loofah-activerecord 1.0.0 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- data/.gemtest +0 -0
- data/CHANGELOG.rdoc +8 -1
- data/Gemfile +19 -1
- data/Manifest.txt +3 -3
- data/README.rdoc +24 -21
- data/Rakefile +7 -8
- data/lib/loofah-activerecord.rb +6 -6
- data/lib/{loofah-activerecord → loofah/activerecord}/active_record.rb +0 -0
- data/lib/{loofah-activerecord → loofah/activerecord}/railtie.rb +2 -2
- data/lib/{loofah-activerecord → loofah/activerecord}/xss_foliate.rb +28 -4
- data/rails_test/Rakefile +102 -47
- data/rails_test/generate_test_directory +1 -1
- data/test/helper.rb +13 -3
- data/test/unit/test_active_record.rb +34 -38
- data/test/unit/test_xss_foliate.rb +66 -66
- metadata +178 -144
data/test/helper.rb
CHANGED
|
@@ -1,9 +1,19 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
3
|
-
require '
|
|
4
|
-
require '
|
|
2
|
+
require 'rr'
|
|
3
|
+
require 'minitest/unit'
|
|
4
|
+
require 'minitest/spec'
|
|
5
|
+
require 'minitest/autorun'
|
|
5
6
|
require 'acts_as_fu'
|
|
7
|
+
|
|
6
8
|
require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah-activerecord"))
|
|
7
9
|
|
|
8
10
|
puts "=> testing with Nokogiri #{Nokogiri::VERSION_INFO.inspect}"
|
|
9
11
|
puts "=> testing with Loofah #{Loofah::VERSION}"
|
|
12
|
+
|
|
13
|
+
class Loofah::ActiveRecord::TestCase < MiniTest::Spec
|
|
14
|
+
include RR::Adapters::TestUnit
|
|
15
|
+
|
|
16
|
+
class << self
|
|
17
|
+
alias_method :context, :describe
|
|
18
|
+
end
|
|
19
|
+
end
|
|
@@ -1,12 +1,12 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class TestActiveRecord <
|
|
3
|
+
class TestActiveRecord < Loofah::ActiveRecord::TestCase
|
|
4
4
|
|
|
5
5
|
HTML_STRING = "<div>omgwtfbbq</div>"
|
|
6
6
|
PLAIN_TEXT = "vanilla text"
|
|
7
7
|
|
|
8
8
|
context "with a Post model" do
|
|
9
|
-
|
|
9
|
+
before do
|
|
10
10
|
ActsAsFu.build_model(:posts) do
|
|
11
11
|
string :plain_text
|
|
12
12
|
string :html_string
|
|
@@ -15,24 +15,24 @@ class TestActiveRecord < Test::Unit::TestCase
|
|
|
15
15
|
|
|
16
16
|
context "scrubbing a single field as a fragment" do
|
|
17
17
|
context "using a symbol to indicate the attribute" do
|
|
18
|
-
|
|
18
|
+
before do
|
|
19
19
|
Post.html_fragment :html_string, :scrub => :prune
|
|
20
20
|
assert ! Post.xss_foliated?
|
|
21
21
|
@post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
|
|
25
|
-
Loofah.
|
|
26
|
-
Loofah.
|
|
24
|
+
it "scrub the specified field" do
|
|
25
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :prune).once
|
|
26
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).never
|
|
27
27
|
@post.valid?
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
|
|
31
|
-
Loofah.
|
|
30
|
+
it "only call scrub_fragment once" do
|
|
31
|
+
mock(Loofah).scrub_fragment(anything, anything).once
|
|
32
32
|
@post.valid?
