better_html 0.0.8 → 0.0.9

data/test/better_html/test_helper/safe_erb_tester_test.rb

@@ -8,6 +8,9 @@ module BetterHtml
         BetterHtml.config
           .stubs(:javascript_safe_methods)
           .returns(['j', 'escape_javascript', 'to_json'])
+        BetterHtml.config
+          .stubs(:javascript_attribute_names)
+          .returns([/\Aon/i, 'data-eval'])
       end
 
       test "string without interpolation is safe" do
@@ -15,9 +18,7 @@ module BetterHtml
           <a onclick="alert('<%= "something" %>')">
         EOF
 
-        assert_equal 1, errors.size
-        assert_equal '<%= "something" %>', errors.first.token.text
-        assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+        assert_equal 0, errors.size
       end
 
       test "string with interpolation" do
@@ -26,7 +27,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= "hello #{name}" %>', errors.first.token.text
+        assert_equal '"hello #{name}"', errors.first.location.source
         assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
       end
 
@@ -37,10 +38,10 @@ module BetterHtml
 
         assert_equal 2, errors.size
 
-        assert_equal '<%= "hello #{foo ? bar : baz}" if bla? %>', errors.first.token.text
+        assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
         assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
 
-        assert_equal '<%= "hello #{foo ? bar : baz}" if bla? %>', errors.first.token.text
+        assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
         assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
       end
 
@@ -50,7 +51,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe %>', errors.first.token.text
+        assert_equal 'unsafe', errors.first.location.source
         assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
       end
 
@@ -74,7 +75,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= foo ? bar : j(baz) %>', errors.first.token.text
+        assert_equal 'foo ? bar : j(baz)', errors.first.location.source
         assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
       end
 
@@ -112,7 +113,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe.html_safe %>', errors.first.token.text
+        assert_equal 'unsafe.html_safe', errors.first.location.source
         assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
       end
 
@@ -122,7 +123,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe.to_json.html_safe %>', errors.first.token.text
+        assert_equal 'unsafe.to_json.html_safe', errors.first.location.source
         assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
       end
 
@@ -132,7 +133,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%== unsafe %>', errors.first.token.text
+        assert_equal '<%== unsafe %>', errors.first.location.source
         assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
       end
 
@@ -142,7 +143,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%== unsafe.to_json %>', errors.first.token.text
+        assert_equal '<%== unsafe.to_json %>', errors.first.location.source
         assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
       end
 
@@ -152,7 +153,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= raw unsafe %>', errors.first.token.text
+        assert_equal 'raw unsafe', errors.first.location.source
         assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
       end
 
@@ -162,7 +163,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= raw unsafe.to_json %>', errors.first.token.text
+        assert_equal 'raw unsafe.to_json', errors.first.location.source
         assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
       end
 
@@ -174,7 +175,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe %>', errors.first.token.text
+        assert_equal '<%= unsafe %>', errors.first.location.source
         assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
       end
 
@@ -184,7 +185,7 @@ module BetterHtml
         JS
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe %>', errors.first.token.text
+        assert_equal '<%= unsafe %>', errors.first.location.source
         assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
       end
 
@@ -196,7 +197,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= "unsafe" %>', errors.first.token.text
+        assert_equal '<%= "unsafe" %>', errors.first.location.source
         assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
       end
 
@@ -206,7 +207,7 @@ module BetterHtml
         JS
 
         assert_equal 1, errors.size
-        assert_equal '<%= "unsafe" %>', errors.first.token.text
+        assert_equal '<%= "unsafe" %>', errors.first.location.source
         assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
       end
 
@@ -218,7 +219,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= javascript_tag do %>', errors.first.token.text
+        assert_equal '<%= javascript_tag do %>', errors.first.location.source
         assert_includes "'javascript_tag do' syntax is deprecated; use inline <script> instead", errors.first.message
       end
 
@@ -230,7 +231,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '<%= unsafe %>', errors.first.token.text
+        assert_equal '<%= unsafe %>', errors.first.location.source
         assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
       end
 
@@ -254,7 +255,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal "<% if foo? %>", errors.first.token.text
+        assert_equal "<% if foo? %>", errors.first.location.source
         assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
       end
 
@@ -266,7 +267,7 @@ module BetterHtml
         JS
 
         assert_equal 1, errors.size
-        assert_equal "<% if foo %>", errors.first.token.text
+        assert_equal "<% if foo %>", errors.first.location.source
         assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
       end
 
@@ -349,6 +350,46 @@ module BetterHtml
         assert_predicate errors, :empty?
       end
 
