aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/view
diff options
context:
space:
mode:
authorMichael Koziarski <michael@koziarski.com>2009-10-08 09:31:20 +1300
committerMichael Koziarski <michael@koziarski.com>2009-10-08 09:31:20 +1300
commit9415935902f120a9bac0bfce7129725a0db38ed3 (patch)
tree654d184caccfd7e1de4d60236fb7813bf1177d84 /actionpack/test/view
parentf27e7ebc0e2a55a268631c78d49a5b70b06ad59a (diff)
downloadrails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.gz
rails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.bz2
rails-9415935902f120a9bac0bfce7129725a0db38ed3.zip
Switch to on-by-default XSS escaping for rails.
This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration.
Diffstat (limited to 'actionpack/test/view')
-rw-r--r--actionpack/test/view/safe_buffer_test.rb41
1 files changed, 41 insertions, 0 deletions
diff --git a/actionpack/test/view/safe_buffer_test.rb b/actionpack/test/view/safe_buffer_test.rb
new file mode 100644
index 0000000000..2236709627
--- /dev/null
+++ b/actionpack/test/view/safe_buffer_test.rb
@@ -0,0 +1,41 @@
+require 'abstract_unit'
+
+class SafeBufferTest < ActionView::TestCase
+ def setup
+ @buffer = ActionView::SafeBuffer.new
+ end
+
+ test "Should look like a string" do
+ assert @buffer.is_a?(String)
+ assert_equal "", @buffer
+ end
+
+ test "Should escape a raw string which is passed to them" do
+ @buffer << "<script>"
+ assert_equal "&lt;script&gt;", @buffer
+ end
+
+ test "Should NOT escape a safe value passed to it" do
+ @buffer << "<script>".html_safe!
+ assert_equal "<script>", @buffer
+ end
+
+ test "Should not mess with an innocuous string" do
+ @buffer << "Hello"
+ assert_equal "Hello", @buffer
+ end
+
+ test "Should not mess with a previously escape test" do
+ @buffer << CGI.escapeHTML("<script>")
+ assert_equal "&lt;script&gt;", @buffer
+ end
+
+ test "Should be considered safe" do
+ assert @buffer.html_safe?
+ end
+
+ test "Should return a safe buffer when calling to_s" do
+ new_buffer = @buffer.to_s
+ assert_equal ActionView::SafeBuffer, new_buffer.class
+ end
+end