diff options
| author | Michael Koziarski <michael@koziarski.com> | 2009-10-08 09:31:20 +1300 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2009-10-08 09:31:20 +1300 |
| commit | 9415935902f120a9bac0bfce7129725a0db38ed3 (patch) | |
| tree | 654d184caccfd7e1de4d60236fb7813bf1177d84 /activesupport/test/core_ext | |
| parent | f27e7ebc0e2a55a268631c78d49a5b70b06ad59a (diff) | |
| download | rails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.gz rails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.bz2 rails-9415935902f120a9bac0bfce7129725a0db38ed3.zip | |
Switch to on-by-default XSS escaping for rails.
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
Diffstat (limited to 'activesupport/test/core_ext')
| -rw-r--r-- | activesupport/test/core_ext/string_ext_test.rb | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index db9073e298..584a41b631 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -356,3 +356,89 @@ class StringBytesizeTest < Test::Unit::TestCase assert_equal 3, 'foo'.bytesize end end + +class OutputSafetyTest < ActiveSupport::TestCase + def setup + @string = "hello" + end + + test "A string is unsafe by default" do + assert !@string.html_safe? + end + + test "A string can be marked safe" do + @string.html_safe! + assert @string.html_safe? + end + + test "Marking a string safe returns the string" do + assert_equal @string, @string.html_safe! + end + + test "Adding a safe string to another safe string returns a safe string" do + @other_string = "other".html_safe! + @string.html_safe! + @combination = @other_string + @string + + assert_equal "otherhello", @combination + assert @combination.html_safe? + end + + test "Adding an unsafe string to a safe string returns an unsafe string" do + @other_string = "other".html_safe! + @combination = @other_string + @string + @other_combination = @string + @other_string + + assert_equal "otherhello", @combination + assert_equal "helloother", @other_combination + + assert !@combination.html_safe? + assert !@other_combination.html_safe? + end + + test "Concatting safe onto unsafe yields unsafe" do + @other_string = "other" + @string.html_safe! + + @other_string.concat(@string) + assert !@other_string.html_safe? + end + + test "Concatting unsafe onto safe yields unsafe" do + @other_string = "other".html_safe! + + @other_string.concat(@string) + assert !@other_string.html_safe? + end + + test "Concatting safe onto safe yields safe" do + @other_string = "other".html_safe! + @string.html_safe! + + @other_string.concat(@string) + assert @other_string.html_safe? + end + + test "Concatting safe onto unsafe with << yields unsafe" do + @other_string = "other" + @string.html_safe! + + @other_string << @string + assert !@other_string.html_safe? + end + + test "Concatting unsafe onto safe with << yields unsafe" do + @other_string = "other".html_safe! + + @other_string << @string + assert !@other_string.html_safe? + end + + test "Concatting safe onto safe with << yields safe" do + @other_string = "other".html_safe! + @string.html_safe! + + @other_string << @string + assert @other_string.html_safe? + end +end |