Jacques Distler a5e08f7bcc Rails_xss Plugin
I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
2010-05-26 00:27:49 -05:00


## $Release: 2.6.5 $
## copyright(c) 2006-2009 all rights reserved.
require "#{File.dirname(__FILE__)}/test.rb"
require 'erubis'
require 'erubis/engine/eruby'
require 'erubis/engine/ephp'
require 'erubis/engine/ec'
require 'erubis/engine/ejava'
require 'erubis/engine/escheme'
require 'erubis/engine/eperl'
require 'erubis/engine/ejavascript'
class EnginesTest < Test::Unit::TestCase
testdata_list = load_yaml_datafile(__FILE__)
# Run one YAML case: build the engine named by @class, then compare the
# generated *source* (engine.src) against @expected literally -- the template
# is never rendered here.
#
# Reads per-case instance state: @class (constant name looked up under
# Erubis), @options (engine options; nil is treated as {}) and @expected
# (expected generated source). The template text is presumably passed as
# @input on the constructor line below -- confirm in the repo.
#
# Because the expected source is compared verbatim, these cases also pin each
# engine's escaping contract: `<%== %>` must emit the escaping call
# (Erubis::XmlHelper.escape_xml for Eruby, htmlspecialchars for Ephp, ...)
# while `<%= %>` emits the value unescaped. Any change to which tag escapes
# surfaces here as a failure rather than as a silently unescaped output.
def _test()
klass = Erubis.const_get(@class)
# NOTE(review): this line looks truncated in the rendered page (the
# constructor call between `engine =` and `, @options` is missing);
# presumably `klass.new(@input, @options || {})` -- verify against the repo.
engine =, @options || {})
actual = engine.src
assert_text_equal(@expected, actual)
- name: ruby1
lang: ruby
class: Eruby
input: |
<% i = 0
list.each_with_index do |item, i| %>
<td><%= i+1 %></td>
<td><%== list %></td>
<% end %>
<%=== i+1 %>
expected: |
_buf = ''; _buf << '<table>
'; i = 0
list.each_with_index do |item, i|
_buf << ' <tr>
<td>'; _buf << ( i+1 ).to_s; _buf << '</td>
<td>'; _buf << Erubis::XmlHelper.escape_xml( list ); _buf << '</td>
'; end
_buf << ' </tbody>
'; $stderr.puts("*** debug: i+1=#{(i+1).inspect}"); _buf << '
- name: php1
lang: php
class: Ephp
input: |
$i = 0;
foreach ($list as $item) {
<td><%= $i %></td>
<td><%== $item %></td>
<%=== $i %>
expected: |
$i = 0;
foreach ($list as $item) {
<td><?php echo $i; ?></td>
<td><?php echo htmlspecialchars($item); ?></td>
<?php error_log('*** debug: $i='.($i), 0); ?>
- name: c1
lang: c
class: Ec
options: { :filename: foo.html, :indent: ' ' }
input: |4
<% for (i = 0; i < list; i++) { %>
<td><%= "%d", i %></td>
<td><%== list[i] %></td>
<% } %>
<%=== "%d", i %>
expected: |
#line 1 "foo.html"
" <tbody>\n", stdout);
for (i = 0; i < list; i++) {
fputs(" <tr>\n"
" <td>", stdout); fprintf(stdout, "%d", i); fputs("</td>\n"
" <td>", stdout); escape(list[i], stdout); fputs("</td>\n"
" </tr>\n", stdout);
fputs(" </tbody>\n"
"</table>\n", stdout);
fprintf(stderr, "*** debug: i=" "%d", i); fputs("\n", stdout);
- name: java1
lang: java
class: Ejava
options: { :buf: _buf, :bufclass: StringBuilder, :indent: ' ' }
input: |
int i = 0;
for (Iterator it = list.iterator(); it.hasNext(); ) {
String s = (String);
<tr class="<%= i%2==0 ? "even" : "odd" %>">
<td><%= i %></td>
<td><%== s %></td>
<%=== i %>
expected: |4
StringBuilder _buf = new StringBuilder(); _buf.append("<table>\n"
+ " <tbody>\n");
int i = 0;
