Makes text_helper methods sanitize the input if the input is not safe or :safe => true option is not provided

1 files changed, 96 insertions, 6 deletions

diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index bb808b77a5..9d7106b2e5 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -45,19 +45,42 @@ class TextHelperTest < ActionView::TestCase
     assert simple_format("<b> test with html tags </b>").html_safe?
   end
 
-  def test_simple_format_should_escape_unsafe_input
-    assert_equal "<p>&lt;b&gt; test with unsafe string &lt;/b&gt;</p>", simple_format("<b> test with unsafe string </b>")
+  def test_simple_format_should_sanitize_unsafe_input
+    assert_equal "<p><b> test with unsafe string </b></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
   end
 
-  def test_simple_format_should_not_escape_safe_input
+  def test_simple_format_should_not_sanitize_input_if_safe_option
+    assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :safe => true)
+  end
+
+  def test_simple_format_should_not_sanitize_safe_input
     assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
   end
 
+  def test_truncate_should_be_html_safe
+    assert truncate("Hello World!", :length => 12).html_safe?
+  end
+  
   def test_truncate
     assert_equal "Hello World!", truncate("Hello World!", :length => 12)
     assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
   end
 
+  def test_truncate_should_sanitize_unsafe_input
+    assert_equal "Hello World!", truncate("Hello <script>code!</script>World!", :length => 12)
+    assert_equal "Hello Wor...", truncate("Hello <script>code!</script>World!!", :length => 12)
+  end
+
+  def test_truncate_should_not_sanitize_input_if_safe_option
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
+  end
+
+  def test_truncate_should_not_sanitize_safe_input
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
+  end
+
   def test_truncate_should_use_default_length_of_30
     str = "This is a string that will go longer then the default truncate length of 30"
     assert_equal str[0...27] + "...", truncate(str)
@@ -93,7 +116,11 @@ class TextHelperTest < ActionView::TestCase
     end
   end
 
-  def test_highlighter
+  def test_highlight_should_be_html_safe
+    assert highlight("This is a beautiful morning", "beautiful").html_safe?
+  end
+ 
+  def test_highlight
     assert_equal(
       "This is a <strong class=\"highlight\">beautiful</strong> morning",
       highlight("This is a beautiful morning", "beautiful")
@@ -117,6 +144,27 @@ class TextHelperTest < ActionView::TestCase
     assert_equal '   ', highlight('   ', 'blank text is returned verbatim')
   end
 
+  def test_highlight_should_sanitize_unsafe_input
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning",
+      highlight("This is a beautiful morning<script>code!</script>", "beautiful")
+    )
+  end
+
+  def test_highlight_should_not_sanitize_input_if_safe_option
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning<script>code!</script>",
+      highlight("This is a beautiful morning<script>code!</script>", "beautiful", :safe => true)
+    )
+  end
+
+  def test_highlight_should_not_sanitize_safe_input
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning<script>code!</script>",
+      highlight("This is a beautiful morning<script>code!</script>".html_safe, "beautiful")
+    )
+  end
+
   def test_highlight_with_regexp
     assert_equal(
       "This is a <strong class=\"highlight\">beautiful!</strong> morning",
@@ -163,7 +211,7 @@ class TextHelperTest < ActionView::TestCase
       highlight("<p class=\"beautiful\">This is a beautiful morning, but also a beautiful day</p>", "beautiful")
     )
     assert_equal(
-      "<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+      "<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&amp;when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
       highlight("<p>This is a beautiful <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a beautiful day</p>", "beautiful")
     )
   end
@@ -286,7 +334,17 @@ class TextHelperTest < ActionView::TestCase
     %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
   end
 
-  def test_auto_linking
+  def test_auto_link_should_be_html_safe
+    email_raw    = 'santiago@wyeworks.com'
+    link_raw     = 'http://www.rubyonrails.org'
+
+    assert auto_link(nil).html_safe?
+    assert auto_link('').html_safe?
+    assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
+    assert auto_link("hello #{email_raw}").html_safe?
+  end
+
+  def test_auto_link
     email_raw    = 'david@loudthinking.com'
     email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
     link_raw     = 'http://www.rubyonrails.com'
@@ -378,6 +436,21 @@ class TextHelperTest < ActionView::TestCase
     assert_equal %(<p>#{link10_result} Link</p>), auto_link("<p>#{link10_raw} Link</p>")
   end
 
+  def test_auto_link_should_sanitize_unsafe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&amp;num=2">http://www.rubyonrails.com?id=1&amp;num=2</a>}, auto_link(link_raw)
+  end
+
+  def test_auto_link_should_sanitize_unsafe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw, :safe => true)
+  end
+
+  def test_auto_link_should_not_sanitize_safe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw.html_safe)
+  end
+
   def test_auto_link_other_protocols
     ftp_raw = 'ftp://example.com/file.txt'
     assert_equal %(Download #{generate_result(ftp_raw)}), auto_link("Download #{ftp_raw}")
@@ -587,7 +660,12 @@ class TextHelperTest < ActionView::TestCase
     assert_equal(%w{Specialized Fuji Giant}, @cycles)
   end
 
+  # TODO test textilize_without_paragraph and markdown
   if defined? RedCloth
+    def test_textilize_should_be_html_safe
+      assert textilize("*This is Textile!*  Rejoice!").html_safe?
+    end
+
     def test_textilize
       assert_equal("<p><strong>This is Textile!</strong>  Rejoice!</p>", textilize("*This is Textile!*  Rejoice!"))
     end
@@ -600,6 +678,18 @@ class TextHelperTest < ActionView::TestCase
       assert_equal("<p>This is worded &lt;strong&gt;strongly&lt;/strong&gt;</p>", textilize("This is worded <strong>strongly</strong>", :filter_html))
     end
 
+    def test_textilize_should_sanitize_unsafe_input
+      assert_equal("<p>This is worded <strong>strongly</strong></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_textilize_should_not_sanitize_input_if_safe_option
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_textilize_should_not_sanitize_safe_input
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
     def test_textilize_with_hard_breaks
       assert_equal("<p>This is one scary world.<br />\n True.</p>", textilize("This is one scary world.\n True."))
     end