diff options
Diffstat (limited to 'actionview/test/template/output_safety_helper_test.rb')
| -rw-r--r-- | actionview/test/template/output_safety_helper_test.rb | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/actionview/test/template/output_safety_helper_test.rb b/actionview/test/template/output_safety_helper_test.rb index 8de0ae2f6f..b940c9dd36 100644 --- a/actionview/test/template/output_safety_helper_test.rb +++ b/actionview/test/template/output_safety_helper_test.rb @@ -32,4 +32,59 @@ class OutputSafetyHelperTest < ActionView::TestCase joined = safe_join(['"a"',['<b>','<c>']], ' <br/> ') assert_equal '"a" <br/> <b> <br/> <c>', joined end + + test "to_sentence should escape non-html_safe values" do + actual = to_sentence(%w(< > & ' ")) + assert actual.html_safe? + assert_equal("<, >, &, ', and "", actual) + + actual = to_sentence(%w(<script>)) + assert actual.html_safe? + assert_equal("<script>", actual) + end + + test "to_sentence does not double escape if single value is html_safe" do + assert_equal("<script>", to_sentence([ERB::Util.html_escape("<script>")])) + assert_equal("<script>", to_sentence(["<script>".html_safe])) + assert_equal("&lt;script&gt;", to_sentence(["<script>"])) + end + + test "to_sentence connector words are checked for html safety" do + assert_equal "one & two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' & '.html_safe) + assert_equal "one & two", to_sentence(['one', 'two'], two_words_connector: ' & '.html_safe) + assert_equal "one, two <script>alert(1)</script> three", to_sentence(['one', 'two', 'three'], last_word_connector: ' <script>alert(1)</script> ') + end + + test "to_sentence should not escape html_safe values" do + ptag = content_tag("p") do + safe_join(["<marquee>shady stuff</marquee>", tag("br")]) + end + url = "https://example.com" + expected = %(<a href="#{url}">#{url}</a> and <p><marquee>shady stuff</marquee><br /></p>) + actual = to_sentence([link_to(url, url), ptag]) + assert actual.html_safe? + assert_equal(expected, actual) + end + + test "to_sentence handles blank strings" do + actual = to_sentence(['', 'two', 'three']) + assert actual.html_safe? + assert_equal ", two, and three", actual + end + + test "to_sentence handles nil values" do + actual = to_sentence([nil, 'two', 'three']) + assert actual.html_safe? + assert_equal ", two, and three", actual + end + + test "to_sentence still supports ActiveSupports Array#to_sentence arguments" do + assert_equal "one two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' ') + assert_equal "one & two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' & '.html_safe) + assert_equal "onetwo, and three", to_sentence(['one', 'two', 'three'], words_connector: nil) + assert_equal "one, two, and also three", to_sentence(['one', 'two', 'three'], last_word_connector: ', and also ') + assert_equal "one, twothree", to_sentence(['one', 'two', 'three'], last_word_connector: nil) + assert_equal "one, two three", to_sentence(['one', 'two', 'three'], last_word_connector: ' ') + assert_equal "one, two and three", to_sentence(['one', 'two', 'three'], last_word_connector: ' and ') + end end |