better_html 0.0.3

data/lib/better_html/test_helper/safety_tester_base.rb

@@ -0,0 +1,34 @@
+module BetterHtml
+  module TestHelper
+    module SafetyTesterBase
+
+      class SafetyError < InterpolatorError
+        attr_reader :token
+
+        def initialize(token, message)
+          @token = token
+          super(message)
+        end
+      end
+
+      private
+
+      def format_safety_error(data, error)
+        loc = error.token.location
+        s = "On line #{loc.line}\n"
+        s << "#{error.message}\n"
+        line = extract_line(data, loc.line)
+        s << "#{line}\n"
+        length = [[loc.stop - loc.start, line.length - loc.column].min, 1].max
+        s << "#{' ' * loc.column}#{'^' * length}\n\n"
+        s
+      end
+
+      def extract_line(data, line)
+        line = data.lines[line-1]
+        line.nil? ? "" : line.gsub(/\n$/, '')
+      end
+
+    end
+  end
+end

data/lib/better_html/tree.rb

@@ -0,0 +1,113 @@
+require 'better_html/node_iterator'
+
+module BetterHtml
+  class Tree
+    attr_reader :errors
+    attr_reader :root
+
+    cattr_accessor :void_elements
+    self.void_elements = %w(area base br col embed hr img
+      input keygen link menuitem meta param source track wbr)
+
+    def initialize(data, **options)
+      @data = data
+      @errors = Errors.new
+      @nodes = BetterHtml::NodeIterator.new(data, **options.slice(:template_language))
+      @root = TreeRoot.new
+      construct!
+      @nodes.parser_errors&.each do |error|
+        @errors.add(error)
+      end
+    end
+
+    private
+
+    class TreeError < HtmlError
+      attr_reader :token
+
+      def initialize(token, message)
+        @token = token
+        super(message)
+      end
+    end
+
+    def add_error(token, message)
+      @errors.add(TreeError.new(token, message))
+    end
+
+    def construct!
+      current = @root
+      @nodes.each do |node|
+        case node.node_type
+        when :text, :comment, :cdata
+          current << node
+        when :element
+          if node.closing?
+            if void_elements.include?(node.name)
+              add_error(node.name_parts.first,
+                "end of tag for void element: </#{node.name}>")
+            elsif current.root?
+              add_error(node.name_parts.first,
+                "mismatched </#{node.name}> at root of tree")
+            else
+              if node.name == current.name
+                current.end_node = node
+                current = current.parent
+              else
+                add_error(node.name_parts.first,
+                  "mismatched </#{node.name}> in <#{current.name}> element")
+              end
+            end
+          else
+            element = Element.new(parent: current, start_node: node)
+            current << element
+            current = element unless element.closed?
+          end
+        end
+      end
+    end
+
+    class NodeContainer
+      attr_accessor :content_nodes
+      delegate :each, :[], :each_with_index, :<<, :push,
+        :size, :empty?, :any?, to: :content_nodes
+
+      def root?
+        false
+      end
+
+      def initialize
+        @content_nodes = []
+      end
+    end
+
+    class TreeRoot < NodeContainer
+      def root?
+        true
+      end
+    end
+
+    class Element < NodeContainer
+      attr_reader :parent
+      attr_accessor :start_node
+      attr_accessor :end_node
+
+      delegate :name, :attributes, :self_closing?, to: :start_node
+      delegate :element?, :text?, :comment?, :cdata?, to: :start_node
+
+      def initialize(parent:, start_node:)
+        super()
+        @parent = parent
+        @start_node = start_node
+      end
+
+      def closed?
+        void? || end_node.present? || self_closing?
+      end
+
+      def void?
+        BetterHtml::Tree.void_elements.include?(name)
+      end
+    end
+  end
+end

data/lib/better_html/version.rb

@@ -0,0 +1,3 @@
+module BetterHtml
+  VERSION = "0.0.3"
+end

data/lib/tasks/better_html_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :better_html do
+#   # Task goes here
+# end

