rails_xss 0.1.0
- data/.document +5 -0
- data/.gitignore +21 -0
- data/LICENSE +20 -0
- data/README.rdoc +17 -0
- data/Rakefile +53 -0
- data/VERSION +1 -0
- data/lib/rails_xss.rb +3 -0
- data/test/active_record_helper_test.rb +74 -0
- data/test/asset_tag_helper_test.rb +49 -0
- data/test/caching_test.rb +43 -0
- data/test/date_helper_test.rb +29 -0
- data/test/deprecated_output_safety_test.rb +112 -0
- data/test/erb_util_test.rb +36 -0
- data/test/form_helper_test.rb +1447 -0
- data/test/form_tag_helper_test.rb +354 -0
- data/test/helper.rb +10 -0
- data/test/output_safety_test.rb +115 -0
- data/test/rails_xss_test.rb +23 -0
- data/test/test_helper.rb +5 -0
- data/test/test_rails_xss.rb +7 -0
- data/test/text_helper_test.rb +17 -0
- metadata +97 -0
@@ -0,0 +1,354 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class FormTagHelperTest < ActionView::TestCase
|
4
|
+
def setup
|
5
|
+
@controller = Class.new do
|
6
|
+
def url_for(options)
|
7
|
+
"http://www.example.com"
|
8
|
+
end
|
9
|
+
end
|
10
|
+
@controller = @controller.new
|
11
|
+
end
|
12
|
+
|
13
|
+
VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name
|
14
|
+
|
15
|
+
def test_check_box_tag
|
16
|
+
actual = check_box_tag "admin"
|
17
|
+
expected = %(<input id="admin" name="admin" type="checkbox" value="1" />)
|
18
|
+
assert_dom_equal expected, actual
|
19
|
+
end
|
20
|
+
|
21
|
+
def test_check_box_tag_id_sanitized
|
22
|
+
label_elem = root_elem(check_box_tag("project[2][admin]"))
|
23
|
+
assert_match VALID_HTML_ID, label_elem['id']
|
24
|
+
end
|
25
|
+
|
26
|
+
def test_form_tag
|
27
|
+
actual = form_tag
|
28
|
+
expected = %(<form action="http://www.example.com" method="post">)
|
29
|
+
assert_dom_equal expected, actual
|
30
|
+
end
|
31
|
+
|
32
|
+
def test_form_tag_multipart
|
33
|
+
actual = form_tag({}, { 'multipart' => true })
|
34
|
+
expected = %(<form action="http://www.example.com" enctype="multipart/form-data" method="post">)
|
35
|
+
assert_dom_equal expected, actual
|
36
|
+
end
|
37
|
+
|
38
|
+
def test_form_tag_with_method_put
|
39
|
+
actual = form_tag({}, { :method => :put })
|
40
|
+
expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>)
|
41
|
+
assert_dom_equal expected, actual
|
42
|
+
end
|
43
|
+
|
44
|
+
def test_form_tag_with_method_delete
|
45
|
+
actual = form_tag({}, { :method => :delete })
|
46
|
+
expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="delete" /></div>)
|
47
|
+
assert_dom_equal expected, actual
|
48
|
+
end
|
49
|
+
|
50
|
+
def test_form_tag_with_block_in_erb
|
51
|
+
__in_erb_template = ''
|
52
|
+
form_tag("http://example.com") { concat "Hello world!" }
|
53
|
+
|
54
|
+
expected = %(<form action="http://example.com" method="post">Hello world!</form>)
|
55
|
+
assert_dom_equal expected, output_buffer
|
56
|
+
end
|
57
|
+
|
58
|
+
def test_form_tag_with_block_and_method_in_erb
|
59
|
+
__in_erb_template = ''
|
60
|
+
form_tag("http://example.com", :method => :put) { concat "Hello world!" }
|
61
|
+
|
62
|
+
expected = %(<form action="http://example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>Hello world!</form>)
|
63
|
+
assert_dom_equal expected, output_buffer
|
64
|
+
end
|
65
|
+
|
66
|
+
def test_hidden_field_tag
|
67
|
+
actual = hidden_field_tag "id", 3
|
68
|
+
expected = %(<input id="id" name="id" type="hidden" value="3" />)
|
69
|
+
assert_dom_equal expected, actual
|
70
|
+
end
|
71
|
+
|
72
|
+
def test_hidden_field_tag_id_sanitized
|
73
|
+
input_elem = root_elem(hidden_field_tag("item[][title]"))
|
74
|
+
assert_match VALID_HTML_ID, input_elem['id']
|
75
|
+
end
|
76
|
+
|
77
|
+
def test_file_field_tag
|
78
|
+
assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" />", file_field_tag("picsplz")
|
79
|
+
end
|
80
|
+
|
81
|
+
def test_file_field_tag_with_options
|
82
|
+
assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" class=\"pix\"/>", file_field_tag("picsplz", :class => "pix")
|
83
|
+
end
|
84
|
+
|
85
|
+
def test_password_field_tag
|
86
|
+
actual = password_field_tag
|
87
|
+
expected = %(<input id="password" name="password" type="password" />)
|
88
|
+
assert_dom_equal expected, actual
|
89
|
+
end
|
90
|
+
|
91
|
+
def test_radio_button_tag
|
92
|
+
actual = radio_button_tag "people", "david"
|
93
|
+
expected = %(<input id="people_david" name="people" type="radio" value="david" />)
|
94
|
+
assert_dom_equal expected, actual
|
95
|
+
|
96
|
+
actual = radio_button_tag("num_people", 5)
|
97
|
+
expected = %(<input id="num_people_5" name="num_people" type="radio" value="5" />)
|
98
|
+
assert_dom_equal expected, actual
|
99
|
+
|
100
|
+
actual = radio_button_tag("gender", "m") + radio_button_tag("gender", "f")
|
101
|
+
expected = %(<input id="gender_m" name="gender" type="radio" value="m" /><input id="gender_f" name="gender" type="radio" value="f" />)
|
102
|
+
assert_dom_equal expected, actual
|
103
|
+
|
104
|
+
actual = radio_button_tag("opinion", "-1") + radio_button_tag("opinion", "1")
|
105
|
+
expected = %(<input id="opinion_-1" name="opinion" type="radio" value="-1" /><input id="opinion_1" name="opinion" type="radio" value="1" />)
|
106
|
+
assert_dom_equal expected, actual
|
107
|
+
|
108
|
+
actual = radio_button_tag("person[gender]", "m")
|
109
|
+
expected = %(<input id="person_gender_m" name="person[gender]" type="radio" value="m" />)
|
110
|
+
assert_dom_equal expected, actual
|
111
|
+
end
|
112
|
+
|
113
|
+
def test_select_tag
|
114
|
+
actual = select_tag "people", "<option>david</option>".html_safe
|
115
|
+
expected = %(<select id="people" name="people"><option>david</option></select>)
|
116
|
+
assert_dom_equal expected, actual
|
117
|
+
end
|
118
|
+
|
119
|
+
def test_select_tag_with_multiple
|
120
|
+
actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>".html_safe, :multiple => :true
|
121
|
+
expected = %(<select id="colors" multiple="multiple" name="colors"><option>Red</option><option>Blue</option><option>Green</option></select>)
|
122
|
+
assert_dom_equal expected, actual
|
123
|
+
end
|
124
|
+
|
125
|
+
def test_select_tag_disabled
|
126
|
+
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :disabled => :true
|
127
|
+
expected = %(<select id="places" disabled="disabled" name="places"><option>Home</option><option>Work</option><option>Pub</option></select>)
|
128
|
+
assert_dom_equal expected, actual
|
129
|
+
end
|
130
|
+
|
131
|
+
def test_select_tag_id_sanitized
|
132
|
+
input_elem = root_elem(select_tag("project[1]people", "<option>david</option>"))
|
133
|
+
assert_match VALID_HTML_ID, input_elem['id']
|
134
|
+
end
|
135
|
+
|
136
|
+
def test_select_tag_with_array_options
|
137
|
+
assert_deprecated /array/ do
|
138
|
+
select_tag "people", ["<option>david</option>"]
|
139
|
+
end
|
140
|
+
end
|
141
|
+
|
142
|
+
def test_text_area_tag_size_string
|
143
|
+
actual = text_area_tag "body", "hello world", "size" => "20x40"
|
144
|
+
expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
|
145
|
+
assert_dom_equal expected, actual
|
146
|
+
end
|
147
|
+
|
148
|
+
def test_text_area_tag_size_symbol
|
149
|
+
actual = text_area_tag "body", "hello world", :size => "20x40"
|
150
|
+
expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
|
151
|
+
assert_dom_equal expected, actual
|
152
|
+
end
|
153
|
+
|
154
|
+
def test_text_area_tag_should_disregard_size_if_its_given_as_an_integer
|
155
|
+
actual = text_area_tag "body", "hello world", :size => 20
|
156
|
+
expected = %(<textarea id="body" name="body">hello world</textarea>)
|
157
|
+
assert_dom_equal expected, actual
|
158
|
+
end
|
159
|
+
|
160
|
+
def test_text_area_tag_id_sanitized
|
161
|
+
input_elem = root_elem(text_area_tag("item[][description]"))
|
162
|
+
assert_match VALID_HTML_ID, input_elem['id']
|
163
|
+
end
|
164
|
+
|
165
|
+
def test_text_area_tag_escape_content
|
166
|
+
actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
|
167
|
+
expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
|
168
|
+
assert_dom_equal expected, actual
|
169
|
+
end
|
170
|
+
|
171
|
+
def test_text_area_tag_unescaped_content
|
172
|
+
actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
|
173
|
+
expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
|
174
|
+
assert_dom_equal expected, actual
|
175
|
+
end
|
176
|
+
|
177
|
+
def test_text_area_tag_unescaped_nil_content
|
178
|
+
actual = text_area_tag "body", nil, :escape => false
|
179
|
+
expected = %(<textarea id="body" name="body"></textarea>)
|
180
|
+
assert_dom_equal expected, actual
|
181
|
+
end
|
182
|
+
|
183
|
+
def test_text_field_tag
|
184
|
+
actual = text_field_tag "title", "Hello!"
|
185
|
+
expected = %(<input id="title" name="title" type="text" value="Hello!" />)
|
186
|
+
assert_dom_equal expected, actual
|
187
|
+
end
|
188
|
+
|
189
|
+
def test_text_field_tag_class_string
|
190
|
+
actual = text_field_tag "title", "Hello!", "class" => "admin"
|
191
|
+
expected = %(<input class="admin" id="title" name="title" type="text" value="Hello!" />)
|
192
|
+
assert_dom_equal expected, actual
|
193
|
+
end
|
194
|
+
|
195
|
+
def test_text_field_tag_size_symbol
|
196
|
+
actual = text_field_tag "title", "Hello!", :size => 75
|
197
|
+
expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
|
198
|
+
assert_dom_equal expected, actual
|
199
|
+
end
|
200
|
+
|
201
|
+
def test_text_field_tag_size_string
|
202
|
+
actual = text_field_tag "title", "Hello!", "size" => "75"
|
203
|
+
expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
|
204
|
+
assert_dom_equal expected, actual
|
205
|
+
end
|
206
|
+
|
207
|
+
def test_text_field_tag_maxlength_symbol
|
208
|
+
actual = text_field_tag "title", "Hello!", :maxlength => 75
|
209
|
+
expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
|
210
|
+
assert_dom_equal expected, actual
|
211
|
+
end
|
212
|
+
|
213
|
+
def test_text_field_tag_maxlength_string
|
214
|
+
actual = text_field_tag "title", "Hello!", "maxlength" => "75"
|
215
|
+
expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
|
216
|
+
assert_dom_equal expected, actual
|
217
|
+
end
|
218
|
+
|
219
|
+
def test_text_field_disabled
|
220
|
+
actual = text_field_tag "title", "Hello!", :disabled => :true
|
221
|
+
expected = %(<input id="title" name="title" disabled="disabled" type="text" value="Hello!" />)
|
222
|
+
assert_dom_equal expected, actual
|
223
|
+
end
|
224
|
+
|
225
|
+
def test_text_field_tag_with_multiple_options
|
226
|
+
actual = text_field_tag "title", "Hello!", :size => 70, :maxlength => 80
|
227
|
+
expected = %(<input id="title" name="title" size="70" maxlength="80" type="text" value="Hello!" />)
|
228
|
+
assert_dom_equal expected, actual
|
229
|
+
end
|
230
|
+
|
231
|
+
def test_text_field_tag_id_sanitized
|
232
|
+
input_elem = root_elem(text_field_tag("item[][title]"))
|
233
|
+
assert_match VALID_HTML_ID, input_elem['id']
|
234
|
+
end
|
235
|
+
|
236
|
+
def test_label_tag_without_text
|
237
|
+
actual = label_tag "title"
|
238
|
+
expected = %(<label for="title">Title</label>)
|
239
|
+
assert_dom_equal expected, actual
|
240
|
+
end
|
241
|
+
|
242
|
+
def test_label_tag_with_symbol
|
243
|
+
actual = label_tag :title
|
244
|
+
expected = %(<label for="title">Title</label>)
|
245
|
+
assert_dom_equal expected, actual
|
246
|
+
end
|
247
|
+
|
248
|
+
def test_label_tag_with_text
|
249
|
+
actual = label_tag "title", "My Title"
|
250
|
+
expected = %(<label for="title">My Title</label>)
|
251
|
+
assert_dom_equal expected, actual
|
252
|
+
end
|
253
|
+
|
254
|
+
def test_label_tag_class_string
|
255
|
+
actual = label_tag "title", "My Title", "class" => "small_label"
|
256
|
+
expected = %(<label for="title" class="small_label">My Title</label>)
|
257
|
+
assert_dom_equal expected, actual
|
258
|
+
end
|
259
|
+
|
260
|
+
def test_label_tag_id_sanitized
|
261
|
+
label_elem = root_elem(label_tag("item[title]"))
|
262
|
+
assert_match VALID_HTML_ID, label_elem['for']
|
263
|
+
end
|
264
|
+
|
265
|
+
def test_boolean_options
|
266
|
+
assert_dom_equal %(<input checked="checked" disabled="disabled" id="admin" name="admin" readonly="readonly" type="checkbox" value="1" />), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes")
|
267
|
+
assert_dom_equal %(<input checked="checked" id="admin" name="admin" type="checkbox" value="1" />), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil)
|
268
|
+
assert_dom_equal %(<input type="checkbox" />), tag(:input, :type => "checkbox", :checked => false)
|
269
|
+
assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => true)
|
270
|
+
assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>".html_safe, :multiple => true)
|
271
|
+
assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => nil)
|
272
|
+
end
|
273
|
+
|
274
|
+
def test_stringify_symbol_keys
|
275
|
+
actual = text_field_tag "title", "Hello!", :id => "admin"
|
276
|
+
expected = %(<input id="admin" name="title" type="text" value="Hello!" />)
|
277
|
+
assert_dom_equal expected, actual
|
278
|
+
end
|
279
|
+
|
280
|
+
def test_submit_tag
|
281
|
+
assert_dom_equal(
|
282
|
+
%(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
|
283
|
+
submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
|
284
|
+
)
|
285
|
+
end
|
286
|
+
|
287
|
+
def test_submit_tag_with_no_onclick_options
|
288
|
+
assert_dom_equal(
|
289
|
+
%(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
|
290
|
+
submit_tag("Save", :disable_with => "Saving...")
|
291
|
+
)
|
292
|
+
end
|
293
|
+
|
294
|
+
def test_submit_tag_with_confirmation
|
295
|
+
assert_dom_equal(
|
296
|
+
%(<input name='commit' type='submit' value='Save' onclick="if (!confirm('Are you sure?')) return false; return true;"/>),
|
297
|
+
submit_tag("Save", :confirm => "Are you sure?")
|
298
|
+
)
|
299
|
+
end
|
300
|
+
|
301
|
+
def test_submit_tag_with_confirmation_and_with_disable_with
|
302
|
+
assert_dom_equal(
|
303
|
+
%(<input name="commit" onclick="if (!confirm('Are you sure?')) return false; if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
|
304
|
+
submit_tag("Save", :disable_with => "Saving...", :confirm => "Are you sure?")
|
305
|
+
)
|
306
|
+
end
|
307
|
+
|
308
|
+
def test_image_submit_tag_with_confirmation
|
309
|
+
assert_dom_equal(
|
310
|
+
%(<input type="image" src="/images/save.gif" onclick="return confirm('Are you sure?');"/>),
|
311
|
+
image_submit_tag("save.gif", :confirm => "Are you sure?")
|
312
|
+
)
|
313
|
+
end
|
314
|
+
|
315
|
+
def test_pass
|
316
|
+
assert_equal 1, 1
|
317
|
+
end
|
318
|
+
|
319
|
+
def test_field_set_tag_in_erb
|
320
|
+
__in_erb_template = ''
|
321
|
+
field_set_tag("Your details") { concat "Hello world!" }
|
322
|
+
|
323
|
+
expected = %(<fieldset><legend>Your details</legend>Hello world!</fieldset>)
|
324
|
+
assert_dom_equal expected, output_buffer
|
325
|
+
|
326
|
+
self.output_buffer = ''.html_safe
|
327
|
+
field_set_tag { concat "Hello world!" }
|
328
|
+
|
329
|
+
expected = %(<fieldset>Hello world!</fieldset>)
|
330
|
+
assert_dom_equal expected, output_buffer
|
331
|
+
|
332
|
+
self.output_buffer = ''.html_safe
|
333
|
+
field_set_tag('') { concat "Hello world!" }
|
334
|
+
|
335
|
+
expected = %(<fieldset>Hello world!</fieldset>)
|
336
|
+
assert_dom_equal expected, output_buffer
|
337
|
+
|
338
|
+
self.output_buffer = ''.html_safe
|
339
|
+
field_set_tag('', :class => 'format') { concat "Hello world!" }
|
340
|
+
|
341
|
+
expected = %(<fieldset class="format">Hello world!</fieldset>)
|
342
|
+
assert_dom_equal expected, output_buffer
|
343
|
+
end
|
344
|
+
|
345
|
+
def protect_against_forgery?
|
346
|
+
false
|
347
|
+
end
|
348
|
+
|
349
|
+
private
|
350
|
+
|
351
|
+
def root_elem(rendered_content)
|
352
|
+
HTML::Document.new(rendered_content).root.children[0]
|
353
|
+
end
|
354
|
+
end
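Review bot: As displayed, `test_text_area_tag_escape_content` (lines 165-169) and `test_text_area_tag_unescaped_content` (lines 171-175) assert the identical literal `<b>hello world</b>`, so the test that is supposed to prove the textarea body gets HTML-escaped cannot distinguish escaped output from raw markup. This is most likely the page decoding entities when it rendered the hunk, but if the file really contains that string the escaping test is vacuous and should expect `%(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)`. Separately, `protect_against_forgery?` at lines 345-347 is forced to `false` for the whole class, so none of the `form_tag` expectations cover the authenticity-token hidden field that a real form emits and that this gem must also mark html_safe; a comment such as `# Forgery protection disabled so form_tag output carries no authenticity token; token rendering is not covered here` would make that gap explicit. The file header for this section is not visible in the page, so the path is inferred from the diffstat (`form_tag_helper_test.rb +354`).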
|
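--- a/data/test/helper.rb
+++ b/data/test/helper.rb
@@ -0,0 +1,115 @@
+require 'test_helper'
+
+class OutputSafetyTest < ActiveSupport::TestCase
+def setup
+@string = "hello"
+@object = Class.new(Object) do
+def to_s
+"other"
+end
+end.new
+end
+
+test "A string is unsafe by default" do
+assert !@string.html_safe?
+end
+
+test "A string can be marked safe" do
+string = @string.html_safe
+assert string.html_safe?
+end
+
+test "Marking a string safe returns the string" do
+assert_equal @string, @string.html_safe
+end
+
+test "A fixnum is safe by default" do
+assert 5.html_safe?
+end
+
+test "An object is unsafe by default" do
+assert !@object.html_safe?
+end
+
+test "Adding an object to a safe string returns a safe string" do
+string = @string.html_safe
+string << @object
+
+assert_equal "helloother", string
+assert string.html_safe?
+end
+
+test "Adding a safe string to another safe string returns a safe string" do
+@other_string = "other".html_safe
+string = @string.html_safe
+@combination = @other_string + string
+
+assert_equal "otherhello", @combination
+assert @combination.html_safe?
+end
+
+test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
+@other_string = "other".html_safe
+@combination = @other_string + "<foo>"
+@other_combination = @string + "<foo>"
+
+assert_equal "other<foo>", @combination
+assert_equal "hello<foo>", @other_combination
+
+assert @combination.html_safe?
+assert !@other_combination.html_safe?
+end
+
+test "Concatting safe onto unsafe yields unsafe" do
+@other_string = "other"
+
+string = @string.html_safe
+@other_string.concat(string)
+assert !@other_string.html_safe?
+end
+
+test "Concatting unsafe onto safe yields escaped safe" do
+@other_string = "other".html_safe
+string = @other_string.concat("<foo>")
+assert_equal "other<foo>", string
+assert string.html_safe?
+end
+
+test "Concatting safe onto safe yields safe" do
+@other_string = "other".html_safe
+string = @string.html_safe
+
+@other_string.concat(string)
+assert @other_string.html_safe?
+end
+
+test "Concatting safe onto unsafe with << yields unsafe" do
+@other_string = "other"
+string = @string.html_safe
+
+@other_string << string
+assert !@other_string.html_safe?
+end
+
+test "Concatting unsafe onto safe with << yields escaped safe" do
+@other_string = "other".html_safe
+string = @other_string << "<foo>"
+assert_equal "other<foo>", string
+assert string.html_safe?
+end
+
+test "Concatting safe onto safe with << yields safe" do
+@other_string = "other".html_safe
+string = @string.html_safe
+
+@other_string << string
+assert @other_string.html_safe?
+end
+
+test "Concatting a fixnum to safe always yields safe" do
+string = @string.html_safe
+string = string.concat(13)
+assert_equal "hello".concat(13), string
+assert string.html_safe?
+end
+end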
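Review bot: The tests named "escapes it" / "yields escaped safe" (lines 51-61, 71-76 and 94-99) assert the literal `"other<foo>"`, which as displayed is the unescaped form, so the assertions contradict the property the test names claim and would not catch a regression where `+`, `concat` or `<<` on a safe string stopped escaping unsafe input. The page has probably decoded `&lt;foo&gt;` on render, but if the file really reads this way the expected values should be `"other&lt;foo&gt;"` (and `"hello<foo>"` on line 57 is correct as-is, since an unsafe receiver is not escaped). The header labels this section `data/test/helper.rb`, yet the diffstat lists helper.rb at +10 and output_safety_test.rb at +115, which matches this 115-line hunk and its `OutputSafetyTest` class, so the path shown is likely a page mislabel.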