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
|
|
35
|
+
it "generate strings" do
|
|
36
36
|
@post.valid?
|
|
37
37
|
assert_equal String, @post.html_string.class
|
|
38
38
|
assert_equal HTML_STRING, @post.html_string
|
|
@@ -40,15 +40,15 @@ class TestActiveRecord < Test::Unit::TestCase
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
context "using a string to indicate the attribute" do
|
|
43
|
-
|
|
43
|
+
before do
|
|
44
44
|
Post.html_fragment 'html_string', :scrub => :prune
|
|
45
45
|
assert ! Post.xss_foliated?
|
|
46
46
|
@post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
|
|
47
47
|
end
|
|
48
48
|
|
|
49
|
-
|
|
50
|
-
Loofah.
|
|
51
|
-
Loofah.
|
|
49
|
+
it "scrub the specified field" do
|
|
50
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :prune).once
|
|
51
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).never
|
|
52
52
|
@post.valid?
|
|
53
53
|
end
|
|
54
54
|
end
|
|
@@ -56,44 +56,44 @@ class TestActiveRecord < Test::Unit::TestCase
|
|
|
56
56
|
|
|
57
57
|
context "scrubbing a single field as a document" do
|
|
58
58
|
context "using a symbol to indicate the attribute" do
|
|
59
|
-
|
|
59
|
+
before do
|
|
60
60
|
Post.html_document :html_string, :scrub => :strip
|
|
61
61
|
@post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
|
|
62
62
|
end
|
|
63
63
|
|
|
64
|
-
|
|
65
|
-
Loofah.
|
|
66
|
-
Loofah.
|
|
64
|
+
it "scrub the specified field, but not other fields" do
|
|
65
|
+
mock(Loofah).scrub_document(HTML_STRING, :strip).once
|
|
66
|
+
mock(Loofah).scrub_document(PLAIN_TEXT, :strip).never
|
|
67
67
|
@post.valid?
|
|
68
68
|
end
|
|
69
69
|
|
|
70
|
-
|
|
71
|
-
Loofah.
|
|
70
|
+
it "only call scrub_document once" do
|
|
71
|
+
mock(Loofah).scrub_document(anything, anything).once
|
|
72
72
|
@post.valid?
|
|
73
73
|
end
|
|
74
74
|
|
|
75
|
-
|
|
75
|
+
it "generate strings" do
|
|
76
76
|
@post.valid?
|
|
77
77
|
assert_equal String, @post.html_string.class
|
|
78
78
|
end
|
|
79
79
|
end
|
|
80
80
|
|
|
81
81
|
context "using a string to indicate the attribute" do
|
|
82
|
-
|
|
82
|
+
before do
|
|
83
83
|
Post.html_document 'html_string', :scrub => :strip
|
|
84
84
|
@post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
|
|
85
85
|
end
|
|
86
86
|
|
|
87
|
-
|
|
88
|
-
Loofah.
|
|
89
|
-
Loofah.
|
|
87
|
+
it "scrubs the specified field, but not other fields" do
|
|
88
|
+
mock(Loofah).scrub_document(HTML_STRING, :strip).once
|
|
89
|
+
mock(Loofah).scrub_document(PLAIN_TEXT, :strip).never
|
|
90
90
|
@post.valid?
|
|
91
91
|
end
|
|
92
92
|
end
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
context "not passing any options" do
|
|
96
|
-
|
|
96
|
+
it "raises ArgumentError" do
|
|
97
97
|
assert_raises(ArgumentError) {
|
|
98
98
|
Post.html_fragment :foo
|
|
99
99
|
}
|
|
@@ -101,36 +101,32 @@ class TestActiveRecord < Test::Unit::TestCase
|
|
|
101
101
|
end
|
|
102
102
|
|
|
103
103
|
context "not passing :scrub option" do
|
|
104
|
-
|
|
105
|
-
|
|
104
|
+
it "raises ArgumentError" do
|
|
105
|
+
assert_raises(ArgumentError) {
|
|
106
106
|
Post.html_fragment :foo, :bar => :quux
|
|
107
107
|
}
|
|
108
108
|
end
|
|
109
109
|
end
|
|
110
110
|
|
|
111
111
|
context "passing a :scrub option" do
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
Post.html_fragment :foo, :scrub => :quux
|
|
115
|
-
}
|
|
112
|
+
it "does not raise ArgumentError" do
|
|
113
|
+
Post.html_fragment :foo, :scrub => :quux
|
|
116
114
|
end
|
|
117
115
|
end
|
|
118
116
|
|
|
119
117
|
context "passing a Scrubber" do
|
|
120
|
-
|
|
118
|
+
before do
|
|
121
119
|
@called = false
|
|
122
120
|
@scrubber = Loofah::Scrubber.new do |node|
|
|
123
121
|
@called = true
|
|
124
122
|
end
|
|
125
123
|
end
|
|
126
124
|
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
Post.html_fragment :html_string, :scrub => @scrubber
|
|
130
|
-
}
|
|
125
|
+
it "does not raise ArgumentError" do
|
|
126
|
+
Post.html_fragment :html_string, :scrub => @scrubber
|
|
131
127
|
end
|
|
132
128
|
|
|
133
|
-
|
|
129
|
+
it "scrubs properly" do
|
|
134
130
|
Post.html_fragment :html_string, :scrub => @scrubber
|
|
135
131
|
post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
|
|
136
132
|
post.valid?
