Test for safe_erb in ActionView::Template, not in ERB
We've been installing safe_erb in all ERB templates, which breaks script/generate and lots of other important stuff. But before we can fix this bug in our custom-hacked safe_erb, we need to narrow our Mephisto unit tests down so that they only test ActionView::Template. A safe_erb update will be along shortly.
Showing 2 changed files with 9 additions and 8 deletions.
@@ -1,20 +1,20 @@ | ||
require File.dirname(__FILE__) + '/../spec_helper' | ||
|
||
# Verify that our safe_erb patches are working. | ||
describe "An ERB template" do | ||
describe ActionView::Template do | ||
before :each do | ||
@template = ERB.new('<%= var %>') | ||
path = File.join(File.dirname(__FILE__), 'safe_erb_template.html.erb') | ||
@template = ActionView::Template.new(path) | ||
@view = ActionView::Base.new | ||
end | ||
|
||
it "should not raise an error when untained values are interpolated" do | ||
var = "foo" | ||
assert_equal var, @template.result(binding) | ||
assert_equal "foo\n", @template.render_template(@view, :var => 'foo') | ||
end | ||
|
||
it "should raise an error when tained values are interpolated" do | ||
assert_raise RuntimeError do | ||
var = "foo".taint | ||
@template.result(binding) | ||
it "should fail when tainted values are interpolated into HTML" do | ||
assert_raise ActionView::TemplateError do | ||
@template.render_template(@view, :var => 'foo'.taint) | ||
end | ||
end | ||
end |
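Review bot: the new `assert_raise ActionView::TemplateError` in the tainted-value spec is a looser check than the `RuntimeError` it replaces: `ActionView::TemplateError` wraps any failure while rendering (a missing fixture path, a syntax error in `safe_erb_template.html.erb`, a `NameError` for `var`), so the spec would still pass if safe_erb were not installed at all but the fixture were broken. Consider capturing the raised error and asserting on its wrapped original exception or message, e.g. `err = assert_raise(ActionView::TemplateError) { ... }` followed by a check on `err.original_exception`, so that only the taint failure satisfies the test. Two smaller points in the same hunk: the untouched spec name still reads "untained" (should be "untainted"), and the expected value `"foo\n"` ties the spec to the trailing newline of the fixture file rather than to the interpolation being tested; comparing with `.chomp` would make the intent clearer.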
@@ -0,0 +1 @@ | ||
<%= var %> |
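Review bot: this one-line fixture carries no comment explaining that it is only exercised by the safe_erb spec, and the spec's expected `"foo\n"` depends on the file ending in a newline; an editor that strips or adds trailing whitespace on save will break the spec without any change to the template logic. A short ERB comment (`<%# fixture for safe_erb spec %>`) on a preceding line, or having the spec compare the chomped result, would make that dependency explicit.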