better_html 0.0.8 → 0.0.9
- checksums.yaml +4 -4
- data/lib/better_html/node_iterator/html_erb.rb +6 -3
- data/lib/better_html/node_iterator/html_lodash.rb +1 -1
- data/lib/better_html/node_iterator/javascript_erb.rb +8 -7
- data/lib/better_html/node_iterator/location.rb +38 -2
- data/lib/better_html/test_helper/ruby_expr.rb +89 -64
- data/lib/better_html/test_helper/safe_erb_tester.rb +134 -31
- data/lib/better_html/test_helper/safe_lodash_tester.rb +25 -12
- data/lib/better_html/test_helper/safety_error.rb +12 -0
- data/lib/better_html/version.rb +1 -1
- data/test/better_html/node_iterator/location_test.rb +36 -0
- data/test/better_html/test_helper/ruby_expr_test.rb +163 -86
- data/test/better_html/test_helper/safe_erb_tester_test.rb +63 -22
- data/test/better_html/test_helper/safe_lodash_tester_test.rb +5 -5
- metadata +19 -3
- data/lib/better_html/test_helper/safety_tester_base.rb +0 -34
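--- a/data/test/better_html/test_helper/safe_erb_tester_test.rb
+++ b/data/test/better_html/test_helper/safe_erb_tester_test.rb
@@ -8,6 +8,9 @@ module BetterHtml
 BetterHtml.config
 .stubs(:javascript_safe_methods)
 .returns(['j', 'escape_javascript', 'to_json'])
+BetterHtml.config
+.stubs(:javascript_attribute_names)
+.returns([/\Aon/i, 'data-eval'])
 end
 
 test "string without interpolation is safe" do
@@ -15,9 +18,7 @@ module BetterHtml
 <a onclick="alert('<%= "something" %>')">
 EOF
 
-assert_equal
-assert_equal '<%= "something" %>', errors.first.token.text
-assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+assert_equal 0, errors.size
 end
 
 test "string with interpolation" do
@@ -26,7 +27,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal '"hello #{name}"', errors.first.location.source
 assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 end
 
@@ -37,10 +38,10 @@ module BetterHtml
 
 assert_equal 2, errors.size
 
-assert_equal '
+assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
 assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 
-assert_equal '
+assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
 assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 end
 
@@ -50,7 +51,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'unsafe', errors.first.location.source
 assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 end
 
@@ -74,7 +75,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'foo ? bar : j(baz)', errors.first.location.source
 assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 end
 
@@ -112,7 +113,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'unsafe.html_safe', errors.first.location.source
 assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
 end
 
@@ -122,7 +123,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'unsafe.to_json.html_safe', errors.first.location.source
 assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
 end
 
@@ -132,7 +133,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%== unsafe %>', errors.first.
+assert_equal '<%== unsafe %>', errors.first.location.source
 assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
 end
 
@@ -142,7 +143,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%== unsafe.to_json %>', errors.first.
+assert_equal '<%== unsafe.to_json %>', errors.first.location.source
 assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
 end
 
@@ -152,7 +153,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'raw unsafe', errors.first.location.source
 assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
 end
 
@@ -162,7 +163,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '
+assert_equal 'raw unsafe.to_json', errors.first.location.source
 assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
 end
 
@@ -174,7 +175,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%= unsafe %>', errors.first.
+assert_equal '<%= unsafe %>', errors.first.location.source
 assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
 end
 
@@ -184,7 +185,7 @@ module BetterHtml
 JS
 
 assert_equal 1, errors.size
-assert_equal '<%= unsafe %>', errors.first.
+assert_equal '<%= unsafe %>', errors.first.location.source
 assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
 end
 
@@ -196,7 +197,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%= "unsafe" %>', errors.first.
+assert_equal '<%= "unsafe" %>', errors.first.location.source
 assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
 end
 
@@ -206,7 +207,7 @@ module BetterHtml
 JS
 
 assert_equal 1, errors.size
-assert_equal '<%= "unsafe" %>', errors.first.
+assert_equal '<%= "unsafe" %>', errors.first.location.source
 assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
 end
 
@@ -218,7 +219,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%= javascript_tag do %>', errors.first.
+assert_equal '<%= javascript_tag do %>', errors.first.location.source
 assert_includes "'javascript_tag do' syntax is deprecated; use inline <script> instead", errors.first.message
 end
 
@@ -230,7 +231,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '<%= unsafe %>', errors.first.
+assert_equal '<%= unsafe %>', errors.first.location.source
 assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
 end
 
@@ -254,7 +255,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal "<% if foo? %>", errors.first.
+assert_equal "<% if foo? %>", errors.first.location.source
 assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
 end
 
@@ -266,7 +267,7 @@ module BetterHtml
 JS
 
 assert_equal 1, errors.size
-assert_equal "<% if foo %>", errors.first.
+assert_equal "<% if foo %>", errors.first.location.source
 assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
 end
 
@@ -349,6 +350,46 @@ module BetterHtml
 assert_predicate errors, :empty?
 end
 
+test "unsafe javascript methods in helper calls with new hash syntax" do
+errors = parse(<<-EOF).errors
+<%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
+EOF
+
+assert_equal 1, errors.size
+assert_equal "\#{unsafe}", errors[0].location.source
+assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors[0].message
+end
+
+test "unsafe javascript methods in helper calls with old hash syntax" do
+errors = parse(<<-EOF).errors
+<%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
+EOF
+
+assert_equal 1, errors.size
+assert_equal "\#{unsafe}", errors.first.location.source
+assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+end
+
+test "unsafe javascript methods in helper calls with string as key" do
+errors = parse(<<-EOF).errors
+<%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
+EOF
+
+assert_equal 1, errors.size
+assert_equal "\#{unsafe}", errors.first.location.source
+assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+end
+
+test "unsafe javascript methods in helper calls with nested data key" do
+errors = parse(<<-EOF).errors
+<%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
+EOF
+
+assert_equal 1, errors.size
+assert_equal "\#{unsafe}", errors.first.location.source
+assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+end
+
 private
 def parse(data, template_language: :html)
 SafeErbTester::Tester.new(data, template_language: template_language)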
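--- a/data/test/better_html/test_helper/safe_lodash_tester_test.rb
+++ b/data/test/better_html/test_helper/safe_lodash_tester_test.rb
@@ -10,7 +10,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '[%! foo %]', errors.first.
+assert_equal '[%! foo %]', errors.first.location.source
 assert_equal "lodash interpolation with '[%!' inside html attribute is never safe", errors.first.message
 end
 
@@ -28,7 +28,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '[%= foo %]', errors.first.
+assert_equal '[%= foo %]', errors.first.location.source
 assert_equal "lodash interpolation in javascript attribute `onclick` must call `JSON.stringify(foo)`", errors.first.message
 end
 
@@ -46,7 +46,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal 'script', errors.first.
+assert_equal 'script', errors.first.location.source
 assert_equal "No script tags allowed nested in lodash templates", errors.first.message
 end
 
@@ -56,7 +56,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '[% if (foo) %]', errors.first.
+assert_equal '[% if (foo) %]', errors.first.location.source
 assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
 end
 
@@ -66,7 +66,7 @@ module BetterHtml
 EOF
 
 assert_equal 1, errors.size
-assert_equal '[% if (foo) %]', errors.first.
+assert_equal '[% if (foo) %]', errors.first.location.source
 assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
 end
 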
|
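--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: better_html
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.9
 platform: ruby
 authors:
 - Francois Chagnon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-11-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: erubi
@@ -52,6 +52,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '4.0'
+- !ruby/object:Gem::Dependency
+name: parser
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '2.4'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '2.4'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -102,7 +116,7 @@ files:
 - lib/better_html/test_helper/ruby_expr.rb
 - lib/better_html/test_helper/safe_erb_tester.rb
 - lib/better_html/test_helper/safe_lodash_tester.rb
-- lib/better_html/test_helper/
+- lib/better_html/test_helper/safety_error.rb
 - lib/better_html/tree.rb
 - lib/better_html/version.rb
 - lib/tasks/better_html_tasks.rake
@@ -110,6 +124,7 @@ files:
 - test/better_html/helpers_test.rb
 - test/better_html/node_iterator/html_erb_test.rb
 - test/better_html/node_iterator/html_lodash_test.rb
+- test/better_html/node_iterator/location_test.rb
 - test/better_html/node_iterator_test.rb
 - test/better_html/test_helper/ruby_expr_test.rb
 - test/better_html/test_helper/safe_erb_tester_test.rb
@@ -212,6 +227,7 @@ test_files:
 - test/test_helper.rb
 - test/better_html/helpers_test.rb
 - test/better_html/node_iterator_test.rb
+- test/better_html/node_iterator/location_test.rb
 - test/better_html/node_iterator/html_lodash_test.rb
 - test/better_html/node_iterator/html_erb_test.rb
 - test/better_html/better_erb/implementation_test.rb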
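--- a/data/lib/better_html/test_helper/safety_tester_base.rb
+++ b/data/lib/better_html/test_helper/safety_tester_base.rb
@@ -1,34 +0,0 @@
-module BetterHtml
-module TestHelper
-module SafetyTesterBase
-
-class SafetyError < InterpolatorError
-attr_reader :token
-
-def initialize(token, message)
-@token = token
-super(message)
-end
-end
-
-private
-
-def format_safety_error(data, error)
-loc = error.token.location
-s = "On line #{loc.line}\n"
-s << "#{error.message}\n"
-line = extract_line(data, loc.line)
-s << "#{line}\n"
-length = [[loc.stop - loc.start, line.length - loc.column].min, 1].max
-s << "#{' ' * loc.column}#{'^' * length}\n\n"
-s
-end
-
-def extract_line(data, line)
-line = data.lines[line-1]
-line.nil? ? "" : line.gsub(/\n$/, '')
-end
-
-end
-end
-end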