kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity
rails--rails/actionpack/test/template/erb_util_test.rb

62 lines
1.6 KiB
Ruby
Raw Normal View History

require abstract_unit directly since test is in load path git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 08:32:06 -05:00
require 'abstract_unit'
Using Object#in? and Object#either? in various places There're a lot of places in Rails source code which make a lot of sense to switching to Object#in? or Object#either? instead of using [].include?.
2011-04-10 12:52:42 -04:00
require 'active_support/core_ext/object/inclusion'
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
AP tests should inherit from AS::TestCase
2012-01-05 20:01:45 -05:00
class ErbUtilTest < ActiveSupport::TestCase
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
include ERB::Util
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-04-08 00:52:01 -04:00
ERB::Util::HTML_ESCAPE.each do |given, expected|
fisting codes so it will parse [#4430 state:resolved] Signed-off-by: wycats <wycats@gmail.com>
2010-04-17 15:54:52 -04:00
define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-04-08 00:52:01 -04:00
assert_equal expected, html_escape(given)
end
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-04-08 00:52:01 -04:00
unless given == '"'
fisting codes so it will parse [#4430 state:resolved] Signed-off-by: wycats <wycats@gmail.com>
2010-04-17 15:54:52 -04:00
define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-04-08 00:52:01 -04:00
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
end
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;)
2010-08-14 01:13:00 -04:00
ensuring that json_escape returns html safe strings when passed an html safe string
2011-06-09 18:29:17 -04:00
def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
value = json_escape("asdf")
assert !value.html_safe?
end
def test_json_escape_returns_safe_strings_when_passed_safe_strings
value = json_escape("asdf".html_safe)
assert value.html_safe?
end
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration.
2009-10-07 16:31:20 -04:00
def test_html_escape_is_html_safe
escaped = h("<p>")
assert_equal "&lt;p&gt;", escaped
assert escaped.html_safe?
end
def test_html_escape_passes_html_escpe_unmodified
For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.
2010-01-31 22:17:42 -05:00
escaped = h("<p>".html_safe)
Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration.
2009-10-07 16:31:20 -04:00
assert_equal "<p>", escaped
assert escaped.html_safe?
end
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
def test_rest_in_ascii
ActionPack components should no longer have undeclared dependencies. * Tests can be run in isolation * Dependencies added * A few tests modified to avoid depending on AS deps not depended on my files they were testing
2009-06-08 16:33:18 -04:00
(0..127).to_a.map {|int| int.chr }.each do |chr|
Using Object#in? and Object#either? in various places There're a lot of places in Rails source code which make a lot of sense to switching to Object#in? or Object#either? instead of using [].include?.
2011-04-10 12:52:42 -04:00
next if chr.in?('&"<>')
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
assert_equal chr, html_escape(chr)
end
end
Move escape_once logic to ERB::Util, where it belongs to All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logic to have the entire method there and just delegate the helper to use it.
2012-01-12 18:04:02 -05:00
def test_html_escape_once
assert_equal '1 &lt; 2 &amp; 3', html_escape_once('1 < 2 &amp; 3')
end
def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
value = html_escape_once('1 < 2 &amp; 3')
assert !value.html_safe?
end
def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
value = html_escape_once('1 < 2 &amp; 3'.html_safe)
assert value.html_safe?
end
Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 18:53:45 -05:00
end
Copy permalink