www_app 1.0.0

data/specs/as_ruby/0000-new.rb

@@ -0,0 +1,23 @@
+
+
+describe "IS_DEV" do
+
+  before {
+    @orig = ENV['IS_DEV']
+  }
+
+  after {
+    ENV['IS_DEV'] = @orig
+  }
+
+  it "raises RuntimeError if passed a block and non-IS_DEV" do
+    should.raise(RuntimeError) {
+      ENV['IS_DEV'] = nil
+      WWW_App.new {
+        div {}
+      }
+    }.message.should.match /non-DEV/i
+  end
+
+end # === describe IS_DEV ===
+

data/specs/as_ruby/0010-attrs.rb

@@ -0,0 +1,29 @@
+
+describe "all attrs" do
+
+  it "raises a RuntimeError if tag has an unknown attribute" do
+    should.raise(RuntimeError) {
+      actual {
+        a.href('/href') {
+          tag![:attrs][:hi] = 'hiya'
+          "here"
+        }
+      }
+    }.message.should.match /Unknown attr: :hi/
+  end
+
+  it "escapes attributes" do
+    target %^<a rel="&lt;hello">hello</a>^
+    actual {
+      a.rel('<hello') { 'hello' }
+    }
+  end
+
+end # === describe all attrs
+
+
+
+
+
+
+

data/specs/as_ruby/0011-class.rb

@@ -0,0 +1,39 @@
+
+
+
+describe :^ do
+
+  it "raises Invalid if class has invalid chars" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual {
+        div.^('hi)o') { 'hello' }
+      }
+    }.message.should.match /hi\)o/
+  end
+
+
+  # ==========================================================================
+  # ===========  end sanitization specs  =====================================
+  # ==========================================================================
+
+
+  it "adds 'class' attribute: a.^(:warning, :red) { }" do
+    target '<a class="warning red" href="&#47;here">Here</a>'
+
+    actual do
+      a.^(:warning, :red).href('/here') { "Here" }
+    end
+  end
+
+  it "merges classes: a.^(:super).^(:low)" do
+    target '<a class="super low" href="&#47;now">Now</a>'
+
+    actual do
+      a.^(:super).^(:low).href("/now") { "Now" }
+    end
+  end
+
+end # === describe :^
+
+
+

data/specs/as_ruby/0011-href.rb

@@ -0,0 +1,37 @@
+
+
+describe :href do
+
+  it "produces 'a' elements with 'href'" do
+    target '<a href="&#47;here">Here</a>'
+
+    actual do
+      a.href('/here') { "Here" }
+    end
+  end
+
+  it "escapes chars in 'href' attributes as a url" do
+    target %^<a href="&#47;home&#47;?a&amp;b">home</a>^
+
+    actual do
+      a.href('/home/?a&b') { "home" }
+    end
+  end
+
+  it "raises Invalid_HREF for :href: javacript:" do
+    should.raise(Escape_Escape_Escape::Invalid_HREF) {
+      actual do
+        a.href('javascript://alert()') { 'hello' }
+      end
+    }.message.should.match /javascript/
+  end
+
+  it "raises Escape_Escape_Escape::Invalid_Relative_HREF if not relative using :link" do
+    should.raise(Escape_Escape_Escape::Invalid_Relative_HREF) {
+      actual {
+        link.href('http://www.google.com/s.css')./
+      }
+    }.message.should.match /google/
+  end
+
+end # === describe :href

