aboutsummaryrefslogtreecommitdiffstats
path: root/actionview
diff options
context:
space:
mode:
authorGodfrey Chan <godfreykfc@gmail.com>2013-11-27 01:49:25 -0800
committerGodfrey Chan <godfreykfc@gmail.com>2013-12-04 09:26:14 -0800
commit039f9b37b9e90e7a36b1290dbab33606ea7549ab (patch)
tree13392eb724c10951e529a02671f02a2101d90ec1 /actionview
parentef2ef5cb93a87b4631d7de085c235a4bf354a640 (diff)
downloadrails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.tar.gz
rails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.tar.bz2
rails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.zip
Added failing test for json_escape striping quotation marks
Expanded test coverage for html_escape and json_escape
Diffstat (limited to 'actionview')
-rw-r--r--actionview/test/template/erb_util_test.rb45
1 files changed, 45 insertions, 0 deletions
diff --git a/actionview/test/template/erb_util_test.rb b/actionview/test/template/erb_util_test.rb
index 9a7c617eb3..94552a6d9b 100644
--- a/actionview/test/template/erb_util_test.rb
+++ b/actionview/test/template/erb_util_test.rb
@@ -1,4 +1,5 @@
require 'abstract_unit'
+require 'active_support/json'
class ErbUtilTest < ActiveSupport::TestCase
include ERB::Util
@@ -15,6 +16,50 @@ class ErbUtilTest < ActiveSupport::TestCase
end
end
+ HTML_ESCAPE_TEST_CASES = [
+ ['<br>', '&lt;br&gt;'],
+ ['a & b', 'a &amp; b'],
+ ['"quoted" string', '&quot;quoted&quot; string'],
+ ["'quoted' string", '&#39;quoted&#39; string'],
+ [
+ '<script type="application/javascript">alert("You are \'pwned\'!")</script>',
+ '&lt;script type=&quot;application/javascript&quot;&gt;alert(&quot;You are &#39;pwned&#39;!&quot;)&lt;/script&gt;'
+ ]
+ ]
+
+ JSON_ESCAPE_TEST_CASES = [
+ ['1', '1'],
+ ['null', 'null'],
+ ['"&"', '"\u0026"'],
+ ['"</script>"', '"\u003C/script\u003E"'],
+ ['["</script>"]', '["\u003C/script\u003E"]'],
+ ['{"name":"</script>"}', '{"name":"\u003C/script\u003E"}']
+ ]
+
+ def test_html_escape
+ HTML_ESCAPE_TEST_CASES.each do |(raw, expected)|
+ assert_equal expected, html_escape(raw)
+ end
+ end
+
+ def test_json_escape
+ JSON_ESCAPE_TEST_CASES.each do |(raw, expected)|
+ assert_equal expected, json_escape(raw)
+ end
+ end
+
+ def test_json_escape_does_not_alter_json_string_meaning
+ JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
+ assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw))
+ end
+ end
+
+ def test_json_escape_is_idempotent
+ JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
+ assert_equal json_escape(raw), json_escape(json_escape(raw))
+ end
+ end
+
def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
value = json_escape("asdf")
assert !value.html_safe?