authorTimm <kaspth@gmail.com>2013-07-15 21:54:43 +0200
committerTimm <kaspth@gmail.com>2014-06-15 23:40:54 +0200
commit6241bb8cf45979cc9ffaa916ed83e7cc6b48a38e (patch)
treecb52e8ec488f8d7f169033fbcd624808fb2220d5 /actionview/test/template
parentc88d573739186c344f39a068a6f972804b17efe8 (diff)
Added ability to pass a custom scrubber to sanitize. Includes test coverage.
Diffstat (limited to 'actionview/test/template')
-rw-r--r--actionview/test/template/sanitizers_test.rb36
1 files changed, 36 insertions, 0 deletions
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index 8b91dd9c5a..9d64a659b1 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
@@ -222,6 +222,42 @@ class SanitizersTest < ActionController::TestCase
assert_equal "You should pass :attributes as an Enumerable", e.message
end
+ def test_should_not_accept_non_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Object.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+
+ assert_raise Loofah::ScrubberNotFound do
+ sanitizer.sanitize('', :scrubber => scrubber)
+ end
+ end
+
+ def test_should_accept_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_should_accept_loofah_scrubber_that_wraps_a_block
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_custom_scrubber_takes_precedence_over_other_options
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber, :tags => ['foo'])
+ end
+
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)
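Review bot: `scrubber.class_eval do ... end` on `Object.new` (first added test) and on `Loofah::Scrubber.new` (second added test) calls a method that exists on `Module`, not on instances, so both tests raise `NoMethodError` — the first one before its `assert_raise` block is ever reached — and never exercise the scrubber check the commit adds. Replace each three-line `class_eval` block with a singleton definition, `def scrubber.scrub(node); node.name = 'h1'; end`, which is what the `Loofah::ScrubberNotFound` path and the `scrub` override actually need. The first test also sanitizes `''`; if `sanitize` short-circuits on blank input (its implementation is not in this hunk), the non-Loofah scrubber would never be inspected, so a non-empty fixture such as `sanitizer.sanitize('<span>some text</span>', :scrubber => scrubber)` makes the negative case meaningful. Since the last test shows a custom scrubber overriding `:tags`, a one-line comment there that the safelist is entirely bypassed by a custom scrubber would help readers understand the trust placed in it. The enclosing `SanitizersTest` class starts before and continues after this hunk.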