+      test "unsafe javascript methods in helper calls with new hash syntax" do
+        errors = parse(<<-EOF).errors
+          <%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
+        EOF
+
+        assert_equal 1, errors.size
+        assert_equal "\#{unsafe}", errors[0].location.source
+        assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors[0].message
+      end
+
+      test "unsafe javascript methods in helper calls with old hash syntax" do
+        errors = parse(<<-EOF).errors
+          <%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
+        EOF
+
+        assert_equal 1, errors.size
+        assert_equal "\#{unsafe}", errors.first.location.source
+        assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+      end
+
+      test "unsafe javascript methods in helper calls with string as key" do
+        errors = parse(<<-EOF).errors
+          <%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
+        EOF
+
+        assert_equal 1, errors.size
+        assert_equal "\#{unsafe}", errors.first.location.source
+        assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+      end
+
+      test "unsafe javascript methods in helper calls with nested data key" do
+        errors = parse(<<-EOF).errors
+          <%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
+        EOF
+
+        assert_equal 1, errors.size
+        assert_equal "\#{unsafe}", errors.first.location.source
+        assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
+      end
+
       private
       def parse(data, template_language: :html)
         SafeErbTester::Tester.new(data, template_language: template_language)

data/test/better_html/test_helper/safe_lodash_tester_test.rb

@@ -10,7 +10,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '[%! foo %]', errors.first.token.text
+        assert_equal '[%! foo %]', errors.first.location.source
         assert_equal "lodash interpolation with '[%!' inside html attribute is never safe", errors.first.message
       end
 
@@ -28,7 +28,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '[%= foo %]', errors.first.token.text
+        assert_equal '[%= foo %]', errors.first.location.source
         assert_equal "lodash interpolation in javascript attribute `onclick` must call `JSON.stringify(foo)`", errors.first.message
       end
 
@@ -46,7 +46,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal 'script', errors.first.token.text
+        assert_equal 'script', errors.first.location.source
         assert_equal "No script tags allowed nested in lodash templates", errors.first.message
       end
 
@@ -56,7 +56,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '[% if (foo) %]', errors.first.token.text
+        assert_equal '[% if (foo) %]', errors.first.location.source
         assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
       end
 
@@ -66,7 +66,7 @@ module BetterHtml
         EOF
 
         assert_equal 1, errors.size
-        assert_equal '[% if (foo) %]', errors.first.token.text
+        assert_equal '[% if (foo) %]', errors.first.location.source
         assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: better_html
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9
 platform: ruby
 authors:
 - Francois Chagnon
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-31 00:00:00.000000000 Z
+date: 2017-11-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.4'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,7 +116,7 @@ files:
 - lib/better_html/test_helper/ruby_expr.rb
 - lib/better_html/test_helper/safe_erb_tester.rb
 - lib/better_html/test_helper/safe_lodash_tester.rb
-- lib/better_html/test_helper/safety_tester_base.rb
+- lib/better_html/test_helper/safety_error.rb
 - lib/better_html/tree.rb
 - lib/better_html/version.rb
 - lib/tasks/better_html_tasks.rake
@@ -110,6 +124,7 @@ files:
 - test/better_html/helpers_test.rb
 - test/better_html/node_iterator/html_erb_test.rb
 - test/better_html/node_iterator/html_lodash_test.rb
+- test/better_html/node_iterator/location_test.rb
 - test/better_html/node_iterator_test.rb
 - test/better_html/test_helper/ruby_expr_test.rb
 - test/better_html/test_helper/safe_erb_tester_test.rb
@@ -212,6 +227,7 @@ test_files:
 - test/test_helper.rb
 - test/better_html/helpers_test.rb
 - test/better_html/node_iterator_test.rb
+- test/better_html/node_iterator/location_test.rb
 - test/better_html/node_iterator/html_lodash_test.rb
 - test/better_html/node_iterator/html_erb_test.rb
 - test/better_html/better_erb/implementation_test.rb

data/lib/better_html/test_helper/safety_tester_base.rb

@@ -1,34 +0,0 @@
-module BetterHtml
-  module TestHelper
-    module SafetyTesterBase
-
-      class SafetyError < InterpolatorError
-        attr_reader :token
-
-        def initialize(token, message)
-          @token = token
-          super(message)
-        end
-      end
-
-      private
-
-      def format_safety_error(data, error)
-        loc = error.token.location
-        s = "On line #{loc.line}\n"
-        s << "#{error.message}\n"
-        line = extract_line(data, loc.line)
-        s << "#{line}\n"
-        length = [[loc.stop - loc.start, line.length - loc.column].min, 1].max
-        s << "#{' ' * loc.column}#{'^' * length}\n\n"
-        s
-      end
-
-      def extract_line(data, line)
-        line = data.lines[line-1]
-        line.nil? ? "" : line.gsub(/\n$/, '')
-      end
-
-    end
-  end
-end