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class TestXssFoliate <
|
|
3
|
+
class TestXssFoliate < Loofah::ActiveRecord::TestCase
|
|
4
4
|
|
|
5
5
|
HTML_STRING = "<div>omgwtfbbq</div>"
|
|
6
6
|
PLAIN_TEXT = "vanilla text"
|
|
@@ -12,7 +12,7 @@ class TestXssFoliate < Test::Unit::TestCase
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
context "with a Post model" do
|
|
15
|
-
|
|
15
|
+
before do
|
|
16
16
|
ActsAsFu.build_model(:posts) do
|
|
17
17
|
string :plain_text
|
|
18
18
|
string :html_string
|
|
@@ -22,27 +22,27 @@ class TestXssFoliate < Test::Unit::TestCase
|
|
|
22
22
|
|
|
23
23
|
context "#xss_foliated?" do
|
|
24
24
|
context "when xss_foliate has not been called" do
|
|
25
|
-
|
|
25
|
+
it "return false" do
|
|
26
26
|
assert ! Post.xss_foliated?
|
|
27
27
|
end
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
context "when xss_foliate has been called with no options" do
|
|
31
|
-
|
|
31
|
+
before do
|
|
32
32
|
Post.xss_foliate
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
|
|
35
|
+
it "return true" do
|
|
36
36
|
assert Post.xss_foliated?
|
|
37
37
|
end
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
context "when xss_foliate has been called with options" do
|
|
41
|
-
|
|
41
|
+
before do
|
|
42
42
|
Post.xss_foliate :prune => :plain_text
|
|
43
43
|
end
|
|
44
44
|
|
|
45
|
-
|
|
45
|
+
it "return true" do
|
|
46
46
|
assert Post.xss_foliated?
|
|
47
47
|
end
|
|
48
48
|
end
|
|
@@ -50,47 +50,43 @@ class TestXssFoliate < Test::Unit::TestCase
|
|
|
50
50
|
|
|
51
51
|
context "#xss_foliate" do
|
|
52
52
|
context "when passed invalid option" do
|
|
53
|
-
|
|
54
|
-
|
|
53
|
+
it "raise ArgumentError" do
|
|
54
|
+
assert_raises(ArgumentError) { Post.xss_foliate :quux => [:foo] }
|
|
55
55
|
end
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
context "when passed a symbol" do
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
Loofah.
|
|
62
|
-
Loofah.
|
|
59
|
+
it "calls the right scrubber" do
|
|
60
|
+
Post.xss_foliate :prune => :plain_text
|
|
61
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip).once
|
|
62
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).once
|
|
63
63
|
new_post.valid?
