aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/test/safe_buffer_test.rb
blob: 9456bb87537d53109e285c0ea8edc7e53679a5f0 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# frozen_string_literal: true

require "abstract_unit"
require "active_support/core_ext/string/inflections"
require "yaml"

class SafeBufferTest < ActiveSupport::TestCase
  def setup
    @buffer = ActiveSupport::SafeBuffer.new
  end

  def test_titleize
    assert_equal "Foo", "foo".html_safe.titleize
  end

  test "Should look like a string" do
    assert @buffer.is_a?(String)
    assert_equal "", @buffer
  end

  test "Should escape a raw string which is passed to them" do
    @buffer << "<script>"
    assert_equal "&lt;script&gt;", @buffer
  end

  test "Should NOT escape a safe value passed to it" do
    @buffer << "<script>".html_safe
    assert_equal "<script>", @buffer
  end

  test "Should not mess with an innocuous string" do
    @buffer << "Hello"
    assert_equal "Hello", @buffer
  end

  test "Should not mess with a previously escape test" do
    @buffer << ERB::Util.html_escape("<script>")
    assert_equal "&lt;script&gt;", @buffer
  end

  test "Should be considered safe" do
    assert_predicate @buffer, :html_safe?
  end

  test "Should return a safe buffer when calling to_s" do
    new_buffer = @buffer.to_s
    assert_equal ActiveSupport::SafeBuffer, new_buffer.class
  end

  test "Should be converted to_yaml" do
    str  = "hello!"
    buf  = ActiveSupport::SafeBuffer.new str
    yaml = buf.to_yaml

    assert_match(/^--- #{str}/, yaml)
    assert_equal "hello!", YAML.load(yaml)
  end

  test "Should work in nested to_yaml conversion" do
    str  = "hello!"
    data = { "str" => ActiveSupport::SafeBuffer.new(str) }
    yaml = YAML.dump data
    assert_equal({ "str" => str }, YAML.load(yaml))
  end

  test "Should work with primitive-like-strings in to_yaml conversion" do
    assert_equal "true",  YAML.load(ActiveSupport::SafeBuffer.new("true").to_yaml)
    assert_equal "false", YAML.load(ActiveSupport::SafeBuffer.new("false").to_yaml)
    assert_equal "1",     YAML.load(ActiveSupport::SafeBuffer.new("1").to_yaml)
    assert_equal "1.1",   YAML.load(ActiveSupport::SafeBuffer.new("1.1").to_yaml)
  end

  test "Should work with underscore" do
    str = "MyTest".html_safe.underscore
    assert_equal "my_test", str
  end

  test "Should not return safe buffer from gsub" do
    altered_buffer = @buffer.gsub("", "asdf")
    assert_equal "asdf", altered_buffer
    assert_not_predicate altered_buffer, :html_safe?
  end

  test "Should not return safe buffer from gsub!" do
    @buffer.gsub!("", "asdf")
    assert_equal "asdf", @buffer
    assert_not_predicate @buffer, :html_safe?
  end

  test "Should escape dirty buffers on add" do
    clean = "hello".html_safe
    @buffer.gsub!("", "<>")
    assert_equal "hello&lt;&gt;", clean + @buffer
  end

  test "Should concat as a normal string when safe" do
    clean = "hello".html_safe
    @buffer.gsub!("", "<>")
    assert_equal "<>hello", @buffer + clean
  end

  test "Should preserve html_safe? status on copy" do
    @buffer.gsub!("", "<>")
    assert_not_predicate @buffer.dup, :html_safe?
  end

  test "Should return safe buffer when added with another safe buffer" do
    clean = "<script>".html_safe
    result_buffer = @buffer + clean
    assert_predicate result_buffer, :html_safe?
    assert_equal "<script>", result_buffer
  end

  test "Should raise an error when safe_concat is called on unsafe buffers" do
    @buffer.gsub!("", "<>")
    assert_raise ActiveSupport::SafeBuffer::SafeConcatError do
      @buffer.safe_concat "BUSTED"
    end
  end

  test "Should not fail if the returned object is not a string" do
    assert_kind_of NilClass, @buffer.slice("chipchop")
  end

  test "clone_empty returns an empty buffer" do
    assert_equal "", ActiveSupport::SafeBuffer.new("foo").clone_empty
  end

  test "clone_empty keeps the original dirtyness" do
    assert_predicate @buffer.clone_empty, :html_safe?
    assert_not_predicate @buffer.gsub!("", "").clone_empty, :html_safe?
  end

  test "Should be safe when sliced if original value was safe" do
    new_buffer = @buffer[0, 0]
    assert_not_nil new_buffer
    assert new_buffer.html_safe?, "should be safe"
  end

  test "Should continue unsafe on slice" do
    x = "foo".html_safe.gsub!("f", '<script>alert("lolpwnd");</script>')

    # calling gsub! makes the dirty flag true
    assert_not x.html_safe?, "should not be safe"

    # getting a slice of it
    y = x[0..-1]

    # should still be unsafe
    assert_not y.html_safe?, "should not be safe"
  end

  test "Should work with interpolation (array argument)" do
    x = "foo %s bar".html_safe % ["qux"]
    assert_equal "foo qux bar", x
  end

  test "Should work with interpolation (hash argument)" do
    x = "foo %{x} bar".html_safe % { x: "qux" }
    assert_equal "foo qux bar", x
  end

  test "Should escape unsafe interpolated args" do
    x = "foo %{x} bar".html_safe % { x: "<br/>" }
    assert_equal "foo &lt;br/&gt; bar", x
  end

  test "Should not escape safe interpolated args" do
    x = "foo %{x} bar".html_safe % { x: "<br/>".html_safe }
    assert_equal "foo <br/> bar", x
  end

  test "Should interpolate to a safe string" do
    x = "foo %{x} bar".html_safe % { x: "qux" }
    assert x.html_safe?, "should be safe"
  end

  test "Should not affect frozen objects when accessing characters" do
    x = "Hello".html_safe
    assert_nil x[/a/, 1]
  end
end