better_html 0.0.8 → 0.0.9

@@ -8,6 +8,9 @@ module BetterHtml
8
8
  BetterHtml.config
9
9
  .stubs(:javascript_safe_methods)
10
10
  .returns(['j', 'escape_javascript', 'to_json'])
11
+ BetterHtml.config
12
+ .stubs(:javascript_attribute_names)
13
+ .returns([/\Aon/i, 'data-eval'])
11
14
  end
12
15
 
13
16
  test "string without interpolation is safe" do
@@ -15,9 +18,7 @@ module BetterHtml
15
18
  <a onclick="alert('<%= "something" %>')">
16
19
  EOF
17
20
 
18
- assert_equal 1, errors.size
19
- assert_equal '<%= "something" %>', errors.first.token.text
20
- assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
21
+ assert_equal 0, errors.size
21
22
  end
22
23
 
23
24
  test "string with interpolation" do
@@ -26,7 +27,7 @@ module BetterHtml
26
27
  EOF
27
28
 
28
29
  assert_equal 1, errors.size
29
- assert_equal '<%= "hello #{name}" %>', errors.first.token.text
30
+ assert_equal '"hello #{name}"', errors.first.location.source
30
31
  assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
31
32
  end
32
33
 
@@ -37,10 +38,10 @@ module BetterHtml
37
38
 
38
39
  assert_equal 2, errors.size
39
40
 
40
- assert_equal '<%= "hello #{foo ? bar : baz}" if bla? %>', errors.first.token.text
41
+ assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
41
42
  assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
42
43
 
43
- assert_equal '<%= "hello #{foo ? bar : baz}" if bla? %>', errors.first.token.text
44
+ assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
44
45
  assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
45
46
  end
46
47
 
@@ -50,7 +51,7 @@ module BetterHtml
50
51
  EOF
51
52
 
52
53
  assert_equal 1, errors.size
53
- assert_equal '<%= unsafe %>', errors.first.token.text
54
+ assert_equal 'unsafe', errors.first.location.source
54
55
  assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
55
56
  end
56
57
 
@@ -74,7 +75,7 @@ module BetterHtml
74
75
  EOF
75
76
 
76
77
  assert_equal 1, errors.size
77
- assert_equal '<%= foo ? bar : j(baz) %>', errors.first.token.text
78
+ assert_equal 'foo ? bar : j(baz)', errors.first.location.source
78
79
  assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
79
80
  end
80
81
 
@@ -112,7 +113,7 @@ module BetterHtml
112
113
  EOF
113
114
 
114
115
  assert_equal 1, errors.size
115
- assert_equal '<%= unsafe.html_safe %>', errors.first.token.text
116
+ assert_equal 'unsafe.html_safe', errors.first.location.source
116
117
  assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
117
118
  end
118
119
 
@@ -122,7 +123,7 @@ module BetterHtml
122
123
  EOF
123
124
 
124
125
  assert_equal 1, errors.size
125
- assert_equal '<%= unsafe.to_json.html_safe %>', errors.first.token.text
126
+ assert_equal 'unsafe.to_json.html_safe', errors.first.location.source
126
127
  assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
127
128
  end
128
129
 
@@ -132,7 +133,7 @@ module BetterHtml
132
133
  EOF
133
134
 
134
135
  assert_equal 1, errors.size
135
- assert_equal '<%== unsafe %>', errors.first.token.text
136
+ assert_equal '<%== unsafe %>', errors.first.location.source
136
137
  assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
137
138
  end
138
139
 
@@ -142,7 +143,7 @@ module BetterHtml
142
143
  EOF
143
144
 
144
145
  assert_equal 1, errors.size
145
- assert_equal '<%== unsafe.to_json %>', errors.first.token.text
146
+ assert_equal '<%== unsafe.to_json %>', errors.first.location.source
146
147
  assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
147
148
  end
148
149
 
@@ -152,7 +153,7 @@ module BetterHtml
152
153
  EOF
153
154
 
154
155
  assert_equal 1, errors.size
155
- assert_equal '<%= raw unsafe %>', errors.first.token.text
156
+ assert_equal 'raw unsafe', errors.first.location.source
156
157
  assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
157
158
  end
158
159
 
@@ -162,7 +163,7 @@ module BetterHtml
162
163
  EOF
163
164
 
164
165
  assert_equal 1, errors.size
165
- assert_equal '<%= raw unsafe.to_json %>', errors.first.token.text
166
+ assert_equal 'raw unsafe.to_json', errors.first.location.source
166
167
  assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
167
168
  end
168
169
 
@@ -174,7 +175,7 @@ module BetterHtml
174
175
  EOF
175
176
 
176
177
  assert_equal 1, errors.size
177
- assert_equal '<%= unsafe %>', errors.first.token.text
178
+ assert_equal '<%= unsafe %>', errors.first.location.source
178
179
  assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
179
180
  end
180
181
 
@@ -184,7 +185,7 @@ module BetterHtml
184
185
  JS
185
186
 
186
187
  assert_equal 1, errors.size
187
- assert_equal '<%= unsafe %>', errors.first.token.text
188
+ assert_equal '<%= unsafe %>', errors.first.location.source
188
189
  assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
189
190
  end
190
191
 
@@ -196,7 +197,7 @@ module BetterHtml
196
197
  EOF
197
198
 
198
199
  assert_equal 1, errors.size
199
- assert_equal '<%= "unsafe" %>', errors.first.token.text
200
+ assert_equal '<%= "unsafe" %>', errors.first.location.source
200
201
  assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
201
202
  end
202
203
 
@@ -206,7 +207,7 @@ module BetterHtml
206
207
  JS
207
208
 
208
209
  assert_equal 1, errors.size
209
- assert_equal '<%= "unsafe" %>', errors.first.token.text
210
+ assert_equal '<%= "unsafe" %>', errors.first.location.source
210
211
  assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
211
212
  end
212
213
 
@@ -218,7 +219,7 @@ module BetterHtml
218
219
  EOF
219
220
 
220
221
  assert_equal 1, errors.size
221
- assert_equal '<%= javascript_tag do %>', errors.first.token.text
222
+ assert_equal '<%= javascript_tag do %>', errors.first.location.source
222
223
  assert_includes "'javascript_tag do' syntax is deprecated; use inline <script> instead", errors.first.message
223
224
  end
224
225
 
@@ -230,7 +231,7 @@ module BetterHtml
230
231
  EOF
231
232
 
232
233
  assert_equal 1, errors.size
233
- assert_equal '<%= unsafe %>', errors.first.token.text
234
+ assert_equal '<%= unsafe %>', errors.first.location.source
234
235
  assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
235
236
  end
236
237
 
@@ -254,7 +255,7 @@ module BetterHtml
254
255
  EOF
255
256
 
256
257
  assert_equal 1, errors.size
257
- assert_equal "<% if foo? %>", errors.first.token.text
258
+ assert_equal "<% if foo? %>", errors.first.location.source
258
259
  assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
259
260
  end
260
261
 
@@ -266,7 +267,7 @@ module BetterHtml
266
267
  JS
267
268
 
268
269
  assert_equal 1, errors.size
269
- assert_equal "<% if foo %>", errors.first.token.text
270
+ assert_equal "<% if foo %>", errors.first.location.source
270
271
  assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
271
272
  end
272
273
 
@@ -349,6 +350,46 @@ module BetterHtml
349
350
  assert_predicate errors, :empty?
350
351
  end
351
352
 
353
+ test "unsafe javascript methods in helper calls with new hash syntax" do
354
+ errors = parse(<<-EOF).errors
355
+ <%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
356
+ EOF
357
+
358
+ assert_equal 1, errors.size
359
+ assert_equal "\#{unsafe}", errors[0].location.source
360
+ assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors[0].message
361
+ end
362
+
363
+ test "unsafe javascript methods in helper calls with old hash syntax" do
364
+ errors = parse(<<-EOF).errors
365
+ <%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
366
+ EOF
367
+
368
+ assert_equal 1, errors.size
369
+ assert_equal "\#{unsafe}", errors.first.location.source
370
+ assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
371
+ end
372
+
373
+ test "unsafe javascript methods in helper calls with string as key" do
374
+ errors = parse(<<-EOF).errors
375
+ <%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
376
+ EOF
377
+
378
+ assert_equal 1, errors.size
379
+ assert_equal "\#{unsafe}", errors.first.location.source
380
+ assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
381
+ end
382
+
383
+ test "unsafe javascript methods in helper calls with nested data key" do
384
+ errors = parse(<<-EOF).errors
385
+ <%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
386
+ EOF
387
+
388
+ assert_equal 1, errors.size
389
+ assert_equal "\#{unsafe}", errors.first.location.source
390
+ assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
391
+ end
392
+
352
393
  private
353
394
  def parse(data, template_language: :html)
354
395
  SafeErbTester::Tester.new(data, template_language: template_language)
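Review bot: The hunk at @@ -15,9 +18,7 relaxes the check so that `<a onclick="alert('<%= "something" %>')">` now yields `0` errors, but the only evidence that the relaxation stops at constant literals is the separate `"hello #{name}"` case; nothing pins that a literal combined with runtime data (`"something" + unsafe`, `"%s" % unsafe`) is still reported. I would add one test per such form next to this one, e.g. `<a onclick="alert('<%= "a" + unsafe %>')">` asserting `1` error with the `must call '(...).to_json'` message, since the new expectation presumably rests on the expression being a plain string literal in the parsed Ruby — verify against the matcher. In the new helper-call tests at @@ -349,6 +350,46, `errors[0].location.source` in the first test should read `errors.first.location.source` to match the three that follow. Those tests cover only attribute keys written literally in the call; if an attribute hash passed through a variable or `**opts` falls outside the check, a short comment on the first of them saying so would keep the next reader from assuming the helper path is fully covered. The enclosing test class starts and ends outside the hunk.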
@@ -10,7 +10,7 @@ module BetterHtml
10
10
  EOF
11
11
 
12
12
  assert_equal 1, errors.size
13
- assert_equal '[%! foo %]', errors.first.token.text
13
+ assert_equal '[%! foo %]', errors.first.location.source
14
14
  assert_equal "lodash interpolation with '[%!' inside html attribute is never safe", errors.first.message
15
15
  end
16
16
 
@@ -28,7 +28,7 @@ module BetterHtml
28
28
  EOF
29
29
 
30
30
  assert_equal 1, errors.size
31
- assert_equal '[%= foo %]', errors.first.token.text
31
+ assert_equal '[%= foo %]', errors.first.location.source
32
32
  assert_equal "lodash interpolation in javascript attribute `onclick` must call `JSON.stringify(foo)`", errors.first.message
33
33
  end
34
34
 
@@ -46,7 +46,7 @@ module BetterHtml
46
46
  EOF
47
47
 
48
48
  assert_equal 1, errors.size
49
- assert_equal 'script', errors.first.token.text
49
+ assert_equal 'script', errors.first.location.source
50
50
  assert_equal "No script tags allowed nested in lodash templates", errors.first.message
51
51
  end
52
52
 
@@ -56,7 +56,7 @@ module BetterHtml
56
56
  EOF
57
57
 
58
58
  assert_equal 1, errors.size
59
- assert_equal '[% if (foo) %]', errors.first.token.text
59
+ assert_equal '[% if (foo) %]', errors.first.location.source
60
60
  assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
61
61
  end
62
62
 
@@ -66,7 +66,7 @@ module BetterHtml
66
66
  EOF
67
67
 
68
68
  assert_equal 1, errors.size
69
- assert_equal '[% if (foo) %]', errors.first.token.text
69
+ assert_equal '[% if (foo) %]', errors.first.location.source
70
70
  assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
71
71
  end
72
72
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: better_html
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.8
4
+ version: 0.0.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Francois Chagnon
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-10-31 00:00:00.000000000 Z
11
+ date: 2017-11-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: erubi
@@ -52,6 +52,20 @@ dependencies:
52
52
  - - ">="
53
53
  - !ruby/object:Gem::Version
54
54
  version: '4.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: parser
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '2.4'
62
+ type: :runtime
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '2.4'
55
69
  - !ruby/object:Gem::Dependency
56
70
  name: rake
57
71
  requirement: !ruby/object:Gem::Requirement
@@ -102,7 +116,7 @@ files:
102
116
  - lib/better_html/test_helper/ruby_expr.rb
103
117
  - lib/better_html/test_helper/safe_erb_tester.rb
104
118
  - lib/better_html/test_helper/safe_lodash_tester.rb
105
- - lib/better_html/test_helper/safety_tester_base.rb
119
+ - lib/better_html/test_helper/safety_error.rb
106
120
  - lib/better_html/tree.rb
107
121
  - lib/better_html/version.rb
108
122
  - lib/tasks/better_html_tasks.rake
@@ -110,6 +124,7 @@ files:
110
124
  - test/better_html/helpers_test.rb
111
125
  - test/better_html/node_iterator/html_erb_test.rb
112
126
  - test/better_html/node_iterator/html_lodash_test.rb
127
+ - test/better_html/node_iterator/location_test.rb
113
128
  - test/better_html/node_iterator_test.rb
114
129
  - test/better_html/test_helper/ruby_expr_test.rb
115
130
  - test/better_html/test_helper/safe_erb_tester_test.rb
@@ -212,6 +227,7 @@ test_files:
212
227
  - test/test_helper.rb
213
228
  - test/better_html/helpers_test.rb
214
229
  - test/better_html/node_iterator_test.rb
230
+ - test/better_html/node_iterator/location_test.rb
215
231
  - test/better_html/node_iterator/html_lodash_test.rb
216
232
  - test/better_html/node_iterator/html_erb_test.rb
217
233
  - test/better_html/better_erb/implementation_test.rb
@@ -1,34 +0,0 @@
1
- module BetterHtml
2
- module TestHelper
3
- module SafetyTesterBase
4
-
5
- class SafetyError < InterpolatorError
6
- attr_reader :token
7
-
8
- def initialize(token, message)
9
- @token = token
10
- super(message)
11
- end
12
- end
13
-
14
- private
15
-
16
- def format_safety_error(data, error)
17
- loc = error.token.location
18
- s = "On line #{loc.line}\n"
19
- s << "#{error.message}\n"
20
- line = extract_line(data, loc.line)
21
- s << "#{line}\n"
22
- length = [[loc.stop - loc.start, line.length - loc.column].min, 1].max
23
- s << "#{' ' * loc.column}#{'^' * length}\n\n"
24
- s
25
- end
26
-
27
- def extract_line(data, line)
28
- line = data.lines[line-1]
29
- line.nil? ? "" : line.gsub(/\n$/, '')
30
- end
31
-
32
- end
33
- end
34
- end