4b6c68dfb8
The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
require "abstract_unit"
require "active_support/json"
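# Tests for the escaping helpers mixed in from ERB::Util: html_escape (and its
# alias h), html_escape_once and json_escape.
#
# NOTE(review): the page this listing was taken from had decoded the HTML
# entities inside the expected-value literals (for example the expected value
# for "<br>" was shown as "<br>"), which left several literals syntactically
# invalid and made the assertions compare raw input with raw input. The
# entity-encoded forms below were restored from what html_escape produces for
# the five characters listed in test_rest_in_ascii; confirm against the
# upstream file before relying on them.
class ErbUtilTest < ActiveSupport::TestCase
  include ERB::Util

  # One generated test per entry of the HTML escape table, named after the
  # word characters of the replacement.
  ERB::Util::HTML_ESCAPE.each do |given, expected|
    define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
      assert_equal expected, html_escape(given)
    end
  end

  # Same scheme for the JSON escape table.
  ERB::Util::JSON_ESCAPE.each do |given, expected|
    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
    end
  end

  # [raw input, expected html_escape output]
  HTML_ESCAPE_TEST_CASES = [
    ["<br>", "&lt;br&gt;"],
    ["a & b", "a &amp; b"],
    ['"quoted" string', "&quot;quoted&quot; string"],
    ["'quoted' string", "&#39;quoted&#39; string"],
    [
      '<script type="application/javascript">alert("You are \'pwned\'!")</script>',
      "&lt;script type=&quot;application/javascript&quot;&gt;alert(&quot;You are &#39;pwned&#39;!&quot;)&lt;/script&gt;"
    ]
  ].freeze

  # [raw JSON text, expected json_escape output]
  #
  # The expected values keep their double quotes: json_escape rewrites &, <, >
  # and the U+2028/U+2029 separators only, so its output is not an
  # attribute-safe encoding.
  JSON_ESCAPE_TEST_CASES = [
    ["1", "1"],
    ["null", "null"],
    ['"&"', '"\u0026"'],
    ['"</script>"', '"\u003c/script\u003e"'],
    ['["</script>"]', '["\u003c/script\u003e"]'],
    ['{"name":"</script>"}', '{"name":"\u003c/script\u003e"}'],
    [%({"name":"d\u2028h\u2029h"}), '{"name":"d\u2028h\u2029h"}']
  ].freeze

  def test_html_escape
    HTML_ESCAPE_TEST_CASES.each do |(raw, expected)|
      assert_equal expected, html_escape(raw)
    end
  end

  def test_json_escape
    JSON_ESCAPE_TEST_CASES.each do |(raw, expected)|
      assert_equal expected, json_escape(raw)
    end
  end

  # Escaping must not change what the JSON decodes to.
  def test_json_escape_does_not_alter_json_string_meaning
    JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
      assert_equal ActiveSupport::JSON.decode(raw), ActiveSupport::JSON.decode(json_escape(raw))
    end
  end

  def test_json_escape_is_idempotent
    JSON_ESCAPE_TEST_CASES.each do |(raw, _)|
      assert_equal json_escape(raw), json_escape(json_escape(raw))
    end
  end

  # json_escape must not mark an unsafe string as html_safe; the flag is only
  # carried over from the input.
  def test_json_escape_returns_unsafe_strings_when_passed_unsafe_strings
    value = json_escape("asdf")
    assert_not value.html_safe?
  end

  def test_json_escape_returns_safe_strings_when_passed_safe_strings
    value = json_escape("asdf".html_safe)
    assert value.html_safe?
  end

  def test_html_escape_is_html_safe
    escaped = h("<p>")
    assert_equal "&lt;p&gt;", escaped
    assert escaped.html_safe?
  end

  # Input already flagged html_safe is returned as is, markup included.
  def test_html_escape_passes_html_escape_unmodified
    escaped = h("<p>".html_safe)
    assert_equal "<p>", escaped
    assert escaped.html_safe?
  end

  # Every ASCII character other than ' " & < > must pass through untouched.
  def test_rest_in_ascii
    (0..127).each do |code|
      chr = code.chr
      next if %('"&<>).include?(chr)
      assert_equal chr, html_escape(chr)
    end
  end

  # html_escape_once escapes bare special characters but must leave existing
  # entities alone, so the inputs carry already-escaped references.
  # NOTE(review): the already-escaped "&amp;" in the first input and the exact
  # spelling of the numeric references in the second were reconstructed (the
  # page showed them decoded as "&", "'" and "λ"); confirm against upstream.
  def test_html_escape_once
    assert_equal "1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3", html_escape_once('1 <>&"\' 2 &amp; 3')
    assert_equal " &#X27; &#x27; &#x03BB; &#X03bb; &quot; &#39; &lt; &gt; ", html_escape_once(" &#X27; &#x27; &#x03BB; &#X03bb; \" ' < > ")
  end

  def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
    value = html_escape_once("1 < 2 & 3")
    assert_not value.html_safe?
  end

  def test_html_escape_once_returns_safe_strings_when_passed_safe_strings
    value = html_escape_once("1 < 2 & 3".html_safe)
    assert value.html_safe?
  end
end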