RubyGems - rails_xss - Versions diffs - 0.1.3 → 0.3.0 - Mend

rails_xss 0.1.3 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

data/Rakefile +1 -1
data/VERSION +1 -1
data/lib/rails_xss/erubis.rb +7 -1
metadata +41 -63
data/test/active_record_helper_test.rb +0 -74
data/test/asset_tag_helper_test.rb +0 -49
data/test/caching_test.rb +0 -43
data/test/date_helper_test.rb +0 -29
data/test/deprecated_output_safety_test.rb +0 -112
data/test/erb_util_test.rb +0 -36
data/test/form_helper_test.rb +0 -1447
data/test/form_tag_helper_test.rb +0 -354
data/test/output_safety_test.rb +0 -115
data/test/rails_xss_test.rb +0 -23
data/test/test_helper.rb +0 -5
data/test/text_helper_test.rb +0 -17

data/test/form_tag_helper_test.rb DELETED Viewed

@@ -1,354 +0,0 @@
-require 'test_helper'
-class FormTagHelperTest < ActionView::TestCase
-  def setup
-    @controller = Class.new do
-      def url_for(options)
-        "http://www.example.com"
-      end
-    end
-    @controller = @controller.new
-  end
-  VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name
-  def test_check_box_tag
-    actual = check_box_tag "admin"
-    expected = %(<input id="admin" name="admin" type="checkbox" value="1" />)
-    assert_dom_equal expected, actual
-  end
-  def test_check_box_tag_id_sanitized
-    label_elem = root_elem(check_box_tag("project[2][admin]"))
-    assert_match VALID_HTML_ID, label_elem['id']
-  end
-  def test_form_tag
-    actual = form_tag
-    expected = %(<form action="http://www.example.com" method="post">)
-    assert_dom_equal expected, actual
-  end
-  def test_form_tag_multipart
-    actual = form_tag({}, { 'multipart' => true })
-    expected = %(<form action="http://www.example.com" enctype="multipart/form-data" method="post">)
-    assert_dom_equal expected, actual
-  end
-  def test_form_tag_with_method_put
-    actual = form_tag({}, { :method => :put })
-    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>)
-    assert_dom_equal expected, actual
-  end
-  def test_form_tag_with_method_delete
-    actual = form_tag({}, { :method => :delete })
-    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="delete" /></div>)
-    assert_dom_equal expected, actual
-  end
-  def test_form_tag_with_block_in_erb
-    __in_erb_template = ''
-    form_tag("http://example.com") { concat "Hello world!" }
-    expected = %(<form action="http://example.com" method="post">Hello world!</form>)
-    assert_dom_equal expected, output_buffer
-  end
-  def test_form_tag_with_block_and_method_in_erb
-    __in_erb_template = ''
-    form_tag("http://example.com", :method => :put) { concat "Hello world!" }
-    expected = %(<form action="http://example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>Hello world!</form>)
-    assert_dom_equal expected, output_buffer
-  end
-  def test_hidden_field_tag
-    actual = hidden_field_tag "id", 3
-    expected = %(<input id="id" name="id" type="hidden" value="3" />)
-    assert_dom_equal expected, actual
-  end
-  def test_hidden_field_tag_id_sanitized
-    input_elem = root_elem(hidden_field_tag("item[][title]"))
-    assert_match VALID_HTML_ID, input_elem['id']
-  end
-  def test_file_field_tag
-    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" />", file_field_tag("picsplz")
-  end
-  def test_file_field_tag_with_options
-    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" class=\"pix\"/>", file_field_tag("picsplz", :class => "pix")
-  end
-  def test_password_field_tag
-    actual = password_field_tag
-    expected = %(<input id="password" name="password" type="password" />)
-    assert_dom_equal expected, actual
-  end
-  def test_radio_button_tag
-    actual = radio_button_tag "people", "david"
-    expected = %(<input id="people_david" name="people" type="radio" value="david" />)
-    assert_dom_equal expected, actual
-    actual = radio_button_tag("num_people", 5)
-    expected = %(<input id="num_people_5" name="num_people" type="radio" value="5" />)
-    assert_dom_equal expected, actual
-    actual = radio_button_tag("gender", "m") + radio_button_tag("gender", "f")
-    expected = %(<input id="gender_m" name="gender" type="radio" value="m" /><input id="gender_f" name="gender" type="radio" value="f" />)