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
66
|
|
|
67
67
|
context "when passed an array of symbols" do
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
|
|
73
|
-
Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :prune).once
|
|
68
|
+
it "calls the right scrubbers" do
|
|
69
|
+
Post.xss_foliate :prune => [:plain_text, :html_string]
|
|
70
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :prune).once
|
|
71
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).once
|
|
74
72
|
new_post.valid?
|
|
75
73
|
end
|
|
76
74
|
end
|
|
77
75
|
|
|
78
76
|
context "when passed a string" do
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
Loofah.
|
|
82
|
-
Loofah.
|
|
77
|
+
it "calls the right scrubber" do
|
|
78
|
+
Post.xss_foliate :prune => 'plain_text'
|
|
79
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip).once
|
|
80
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).once
|
|
83
81
|
new_post.valid?
|
|
84
82
|
end
|
|
85
83
|
end
|
|
86
84
|
|
|
87
85
|
context "when passed an array of strings" do
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
|
|
93
|
-
Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :prune).once
|
|
86
|
+
it "calls the right scrubbers" do
|
|
87
|
+
Post.xss_foliate :prune => ['plain_text', 'html_string']
|
|
88
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :prune).once
|
|
89
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :prune).once
|
|
94
90
|
new_post.valid?
|
|
95
91
|
end
|
|
96
92
|
end
|
|
@@ -98,85 +94,85 @@ class TestXssFoliate < Test::Unit::TestCase
|
|
|
98
94
|
|
|
99
95
|
context "declaring scrubbed fields" do
|
|
100
96
|
context "on all fields" do
|
|
101
|
-
|
|
97
|
+
before do
|
|
102
98
|
Post.xss_foliate
|
|
103
99
|
end
|
|
104
100
|
|
|
105
|
-
|
|
106
|
-
mock_doc =
|
|
107
|
-
Loofah.
|
|
108
|
-
Loofah.
|
|
109
|
-
Loofah.
|
|
110
|
-
mock_doc.
|
|
101
|
+
it "scrub all fields" do
|
|
102
|
+
mock_doc = Object.new
|
|
103
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip).once.returns(mock_doc)
|
|
104
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :strip).once.returns(mock_doc)
|
|
105
|
+
mock(Loofah).scrub_fragment(INTEGER_VALUE, :strip).never
|
|
106
|
+
mock(mock_doc).text.times(2)
|
|
111
107
|
assert new_post.valid?
|
|
112
108
|
end
|
|
113
109
|
end
|
|
114
110
|
|
|
115
111
|
context "omitting one field" do
|
|
116
|
-
|
|
112
|
+
before do
|
|
117
113
|
Post.xss_foliate :except => [:plain_text]
|
|
118
114
|
end
|
|
119
115
|
|
|
120
|
-
|
|
121
|
-
mock_doc =
|
|
122
|
-
Loofah.
|
|
123
|
-
Loofah.
|
|
124
|
-
Loofah.
|
|
125
|
-
mock_doc.
|
|
116
|
+
it "not scrub omitted field" do
|
|
117
|
+
mock_doc = Object.new
|
|
118
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip).once.returns(mock_doc)
|
|
119
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :strip).never
|
|
120
|
+
mock(Loofah).scrub_fragment(INTEGER_VALUE, :strip).never
|
|
121
|
+
mock(mock_doc).text.once
|
|
126
122
|
new_post.valid?
|
|
127
123
|
end
|
|
128
124
|
end
|
|
129
125
|
|
|
130
126
|
Loofah::Scrubbers.scrubber_symbols.each do |method|
|
|
131
127
|
context "declaring one field to be scrubbed with #{method}" do
|
|
132
|
-
|
|
128
|
+
before do
|
|
133
129
|
Post.xss_foliate method => [:plain_text]
|
|
134
130
|
end
|
|
135
131
|
|
|
136
|
-
|
|
137
|
-
mock_doc =
|
|
138
|
-
Loofah.
|
|
139
|
-
Loofah.
|
|
140
|
-
Loofah.
|
|
141
|
-
mock_doc.
|
|
132
|
+
it "scrub that field appropriately" do
|
|
133
|
+
mock_doc = Object.new
|
|
134
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip).once
|
|
135
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, method).once.returns(mock_doc)
|
|
136
|
+
mock(Loofah).scrub_fragment(INTEGER_VALUE, :strip).never
|
|
137
|
+
mock(mock_doc).to_s
|
|
142
138
|
new_post.valid?
