2016-08-06 12:50:17 -04:00
|
|
|
require "abstract_unit"
|
|
|
|
|
require "active_support/json"
|
2007-12-16 18:53:45 -05:00
|
|
|
|
2012-01-05 20:01:45 -05:00
|
|
|
class ErbUtilTest < ActiveSupport::TestCase
|
2007-12-16 18:53:45 -05:00
|
|
|
include ERB::Util
|
|
|
|
|
|
2008-04-08 00:52:01 -04:00
|
|
|
ERB::Util::HTML_ESCAPE.each do |given, expected|
|
2010-04-17 15:54:52 -04:00
|
|
|
define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
|
2008-04-08 00:52:01 -04:00
|
|
|
assert_equal expected, html_escape(given)
|
|
|
|
|
end
|
2012-07-31 21:25:54 -04:00
|
|
|
end
|
2007-12-16 18:53:45 -05:00
|
|
|
|
2012-07-31 21:25:54 -04:00
|
|
|
ERB::Util::JSON_ESCAPE.each do |given, expected|
|
|
|
|
|
define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
|
|
|
|
|
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
|
2008-04-08 00:52:01 -04:00
|
|
|
end
|
2007-12-16 18:53:45 -05:00
|
|
|
end
|
2010-08-14 01:13:00 -04:00
|
|
|
|
2013-11-27 04:49:25 -05:00
|
|
|
HTML_ESCAPE_TEST_CASES = [
|
2016-08-06 12:50:17 -04:00
|
|
|
["<br>", "<br>"],
|
|
|
|
|
["a & b", "a & b"],
|
|
|
|
|
['"quoted" string', ""quoted" string"],
|
|
|
|
|
["'quoted' string", "'quoted' string"],
|
2013-11-27 04:49:25 -05:00
|
|
|
[
|
|
|
|
|
'<script type="application/javascript">alert("You are \'pwned\'!")</script>',
|
2016-08-06 12:50:17 -04:00
|
|
|
"<script type="application/javascript">alert("You are 'pwned'!")</script>"
|
2013-11-27 04:49:25 -05:00
|
|
|
]
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
JSON_ESCAPE_TEST_CASES = [
|
2016-08-06 12:50:17 -04:00
|
|
|
["1", "1"],
|
|
|
|
|
["null", "null"],
|
2013-11-27 04:49:25 -05:00
|
|
|
['"&"', '"\u0026"'],
|
2013-11-27 05:46:51 -05:00
|
|
|
['"</script>"', '"\u003c/script\u003e"'],
|
|
|
|
|
['["</script>"]', '["\u003c/script\u003e"]'],
|
2013-12-04 12:43:42 -05:00
|
|
|
['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],
|
|
|
|
|
[%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']
|
2013-11-27 04:49:25 -05:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def test_html_escape
|
|
|
|
|
HTML_ESCAPE_TEST_CASES.each do |(raw, expected)|
|
|
|
|
|
assert_equal expected, html_escape(raw)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_json_escape
|
|
|
|
|
JSON_ESCAPE_TEST_CASES.each do |(raw, expected)|
|
|
|
|
|
assert_equal expected, json_escape(raw)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_json_escape_does_not_alter_json_string_meaning
|
|
|
|
|
JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
|
2017-01-18 02:09:58 -05:00
|
|
|
expected = ActiveSupport::JSON.decode(raw)
|
|
|
|
|
if expected.nil?
|
|
|
|
|
assert_nil ActiveSupport::JSON.decode(json_escape(raw))
|
|
|
|
|
else
|
|
|
|
|
assert_equal expected, ActiveSupport::JSON.decode(json_escape(raw))
|
|
|
|
|
end
|
2013-11-27 04:49:25 -05:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_json_escape_is_idempotent
|
|
|
|
|
JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
|
|
|
|
|
assert_equal json_escape(raw), json_escape(json_escape(raw))
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2011-06-09 18:29:17 -04:00
|
|
|
def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
|
|
|
|
|
value = json_escape("asdf")
|
|
|
|
|
assert !value.html_safe?
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_json_escape_returns_safe_strings_when_passed_safe_strings
|
|
|
|
|
value = json_escape("asdf".html_safe)
|
|
|
|
|
assert value.html_safe?
|
|
|
|
|
end
|
|
|
|
|
|
2009-10-07 16:31:20 -04:00
|
|
|
def test_html_escape_is_html_safe
|
|
|
|
|
escaped = h("<p>")
|
|
|
|
|
assert_equal "<p>", escaped
|
|
|
|
|
assert escaped.html_safe?
|
|
|
|
|
end
|
|
|
|
|
|
2013-11-26 11:34:19 -05:00
|
|
|
def test_html_escape_passes_html_escape_unmodified
|
For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
safe_concat("</form>"), which will skip both the flag set, and the flag
check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe,
and the tests pass. A further optimization would be to try to use
#safe_concat as much as possible, reducing the performance impact if
we know up front that a String is safe.
2010-01-31 22:17:42 -05:00
|
|
|
escaped = h("<p>".html_safe)
|
2009-10-07 16:31:20 -04:00
|
|
|
assert_equal "<p>", escaped
|
|
|
|
|
assert escaped.html_safe?
|
|
|
|
|
end
|
|
|
|
|
|
2007-12-16 18:53:45 -05:00
|
|
|
def test_rest_in_ascii
|
2014-10-27 12:28:53 -04:00
|
|
|
(0..127).to_a.map(&:chr).each do |chr|
|
2012-08-05 18:27:56 -04:00
|
|
|
next if %('"&<>).include?(chr)
|
2007-12-16 18:53:45 -05:00
|
|
|
assert_equal chr, html_escape(chr)
|
|
|
|
|
end
|
|
|
|
|
end
|
2012-01-12 18:04:02 -05:00
|
|
|
|
|
|
|
|
def test_html_escape_once
|
2016-08-06 12:50:17 -04:00
|
|
|
assert_equal "1 <>&"' 2 & 3", html_escape_once('1 <>&"\' 2 & 3')
|
2013-01-28 17:26:12 -05:00
|
|
|
assert_equal " ' ' λ λ " ' < > ", html_escape_once(" ' ' λ λ \" ' < > ")
|
2012-01-12 18:04:02 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
|
2016-08-06 12:50:17 -04:00
|
|
|
value = html_escape_once("1 < 2 & 3")
|
2012-01-12 18:04:02 -05:00
|
|
|
assert !value.html_safe?
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
|
2016-08-06 12:50:17 -04:00
|
|
|
value = html_escape_once("1 < 2 & 3".html_safe)
|
2012-01-12 18:04:02 -05:00
|
|
|
assert value.html_safe?
|
|
|
|
|
end
|
2007-12-16 18:53:45 -05:00
|
|
|
end
|