data/test/better_html/better_erb/implementation_test.rb

@@ -0,0 +1,402 @@
+require 'test_helper'
+require 'ostruct'
+require 'better_html/better_erb'
+require 'json'
+
+class BetterHtml::BetterErb::ImplementationTest < ActiveSupport::TestCase
+  test "simple template rendering" do
+    assert_equal "<foo>some value<foo>",
+      render("<foo><%= bar %><foo>", { bar: 'some value' })
+  end
+
+  test "html_safe interpolation" do
+    assert_equal "<foo><bar /><foo>",
+      render("<foo><%= bar %><foo>", { bar: '<bar />'.html_safe })
+  end
+
+  test "non html_safe interpolation" do
+    assert_equal "<foo>&lt;bar /&gt;<foo>",
+      render("<foo><%= bar %><foo>", { bar: '<bar />' })
+  end
+
+  test "interpolate non-html_safe inside attribute is escaped" do
+    assert_equal "<a href=\" &#39;&quot;&gt;x \">",
+      render("<a href=\"<%= value %>\">", { value: ' \'">x ' })
+  end
+
+  test "interpolate html_safe inside attribute is magically force-escaped" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<a href=\"<%= value %>\">", { value: ' \'">x '.html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a quoted attribute value. The value cannot contain the character \".", e.message
+  end
+
+  test "interpolate html_safe inside single quoted attribute" do
+    BetterHtml.config.stubs(:allow_single_quoted_attributes).returns(true)
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<a href=\'<%= value %>\'>", { value: ' \'">x '.html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a quoted attribute value. The value cannot contain the character '.", e.message
+  end
+
+  test "interpolate in attribute name" do
+    assert_equal "<a data-safe-foo>",
+      render("<a data-<%= value %>-foo>", { value: "safe" })
+  end
+
+  test "interpolate in attribute name with unsafe value with spaces" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<a data-<%= value %>-foo>", { value: "un safe" })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a attribute name around 'data-<%= value %>'.", e.message
+  end
+
+  test "interpolate in attribute name with unsafe value with equal sign" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<a data-<%= value %>-foo>", { value: "un=safe" })
+    end
+    assert_equal "Detected invalid characters as part of the "\
+      "interpolation into a attribute name around 'data-<%= value %>'.", e.message
+  end
+
+  test "interpolate in attribute name with unsafe value with quote" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<a data-<%= value %>-foo>", { value: "un\"safe" })
+    end
+    assert_equal "Detected invalid characters as part of the "\
+      "interpolation into a attribute name around 'data-<%= value %>'.", e.message
+  end
+
+  test "interpolate after an attribute name without a value" do
+    assert_equal '<a data-foo foo="bar">',
+      render("<a data-foo <%= html_attributes(foo: 'bar') %>>")
+  end
+
+  test "interpolate after an attribute name with equal sign" do
+    BetterHtml.config.stubs(:allow_unquoted_attributes).returns(true)
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render("<a data-foo= <%= html_attributes(foo: 'bar') %>>")
+    end
+    assert_equal "Do not interpolate without quotes after "\
+      "attribute around 'data-foo=<%= html_attributes(foo: 'bar') %>'.", e.message
+  end
+
+  test "interpolate after an attribute value" do
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render("<a foo=\"xx\"<%= html_attributes(foo: 'bar') %>>")
+    end
+    assert_equal "Add a space after this attribute value. "\
+      "Instead of <a foo=\"xx\"<%= html_attributes(foo: 'bar') %>>"\
+      " try <a foo=\"xx\" <%= html_attributes(foo: 'bar') %>>.", e.message
+  end
+
+  test "interpolate in attribute without quotes" do
+    BetterHtml.config.stubs(:allow_unquoted_attributes).returns(true)
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render("<a href=<%= value %>>", { value: "un safe" })
+    end
+    assert_equal "Do not interpolate without quotes after "\
+      "attribute around 'href=<%= value %>'.", e.message
+  end
+
+  test "interpolate in attribute after value" do
+    BetterHtml.config.stubs(:allow_unquoted_attributes).returns(true)
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render("<a href=something<%= value %>>", { value: "" })
+    end
+    assert_equal "Do not interpolate without quotes around this "\
+      "attribute value. Instead of <a href=something<%= value %>> "\
+      "try <a href=\"something<%= value %>\">.", e.message
+  end
+
+  test "interpolate in tag name" do
+    assert_equal "<tag-safe-foo>",
+      render("<tag-<%= value %>-foo>", { value: "safe" })
+  end
+
