better_html 1.0.1 → 1.0.2

data/test/better_html/test_helper/safe_erb/allowed_script_type_test.rb

@@ -0,0 +1,45 @@
+require 'test_helper'
+require 'better_html/test_helper/safe_erb/allowed_script_type'
+
+module BetterHtml
+  module TestHelper
+    module SafeErb
+      class AllowedScriptTypeTest < ActiveSupport::TestCase
+        setup do
+          @config = BetterHtml::Config.new(
+            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
+            javascript_attribute_names: [/\Aon/i, 'data-eval'],
+          )
+        end
+
+        test "allowed script type" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "disallowed script types" do
+          errors = validate(<<-EOF).errors
+            <script type="text/bogus">
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'type="text/bogus"', errors.first.location.source
+          assert_equal "text/bogus is not a valid type, valid types are text/javascript, text/template, text/html", errors.first.message
+        end
+
+        private
+        def validate(data, template_language: :html)
+          parser = BetterHtml::Parser.new(data, template_language: template_language)
+          tester = BetterHtml::TestHelper::SafeErb::AllowedScriptType.new(parser, config: @config)
+          tester.validate
+          tester
+        end
+      end
+    end
+  end
+end

data/test/better_html/test_helper/safe_erb/no_javascript_tag_helper_test.rb

@@ -0,0 +1,37 @@
+require 'test_helper'
+require 'better_html/test_helper/safe_erb/no_javascript_tag_helper'
+
+module BetterHtml
+  module TestHelper
+    module SafeErb
+      class NoJavascriptTagHelperTest < ActiveSupport::TestCase
+        setup do
+          @config = BetterHtml::Config.new(
+            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
+            javascript_attribute_names: [/\Aon/i, 'data-eval'],
+          )
+        end
+
+        test "javascript_tag helper is not allowed because it parses as text and unsafe erb cannot be detected" do
+          errors = validate(<<-EOF).errors
+            <%= javascript_tag do %>
+              if (a < 1) { <%= unsafe %> }
+            <% end %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%= javascript_tag do %>', errors.first.location.source
+          assert_includes "'javascript_tag do' syntax is deprecated; use inline <script> instead", errors.first.message
+        end
+
+        private
+        def validate(data, template_language: :html)
+          parser = BetterHtml::Parser.new(data, template_language: template_language)
+          tester = BetterHtml::TestHelper::SafeErb::NoJavascriptTagHelper.new(parser, config: @config)
+          tester.validate
+          tester
+        end
+      end
+    end
+  end
+end

data/test/better_html/test_helper/safe_erb/no_statements_test.rb

@@ -0,0 +1,128 @@
+require 'test_helper'
+require 'better_html/test_helper/safe_erb/no_statements'
+
+module BetterHtml
+  module TestHelper
+    module SafeErb
+      class NoStatementsTest < ActiveSupport::TestCase
+        setup do
+          @config = BetterHtml::Config.new(
+            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
+            javascript_attribute_names: [/\Aon/i, 'data-eval'],
+          )
+        end
+
+        test "<script> tag with non executable content type is ignored" do
+          errors = validate(<<-EOF).errors
+            <script type="text/html">
+              <a onclick="<%= unsafe %>">
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "statements not allowed in script tags" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              <% if foo? %>
+                bla
+              <% end %>
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "<% if foo? %>", errors.first.location.source
+          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
+        end
+
+        test "statements not allowed in script without specified type" do
+          errors = validate(<<-EOF).errors
+            <script>
+              <% if foo? %>
+                bla
+              <% end %>
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "<% if foo? %>", errors.first.location.source
+          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
+        end
+
+        test "statements not allowed in javascript template" do
+          errors = validate(<<-JS, template_language: :javascript).errors
+            <% if foo %>
+              bla
+            <% end %>
+          JS
+
+          assert_equal 1, errors.size
+          assert_equal "<% if foo %>", errors.first.location.source
+          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
+        end
+
+        test "erb comments allowed in scripts" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              <%# comment %>
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "script tag without content" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript"></script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "statement after script regression" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              foo()
+            </script>
+            <% if condition? %>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "end statements are allowed in script tags" do
+          errors = validate(<<-EOF).errors
+            <script type="text/template">
+              <%= ui_form do %>
+                <div></div>
+              <% end %>
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "statements are allowed in text/html tags" do
+          errors = validate(<<-EOF).errors
+            <script type="text/html">
+              <% if condition? %>
+                <div></div>
+              <% end %>
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        private
+        def validate(data, template_language: :html)
+          parser = BetterHtml::Parser.new(data, template_language: template_language)
+          tester = BetterHtml::TestHelper::SafeErb::NoStatements.new(parser, config: @config)
+          tester.validate
+          tester
+        end
+      end
+    end
+  end
+end

