better_html 1.0.15 → 2.0.1

data/test/better_html/test_helper/safe_erb/no_statements_test.rb

@@ -1,129 +0,0 @@
-require 'test_helper'
-require 'better_html/parser'
-require 'better_html/test_helper/safe_erb/no_statements'
-
-module BetterHtml
-  module TestHelper
-    module SafeErb
-      class NoStatementsTest < ActiveSupport::TestCase
-        setup do
-          @config = BetterHtml::Config.new(
-            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
-            javascript_attribute_names: [/\Aon/i, 'data-eval'],
-          )
-        end
-
-        test "<script> tag with non executable content type is ignored" do
-          errors = validate(<<-EOF).errors
-            <script type="text/html">
-              <a onclick="<%= unsafe %>">
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "statements not allowed in script tags" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              <% if foo? %>
-                bla
-              <% end %>
-            </script>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "<% if foo? %>", errors.first.location.source
-          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
-        end
-
-        test "statements not allowed in script without specified type" do
-          errors = validate(<<-EOF).errors
-            <script>
-              <% if foo? %>
-                bla
-              <% end %>
-            </script>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "<% if foo? %>", errors.first.location.source
-          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
-        end
-
-        test "statements not allowed in javascript template" do
-          errors = validate(<<-JS, template_language: :javascript).errors
-            <% if foo %>
-              bla
-            <% end %>
-          JS
-
-          assert_equal 1, errors.size
-          assert_equal "<% if foo %>", errors.first.location.source
-          assert_equal "erb statement not allowed here; did you mean '<%=' ?", errors.first.message
-        end
-
-        test "erb comments allowed in scripts" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              <%# comment %>
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "script tag without content" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript"></script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "statement after script regression" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              foo()
-            </script>
-            <% if condition? %>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "end statements are allowed in script tags" do
-          errors = validate(<<-EOF).errors
-            <script type="text/template">
-              <%= ui_form do %>
-                <div></div>
-              <% end %>
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "statements are allowed in text/html tags" do
-          errors = validate(<<-EOF).errors
-            <script type="text/html">
-              <% if condition? %>
-                <div></div>
-              <% end %>
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        private
-        def validate(data, template_language: :html)
-          parser = BetterHtml::Parser.new(buffer(data), template_language: template_language)
-          tester = BetterHtml::TestHelper::SafeErb::NoStatements.new(parser, config: @config)
-          tester.validate
-          tester
-        end
-      end
-    end
-  end
-end

data/test/better_html/test_helper/safe_erb/script_interpolation_test.rb

@@ -1,149 +0,0 @@
-require 'test_helper'
-require 'better_html/test_helper/safe_erb/script_interpolation'
-
-module BetterHtml
-  module TestHelper
-    module SafeErb
-      class ScriptInterpolationTest < ActiveSupport::TestCase
-        setup do
-          @config = BetterHtml::Config.new(
-            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
-            javascript_attribute_names: [/\Aon/i, 'data-eval'],
-          )
-        end
-
-        test "multi line erb comments in text" do
-          errors = validate(<<-EOF).errors
-            text
-            <%#
-               this is a nice comment
-               !@\#{$%?&*()}
-            %>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "multi line erb comments in html attribute" do
-          errors = validate(<<-EOF).errors
-            <div title="
-              <%#
-                 this is a comment right in the middle of an attribute for some reason
-              %>
-              ">
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "unsafe erb in <script> tag without type" do
-          errors = validate(<<-EOF).errors
-            <script>
-              if (a < 1) { <%= unsafe %> }
-            </script>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal '<%= unsafe %>', errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        test "unsafe erb in javascript template" do
-          errors = validate(<<-JS, template_language: :javascript).errors
-            if (a < 1) { <%= unsafe %> }
-          JS
-
-          assert_equal 1, errors.size
-          assert_equal '<%= unsafe %>', errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        test "<script> tag without calls is unsafe" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              if (a < 1) { <%= "unsafe" %> }
-            </script>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal '<%= "unsafe" %>', errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        test "javascript template without calls is unsafe" do
-          errors = validate(<<-JS, template_language: :javascript).errors
-            if (a < 1) { <%= "unsafe" %> }
-          JS
-
-          assert_equal 1, errors.size
-          assert_equal '<%= "unsafe" %>', errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        test "unsafe erb in <script> tag with text/javascript content type" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              if (a < 1) { <%= unsafe %> }
-            </script>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal '<%= unsafe %>', errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        test "<script> with to_json is safe" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              <%= unsafe.to_json %>
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "javascript template with to_json is safe" do
-          errors = validate(<<-JS, template_language: :javascript).errors
-            <%= unsafe.to_json %>
-          JS
-
-          assert_predicate errors, :empty?
-        end
-
-        test "<script> with raw and to_json is safe" do
-          errors = validate(<<-EOF).errors
-            <script type="text/javascript">
-              <%= raw unsafe.to_json %>
-            </script>
-          EOF
-
-          assert_predicate errors, :empty?
-        end
-
-        test "javascript template with raw and to_json is safe" do
-          errors = validate(<<-JS, template_language: :javascript).errors
-            <%= raw unsafe.to_json %>
-          JS
-
-          assert_predicate errors, :empty?
-        end
-
-        test "ivar missing .to_json is unsafe" do
-          errors = validate('<script><%= @feature.html_safe %></script>').errors
-
-          assert_equal 1, errors.size
-          assert_equal "<%= @feature.html_safe %>", errors.first.location.source
-          assert_equal "erb interpolation in javascript tag must call '(...).to_json'", errors.first.message
-        end
-
-        private
-        def validate(data, template_language: :html)
-          parser = BetterHtml::Parser.new(buffer(data), template_language: template_language)
-          tester = BetterHtml::TestHelper::SafeErb::ScriptInterpolation.new(parser, config: @config)
-          tester.validate
-          tester
-        end
-      end
-    end
-  end
-end

