sinatra/rack-protection/spec/lib/rack/protection/escaped_params_spec.rb

describe Rack::Protection::EscapedParams do
  it_behaves_like "any rack application"

  context 'escaping' do
    it 'escapes html entities' do
      mock_app do |env|
        request = Rack::Request.new(env)
        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
      end
      get '/', :foo => "<bar>"
      expect(body).to eq('&lt;bar&gt;')
    end

    it 'leaves normal params untouched' do
      mock_app do |env|
        request = Rack::Request.new(env)
        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
      end
      get '/', :foo => "bar"
      expect(body).to eq('bar')
    end

    it 'copes with nested arrays' do
      mock_app do |env|
        request = Rack::Request.new(env)
        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
      end
      get '/', :foo => {:bar => "<bar>"}
      expect(body).to eq('&lt;bar&gt;')
    end

    it 'leaves cache-breaker params untouched' do
      mock_app do |env|
        [200, {'Content-Type' => 'text/plain'}, ['hi']]
      end

      get '/?95df8d9bf5237ad08df3115ee74dcb10'
      expect(body).to eq('hi')
    end

    it 'leaves TempFiles untouched' do
      mock_app do |env|
        request = Rack::Request.new(env)
        [200, {'Content-Type' => 'text/plain'}, [request.params['file'][:filename] + "\n" + \
                                                 request.params['file'][:tempfile].read + "\n" + \
                                                 request.params['other']]]
      end

      temp_file = File.open('_escaped_params_tmp_file', 'w')
      begin
        temp_file.write('hello world')
        temp_file.close

        post '/', :file => Rack::Test::UploadedFile.new(temp_file.path), :other => '<bar>'
        expect(body).to eq("_escaped_params_tmp_file\nhello world\n&lt;bar&gt;")
      ensure
        File.unlink(temp_file.path)
      end
    end
  end
end