-    assert_dom_equal expected, actual
-    actual = radio_button_tag("opinion", "-1") + radio_button_tag("opinion", "1")
-    expected = %(<input id="opinion_-1" name="opinion" type="radio" value="-1" /><input id="opinion_1" name="opinion" type="radio" value="1" />)
-    assert_dom_equal expected, actual
-    actual = radio_button_tag("person[gender]", "m")
-    expected = %(<input id="person_gender_m" name="person[gender]" type="radio" value="m" />)
-    assert_dom_equal expected, actual
-  end
-  def test_select_tag
-    actual = select_tag "people", "<option>david</option>".html_safe
-    expected = %(<select id="people" name="people"><option>david</option></select>)
-    assert_dom_equal expected, actual
-  end
-  def test_select_tag_with_multiple
-    actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>".html_safe, :multiple => :true
-    expected = %(<select id="colors" multiple="multiple" name="colors"><option>Red</option><option>Blue</option><option>Green</option></select>)
-    assert_dom_equal expected, actual
-  end
-  def test_select_tag_disabled
-    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :disabled => :true
-    expected = %(<select id="places" disabled="disabled" name="places"><option>Home</option><option>Work</option><option>Pub</option></select>)
-    assert_dom_equal expected, actual
-  end
-  def test_select_tag_id_sanitized
-    input_elem = root_elem(select_tag("project[1]people", "<option>david</option>"))
-    assert_match VALID_HTML_ID, input_elem['id']
-  end
-  def test_select_tag_with_array_options
-    assert_deprecated /array/ do
-      select_tag "people", ["<option>david</option>"]
-    end
-  end
-  def test_text_area_tag_size_string
-    actual = text_area_tag "body", "hello world", "size" => "20x40"
-    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_area_tag_size_symbol
-    actual = text_area_tag "body", "hello world", :size => "20x40"
-    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_area_tag_should_disregard_size_if_its_given_as_an_integer
-    actual = text_area_tag "body", "hello world", :size => 20
-    expected = %(<textarea id="body" name="body">hello world</textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_area_tag_id_sanitized
-    input_elem = root_elem(text_area_tag("item[][description]"))
-    assert_match VALID_HTML_ID, input_elem['id']
-  end
-  def test_text_area_tag_escape_content
-    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
-    expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_area_tag_unescaped_content
-    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
-    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_area_tag_unescaped_nil_content
-    actual = text_area_tag "body", nil, :escape => false
-    expected = %(<textarea id="body" name="body"></textarea>)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag
-    actual = text_field_tag "title", "Hello!"
-    expected = %(<input id="title" name="title" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_class_string
-    actual = text_field_tag "title", "Hello!", "class" => "admin"
-    expected = %(<input class="admin" id="title" name="title" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_size_symbol
-    actual = text_field_tag "title", "Hello!", :size => 75
-    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_size_string
-    actual = text_field_tag "title", "Hello!", "size" => "75"
-    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_maxlength_symbol
-    actual = text_field_tag "title", "Hello!", :maxlength => 75
-    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_maxlength_string
-    actual = text_field_tag "title", "Hello!", "maxlength" => "75"
-    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_disabled
-    actual = text_field_tag "title", "Hello!", :disabled => :true
-    expected = %(<input id="title" name="title" disabled="disabled" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_with_multiple_options
-    actual = text_field_tag "title", "Hello!", :size => 70, :maxlength => 80
-    expected = %(<input id="title" name="title" size="70" maxlength="80" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_text_field_tag_id_sanitized
