instiki/vendor/plugins/rails_xss/test/rails_xss_test.rb

require 'test_helper'

class RailsXssTest < ActiveSupport::TestCase
  test "ERB::Util.h should mark its return value as safe and escape it" do
    escaped = ERB::Util.h("<p>")
    assert_equal "&lt;p&gt;", escaped
    assert escaped.html_safe?
  end

  test "ERB::Util.h should leave previously safe strings alone " do
    # TODO this seems easier to compose and reason about, but
    # this should be verified
    escaped = ERB::Util.h("<p>".html_safe)
    assert_equal "<p>", escaped
    assert escaped.html_safe?
  end

  test "ERB::Util.h should not implode when passed a non-string" do
    assert_nothing_raised do
      assert_equal "1", ERB::Util.h(1)
    end
  end
end
Rails_xss Plugin I installed the rails_xss plugin, for the main purpose of seeing what will break with Rails 3.0 (where the behaviour of the plugin is the default). I think I've fixed everything, but let me know if you see stuff that is HTML-escaped, which shouldn't be. As a side benefit, we now use Erubis, rather than ERB, to render templates. They tell me it's faster ... 2010-05-26 07:27:49 +02:00			`require 'test_helper'`

			`class RailsXssTest < ActiveSupport::TestCase`
			`test "ERB::Util.h should mark its return value as safe and escape it" do`
			`escaped = ERB::Util.h("<p>")`
			`assert_equal "<p>", escaped`
			`assert escaped.html_safe?`
			`end`

			`test "ERB::Util.h should leave previously safe strings alone " do`
			`# TODO this seems easier to compose and reason about, but`
			`# this should be verified`
			`escaped = ERB::Util.h("<p>".html_safe)`
			`assert_equal "<p>", escaped`
			`assert escaped.html_safe?`
			`end`

			`test "ERB::Util.h should not implode when passed a non-string" do`
			`assert_nothing_raised do`
			`assert_equal "1", ERB::Util.h(1)`
			`end`
			`end`
			`end`