data/test/better_html/test_helper/safe_erb/tag_interpolation_test.rb

@@ -1,303 +0,0 @@
-require 'test_helper'
-require 'better_html/test_helper/safe_erb/tag_interpolation'
-
-module BetterHtml
-  module TestHelper
-    module SafeErb
-      class TagInterpolationTest < ActiveSupport::TestCase
-        setup do
-          @config = BetterHtml::Config.new(
-            javascript_safe_methods: ['j', 'escape_javascript', 'to_json'],
-            javascript_attribute_names: [/\Aon/i, 'data-eval'],
-          )
-        end
-
-        test "raw in <script> tag" do
-          errors = validate(<<-EOF).errors
-            <script>var myData = <%= raw(foo.to_json) %>;</script>
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "raw in <style> tag" do
-          errors = validate(<<-EOF).errors
-            <style>@import url(<%= raw url_for("all.css") %>);</style>
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "html_safe in <script> tag" do
-          errors = validate(<<-EOF).errors
-            <script>var myData = <%= foo.to_json.html_safe %>;</script>
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "<%== in <script> tag" do
-          errors = validate(<<-EOF).errors
-            <script>var myData = <%== foo.to_json %>;</script>
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "string without interpolation is safe" do
-          errors = validate(<<-EOF).errors
-            <a onclick="alert('<%= "something" %>')">
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "string with interpolation" do
-          errors = validate(<<-EOF).errors
-            <a onclick="<%= "hello \#{name}" %>">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal 'name', errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "string with interpolation and ternary" do
-          errors = validate(<<-EOF).errors
-            <a onclick="<%= "hello \#{foo ? bar : baz}" if bla? %>">
-          EOF
-
-          assert_equal 2, errors.size
-
-          assert_equal 'bar', errors[0].location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[0].message
-
-          assert_equal 'baz', errors[1].location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
-        end
-
-        test "plain erb tag in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= unsafe %>)">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal 'unsafe', errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "to_json is safe in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= unsafe.to_json %>)">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "ternary with safe javascript escaping" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= foo ? bar.to_json : j(baz) %>)">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "ternary with unsafe javascript escaping" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= foo ? bar : j(baz) %>)">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal 'bar', errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "j is safe in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method('<%= j unsafe %>')">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "j() is safe in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method('<%= j(unsafe) %>')">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "escape_javascript is safe in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= escape_javascript unsafe %>)">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "escape_javascript() is safe in html attribute" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= escape_javascript(unsafe) %>)">
-          EOF
-          assert_predicate errors, :empty?
-        end
-
-        test "html_safe is never safe in html attribute, even non javascript attributes like href" do
-          errors = validate(<<-EOF).errors
-            <a href="<%= unsafe.html_safe %>">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal 'unsafe.html_safe', errors.first.location.source
-          assert_equal "erb interpolation with '<%= (...).html_safe %>' in this context is never safe", errors.first.message
-        end
-
-        test "html_safe is never safe in html attribute, even with to_json" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= unsafe.to_json.html_safe %>)">
-          EOF
-
-          assert_equal 2, errors.size
-          assert_equal 'unsafe.to_json.html_safe', errors[0].location.source
-          assert_equal "erb interpolation with '<%= (...).html_safe %>' in this context is never safe", errors[0].message
-          assert_equal 'unsafe.to_json.html_safe', errors[1].location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
-        end
-
-        test "<%== is never safe in html attribute, even non javascript attributes like href" do
-          errors = validate(<<-EOF).errors
-            <a href="<%== unsafe %>">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal '<%== unsafe %>', errors.first.location.source
-          assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
-        end
-
-        test "<%== is never safe in html attribute, even with to_json" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%== unsafe.to_json %>)">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal '<%== unsafe.to_json %>', errors.first.location.source
-          assert_includes "erb interpolation with '<%==' inside html attribute is never safe", errors.first.message
-        end
-
-        test "raw is never safe in html attribute, even non javascript attributes like href" do
-          errors = validate(<<-EOF).errors
-            <a href="<%= raw unsafe %>">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal 'raw unsafe', errors.first.location.source
-          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
-        end
-
-        test "raw is never safe in html attribute, even with to_json" do
-          errors = validate(<<-EOF).errors
-            <a onclick="method(<%= raw unsafe.to_json %>)">
-          EOF
-
-          assert_equal 2, errors.size
-          assert_equal 'raw unsafe.to_json', errors[0].location.source
-          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors[0].message
-          assert_equal 'raw unsafe.to_json', errors[1].location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[1].message
-        end
-
-        test "unsafe javascript methods in helper calls with new hash syntax" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, onclick: "alert(\#{unsafe})", onmouseover: "alert(\#{unsafe.to_json})") %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors[0].location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors[0].message
-        end
-
-        test "unsafe javascript methods in helper calls with old hash syntax" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, :onclick => "alert(\#{unsafe})") %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "unsafe javascript methods in helper calls with more than one level of nested hash and :dstr" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, inner_html: { onclick: "foo \#{unsafe}" }) %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "safe javascript methods in helper calls with more than one level of nested hash and :dstr" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, inner_html: { onclick: "foo \#{unsafe.to_json}" }) %>
-          EOF
-
-          assert_equal 0, errors.size
-        end
-
-        test "unsafe javascript methods in helper calls with string as key" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, 'data-eval' => "alert(\#{unsafe})") %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "unsafe javascript methods in helper calls with nested data key" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, data: { eval: "alert(\#{unsafe})" }) %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "unsafe javascript methods in helper calls with more than one level of nested data key" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, inner_html: { data: { eval: "alert(\#{unsafe})" } }) %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "unsafe", errors.first.location.source
-          assert_equal "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'", errors.first.message
-        end
-
-        test "using raw anywhere in helpers" do
-          errors = validate(<<-EOF).errors
-            <%= ui_my_helper(:foo, help_text: raw("foo")) %>
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "ui_my_helper(:foo, help_text: raw(\"foo\"))", errors.first.location.source
-          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
-        end
-
-        test "using raw anywhere in html tags" do
-          errors = validate(<<-EOF).errors
-            <a "<%= raw("hello") %>">
-          EOF
-
-          assert_equal 1, errors.size
-          assert_equal "raw(\"hello\")", errors.first.location.source
-          assert_equal "erb interpolation with '<%= raw(...) %>' in this context is never safe", errors.first.message
-        end
-
-        private
-        def validate(data, template_language: :html)
-          parser = BetterHtml::Parser.new(buffer(data), template_language: template_language)
-          tester = BetterHtml::TestHelper::SafeErb::TagInterpolation.new(parser, config: @config)
-          tester.validate
-          tester
-        end
-      end
-    end
-  end
-end

