require "abstract_unit" require "active_support/json" class ErbUtilTest < ActiveSupport::TestCase include ERB::Util ERB::Util::HTML_ESCAPE.each do |given, expected| define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do assert_equal expected, html_escape(given) end end ERB::Util::JSON_ESCAPE.each do |given, expected| define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given) end end HTML_ESCAPE_TEST_CASES = [ ["
", "<br>"], ["a & b", "a & b"], ['"quoted" string', ""quoted" string"], ["'quoted' string", "'quoted' string"], [ '', "<script type="application/javascript">alert("You are 'pwned'!")</script>" ] ] JSON_ESCAPE_TEST_CASES = [ ["1", "1"], ["null", "null"], ['"&"', '"\u0026"'], ['""', '"\u003c/script\u003e"'], ['[""]', '["\u003c/script\u003e"]'], ['{"name":""}', '{"name":"\u003c/script\u003e"}'], [%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}'] ] def test_html_escape HTML_ESCAPE_TEST_CASES.each do |(raw, expected)| assert_equal expected, html_escape(raw) end end def test_json_escape JSON_ESCAPE_TEST_CASES.each do |(raw, expected)| assert_equal expected, json_escape(raw) end end def test_json_escape_does_not_alter_json_string_meaning JSON_ESCAPE_TEST_CASES.each do |(raw, _)| assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw)) end end def test_json_escape_is_idempotent JSON_ESCAPE_TEST_CASES.each do |(raw, _)| assert_equal json_escape(raw), json_escape(json_escape(raw)) end end def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings value = json_escape("asdf") assert !value.html_safe? end def test_json_escape_returns_safe_strings_when_passed_safe_strings value = json_escape("asdf".html_safe) assert value.html_safe? end def test_html_escape_is_html_safe escaped = h("

") assert_equal "<p>", escaped assert escaped.html_safe? end def test_html_escape_passes_html_escape_unmodified escaped = h("

".html_safe) assert_equal "

", escaped assert escaped.html_safe? end def test_rest_in_ascii (0..127).to_a.map(&:chr).each do |chr| next if %('"&<>).include?(chr) assert_equal chr, html_escape(chr) end end def test_html_escape_once assert_equal "1 <>&"' 2 & 3", html_escape_once('1 <>&"\' 2 & 3') assert_equal " ' ' λ λ " ' < > ", html_escape_once(" ' ' λ λ \" ' < > ") end def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings value = html_escape_once("1 < 2 & 3") assert !value.html_safe? end def test_html_escape_once_returns_safe_strings_when_passed_safe_strings value = html_escape_once("1 < 2 & 3".html_safe) assert value.html_safe? end end