forked from rails/rails_xss
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathoutput_safety_test.rb
115 lines (91 loc) · 2.88 KB
/
output_safety_test.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
require 'test_helper'
class OutputSafetyTest < ActiveSupport::TestCase
def setup
@string = "hello"
@object = Class.new(Object) do
def to_s
"other"
end
end.new
end
test "A string is unsafe by default" do
assert [email protected]_safe?
end
test "A string can be marked safe" do
string = @string.html_safe
assert string.html_safe?
end
test "Marking a string safe returns the string" do
assert_equal @string, @string.html_safe
end
test "A fixnum is safe by default" do
assert 5.html_safe?
end
test "An object is unsafe by default" do
assert [email protected]_safe?
end
test "Adding an object to a safe string returns a safe string" do
string = @string.html_safe
string << @object
assert_equal "helloother", string
assert string.html_safe?
end
test "Adding a safe string to another safe string returns a safe string" do
@other_string = "other".html_safe
string = @string.html_safe
@combination = @other_string + string
assert_equal "otherhello", @combination
assert @combination.html_safe?
end
test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
@other_string = "other".html_safe
@combination = @other_string + "<foo>"
@other_combination = @string + "<foo>"
assert_equal "other<foo>", @combination
assert_equal "hello<foo>", @other_combination
assert @combination.html_safe?
assert !@other_combination.html_safe?
end
test "Concatting safe onto unsafe yields unsafe" do
@other_string = "other"
string = @string.html_safe
@other_string.concat(string)
assert !@other_string.html_safe?
end
test "Concatting unsafe onto safe yields escaped safe" do
@other_string = "other".html_safe
string = @other_string.concat("<foo>")
assert_equal "other<foo>", string
assert string.html_safe?
end
test "Concatting safe onto safe yields safe" do
@other_string = "other".html_safe
string = @string.html_safe
@other_string.concat(string)
assert @other_string.html_safe?
end
test "Concatting safe onto unsafe with << yields unsafe" do
@other_string = "other"
string = @string.html_safe
@other_string << string
assert !@other_string.html_safe?
end
test "Concatting unsafe onto safe with << yields escaped safe" do
@other_string = "other".html_safe
string = @other_string << "<foo>"
assert_equal "other<foo>", string
assert string.html_safe?
end
test "Concatting safe onto safe with << yields safe" do
@other_string = "other".html_safe
string = @string.html_safe
@other_string << string
assert @other_string.html_safe?
end
test "Concatting a fixnum to safe always yields safe" do
string = @string.html_safe
string = string.concat(13)
assert_equal "hello".concat(13), string
assert string.html_safe?
end
end