data/test/better_html/test_helper/safe_lodash_tester_test.rb

@@ -1,90 +0,0 @@
-require 'test_helper'
-require 'better_html/test_helper/safe_lodash_tester'
-
-module BetterHtml
-  module TestHelper
-    class SafeLodashTesterTest < ActiveSupport::TestCase
-      test "interpolate in attribute not allowed" do
-        errors = parse(<<-EOF).errors
-          <div class="[%! foo %]">
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '[%! foo %]', errors.first.location.source
-        assert_equal "lodash interpolation with '[%!' inside html attribute is never safe", errors.first.message
-      end
-
-      test "escape in attribute is allowed" do
-        errors = parse(<<-EOF).errors
-          <div class="[%= foo %]">
-        EOF
-
-        assert_predicate errors, :empty?
-      end
-
-      test "escape in javascript attribute not allowed" do
-        errors = parse(<<-EOF).errors
-          <div onclick="[%= foo %]">
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '[%= foo %]', errors.first.location.source
-        assert_equal "lodash interpolation in javascript attribute `onclick` must call `JSON.stringify(foo)`", errors.first.message
-      end
-
-      test "escape in javascript attribute with JSON.stringify is allowed" do
-        errors = parse(<<-EOF).errors
-          <div onclick="[%= JSON.stringify(foo) %]">
-        EOF
-
-        assert_predicate errors, :empty?
-      end
-
-      test "script tag is not allowed" do
-        errors = parse(<<-EOF).errors
-          <script type="text/javascript"></script>
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '<script type="text/javascript">', errors.first.location.source
-        assert_equal "No script tags allowed nested in lodash templates", errors.first.message
-      end
-
-      test "script tag names are unescaped" do
-        errors = parse(<<-EOF).errors
-          <script type="text/j&#x61;v&#x61;script"></script>
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '<script type="text/j&#x61;v&#x61;script">', errors.first.location.source
-        assert_equal "No script tags allowed nested in lodash templates", errors.first.message
-      end
-
-      test "statement not allowed in attribute name" do
-        errors = parse(<<-EOF).errors
-          <div class[% if (foo) %]="foo">
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '[% if (foo) %]', errors.first.location.source
-        assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
-      end
-
-      test "statement not allowed in attribute value" do
-        errors = parse(<<-EOF).errors
-          <div class="foo[% if (foo) %]">
-        EOF
-
-        assert_equal 1, errors.size
-        assert_equal '[% if (foo) %]', errors.first.location.source
-        assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
-      end
-
-      private
-
-      def parse(data)
-        SafeLodashTester::Tester.new(buffer(data))
-      end
-    end
-  end
-end