1 require 'abstract_unit'
2 require 'active_support/core_ext/string/inflections'
3 require 'yaml'
class SafeBufferTest < ActiveSupport::TestCase
  # Exercises ActiveSupport::SafeBuffer, the String subclass that backs
  # String#html_safe. The contract these tests pin down:
  #   * a raw String appended to a buffer is HTML-escaped on the way in,
  #   * a value already flagged html_safe? is appended verbatim,
  #   * mutating methods such as gsub/gsub! mark the buffer "dirty", which
  #     clears html_safe? so the result is escaped again if it is ever added
  #     to a safe buffer, and safe_concat refuses to operate on it.
  # Getting any of these wrong would let unescaped markup reach a template,
  # which is why the dirty-state tests below are deliberately explicit.

  def setup
    @buffer = ActiveSupport::SafeBuffer.new
  end

  # Same generated method name (test_titleize) as a plain `def`, written with
  # the `test` macro so it matches the rest of the file.
  test "titleize" do
    titleized = "foo".html_safe.titleize
    assert_equal 'Foo', titleized
  end

  test "Should look like a string" do
    assert_kind_of String, @buffer
    assert_equal "", @buffer
  end

  test "Should escape a raw string which is passed to them" do
    raw_markup = "<script>"
    @buffer << raw_markup
    assert_equal "&lt;script&gt;", @buffer
  end

  test "Should NOT escape a safe value passed to it" do
    trusted_markup = "<script>".html_safe
    @buffer << trusted_markup
    assert_equal "<script>", @buffer
  end

  test "Should not mess with an innocuous string" do
    plain_text = "Hello"
    @buffer << plain_text
    assert_equal plain_text, @buffer
  end

  test "Should not mess with a previously escape test" do
    # ERB::Util.html_escape returns an already-escaped, html_safe value, so
    # appending it must not escape the entities a second time.
    already_escaped = ERB::Util.html_escape("<script>")
    @buffer << already_escaped
    assert_equal "&lt;script&gt;", @buffer
  end

  test "Should be considered safe" do
    assert @buffer.html_safe?
  end

  test "Should return a safe buffer when calling to_s" do
    stringified = @buffer.to_s
    assert_equal ActiveSupport::SafeBuffer, stringified.class
  end

  test "Should be converted to_yaml" do
    content = 'hello!'
    buf = ActiveSupport::SafeBuffer.new content
    serialized = buf.to_yaml

    # The buffer should serialize as a plain scalar, not as a custom object.
    assert_match(/^--- #{content}/, serialized)
    assert_equal 'hello!', YAML.load(serialized)
  end

  test "Should work in nested to_yaml conversion" do
    content = 'hello!'
    payload = { 'str' => ActiveSupport::SafeBuffer.new(content) }
    serialized = YAML.dump payload
    assert_equal({'str' => content}, YAML.load(serialized))
  end

  test "Should work with underscore" do
    underscored = "MyTest".html_safe.underscore
    assert_equal "my_test", underscored
  end

  # gsub can splice arbitrary replacement text into the buffer, so its result
  # must no longer be treated as safe.
  test "Should not return safe buffer from gsub" do
    rewritten = @buffer.gsub('', 'asdf')
    assert_equal 'asdf', rewritten
    assert !rewritten.html_safe?
  end

  test "Should not return safe buffer from gsub!" do
    @buffer.gsub!('', 'asdf')
    assert_equal 'asdf', @buffer
    assert !@buffer.html_safe?
  end

  test "Should escape dirty buffers on add" do
    trusted = "hello".html_safe
    @buffer.gsub!('', '<>')
    # The dirty buffer is the right-hand operand here, so it is escaped.
    assert_equal "hello&lt;&gt;", trusted + @buffer
  end

  test "Should concat as a normal string when safe" do
    trusted = "hello".html_safe
    @buffer.gsub!('', '<>')
    # A dirty buffer on the left behaves like a plain String: the safe operand
    # is appended as-is and nothing is escaped.
    assert_equal "<>hello", @buffer + trusted
  end

  test "Should preserve html_safe? status on copy" do
    @buffer.gsub!('', '<>')
    copied = @buffer.dup
    assert !copied.html_safe?
  end

  test "Should return safe buffer when added with another safe buffer" do
    trusted = "<script>".html_safe
    combined = @buffer + trusted
    assert combined.html_safe?
    assert_equal "<script>", combined
  end

  test "Should raise an error when safe_concat is called on unsafe buffers" do
    @buffer.gsub!('', '<>')
    # safe_concat bypasses escaping, so it must be refused once the buffer
    # has been dirtied.
    assert_raise ActiveSupport::SafeBuffer::SafeConcatError do
      @buffer.safe_concat "BUSTED"
    end
  end

  test "Should not fail if the returned object is not a string" do
    # slice on a non-matching substring returns nil; wrapping that result must
    # not blow up.
    assert_kind_of NilClass, @buffer.slice("chipchop")
  end

  test "clone_empty returns an empty buffer" do
    emptied = ActiveSupport::SafeBuffer.new('foo').clone_empty
    assert_equal '', emptied
  end

  test "clone_empty keeps the original dirtyness" do
    assert @buffer.clone_empty.html_safe?
    dirtied = @buffer.gsub!('', '')
    assert !dirtied.clone_empty.html_safe?
  end

  test "Should be safe when sliced if original value was safe" do
    sliced = @buffer[0,0]
    assert_not_nil sliced
    assert sliced.html_safe?, "should be safe"
  end

  test "Should continue unsafe on slice" do
    # gsub! with a replacement containing markup dirties the buffer ...
    mutated = 'foo'.html_safe.gsub!('f', '<script>alert("lolpwnd");</script>')
    assert !mutated.html_safe?, "should not be safe"

    # ... and a slice of a dirty buffer must stay unsafe, otherwise slicing
    # would be a way to launder unescaped content back into a safe value.
    sliced = mutated[0..-1]
    assert !sliced.html_safe?, "should not be safe"
  end
end