data/test/better_html/test_helper/safe_erb/script_interpolation_test.rb

@@ -0,0 +1,149 @@
+require 'test_helper'
+require 'better_html/test_helper/safe_erb/script_interpolation'
+
+module BetterHtml
+  module TestHelper
+    module SafeErb
+      class ScriptInterpolationTest < ActiveSupport::TestCase
+        setup do
+          @config = BetterHtml::Config.new(
+            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
+            javascript_attribute_names: [/\Aon/i, 'data-eval'],
+          )
+        end
+
+        test "multi line erb comments in text" do
+          errors = validate(<<-EOF).errors
+            text
+            <%#
+               this is a nice comment
+               !@\#{$%?&*()}
+            %>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "multi line erb comments in html attribute" do
+          errors = validate(<<-EOF).errors
+            <div title="
+              <%#
+                 this is a comment right in the middle of an attribute for some reason
+              %>
+              ">
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "unsafe erb in <script> tag without type" do
+          errors = validate(<<-EOF).errors
+            <script>
+              if (a < 1) { <%= unsafe %> }
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%= unsafe %>', errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        test "unsafe erb in javascript template" do
+          errors = validate(<<-JS, template_language: :javascript).errors
+            if (a < 1) { <%= unsafe %> }
+          JS
+
+          assert_equal 1, errors.size
+          assert_equal '<%= unsafe %>', errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        test "<script> tag without calls is unsafe" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              if (a < 1) { <%= "unsafe" %> }
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%= "unsafe" %>', errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        test "javascript template without calls is unsafe" do
+          errors = validate(<<-JS, template_language: :javascript).errors
+            if (a < 1) { <%= "unsafe" %> }
+          JS
+
+          assert_equal 1, errors.size
+          assert_equal '<%= "unsafe" %>', errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        test "unsafe erb in <script> tag with text/javascript content type" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              if (a < 1) { <%= unsafe %> }
+            </script>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%= unsafe %>', errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        test "<script> with to_json is safe" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              <%= unsafe.to_json %>
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "javascript template with to_json is safe" do
+          errors = validate(<<-JS, template_language: :javascript).errors
+            <%= unsafe.to_json %>
+          JS
+
+          assert_predicate errors, :empty?
+        end
+
+        test "<script> with raw and to_json is safe" do
+          errors = validate(<<-EOF).errors
+            <script type="text/javascript">
+              <%= raw unsafe.to_json %>
+            </script>
+          EOF
+
+          assert_predicate errors, :empty?
+        end
+
+        test "javascript template with raw and to_json is safe" do
+          errors = validate(<<-JS, template_language: :javascript).errors
+            <%= raw unsafe.to_json %>
+          JS
+
+          assert_predicate errors, :empty?
+        end
+
+        test "ivar missing .to_json is unsafe" do
+          errors = validate('<script><%= @feature.html_safe %></script>').errors
+
+          assert_equal 1, errors.size
+          assert_equal "<%= @feature.html_safe %>", errors.first.location.source
+          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
+        end
+
+        private
+        def validate(data, template_language: :html)
+          parser = BetterHtml::Parser.new(data, template_language: template_language)
+          tester = BetterHtml::TestHelper::SafeErb::ScriptInterpolation.new(parser, config: @config)
+          tester.validate
+          tester
+        end
+      end
+    end
+  end
+end