data/specs/as_ruby/0011-id.rb

@@ -0,0 +1,39 @@
+
+
+
+describe :* do
+
+  it "raises Invalid if id has invalid chars" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div.*('a<&a') { 'hello' }
+      end
+    }.message.should.match /a<&a/
+  end
+
+  it "raises HTML_ID_Duplicate if id is used more than once" do
+    should.raise(WWW_App::HTML_ID_Duplicate) {
+      actual do
+        div.*(:my_id) { '1' }
+        div.*(:my_id) { '2' }
+      end
+    }.message.should.match /my_id/
+  end
+
+  # ==========================================================================
+  # ===========  end sanitization specs  =====================================
+  # ==========================================================================
+
+
+  it "adds 'id' attribute: a.*(:warning)(...) { }" do
+    target '<a id="warning" href="&#47;there">There</a>'
+
+    actual do
+      a.*(:warning).href('/there') { "There" }
+    end
+  end
+
+end # === describe WWW_App.new ===
+
+
+

data/specs/as_ruby/0020-tag.rb

@@ -0,0 +1,21 @@
+
+describe :tag do
+
+  it "raises Invalid if tag starts w/ a number" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div.*('0a') { 'hello' }
+      end
+    }.message.should.match /0a/
+  end
+
+  it "raises Invalid if tag is unknown: e.g. :footers" do
+    should.raise(StandardError) {
+      actual do
+        tag(:footers) { 'bye' }
+      end
+    }.message.should.match /footers/
+  end
+
+end # === describe :tag ===
+

data/specs/as_ruby/0020-tag_content.rb

@@ -0,0 +1,43 @@
+
+describe "HTML contents" do
+
+  it "uses last String value as content" do
+    target %^<p>Hello</p>^
+
+    actual do
+      p { "Hello" }
+    end
+  end
+
+  it "closes tag with :/" do
+    target %^<p></p>^
+    actual {
+      p./
+    }
+  end
+
+  it "does not give end-tags to void tags (self-closing tags)" do
+    target %^<br />\n<img />^
+    actual {
+      br./
+      img./
+    }
+  end
+
+  it "escapes inner text" do
+    target %^<p>&amp; here lies jack</p>^
+
+    actual do
+      p { "& here lies jack" }
+    end
+  end
+
+  it "strips out W3C unallowed Unicode chars" do
+    target %^<div>hello      hello</div>^
+    actual do
+      div { "hello \u0340\u0341\u17a3\u17d3\u2028\u2029 hello" }
+    end
+  end
+
+end # === describe HTML contents
+

data/specs/as_ruby/0021-body.rb

@@ -0,0 +1,16 @@
+
+describe "body with inner style" do
+
+  it "uses 'body' instead of id" do
+    target :style, %^
+      body {
+        border-width: 3px;
+      }
+    ^
+
+    actual {
+      border_width '3px'
+    }
+  end
+
+end # === describe

data/specs/as_ruby/0021-form.rb

@@ -0,0 +1,22 @@
+
+describe :forms do
+
+  it "requires a CSRF token" do
+    should.raise(Mustache::ContextMiss) {
+      actual do
+        form.action('/home') {
+        }
+      end
+    }.message.should.match /auth_token/
+  end
+
+  it "raises Invalid_Relative_HREF if :action is not a relative url" do
+    should.raise(Escape_Escape_Escape::Invalid_Relative_HREF) {
+      actual :auth_token => 'mytoken' do
+        form.action('http://www.google.com/') {}
+      end
+    }.message.should.match /google.com/
+  end
+
+end # === describe :forms ===
+

data/specs/as_ruby/0021-link.rb

@@ -0,0 +1,26 @@
+
+describe :link do
+
+  it "raises Invalid_Relative_HREF" do
+    should.raise(Escape_Escape_Escape::Invalid_Relative_HREF) {
+      actual do
+        link.href('http://www.google.com/')./
+      end
+    }.message.should.match /google/
+  end
+
+  it "escapes slashes in :href" do
+    target %^<link href="&#47;css&#47;css&#47;styles.css" />^
+    actual {
+      link.href('/css/css/styles.css')./
+    }
+  end
+
+  it "allows a relative :href" do
+    target %^<link href="&#47;css.css" />^
+    actual {
+      link.href('/css.css')./
+    }
+  end
+
+end # === describe :link

