08-16 10:31:24 -04:00			`# This tests that the helpers hook up correctly to the sanitizer classes.`
Introduce ActionView::TestCase for testing view helpers. 2008-04-19 14:06:57 -04:00			`class SanitizeHelperTest < ActionView::TestCase`
			`tests ActionView::Helpers::SanitizeHelper`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00
			`def test_strip_links`
chore: fix grammar and spelling 2021-04-15 02:57:01 -04:00			`assert_equal "Don't touch me", strip_links("Don't touch me")`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`assert_equal "on my mind\nall day long", strip_links("<a href='almost'>on my mind</a>\n<A href='almost'>all day long</A>")`
Include all helpers into ActionView::Helper 2008-08-25 22:24:48 -04:00			`assert_equal "Magic", strip_links("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`assert_equal "My mind\nall <b>day</b> long", strip_links("<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>")`
Remove `encode_special_chars` option from `strip_tags` 2017-02-27 13:51:26 -05:00			`assert_equal "<malformed & link", strip_links('<<a href="https://example.org">malformed & link</a>')`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`end`

			`def test_sanitize_form`
applies new string literal convention in actionview/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 12:50:17 -04:00			`assert_equal "", sanitize("<form action=\"/foo/bar\" method=\"post\"><input></form>")`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`end`

			`def test_should_sanitize_illegal_style_properties`
			`raw = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)`
Fix `test_should_sanitize_illegal_style_properties` failure https://travis-ci.org/rails/rails/jobs/279300966#L2600 The result of `Loofah::HTML5::Scrub.scrub_css` was changed since v2.1.0.rc1. https://github.com/flavorjones/loofah/commit/ca56295ff9e802018ea18d23ed49be235a95ccad 2017-09-24 18:15:52 -04:00			`expected = %r(\Adisplay:\s?block;\s?width:\s?100%;\s?height:\s?100%;\s?background-color:\s?black;\s?background-x:\s?center;\s?background-y:\s?center;\z)`
			`assert_match expected, sanitize_css(raw)`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`end`

Marked tests in sanitize_helper_test.rb as pending. 2013-07-10 11:54:26 -04:00			`def test_strip_tags`
chore: fix grammar and spelling 2021-04-15 02:57:01 -04:00			`assert_equal("Don't touch me", strip_tags("Don't touch me"))`
Marked tests in sanitize_helper_test.rb as pending. 2013-07-10 11:54:26 -04:00			`assert_equal("This is a test.", strip_tags("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>"))`
			`assert_equal "This has a here.", strip_tags("This has a <!-- comment --> here.")`
Remove `encode_special_chars` option from `strip_tags` 2017-02-27 13:51:26 -05:00			`assert_equal("Jekyll & Hyde", strip_tags("Jekyll & Hyde"))`
Marked tests in sanitize_helper_test.rb as pending. 2013-07-10 11:54:26 -04:00			`assert_equal "", strip_tags("<script>")`
			`end`

Let strip_tags leave HTML escaping to Rails. Prevents double escaping errors, such as "&" becoming "&amp;". 2015-03-07 12:48:06 -05:00			`def test_strip_tags_will_not_encode_special_characters`
			`assert_equal "test\r\n\r\ntest", strip_tags("test\r\n\r\ntest")`
			`end`

Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. 2009-10-07 16:31:20 -04:00			`def test_sanitize_is_marked_safe`
Use assert_predicate and assert_not_predicate 2018-01-25 18:14:09 -05:00			`assert_predicate sanitize("<html><script></script></html>"), :html_safe?`
Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2007-10-10 13:35:10 -04:00			`end`
Call class method since sanitizer's instance method is private and add tests revert back to earlier version that call class method of class returned by #sanitizer_vendor.safe_list_sanitizer 2020-06-10 01:30:06 -04:00
			`def test_sanitized_allowed_tags_class_method`
			`expected = Set.new(["strong", "em", "b", "i", "p", "code", "pre", "tt", "samp", "kbd", "var",`
			`"sub", "sup", "dfn", "cite", "big", "small", "address", "hr", "br", "div", "span", "h1", "h2",`
			`"h3", "h4", "h5", "h6", "ul", "ol", "li", "dl", "dt", "dd", "abbr", "acronym", "a", "img",`
			`"blockquote", "del", "ins"])`
			`assert_equal(expected, self.class.sanitized_allowed_tags)`
			`end`

			`def test_sanitized_allowed_attributes_class_method`
			`expected = Set.new(["href", "src", "width", "height", "alt", "cite", "datetime", "title", "class", "name", "xml:lang", "abbr"])`
			`assert_equal(expected, self.class.sanitized_allowed_attributes)`
			`end`
require abstract_unit directly since test is in load path git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de 2008-01-05 08:32:06 -05:00			`end`