-    input_elem = root_elem(text_field_tag("item[][title]"))
-    assert_match VALID_HTML_ID, input_elem['id']
-  end
-  def test_label_tag_without_text
-    actual = label_tag "title"
-    expected = %(<label for="title">Title</label>)
-    assert_dom_equal expected, actual
-  end
-  def test_label_tag_with_symbol
-    actual = label_tag :title
-    expected = %(<label for="title">Title</label>)
-    assert_dom_equal expected, actual
-  end
-  def test_label_tag_with_text
-    actual = label_tag "title", "My Title"
-    expected = %(<label for="title">My Title</label>)
-    assert_dom_equal expected, actual
-  end
-  def test_label_tag_class_string
-    actual = label_tag "title", "My Title", "class" => "small_label"
-    expected = %(<label for="title" class="small_label">My Title</label>)
-    assert_dom_equal expected, actual
-  end
-  def test_label_tag_id_sanitized
-    label_elem = root_elem(label_tag("item[title]"))
-    assert_match VALID_HTML_ID, label_elem['for']
-  end
-  def test_boolean_options
-    assert_dom_equal %(<input checked="checked" disabled="disabled" id="admin" name="admin" readonly="readonly" type="checkbox" value="1" />), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes")
-    assert_dom_equal %(<input checked="checked" id="admin" name="admin" type="checkbox" value="1" />), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil)
-    assert_dom_equal %(<input type="checkbox" />), tag(:input, :type => "checkbox", :checked => false)
-    assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => true)
-    assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>".html_safe, :multiple => true)
-    assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => nil)
-  end
-  def test_stringify_symbol_keys
-    actual = text_field_tag "title", "Hello!", :id => "admin"
-    expected = %(<input id="admin" name="title" type="text" value="Hello!" />)
-    assert_dom_equal expected, actual
-  end
-  def test_submit_tag
-    assert_dom_equal(
-      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
-      submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
-    )
-  end
-  def test_submit_tag_with_no_onclick_options
-    assert_dom_equal(
-      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
-      submit_tag("Save", :disable_with => "Saving...")
-    )
-  end
-  def test_submit_tag_with_confirmation
-    assert_dom_equal(
-      %(<input name='commit' type='submit' value='Save' onclick="if (!confirm('Are you sure?')) return false; return true;"/>),
-      submit_tag("Save", :confirm => "Are you sure?")
-    )
-  end
-  def test_submit_tag_with_confirmation_and_with_disable_with
-    assert_dom_equal(
-      %(<input name="commit" onclick="if (!confirm('Are you sure?')) return false; if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
-      submit_tag("Save", :disable_with => "Saving...", :confirm => "Are you sure?")
-    )
-  end
-  def test_image_submit_tag_with_confirmation
-    assert_dom_equal(
-      %(<input type="image" src="/images/save.gif" onclick="return confirm('Are you sure?');"/>),
-      image_submit_tag("save.gif", :confirm => "Are you sure?")
-    )
-  end
-  def test_pass
-    assert_equal 1, 1
-  end
-  def test_field_set_tag_in_erb
-    __in_erb_template = ''
-    field_set_tag("Your details") { concat "Hello world!" }
-    expected = %(<fieldset><legend>Your details</legend>Hello world!</fieldset>)
-    assert_dom_equal expected, output_buffer
-    self.output_buffer = ''.html_safe
-    field_set_tag { concat "Hello world!" }
-    expected = %(<fieldset>Hello world!</fieldset>)
-    assert_dom_equal expected, output_buffer
-    self.output_buffer = ''.html_safe
-    field_set_tag('') { concat "Hello world!" }
-    expected = %(<fieldset>Hello world!</fieldset>)
-    assert_dom_equal expected, output_buffer
-    self.output_buffer = ''.html_safe
-    field_set_tag('', :class => 'format') { concat "Hello world!" }
-    expected = %(<fieldset class="format">Hello world!</fieldset>)
-    assert_dom_equal expected, output_buffer
-  end
-  def protect_against_forgery?
-    false
-  end
-  private
-  def root_elem(rendered_content)
-    HTML::Document.new(rendered_content).root.children[0]
-  end
-end