+  test "interpolate in tag name with space" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<tag-<%= value %>-foo>", { value: "un safe" })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a tag name around: <tag-<%= value %>>.", e.message
+  end
+
+  test "interpolate in tag name with slash" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<tag-<%= value %>-foo>", { value: "un/safe" })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a tag name around: <tag-<%= value %>>.", e.message
+  end
+
+  test "interpolate in tag name with end of tag" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<tag-<%= value %>-foo>", { value: "><script>" })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a tag name around: <tag-<%= value %>>.", e.message
+  end
+
+  test "interpolate in comment" do
+    assert_equal "<!-- safe -->",
+      render("<!-- <%= value %> -->", { value: "safe" })
+  end
+
+  test "interpolate in comment with end-of-comment" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<!-- <%= value %> -->", { value: "-->".html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a html comment around: <!-- <%= value %>.", e.message
+  end
+
+  test "non html_safe interpolation into comment tag" do
+    assert_equal "<!-- --&gt; -->",
+      render("<!-- <%= value %> -->", value: '-->')
+  end
+
+  test "interpolate in script tag" do
+    assert_equal "<script> foo safe bar<script>",
+      render("<script> foo <%= value %> bar<script>", { value: "safe" })
+  end
+
+  test "interpolate in script tag with start of comment" do
+    skip "skip for now; causing problems"
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<script> foo <%= value %> bar<script>", { value: "<!--".html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a script tag around: <script> foo <%= value %>. "\
+      "A script tag cannot contain <script or </script anywhere inside of it.", e.message
+  end
+
+  test "interpolate in script tag with start of script" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<script> foo <%= value %> bar<script>", { value: "<script".html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a script tag around: <script> foo <%= value %>. "\
+      "A script tag cannot contain <script or </script anywhere inside of it.", e.message
+  end
+
+  test "interpolate in script tag with raw interpolation" do
+    assert_equal "<script> x = \"foo\" </script>",
+      render("<script> x = <%== value %> </script>", { value: JSON.dump("foo") })
+  end
+
+  test "interpolate in script tag with start of script case insensitive" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<script> foo <%= value %> bar<script>", { value: "<ScRIpT".html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a script tag around: <script> foo <%= value %>. "\
+      "A script tag cannot contain <script or </script anywhere inside of it.", e.message
+  end
+
+  test "interpolate in script tag with end of script" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<script> foo <%= value %> bar<script>", { value: "</script".html_safe })
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a script tag around: <script> foo <%= value %>. "\
+      "A script tag cannot contain <script or </script anywhere inside of it.", e.message
+  end
+
+  test "interpolate html_attributes" do
+    assert_equal "<a foo=\"bar\">",
+      render("<a <%= html_attributes(foo: 'bar') %>>")
+  end
+
+  test "interpolate without html_attributes" do
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render("<a <%= 'foo=\"bar\"' %>>")
+    end
+    assert_equal "Do not interpolate String in a tag. Instead "\
+      "of <a <%= 'foo=\"bar\"' %>> please try <a <%= html_attributes(attr: value) %>>.", e.message
+  end
+
+  test "non html_safe interpolation into rawtext tag" do
+    assert_equal "<title>&lt;/title&gt;</title>",
+      render("<title><%= value %></title>", value: '</title>')
+  end
+
+  test "html_safe interpolation into rawtext tag" do
+    assert_equal "<title><safe></title>",
+      render("<title><%= value %></title>", value: '<safe>'.html_safe)
+  end
+
+  test "html_safe interpolation terminating the current tag" do
+    e = assert_raises(BetterHtml::UnsafeHtmlError) do
+      render("<title><%= value %></title>", value: '</title>'.html_safe)
+    end
+    assert_equal "Detected invalid characters as part of the interpolation "\
+      "into a title tag around: <title><%= value %>.", e.message
+  end
+
+  test "interpolate block in middle of tag" do
+    e = assert_raises(BetterHtml::DontInterpolateHere) do
+      render(<<-HTML)
+        <a href="" <%= something do %>
+          foo
+        <% end %>
+      HTML
+    end
+    assert_equal "Ruby statement not allowed.\n"\