data/test/better_html/test_helper/safe_erb/tag_interpolation_test.rb

@@ -0,0 +1,295 @@
+require 'test_helper'
+require 'better_html/test_helper/safe_erb/tag_interpolation'
+
+module BetterHtml
+  module TestHelper
+    module SafeErb
+      class TagInterpolationTest < ActiveSupport::TestCase
+        setup do
+          @config = BetterHtml::Config.new(
+            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
+            javascript_attribute_names: [/\Aon/i, 'data-eval'],
+          )
+        end
+
+        test "raw in <script> tag" do
+          errors = validate(<<-EOF).errors
+            <script>var myData = <%= raw(foo.to_json) %>;</script>
+          EOF
+
+          assert_equal 0, errors.size
+        end
+
+        test "html_safe in <script> tag" do
+          errors = validate(<<-EOF).errors
+            <script>var myData = <%= foo.to_json.html_safe %>;</script>
+          EOF
+
+          assert_equal 0, errors.size
+        end
+
+        test "<%== in <script> tag" do
+          errors = validate(<<-EOF).errors
+            <script>var myData = <%== foo.to_json %>;</script>
+          EOF
+
+          assert_equal 0, errors.size
+        end
+
+        test "string without interpolation is safe" do
+          errors = validate(<<-EOF).errors
+            <a onclick="alert('<%= "something" %>')">
+          EOF
+
+          assert_equal 0, errors.size
+        end
+
+        test "string with interpolation" do
+          errors = validate(<<-EOF).errors
+            <a onclick="<%= "hello \#{name}" %>">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'name', errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "string with interpolation and ternary" do
+          errors = validate(<<-EOF).errors
+            <a onclick="<%= "hello \#{foo ? bar : baz}" if bla? %>">
+          EOF
+
+          assert_equal 2, errors.size
+
+          assert_equal 'bar', errors[0].location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[0].message
+
+          assert_equal 'baz', errors[1].location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
+        end
+
+        test "plain erb tag in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= unsafe %>)">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'unsafe', errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "to_json is safe in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= unsafe.to_json %>)">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "ternary with safe javascript escaping" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= foo ? bar.to_json : j(baz) %>)">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "ternary with unsafe javascript escaping" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= foo ? bar : j(baz) %>)">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'bar', errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "j is safe in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method('<%= j unsafe %>')">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "j() is safe in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method('<%= j(unsafe) %>')">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "escape_javascript is safe in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= escape_javascript unsafe %>)">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "escape_javascript() is safe in html attribute" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= escape_javascript(unsafe) %>)">
+          EOF
+          assert_predicate errors, :empty?
+        end
+
+        test "html_safe is never safe in html attribute, even non javascript attributes like href" do
+          errors = validate(<<-EOF).errors
+            <a href="<%= unsafe.html_safe %>">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'unsafe.html_safe', errors.first.location.source
+          assert_equal "erb interpolation with '<%= (...).html_safe %>' in this context is never safe", errors.first.message
+        end
+
+        test "html_safe is never safe in html attribute, even with to_json" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= unsafe.to_json.html_safe %>)">
+          EOF
+
+          assert_equal 2, errors.size
+          assert_equal 'unsafe.to_json.html_safe', errors[0].location.source
+          assert_equal "erb interpolation with '<%= (...).html_safe %>' in this context is never safe", errors[0].message
+          assert_equal 'unsafe.to_json.html_safe', errors[1].location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
+        end
+
+        test "<%== is never safe in html attribute, even non javascript attributes like href" do
+          errors = validate(<<-EOF).errors
+            <a href="<%== unsafe %>">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%== unsafe %>', errors.first.location.source
+          assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
+        end
+
+        test "<%== is never safe in html attribute, even with to_json" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%== unsafe.to_json %>)">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal '<%== unsafe.to_json %>', errors.first.location.source
+          assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
+        end
+
+        test "raw is never safe in html attribute, even non javascript attributes like href" do
+          errors = validate(<<-EOF).errors
+            <a href="<%= raw unsafe %>">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal 'raw unsafe', errors.first.location.source
+          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
+        end
+
+        test "raw is never safe in html attribute, even with to_json" do
+          errors = validate(<<-EOF).errors
+            <a onclick="method(<%= raw unsafe.to_json %>)">
+          EOF
+
+          assert_equal 2, errors.size
+          assert_equal 'raw unsafe.to_json', errors[0].location.source
+          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors[0].message
+          assert_equal 'raw unsafe.to_json', errors[1].location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
+        end
+
+        test "unsafe javascript methods in helper calls with new hash syntax" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors[0].location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[0].message
+        end
+
+        test "unsafe javascript methods in helper calls with old hash syntax" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "unsafe javascript methods in helper calls with more than one level of nested hash and :dstr" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, inner_html: { onclick: "foo \#{unsafe}" }) %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "safe javascript methods in helper calls with more than one level of nested hash and :dstr" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, inner_html: { onclick: "foo \#{unsafe.to_json}" }) %>
+          EOF
+
+          assert_equal 0, errors.size
+        end
+
+        test "unsafe javascript methods in helper calls with string as key" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "unsafe javascript methods in helper calls with nested data key" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "unsafe javascript methods in helper calls with more than one level of nested data key" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, inner_html: { data: { eval: "alert(\#{unsafe})" } }) %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "unsafe", errors.first.location.source
+          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
+        end
+
+        test "using raw anywhere in helpers" do
+          errors = validate(<<-EOF).errors
+            <%= ui_my_helper(:foo, help_text: raw("foo")) %>
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "ui_my_helper(:foo, help_text: raw(\"foo\"))", errors.first.location.source
+          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
+        end
+
+        test "using raw anywhere in html tags" do
+          errors = validate(<<-EOF).errors
+            <a "<%= raw("hello") %>">
+          EOF
+
+          assert_equal 1, errors.size
+          assert_equal "raw(\"hello\")", errors.first.location.source
+          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
+        end
+
+        private
+        def validate(data, template_language: :html)
+          parser = BetterHtml::Parser.new(data, template_language: template_language)
+          tester = BetterHtml::TestHelper::SafeErb::TagInterpolation.new(parser, config: @config)
+          tester.validate
+          tester
+        end
+      end
+    end
+  end
+end