1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/test/template/erb_util_test.rb
Michael Koziarski 9415935902 Switch to on-by-default XSS escaping for rails.
This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.
2009-10-08 09:31:20 +13:00

36 lines
917 B
Ruby

require 'abstract_unit'
class ErbUtilTest < Test::Unit::TestCase
include ERB::Util
ERB::Util::HTML_ESCAPE.each do |given, expected|
define_method "test_html_escape_#{expected.gsub /\W/, ''}" do
assert_equal expected, html_escape(given)
end
unless given == '"'
define_method "test_json_escape_#{expected.gsub /\W/, ''}" do
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
end
def test_html_escape_is_html_safe
escaped = h("<p>")
assert_equal "&lt;p&gt;", escaped
assert escaped.html_safe?
end
def test_html_escape_passes_html_escpe_unmodified
escaped = h("<p>".html_safe!)
assert_equal "<p>", escaped
assert escaped.html_safe?
end
def test_rest_in_ascii
(0..127).to_a.map {|int| int.chr }.each do |chr|
next if %w(& " < >).include?(chr)
assert_equal chr, html_escape(chr)
end
end
end