+      "In 'tag' on line 1 column 19:\n"\
+      "        <a href=\"\" <%= something do %>\n"\
+      "                   ^^^^^^^^^^^^^^^^^^^", e.message
+  end
+
+  test "interpolate with output block is valid syntax" do
+    assert_nothing_raised do
+      render(<<-HTML)
+        <%= capture do %>
+          <foo>
+        <% end %>
+      HTML
+    end
+  end
+
+  test "interpolate with statement block is valid syntax" do
+    assert_nothing_raised do
+      render(<<-HTML)
+        <% capture do %>
+          <foo>
+        <% end %>
+      HTML
+    end
+  end
+
+  test "can interpolate method calls without parenthesis" do
+    assert_equal "<div>foo</div>",
+      render("<div><%= send 'value' %></div>", value: 'foo')
+  end
+
+  test "tag names are validated against tag_name_pattern regexp" do
+    e = assert_raises(BetterHtml::HtmlError) do
+      render("<foo~bar></foo~bar>")
+    end
+    assert_equal "Invalid tag name \"foo~bar\" does not match regular expression /\\A[a-z0-9\\-\\:]+\\z/\n"\
+      "On line 1 column 1:\n"\
+      "<foo~bar></foo~bar>\n"\
+      " ^^^^^^^", e.message
+  end
+
+  test "attribute names are validated against attribute_name_pattern regexp" do
+    e = assert_raises(BetterHtml::HtmlError) do
+      render("<foo bar_baz=\"1\">")
+    end
+    assert_equal "Invalid attribute name \"bar_baz\" does not match regular expression #{BetterHtml.config.partial_attribute_name_pattern.inspect}\n"\
+      "On line 1 column 5:\n"\
+      "<foo bar_baz=\"1\">\n"\
+      "     ^^^^^^^", e.message
+  end
+
+  test "single quotes are disallowed when allow_single_quoted_attributes=false" do
+    BetterHtml.config.stubs(:allow_single_quoted_attributes).returns(false)
+    e = assert_raises(BetterHtml::HtmlError) do
+      render("<foo bar='1'>")
+    end
+    assert_equal "Single-quoted attributes are not allowed\n"\
+      "On line 1 column 9:\n"\
+      "<foo bar='1'>\n"\
+      "         ^", e.message
+  end
+
+  test "single quotes are allowed when allow_single_quoted_attributes=true" do
+    BetterHtml.config.stubs(:allow_single_quoted_attributes).returns(true)
+    assert_nothing_raised do
+      render("<foo bar='1'>")
+    end
+  end
+
+  test "unquoted values are disallowed when allow_unquoted_attributes=false" do
+    BetterHtml.config.stubs(:allow_unquoted_attributes).returns(false)
+    e = assert_raises(BetterHtml::HtmlError) do
+      render("<foo bar=1>")
+    end
+    assert_equal "Unquoted attribute values are not allowed\n"\
+      "On line 1 column 9:\n"\
+      "<foo bar=1>\n"\
+      "         ^", e.message
+  end
+
+  test "unquoted values are allowed when allow_unquoted_attributes=true" do
+    BetterHtml.config.stubs(:allow_unquoted_attributes).returns(true)
+    assert_nothing_raised do
+      render("<foo bar=1>")
+    end
+  end
+
+  test "capture works as intended" do
+    output = render(<<-HTML)
+      <%- foo = capture do -%>
+        <foo>
+      <%- end -%>
+      <bar><%= foo %></bar>
+    HTML
+
+    assert_equal "      <bar>        <foo>\n</bar>\n", output
+  end
+
+  test "validate! raises when tag is not terminated at end of document" do
+    document = compile("<foo")
+    e = assert_raises(BetterHtml::HtmlError) do
+      document.validate!
+    end
+    assert_equal "Detected an open tag at the end of this document.", e.message
+  end
+
+  test "validate! raises when rawtext tag is not terminated at end of document" do
+    document = compile("<script>")
+    e = assert_raises(BetterHtml::HtmlError) do
+      document.validate!
+    end
+    assert_equal "Detected an open tag at the end of this document.", e.message
+  end
+
+  test "validate! raises parsing error for attribute name" do
+    document = compile("<foo bar~baz=\"1\">")
+    e = assert_raises(BetterHtml::HtmlError) do
+      document.validate!
+    end
+    assert_equal "expected whitespace, '>', attribute name or value\n"\
+      "On line 1 column 8:\n"\
+      "<foo bar~baz=\"1\">\n"\
+      "        ^^^^^^^^^", e.message
+  end
+
+  private
+
+  class ViewContext < OpenStruct
+    include(ActionView::Helpers)
+    include(BetterHtml::Helpers)
+    attr_accessor :output_buffer
+
+    def get_binding
+      binding
+    end
+  end
+
+  def render(source, locals={})
+    context = ViewContext.new(locals)
+    impl = compile(source)
+    if ActionView.version < Gem::Version.new("5.1")
+      impl.result(context.get_binding)
+    else
+      impl.evaluate(context)
+    end
+  end
+
+  def compile(source)
+    if ActionView.version < Gem::Version.new("5.1")
+      BetterHtml::BetterErb::ErubisImplementation.new(source)
+    else
+      BetterHtml::BetterErb::ErubiImplementation.new(source)
+    end
+  end
+end