better_html 0.0.8 → 0.0.9
- checksums.yaml +4 -4
- data/lib/better_html/node_iterator/html_erb.rb +6 -3
- data/lib/better_html/node_iterator/html_lodash.rb +1 -1
- data/lib/better_html/node_iterator/javascript_erb.rb +8 -7
- data/lib/better_html/node_iterator/location.rb +38 -2
- data/lib/better_html/test_helper/ruby_expr.rb +89 -64
- data/lib/better_html/test_helper/safe_erb_tester.rb +134 -31
- data/lib/better_html/test_helper/safe_lodash_tester.rb +25 -12
- data/lib/better_html/test_helper/safety_error.rb +12 -0
- data/lib/better_html/version.rb +1 -1
- data/test/better_html/node_iterator/location_test.rb +36 -0
- data/test/better_html/test_helper/ruby_expr_test.rb +163 -86
- data/test/better_html/test_helper/safe_erb_tester_test.rb +63 -22
- data/test/better_html/test_helper/safe_lodash_tester_test.rb +5 -5
- metadata +19 -3
- data/lib/better_html/test_helper/safety_tester_base.rb +0 -34
@@ -8,6 +8,9 @@ module BetterHtml
|
|
8
8
|
BetterHtml.config
|
9
9
|
.stubs(:javascript_safe_methods)
|
10
10
|
.returns(['j', 'escape_javascript', 'to_json'])
|
11
|
+
BetterHtml.config
|
12
|
+
.stubs(:javascript_attribute_names)
|
13
|
+
.returns([/\Aon/i, 'data-eval'])
|
11
14
|
end
|
12
15
|
|
13
16
|
test "string without interpolation is safe" do
|
@@ -15,9 +18,7 @@ module BetterHtml
|
|
15
18
|
<a onclick="alert('<%= "something" %>')">
|
16
19
|
EOF
|
17
20
|
|
18
|
-
assert_equal
|
19
|
-
assert_equal '<%= "something" %>', errors.first.token.text
|
20
|
-
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
21
|
+
assert_equal 0, errors.size
|
21
22
|
end
|
22
23
|
|
23
24
|
test "string with interpolation" do
|
@@ -26,7 +27,7 @@ module BetterHtml
|
|
26
27
|
EOF
|
27
28
|
|
28
29
|
assert_equal 1, errors.size
|
29
|
-
assert_equal '
|
30
|
+
assert_equal '"hello #{name}"', errors.first.location.source
|
30
31
|
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
31
32
|
end
|
32
33
|
|
@@ -37,10 +38,10 @@ module BetterHtml
|
|
37
38
|
|
38
39
|
assert_equal 2, errors.size
|
39
40
|
|
40
|
-
assert_equal '
|
41
|
+
assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
|
41
42
|
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
42
43
|
|
43
|
-
assert_equal '
|
44
|
+
assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.first.location.source
|
44
45
|
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
45
46
|
end
|
46
47
|
|
@@ -50,7 +51,7 @@ module BetterHtml
|
|
50
51
|
EOF
|
51
52
|
|
52
53
|
assert_equal 1, errors.size
|
53
|
-
assert_equal '
|
54
|
+
assert_equal 'unsafe', errors.first.location.source
|
54
55
|
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
55
56
|
end
|
56
57
|
|
@@ -74,7 +75,7 @@ module BetterHtml
|
|
74
75
|
EOF
|
75
76
|
|
76
77
|
assert_equal 1, errors.size
|
77
|
-
assert_equal '
|
78
|
+
assert_equal 'foo ? bar : j(baz)', errors.first.location.source
|
78
79
|
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
79
80
|
end
|
80
81
|
|
@@ -112,7 +113,7 @@ module BetterHtml
|
|
112
113
|
EOF
|
113
114
|
|
114
115
|
assert_equal 1, errors.size
|
115
|
-
assert_equal '
|
116
|
+
assert_equal 'unsafe.html_safe', errors.first.location.source
|
116
117
|
assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
|
117
118
|
end
|
118
119
|
|
@@ -122,7 +123,7 @@ module BetterHtml
|
|
122
123
|
EOF
|
123
124
|
|
124
125
|
assert_equal 1, errors.size
|
125
|
-
assert_equal '
|
126
|
+
assert_equal 'unsafe.to_json.html_safe', errors.first.location.source
|
126
127
|
assert_equal "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe", errors.first.message
|
127
128
|
end
|
128
129
|
|
@@ -132,7 +133,7 @@ module BetterHtml
|
|
132
133
|
EOF
|
133
134
|
|
134
135
|
assert_equal 1, errors.size
|
135
|
-
assert_equal '<%== unsafe %>', errors.first.
|
136
|
+
assert_equal '<%== unsafe %>', errors.first.location.source
|
136
137
|
assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
|
137
138
|
end
|
138
139
|
|
@@ -142,7 +143,7 @@ module BetterHtml
|
|
142
143
|
EOF
|
143
144
|
|
144
145
|
assert_equal 1, errors.size
|
145
|
-
assert_equal '<%== unsafe.to_json %>', errors.first.
|
146
|
+
assert_equal '<%== unsafe.to_json %>', errors.first.location.source
|
146
147
|
assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
|
147
148
|
end
|
148
149
|
|
@@ -152,7 +153,7 @@ module BetterHtml
|
|
152
153
|
EOF
|
153
154
|
|
154
155
|
assert_equal 1, errors.size
|
155
|
-
assert_equal '
|
156
|
+
assert_equal 'raw unsafe', errors.first.location.source
|
156
157
|
assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
|
157
158
|
end
|
158
159
|
|
@@ -162,7 +163,7 @@ module BetterHtml
|
|
162
163
|
EOF
|
163
164
|
|
164
165
|
assert_equal 1, errors.size
|
165
|
-
assert_equal '
|
166
|
+
assert_equal 'raw unsafe.to_json', errors.first.location.source
|
166
167
|
assert_equal "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe", errors.first.message
|
167
168
|
end
|
168
169
|
|
@@ -174,7 +175,7 @@ module BetterHtml
|
|
174
175
|
EOF
|
175
176
|
|
176
177
|
assert_equal 1, errors.size
|
177
|
-
assert_equal '<%= unsafe %>', errors.first.
|
178
|
+
assert_equal '<%= unsafe %>', errors.first.location.source
|
178
179
|
assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
|
179
180
|
end
|
180
181
|
|
@@ -184,7 +185,7 @@ module BetterHtml
|
|
184
185
|
JS
|
185
186
|
|
186
187
|
assert_equal 1, errors.size
|
187
|
-
assert_equal '<%= unsafe %>', errors.first.
|
188
|
+
assert_equal '<%= unsafe %>', errors.first.location.source
|
188
189
|
assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
|
189
190
|
end
|
190
191
|
|
@@ -196,7 +197,7 @@ module BetterHtml
|
|
196
197
|
EOF
|
197
198
|
|
198
199
|
assert_equal 1, errors.size
|
199
|
-
assert_equal '<%= "unsafe" %>', errors.first.
|
200
|
+
assert_equal '<%= "unsafe" %>', errors.first.location.source
|
200
201
|
assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
|
201
202
|
end
|
202
203
|
|
@@ -206,7 +207,7 @@ module BetterHtml
|
|
206
207
|
JS
|
207
208
|
|
208
209
|
assert_equal 1, errors.size
|
209
|
-
assert_equal '<%= "unsafe" %>', errors.first.
|
210
|
+
assert_equal '<%= "unsafe" %>', errors.first.location.source
|
210
211
|
assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
|
211
212
|
end
|
212
213
|
|
@@ -218,7 +219,7 @@ module BetterHtml
|
|
218
219
|
EOF
|
219
220
|
|
220
221
|
assert_equal 1, errors.size
|
221
|
-
assert_equal '<%= javascript_tag do %>', errors.first.
|
222
|
+
assert_equal '<%= javascript_tag do %>', errors.first.location.source
|
222
223
|
assert_includes "'javascript_tag do' syntax is deprecated; use inline <script> instead", errors.first.message
|
223
224
|
end
|
224
225
|
|
@@ -230,7 +231,7 @@ module BetterHtml
|
|
230
231
|
EOF
|
231
232
|
|
232
233
|
assert_equal 1, errors.size
|
233
|
-
assert_equal '<%= unsafe %>', errors.first.
|
234
|
+
assert_equal '<%= unsafe %>', errors.first.location.source
|
234
235
|
assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
|
235
236
|
end
|
236
237
|
|
@@ -254,7 +255,7 @@ module BetterHtml
|
|
254
255
|
EOF
|
255
256
|
|
256
257
|
assert_equal 1, errors.size
|
257
|
-
assert_equal "<% if foo? %>", errors.first.
|
258
|
+
assert_equal "<% if foo? %>", errors.first.location.source
|
258
259
|
assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
|
259
260
|
end
|
260
261
|
|
@@ -266,7 +267,7 @@ module BetterHtml
|
|
266
267
|
JS
|
267
268
|
|
268
269
|
assert_equal 1, errors.size
|
269
|
-
assert_equal "<% if foo %>", errors.first.
|
270
|
+
assert_equal "<% if foo %>", errors.first.location.source
|
270
271
|
assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
|
271
272
|
end
|
272
273
|
|
@@ -349,6 +350,46 @@ module BetterHtml
|
|
349
350
|
assert_predicate errors, :empty?
|
350
351
|
end
|
351
352
|
|
353
|
+
test "unsafe javascript methods in helper calls with new hash syntax" do
|
354
|
+
errors = parse(<<-EOF).errors
|
355
|
+
<%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
|
356
|
+
EOF
|
357
|
+
|
358
|
+
assert_equal 1, errors.size
|
359
|
+
assert_equal "\#{unsafe}", errors[0].location.source
|
360
|
+
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors[0].message
|
361
|
+
end
|
362
|
+
|
363
|
+
test "unsafe javascript methods in helper calls with old hash syntax" do
|
364
|
+
errors = parse(<<-EOF).errors
|
365
|
+
<%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
|
366
|
+
EOF
|
367
|
+
|
368
|
+
assert_equal 1, errors.size
|
369
|
+
assert_equal "\#{unsafe}", errors.first.location.source
|
370
|
+
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
371
|
+
end
|
372
|
+
|
373
|
+
test "unsafe javascript methods in helper calls with string as key" do
|
374
|
+
errors = parse(<<-EOF).errors
|
375
|
+
<%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
|
376
|
+
EOF
|
377
|
+
|
378
|
+
assert_equal 1, errors.size
|
379
|
+
assert_equal "\#{unsafe}", errors.first.location.source
|
380
|
+
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
381
|
+
end
|
382
|
+
|
383
|
+
test "unsafe javascript methods in helper calls with nested data key" do
|
384
|
+
errors = parse(<<-EOF).errors
|
385
|
+
<%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
|
386
|
+
EOF
|
387
|
+
|
388
|
+
assert_equal 1, errors.size
|
389
|
+
assert_equal "\#{unsafe}", errors.first.location.source
|
390
|
+
assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.first.message
|
391
|
+
end
|
392
|
+
|
352
393
|
private
|
353
394
|
def parse(data, template_language: :html)
|
354
395
|
SafeErbTester::Tester.new(data, template_language: template_language)
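Review bot: In the ternary test (hunk `@@ -37,10 +38,10 @@`), `assert_equal 2, errors.size` is followed by two identical assertion pairs that both read `errors.first`, so the second reported error is never inspected and the test still passes if it points at a different location or carries a different message. The second pair should use the other receiver: `assert_equal '"hello #{foo ? bar : baz}" if bla?', errors.last.location.source` and `assert_equal "erb interpolation in javascript attribute must call '(...).to_json'", errors.last.message`. The heredoc input of that test starts above the hunk, so what the second error is expected to cover is not visible here; only the receiver needs to change. As a style point, the new "helper calls with new hash syntax" test reads `errors[0]` while every sibling test uses `errors.first`; `errors.first` would keep the file consistent.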
|
@@ -10,7 +10,7 @@ module BetterHtml
|
|
10
10
|
EOF
|
11
11
|
|
12
12
|
assert_equal 1, errors.size
|
13
|
-
assert_equal '[%! foo %]', errors.first.
|
13
|
+
assert_equal '[%! foo %]', errors.first.location.source
|
14
14
|
assert_equal "lodash interpolation with '[%!' inside html attribute is never safe", errors.first.message
|
15
15
|
end
|
16
16
|
|
@@ -28,7 +28,7 @@ module BetterHtml
|
|
28
28
|
EOF
|
29
29
|
|
30
30
|
assert_equal 1, errors.size
|
31
|
-
assert_equal '[%= foo %]', errors.first.
|
31
|
+
assert_equal '[%= foo %]', errors.first.location.source
|
32
32
|
assert_equal "lodash interpolation in javascript attribute `onclick` must call `JSON.stringify(foo)`", errors.first.message
|
33
33
|
end
|
34
34
|
|
@@ -46,7 +46,7 @@ module BetterHtml
|
|
46
46
|
EOF
|
47
47
|
|
48
48
|
assert_equal 1, errors.size
|
49
|
-
assert_equal 'script', errors.first.
|
49
|
+
assert_equal 'script', errors.first.location.source
|
50
50
|
assert_equal "No script tags allowed nested in lodash templates", errors.first.message
|
51
51
|
end
|
52
52
|
|
@@ -56,7 +56,7 @@ module BetterHtml
|
|
56
56
|
EOF
|
57
57
|
|
58
58
|
assert_equal 1, errors.size
|
59
|
-
assert_equal '[% if (foo) %]', errors.first.
|
59
|
+
assert_equal '[% if (foo) %]', errors.first.location.source
|
60
60
|
assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
|
61
61
|
end
|
62
62
|
|
@@ -66,7 +66,7 @@ module BetterHtml
|
|
66
66
|
EOF
|
67
67
|
|
68
68
|
assert_equal 1, errors.size
|
69
|
-
assert_equal '[% if (foo) %]', errors.first.
|
69
|
+
assert_equal '[% if (foo) %]', errors.first.location.source
|
70
70
|
assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
|
71
71
|
end
|
72
72
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: better_html
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.9
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Francois Chagnon
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-11-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: erubi
|
@@ -52,6 +52,20 @@ dependencies:
|
|
52
52
|
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '4.0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: parser
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - ">="
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '2.4'
|
62
|
+
type: :runtime
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - ">="
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '2.4'
|
55
69
|
- !ruby/object:Gem::Dependency
|
56
70
|
name: rake
|
57
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -102,7 +116,7 @@ files:
|
|
102
116
|
- lib/better_html/test_helper/ruby_expr.rb
|
103
117
|
- lib/better_html/test_helper/safe_erb_tester.rb
|
104
118
|
- lib/better_html/test_helper/safe_lodash_tester.rb
|
105
|
-
- lib/better_html/test_helper/
|
119
|
+
- lib/better_html/test_helper/safety_error.rb
|
106
120
|
- lib/better_html/tree.rb
|
107
121
|
- lib/better_html/version.rb
|
108
122
|
- lib/tasks/better_html_tasks.rake
|
@@ -110,6 +124,7 @@ files:
|
|
110
124
|
- test/better_html/helpers_test.rb
|
111
125
|
- test/better_html/node_iterator/html_erb_test.rb
|
112
126
|
- test/better_html/node_iterator/html_lodash_test.rb
|
127
|
+
- test/better_html/node_iterator/location_test.rb
|
113
128
|
- test/better_html/node_iterator_test.rb
|
114
129
|
- test/better_html/test_helper/ruby_expr_test.rb
|
115
130
|
- test/better_html/test_helper/safe_erb_tester_test.rb
|
@@ -212,6 +227,7 @@ test_files:
|
|
212
227
|
- test/test_helper.rb
|
213
228
|
- test/better_html/helpers_test.rb
|
214
229
|
- test/better_html/node_iterator_test.rb
|
230
|
+
- test/better_html/node_iterator/location_test.rb
|
215
231
|
- test/better_html/node_iterator/html_lodash_test.rb
|
216
232
|
- test/better_html/node_iterator/html_erb_test.rb
|
217
233
|
- test/better_html/better_erb/implementation_test.rb
|
@@ -1,34 +0,0 @@
|
|
1
|
-
module BetterHtml
|
2
|
-
module TestHelper
|
3
|
-
module SafetyTesterBase
|
4
|
-
|
5
|
-
class SafetyError < InterpolatorError
|
6
|
-
attr_reader :token
|
7
|
-
|
8
|
-
def initialize(token, message)
|
9
|
-
@token = token
|
10
|
-
super(message)
|
11
|
-
end
|
12
|
-
end
|
13
|
-
|
14
|
-
private
|
15
|
-
|
16
|
-
def format_safety_error(data, error)
|
17
|
-
loc = error.token.location
|
18
|
-
s = "On line #{loc.line}\n"
|
19
|
-
s << "#{error.message}\n"
|
20
|
-
line = extract_line(data, loc.line)
|
21
|
-
s << "#{line}\n"
|
22
|
-
length = [[loc.stop - loc.start, line.length - loc.column].min, 1].max
|
23
|
-
s << "#{' ' * loc.column}#{'^' * length}\n\n"
|
24
|
-
s
|
25
|
-
end
|
26
|
-
|
27
|
-
def extract_line(data, line)
|
28
|
-
line = data.lines[line-1]
|
29
|
-
line.nil? ? "" : line.gsub(/\n$/, '')
|
30
|
-
end
|
31
|
-
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|