Switch to on-by-default XSS escaping for rails.

  This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.

1 files changed, 41 insertions, 0 deletions

diff --git a/actionpack/test/view/safe_buffer_test.rb b/actionpack/test/view/safe_buffer_test.rb
new file mode 100644
index 0000000000..2236709627
--- /dev/null
+++ b/actionpack/test/view/safe_buffer_test.rb
@@ -0,0 +1,41 @@
+require 'abstract_unit'
+
+class SafeBufferTest < ActionView::TestCase
+  def setup
+    @buffer = ActionView::SafeBuffer.new
+  end
+
+  test "Should look like a string" do
+    assert @buffer.is_a?(String)
+    assert_equal "", @buffer
+  end
+
+  test "Should escape a raw string which is passed to them" do
+    @buffer << "<script>"
+    assert_equal "&lt;script&gt;", @buffer
+  end
+
+  test "Should NOT escape a safe value passed to it" do
+    @buffer << "<script>".html_safe!
+    assert_equal "<script>", @buffer
+  end
+
+  test "Should not mess with an innocuous string" do
+    @buffer << "Hello"
+    assert_equal "Hello", @buffer
+  end
+
+  test "Should not mess with a previously escape test" do
+    @buffer << CGI.escapeHTML("<script>")
+    assert_equal "&lt;script&gt;", @buffer
+  end
+
+  test "Should be considered safe" do
+    assert @buffer.html_safe?
+  end
+
+  test "Should return a safe buffer when calling to_s" do
+    new_buffer = @buffer.to_s
+    assert_equal ActionView::SafeBuffer, new_buffer.class
+  end
+end