1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
require "abstract_unit"
require "active_support/json"
class ErbUtilTest < ActiveSupport::TestCase
include ERB::Util
ERB::Util::HTML_ESCAPE.each do |given, expected|
define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
assert_equal expected, html_escape(given)
end
end
ERB::Util::JSON_ESCAPE.each do |given, expected|
define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
HTML_ESCAPE_TEST_CASES = [
["<br>", "<br>"],
["a & b", "a & b"],
['"quoted" string', ""quoted" string"],
["'quoted' string", "'quoted' string"],
[
'<script type="application/javascript">alert("You are \'pwned\'!")</script>',
"<script type="application/javascript">alert("You are 'pwned'!")</script>"
]
]
JSON_ESCAPE_TEST_CASES = [
["1", "1"],
["null", "null"],
['"&"', '"\u0026"'],
['"</script>"', '"\u003c/script\u003e"'],
['["</script>"]', '["\u003c/script\u003e"]'],
['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],
[%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']
]
def test_html_escape
HTML_ESCAPE_TEST_CASES.each do |(raw, expected)|
assert_equal expected, html_escape(raw)
end
end
def test_json_escape
JSON_ESCAPE_TEST_CASES.each do |(raw, expected)|
assert_equal expected, json_escape(raw)
end
end
def test_json_escape_does_not_alter_json_string_meaning
JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
expected = ActiveSupport::JSON.decode(raw)
if expected.nil?
assert_nil ActiveSupport::JSON.decode(json_escape(raw))
else
assert_equal expected, ActiveSupport::JSON.decode(json_escape(raw))
end
end
end
def test_json_escape_is_idempotent
JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
assert_equal json_escape(raw), json_escape(json_escape(raw))
end
end
def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
value = json_escape("asdf")
assert !value.html_safe?
end
def test_json_escape_returns_safe_strings_when_passed_safe_strings
value = json_escape("asdf".html_safe)
assert value.html_safe?
end
def test_html_escape_is_html_safe
escaped = h("<p>")
assert_equal "<p>", escaped
assert escaped.html_safe?
end
def test_html_escape_passes_html_escape_unmodified
escaped = h("<p>".html_safe)
assert_equal "<p>", escaped
assert escaped.html_safe?
end
def test_rest_in_ascii
(0..127).to_a.map(&:chr).each do |chr|
next if %('"&<>).include?(chr)
assert_equal chr, html_escape(chr)
end
end
def test_html_escape_once
assert_equal "1 <>&"' 2 & 3", html_escape_once('1 <>&"\' 2 & 3')
assert_equal " ' ' λ λ " ' < > ", html_escape_once(" ' ' λ λ \" ' < > ")
end
def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
value = html_escape_once("1 < 2 & 3")
assert !value.html_safe?
end
def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
value = html_escape_once("1 < 2 & 3".html_safe)
assert value.html_safe?
end
end
|