for (Iterator it = list.iterator(); it.hasNext(); ) {
String s = (String);
_buf.append(" <tr class=\""); _buf.append(i%2==0 ? "even" : "odd"); _buf.append("\">\n"
+ " <td>"); _buf.append(i); _buf.append("</td>\n"
+ " <td>"); _buf.append(escape(s)); _buf.append("</td>\n"
+ " </tr>\n");
_buf.append(" <tbody>\n"
+ "</table>\n");
System.err.println("*** debug: i="+(i)); _buf.append("\n");
return _buf.toString();
- name: scheme1
lang: scheme
class: Escheme
input: &scheme1_input|
<% (let ((i 0)) %>
(lambda (item)
(set! i (+ i 1))
<td><%= i %></td>
<td><%== item %></td>
); lambda end
list); for-each end
<%=== i %>
<% ); let end %>
expected: |4
(let ((_buf '())) (define (_add x) (set! _buf (cons x _buf))) (let ((i 0))
(_add "<table>
(lambda (item)
(set! i (+ i 1))
(_add " <tr>
<td>")(_add i)(_add "</td>
<td>")(_add (escape item))(_add "</td>
); lambda end
list); for-each end
(_add " </tbody>
(display "*** debug: i=")(display i)(display "\n")(_add "\n")
); let end
(reverse _buf))
- name: scheme2
lang: scheme
class: Escheme
options: { :func: 'display' }
input: *scheme1_input
expected: |4
(let ((i 0))
(display "<table>
(lambda (item)
(set! i (+ i 1))
(display " <tr>
<td>")(display i)(display "</td>
<td>")(display (escape item))(display "</td>
); lambda end
list); for-each end
(display " </tbody>
(display "*** debug: i=")(display i)(display "\n")(display "\n")
); let end
- name: perl1
lang: perl
class: Eperl
input: |
my $user = 'Erubis';
my @list = ('<aaa>', 'b&b', '"ccc"');
<p>Hello <%= $user %>!</p>
<% $i = 0; %>
<% for $item (@list) { %>
<tr bgcolor=<%= ++$i % 2 == 0 ? '#FFCCCC' : '#CCCCFF' %>">
<td><%= $i %></td>
<td><%== $item %></td>
<% } %>
<%=== $i %>
expected: |4
use HTML::Entities;
my $user = 'Erubis';
my @list = ('<aaa>', 'b&b', '"ccc"');
print('<p>Hello '); print($user); print('!</p>
'); $i = 0;
for $item (@list) {
print(' <tr bgcolor='); print(++$i % 2 == 0 ? '#FFCCCC' : '#CCCCFF'); print('">
<td>'); print($i); print('</td>
<td>'); print(encode_entities($item)); print('</td>
'); }
print(' </tbody>
'); print('*** debug: $i=', $i, "\n");print('
- name: javascript1
lang: javascript
class: Ejavascript
input: &javascript_input |
var user = 'Erubis';
var list = ['<aaa>', 'b&b', '"ccc"'];
<p>Hello <%= user %>!</p>
<% var i; %>
<% for (i = 0; i < list.length; i++) { %>
<tr bgcolor=<%= ++i % 2 == 0 ? '#FFCCCC' : '#CCCCFF' %>">
<td><%= i %></td>
<td><%= list[i] %></td>
<% } %>
<%=== i %>
expected: |4
var _buf = [];
var user = 'Erubis';
var list = ['<aaa>', 'b&b', '"ccc"'];
_buf.push("<p>Hello "); _buf.push(user); _buf.push("!</p>\n\
var i;
for (i = 0; i < list.length; i++) {
_buf.push(" <tr bgcolor="); _buf.push(++i % 2 == 0 ? '#FFCCCC' : '#CCCCFF'); _buf.push("\">\n\
<td>"); _buf.push(i); _buf.push("</td>\n\
<td>"); _buf.push(list[i]); _buf.push("</td>\n\
_buf.push(" </tbody>\n\
alert("*** debug: i="+(i)); _buf.push("\n");
- name: javascript2
lang: javascript
class: Ejavascript
options: { :docwrite: false }
input: *javascript_input
expected: |4
var _buf = [];
var user = 'Erubis';
var list = ['<aaa>', 'b&b', '"ccc"'];
_buf.push("<p>Hello "); _buf.push(user); _buf.push("!</p>\n\
var i;
for (i = 0; i < list.length; i++) {
_buf.push(" <tr bgcolor="); _buf.push(++i % 2 == 0 ? '#FFCCCC' : '#CCCCFF'); _buf.push("\">\n\
<td>"); _buf.push(i); _buf.push("</td>\n\
<td>"); _buf.push(list[i]); _buf.push("</td>\n\
_buf.push(" </tbody>\n\
alert("*** debug: i="+(i)); _buf.push("\n");