Rails_xss Plugin

I installed the rails_xss plugin, for the main purpose of seeing what will break with Rails 3.0 (where the behaviour of the plugin is the default). I think I've fixed everything, but let me know if you see stuff that is HTML-escaped, which shouldn't be. As a side benefit, we now use Erubis, rather than ERB, to render templates. They tell me it's faster ...
2010-05-26 00:27:49 -05:00 · 2010-05-26 00:27:49 -05:00 · a5e08f7bcc
commit a5e08f7bcc
parent d6be09e0f0
343 changed files with 43874 additions and 37 deletions
--- a/vendor/plugins/rails_xss/test/rails_xss_test.rb
+++ b/vendor/plugins/rails_xss/test/rails_xss_test.rb
@ -0,0 +1,134 @@
+require 'test_helper'
+
+class RailsXssTest < ActiveSupport::TestCase
+  test "ERB::Util.h should mark its return value as safe and escape it" do
+    escaped = ERB::Util.h("<p>")
+    assert_equal "&lt;p&gt;", escaped
+    assert escaped.html_safe?
+  end
+
+  test "ERB::Util.h should leave previously safe strings alone " do
+    # TODO this seems easier to compose and reason about, but
+    # this should be verified
+    escaped = ERB::Util.h("<p>".html_safe)
+    assert_equal "<p>", escaped
+    assert escaped.html_safe?
+  end
+
+  test "ERB::Util.h should not implode when passed a non-string" do
+    assert_nothing_raised do
+      assert_equal "1", ERB::Util.h(1)
+    end
+  end
+end
+
+class DeprecatedOutputSafetyTest < ActiveSupport::TestCase
+  def setup
+    @string = "hello"
+  end
+
+  test "A string can be marked safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      assert @string.html_safe?
+    end
+  end
+
+  test "Marking a string safe returns the string using html_safe!" do
+    assert_deprecated do
+      assert_equal @string, @string.html_safe!
+    end
+  end
+
+  test "Adding a safe string to another safe string returns a safe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+      @combination = @other_string + @string
+
+      assert_equal "otherhello", @combination
+      assert @combination.html_safe?
+    end
+  end
+
+  test "Adding an unsafe string to a safe string returns an unsafe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @combination = @other_string + "<foo>"
+      @other_combination = @string + "<foo>"
+
+      assert_equal "other<foo>", @combination
+      assert_equal "hello<foo>", @other_combination
+
+      assert !@combination.html_safe?
+      assert !@other_combination.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string.concat("<foo>")
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string << @string
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string << "<foo>"
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe with << yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string << @string
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting a fixnum to safe always yields safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      @string.concat(13)
+      assert_equal "hello".concat(13), @string
+      assert @string.html_safe?
+    end
+  end
+end
--- a/vendor/plugins/rails_xss/test/test_helper.rb
+++ b/vendor/plugins/rails_xss/test/test_helper.rb
@ -0,0 +1,5 @@
+abort 'RAILS_ROOT=/path/to/rails/2.3/app rake test' unless ENV['RAILS_ROOT']
+require File.expand_path('config/environment', ENV['RAILS_ROOT'])
+require File.expand_path('../../init', __FILE__)
+require 'active_support/test_case'
+require 'test/unit'