|
|
143
139
|
end
|
|
144
140
|
end
|
|
145
141
|
end
|
|
146
142
|
|
|
147
143
|
context "declaring one field to be scrubbed with html5lib_sanitize" do
|
|
148
|
-
|
|
144
|
+
before do
|
|
149
145
|
Post.xss_foliate :html5lib_sanitize => [:plain_text]
|
|
150
146
|
end
|
|
151
147
|
|
|
152
|
-
|
|
153
|
-
Loofah.
|
|
154
|
-
Loofah.
|
|
155
|
-
Loofah.
|
|
148
|
+
it "not that field appropriately" do
|
|
149
|
+
mock(Loofah).scrub_fragment(HTML_STRING, :strip) .once
|
|
150
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :escape).once
|
|
151
|
+
mock(Loofah).scrub_fragment(INTEGER_VALUE, :strip) .never
|
|
156
152
|
new_post.valid?
|
|
157
153
|
end
|
|
158
154
|
end
|
|
159
155
|
end
|
|
160
156
|
|
|
161
157
|
context "invalid model data" do
|
|
162
|
-
|
|
158
|
+
before do
|
|
163
159
|
Post.validates_presence_of :html_string
|
|
164
160
|
Post.xss_foliate
|
|
165
161
|
end
|
|
166
162
|
|
|
167
|
-
|
|
168
|
-
Loofah.
|
|
169
|
-
Loofah.
|
|
163
|
+
it "not be valid after sanitizing" do
|
|
164
|
+
mock(Loofah).scrub_fragment(WHITESPACEY, :strip).once
|
|
165
|
+
mock(Loofah).scrub_fragment(PLAIN_TEXT, :strip).once
|
|
170
166
|
assert ! new_post(:html_string => WHITESPACEY).valid?
|
|
171
167
|
end
|
|
172
168
|
end
|
|
173
169
|
|
|
174
170
|
context "given an XSS attempt" do
|
|
175
|
-
|
|
171
|
+
before do
|
|
176
172
|
Post.xss_foliate :strip => :html_string
|
|
177
173
|
end
|
|
178
174
|
|
|
179
|
-
|
|
175
|
+
it "escape html entities" do
|
|
180
176
|
hackattack = "<div><script>alert('evil')</script></div>"
|
|
181
177
|
post = new_post :html_string => hackattack, :plain_text => hackattack
|
|
182
178
|
post.valid?
|
|
@@ -186,25 +182,29 @@ class TestXssFoliate < Test::Unit::TestCase
|
|
|
186
182
|
end
|
|
187
183
|
|
|
188
184
|
context "these tests should pass for libxml 2.7.5 and later" do
|
|
189
|
-
|
|
185
|
+
before do
|
|
186
|
+
Post.xss_foliate
|
|
187
|
+
end
|
|
188
|
+
|
|
189
|
+
it "not scrub double quotes into html entities" do
|
|
190
190
|
answer = new_post(:plain_text => "\"something\"")
|
|
191
191
|
answer.valid?
|
|
192
192
|
assert_equal "\"something\"", answer.plain_text
|
|
193
193
|
end
|
|
194
194
|
|
|
195
|
-
|
|
195
|
+
it "not scrub ampersands into html entities" do
|
|
196
196
|
answer = new_post(:plain_text => "& Something")
|
|
197
197
|
answer.valid?
|
|
198
198
|
assert_equal "& Something", answer.plain_text
|
|
199
199
|
end
|
|
200
200
|
|
|
201
|
-
|
|
201
|
+
it "not scrub \\r html entities" do
|
|
202
202
|
answer = new_post(:plain_text => "Another \r Something")
|
|
203
203
|
answer.valid?
|
|
204
204
|
assert_equal "Another \r Something", answer.plain_text
|
|
205
205
|
end
|
|
206
206
|
|
|
207
|
-
|
|
207
|
+
it "not scrub \\n html entities" do
|
|
208
208
|
answer = new_post(:plain_text => "Another \n Something")
|
|
209
209
|
answer.valid?
|
|
210
210
|
assert_equal "Another \n Something", answer.plain_text
|