data/test/output_safety_test.rb DELETED Viewed

@@ -1,115 +0,0 @@
-require 'test_helper'
-class OutputSafetyTest < ActiveSupport::TestCase
-  def setup
-    @string = "hello"
-    @object = Class.new(Object) do
-      def to_s
-        "other"
-      end
-    end.new
-  end
-  test "A string is unsafe by default" do
-    assert !@string.html_safe?
-  end
-  test "A string can be marked safe" do
-    string = @string.html_safe
-    assert string.html_safe?
-  end
-  test "Marking a string safe returns the string" do
-    assert_equal @string, @string.html_safe
-  end
-  test "A fixnum is safe by default" do
-    assert 5.html_safe?
-  end
-  test "An object is unsafe by default" do
-    assert !@object.html_safe?
-  end
-  test "Adding an object to a safe string returns a safe string" do
-    string = @string.html_safe
-    string << @object
-    assert_equal "helloother", string
-    assert string.html_safe?
-  end
-  test "Adding a safe string to another safe string returns a safe string" do
-    @other_string = "other".html_safe
-    string = @string.html_safe
-    @combination = @other_string + string
-    assert_equal "otherhello", @combination
-    assert @combination.html_safe?
-  end
-  test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
-    @other_string = "other".html_safe
-    @combination = @other_string + "<foo>"
-    @other_combination = @string + "<foo>"
-    assert_equal "other&lt;foo&gt;", @combination
-    assert_equal "hello<foo>", @other_combination
-    assert @combination.html_safe?
-    assert !@other_combination.html_safe?
-  end
-  test "Concatting safe onto unsafe yields unsafe" do
-    @other_string = "other"
-    string = @string.html_safe
-    @other_string.concat(string)
-    assert !@other_string.html_safe?
-  end
-  test "Concatting unsafe onto safe yields escaped safe" do
-    @other_string = "other".html_safe
-    string = @other_string.concat("<foo>")
-    assert_equal "other&lt;foo&gt;", string
-    assert string.html_safe?
-  end
-  test "Concatting safe onto safe yields safe" do
-    @other_string = "other".html_safe
-    string = @string.html_safe
-    @other_string.concat(string)
-    assert @other_string.html_safe?
-  end
-  test "Concatting safe onto unsafe with << yields unsafe" do
-    @other_string = "other"
-    string = @string.html_safe
-    @other_string << string
-    assert !@other_string.html_safe?
-  end
-  test "Concatting unsafe onto safe with << yields escaped safe" do
-    @other_string = "other".html_safe
-    string = @other_string << "<foo>"
-    assert_equal "other&lt;foo&gt;", string
-    assert string.html_safe?
-  end
-  test "Concatting safe onto safe with << yields safe" do
-    @other_string = "other".html_safe
-    string = @string.html_safe
-    @other_string << string
-    assert @other_string.html_safe?
-  end
-  test "Concatting a fixnum to safe always yields safe" do
-    string = @string.html_safe
-    string = string.concat(13)
-    assert_equal "hello".concat(13), string
-    assert string.html_safe?
-  end
-end

data/test/rails_xss_test.rb DELETED Viewed

@@ -1,23 +0,0 @@
-require 'test_helper'
-class RailsXssTest < ActiveSupport::TestCase
-  test "ERB::Util.h should mark its return value as safe and escape it" do
-    escaped = ERB::Util.h("<p>")
-    assert_equal "&lt;p&gt;", escaped
-    assert escaped.html_safe?
-  end
-  test "ERB::Util.h should leave previously safe strings alone " do
-    # TODO this seems easier to compose and reason about, but
-    # this should be verified
-    escaped = ERB::Util.h("<p>".html_safe)
-    assert_equal "<p>", escaped
-    assert escaped.html_safe?
-  end
-  test "ERB::Util.h should not implode when passed a non-string" do
-    assert_nothing_raised do
-      assert_equal "1", ERB::Util.h(1)
-    end
-  end
-end

data/test/test_helper.rb DELETED Viewed

@@ -1,5 +0,0 @@
-abort 'RAILS_ROOT=/path/to/rails/2.3/app rake test' unless ENV['RAILS_ROOT']
-require File.expand_path('config/environment', ENV['RAILS_ROOT'])
-require File.expand_path('../../init', __FILE__)
-require 'active_support/test_case'
-require 'test/unit'

data/test/text_helper_test.rb DELETED Viewed

@@ -1,17 +0,0 @@
-require 'test_helper'
-class TextHelperTest < ActionView::TestCase
-  def setup
-    @controller = Class.new do
-      attr_accessor :request
-      def url_for(*args) "http://www.example.com" end
-    end.new
-  end
-  def test_simple_format_with_escaping_html_options
-    assert_dom_equal(%(<p class="intro">It's nice to have options.</p>),
-                     simple_format("It's nice to have options.", :class=>"intro"))
-  end
-end