diff options
| author | Godfrey Chan <godfreykfc@gmail.com> | 2013-11-27 01:49:25 -0800 |
|---|---|---|
| committer | Godfrey Chan <godfreykfc@gmail.com> | 2013-12-04 09:26:14 -0800 |
| commit | 039f9b37b9e90e7a36b1290dbab33606ea7549ab (patch) | |
| tree | 13392eb724c10951e529a02671f02a2101d90ec1 /actionview | |
| parent | ef2ef5cb93a87b4631d7de085c235a4bf354a640 (diff) | |
| download | rails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.tar.gz rails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.tar.bz2 rails-039f9b37b9e90e7a36b1290dbab33606ea7549ab.zip | |
Added failing test for json_escape striping quotation marks
Expanded test coverage for html_escape and json_escape
Diffstat (limited to 'actionview')
| -rw-r--r-- | actionview/test/template/erb_util_test.rb | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/actionview/test/template/erb_util_test.rb b/actionview/test/template/erb_util_test.rb index 9a7c617eb3..94552a6d9b 100644 --- a/actionview/test/template/erb_util_test.rb +++ b/actionview/test/template/erb_util_test.rb @@ -1,4 +1,5 @@ require 'abstract_unit' +require 'active_support/json' class ErbUtilTest < ActiveSupport::TestCase include ERB::Util @@ -15,6 +16,50 @@ class ErbUtilTest < ActiveSupport::TestCase end end + HTML_ESCAPE_TEST_CASES = [ + ['<br>', '<br>'], + ['a & b', 'a & b'], + ['"quoted" string', '"quoted" string'], + ["'quoted' string", ''quoted' string'], + [ + '<script type="application/javascript">alert("You are \'pwned\'!")</script>', + '<script type="application/javascript">alert("You are 'pwned'!")</script>' + ] + ] + + JSON_ESCAPE_TEST_CASES = [ + ['1', '1'], + ['null', 'null'], + ['"&"', '"\u0026"'], + ['"</script>"', '"\u003C/script\u003E"'], + ['["</script>"]', '["\u003C/script\u003E"]'], + ['{"name":"</script>"}', '{"name":"\u003C/script\u003E"}'] + ] + + def test_html_escape + HTML_ESCAPE_TEST_CASES.each do |(raw, expected)| + assert_equal expected, html_escape(raw) + end + end + + def test_json_escape + JSON_ESCAPE_TEST_CASES.each do |(raw, expected)| + assert_equal expected, json_escape(raw) + end + end + + def test_json_escape_does_not_alter_json_string_meaning + JSON_ESCAPE_TEST_CASES.each do |(raw, _)| + assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw)) + end + end + + def test_json_escape_is_idempotent + JSON_ESCAPE_TEST_CASES.each do |(raw, _)| + assert_equal json_escape(raw), json_escape(json_escape(raw)) + end + end + def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings value = json_escape("asdf") assert !value.html_safe? |