diff options
author | Jon Jensen <jenseng@gmail.com> | 2011-12-02 12:55:33 -0700 |
---|---|---|
committer | José Valim <jose.valim@gmail.com> | 2011-12-03 10:36:52 +0100 |
commit | 0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3 (patch) | |
tree | b1cf0dc4056526df4db2ebfdb8e3fc735ac3939a /activesupport/test/core_ext | |
parent | 9ac6310bd988f19b02e375f1f9594df4d469f624 (diff) | |
download | rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.tar.gz rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.tar.bz2 rails-0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3.zip |
Restore performance of ERB::Util.html_escape
Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8
Signed-off-by: José Valim <jose.valim@gmail.com>
Diffstat (limited to 'activesupport/test/core_ext')
-rw-r--r-- | activesupport/test/core_ext/string_ext_test.rb | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb index ade09efc56..47b9f68ed0 100644 --- a/activesupport/test/core_ext/string_ext_test.rb +++ b/activesupport/test/core_ext/string_ext_test.rb @@ -21,12 +21,6 @@ class StringInflectionsTest < Test::Unit::TestCase include InflectorTestCases include ConstantizeTestCases - def test_erb_escape - string = [192, 60].pack('CC') - expected = 192.chr + "<" - assert_equal expected, ERB::Util.html_escape(string) - end - def test_strip_heredoc_on_an_empty_string assert_equal '', ''.strip_heredoc end @@ -497,6 +491,23 @@ class OutputSafetyTest < ActiveSupport::TestCase assert string.html_safe? assert !string.to_param.html_safe? end + + test "ERB::Util.html_escape should escape unsafe characters" do + string = '<>&"' + expected = '<>&"' + assert_equal expected, ERB::Util.html_escape(string) + end + + test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do + string = [192, 60].pack('CC') + expected = 192.chr + "<" + assert_equal expected, ERB::Util.html_escape(string) + end + + test "ERB::Util.html_escape should not escape safe strings" do + string = "<b>hello</b>".html_safe + assert_equal string, ERB::Util.html_escape(string) + end end class StringExcludeTest < ActiveSupport::TestCase |