instiki/vendor/plugins/rails_xss/test/output_safety_test.rb
Jacques Distler 9e909d5be3 Update Rails, rails_xss and Bundler
Update Bundler to 1.0.15.
Update Rails to 2.3.12.
Update rails_xss plugin.

The latter two were the
source of a considerable
amount of grief, as rails_xss
is now MUCH stricter about what
string methods can be used.

Also made it possible to use
rake 0.9.x with Instiki. But
you probably REALLY want to use

 ruby bundle exec rake ...

instead of just saying

 rake ....
2011-06-15 00:43:38 -05:00

115 lines
2.9 KiB
Ruby

require 'test_helper'
class OutputSafetyTest < ActiveSupport::TestCase
def setup
@string = "hello"
@object = Class.new(Object) do
def to_s
"other"
end
end.new
end
test "A string is unsafe by default" do
assert !@string.html_safe?
end
test "A string can be marked safe" do
string = @string.html_safe
assert string.html_safe?
end
test "Marking a string safe returns the string" do
assert_equal @string, @string.html_safe
end
test "A fixnum is safe by default" do
assert 5.html_safe?
end
test "An object is unsafe by default" do
assert !@object.html_safe?
end
test "Adding an object to a safe string returns a safe string" do
string = @string.html_safe
string << @object
assert_equal "helloother", string
assert string.html_safe?
end
test "Adding a safe string to another safe string returns a safe string" do
@other_string = "other".html_safe
string = @string.html_safe
@combination = @other_string + string
assert_equal "otherhello", @combination
assert @combination.html_safe?
end
test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
@other_string = "other".html_safe
@combination = @other_string + "<foo>"
@other_combination = @string + "<foo>"
assert_equal "other&lt;foo&gt;", @combination
assert_equal "hello<foo>", @other_combination
assert @combination.html_safe?
assert !@other_combination.html_safe?
end
test "Concatting safe onto unsafe yields unsafe" do
@other_string = "other"
string = @string.html_safe
@other_string.concat(string)
assert !@other_string.html_safe?
end
test "Concatting unsafe onto safe yields escaped safe" do
@other_string = "other".html_safe
string = @other_string.concat("<foo>")
assert_equal "other&lt;foo&gt;", string
assert string.html_safe?
end
test "Concatting safe onto safe yields safe" do
@other_string = "other".html_safe
string = @string.html_safe
@other_string.concat(string)
assert @other_string.html_safe?
end
test "Concatting safe onto unsafe with << yields unsafe" do
@other_string = "other"
string = @string.html_safe
@other_string << string
assert !@other_string.html_safe?
end
test "Concatting unsafe onto safe with << yields escaped safe" do
@other_string = "other".html_safe
string = @other_string << "<foo>"
assert_equal "other&lt;foo&gt;", string
assert string.html_safe?
end
test "Concatting safe onto safe with << yields safe" do
@other_string = "other".html_safe
string = @string.html_safe
@other_string << string
assert @other_string.html_safe?
end
test "Concatting a fixnum to safe always yields safe" do
string = @string.html_safe
string = string.concat(13)
assert_equal "hello".concat(13), string
assert string.html_safe?
end
end