require 'abstract_unit'
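# Tests for ActionView::Helpers::OutputSafetyHelper (raw, safe_join, to_sentence).
#
# These assertions pin the escaping contract that protects views from HTML
# injection: any value that is not marked html_safe must come out
# entity-escaped, and only values already marked html_safe pass through
# verbatim. The expected strings therefore spell out entities literally
# (&lt;, &gt;, &amp;, &quot;, &#39;); if they are ever stored or displayed in
# decoded form the assertions no longer check escaping at all.
#
# NOTE(review): html_safe and raw are trust markers, not sanitizers. The
# tests below show that a value marked html_safe is emitted unescaped, so
# application code must never apply either to untrusted input.
class OutputSafetyHelperTest < ActionView::TestCase
  tests ActionView::Helpers::OutputSafetyHelper

  def setup
    @string = "hello"
  end

  # raw keeps the content unchanged and only flags the result as html_safe.
  test "raw returns the safe string" do
    result = raw(@string)
    assert_equal @string, result
    assert result.html_safe?
  end

  # nil is coerced to an empty string instead of raising.
  test "raw handles nil values correctly" do
    assert_equal "", raw(nil)
  end

  test "safe_join should html_escape any items, including the separator, if they are not html_safe" do
    # The first item is raw (trusted); the second item and the separator are
    # plain strings, so both must be escaped in the joined output.
    joined = safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
    assert_equal "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;", joined

    # Everything is marked safe here, so nothing is escaped.
    joined = safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
    assert_equal "<p>foo</p><br /><p>bar</p>", joined
  end

  test "safe_join should work recursively similarly to Array.join" do
    joined = safe_join(['a',['b','c']], ':')
    assert_equal 'a:b:c', joined

    # Nested items and the separator are all unsafe strings: every quote and
    # angle bracket must be escaped, including those inside the inner array.
    joined = safe_join(['"a"',['<b>','<c>']], ' <br/> ')
    assert_equal '&quot;a&quot; &lt;br/&gt; &lt;b&gt; &lt;br/&gt; &lt;c&gt;', joined
  end

  test "to_sentence should escape non-html_safe values" do
    # Each HTML metacharacter is passed as its own word and must be escaped.
    actual = to_sentence(%w(< > & ' "))
    assert actual.html_safe?
    assert_equal("&lt;, &gt;, &amp;, &#39;, and &quot;", actual)

    # The single-element case must be escaped as well.
    actual = to_sentence(%w(<script>))
    assert actual.html_safe?
    assert_equal("&lt;script&gt;", actual)
  end

  test "to_sentence does not double escape if single value is html_safe" do
    # Already-escaped, html_safe input is returned as-is (no second pass) ...
    assert_equal("&lt;script&gt;", to_sentence([ERB::Util.html_escape("<script>")]))
    assert_equal("&lt;script&gt;", to_sentence(["&lt;script&gt;".html_safe]))
    # ... while the same text without the html_safe flag is treated as
    # untrusted, so its ampersands are escaped again.
    assert_equal("&amp;lt;script&amp;gt;", to_sentence(["&lt;script&gt;"]))
  end

  test "to_sentence connector words are checked for html safety" do
    # html_safe connectors are inserted verbatim.
    assert_equal "one & two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' & '.html_safe)
    assert_equal "one & two", to_sentence(['one', 'two'], two_words_connector: ' & '.html_safe)
    # A connector that is not html_safe is escaped like any other value, so
    # markup supplied through a connector option cannot reach the page.
    assert_equal "one, two &lt;script&gt;alert(1)&lt;/script&gt; three", to_sentence(['one', 'two', 'three'], last_word_connector: ' <script>alert(1)</script> ')
  end

  test "to_sentence should not escape html_safe values" do
    # safe_join escapes the unsafe <marquee> string inside the <p>, while the
    # tags produced by content_tag/tag/link_to stay intact.
    ptag = content_tag("p") do
      safe_join(["<marquee>shady stuff</marquee>", tag("br")])
    end
    url = "https://example.com"
    expected = %(<a href="#{url}">#{url}</a> and <p>&lt;marquee&gt;shady stuff&lt;/marquee&gt;<br /></p>)
    actual = to_sentence([link_to(url, url), ptag])
    assert actual.html_safe?
    assert_equal(expected, actual)
  end

  # A blank first word still occupies its slot in the sentence.
  test "to_sentence handles blank strings" do
    actual = to_sentence(['', 'two', 'three'])
    assert actual.html_safe?
    assert_equal ", two, and three", actual
  end

  # nil is rendered like a blank word rather than raising.
  test "to_sentence handles nil values" do
    actual = to_sentence([nil, 'two', 'three'])
    assert actual.html_safe?
    assert_equal ", two, and three", actual
  end

  # The connector options accept plain strings, html_safe strings and nil.
  test "to_sentence still supports ActiveSupports Array#to_sentence arguments" do
    assert_equal "one two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' ')
    assert_equal "one & two, and three", to_sentence(['one', 'two', 'three'], words_connector: ' & '.html_safe)
    assert_equal "onetwo, and three", to_sentence(['one', 'two', 'three'], words_connector: nil)
    assert_equal "one, two, and also three", to_sentence(['one', 'two', 'three'], last_word_connector: ', and also ')
    assert_equal "one, twothree", to_sentence(['one', 'two', 'three'], last_word_connector: nil)
    assert_equal "one, two three", to_sentence(['one', 'two', 'three'], last_word_connector: ' ')
    assert_equal "one, two and three", to_sentence(['one', 'two', 'three'], last_word_connector: ' and ')
  end
end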