data/specs/as_ruby/0021-script.rb

@@ -0,0 +1,44 @@
+
+describe :script do
+
+  it "raises Invalid_Relative_HREF if :src is not relative" do
+    should.raise(Escape_Escape_Escape::Invalid_Relative_HREF) {
+      actual do
+        script.src('http://www.example.org/file.js')./
+      end
+    }.message.should.match /example\.org/
+  end
+
+  it "allows a relative :src" do
+    target %^<script src="&#47;file.js"></script>^
+    actual {
+      script.src('/file.js')./
+    }
+  end
+
+  it "escapes slashes in attr :src" do
+    target %^<script src="&#47;dir&#47;file.js"></script>^
+    actual {
+      script.src('/dir/file.js')./
+    }
+  end
+
+  it "does not allow vars in :script :src attribute" do
+    target :body, <<-EOF
+      <script src="help"></script>
+    EOF
+
+    actual do
+      script.src(:help)
+    end
+  end
+
+  it "ignores text for :script block" do
+    target %^<script src="&#47;hello.js"></script>^
+    actual {
+      script.src('/hello.js') { 'hello' }
+    }
+  end
+
+
+end # === describe :JS ===

data/specs/as_ruby/0030-mustache.rb

@@ -0,0 +1,113 @@
+
+describe :mustache do
+
+  it "replaces values with hash" do
+    target <<-EOF
+      <div>hello</div>
+    EOF
+
+    actual greeting: 'hello' do
+      div { :greeting }
+    end
+  end
+
+  it "raises ContextMiss for unauthorized methods" do
+    should.raise(Mustache::ContextMiss) {
+      target "nothing"
+      actual name: 'Bob' do
+        div { :object_id }
+      end
+    }.message.should.match /Can't find \.html\(:object_id\)/i
+
+    should.raise(Mustache::ContextMiss) {
+      target "nothing"
+      actual name: 'Bob' do
+        div { :to_s }
+      end
+    }.message.should.match /Can't find \.html\(:to_s\)/i
+  end
+
+  it "raises ContextMiss when an unknown value is requested" do
+    should.raise(Mustache::ContextMiss) {
+      actual name: 'Bob' do
+        div { :object_ids }
+      end
+    }.message.should.match /object_ids/
+  end
+
+  it "renders if inverted section and key is not defined" do
+    target <<-EOF
+      <div>hello</div>
+    EOF
+
+    actual {
+      render_unless(:here) { div { 'hello' } }
+    }
+  end
+
+  it "escapes html" do
+    target <<-EOF
+      <div>&amp; &#47; hello</div>
+    EOF
+
+    actual :hello=>'& / hello' do
+      div { :hello }
+    end
+  end
+
+  it "escapes html in nested values" do
+    target <<-EOF
+      <div id="my_box"><span>&amp; hello 1</span>
+        <span>&amp;&amp; hello 2</span></div>
+    EOF
+
+    actual(:hello=>{:msg=>'& hello 1', :goodbye=>nil}) {
+      div.*(:my_box) {
+        render_if(:hello) {
+          span { :msg } 
+          render_unless(:goodbye) { span { '&& hello 2' } }
+        }
+      }
+    }
+  end
+
+  it "escapes :href in nested values" do
+    target %^<div><div><a href="&#47;hello">hello</a></div></div>^
+    actual(o: {url: '/hello', msg: 'hello'}) {
+      div {
+        render_if(:o) {
+          div { a.href(:url) { :msg } }
+        }
+      }
+    }
+  end
+
+  it "does not allow vars to be used in form :action" do
+    target %^<form action="url"><input type="hidden" name="auth_token" value="hello" /></form>^
+
+    actual :auth_token => 'hello' do
+      form.action(:url) {}
+    end
+  end
+
+  it "does not allow vars to be used in :link :href" do
+    target %^<link href="hello" />^
+    actual {
+      link.href(:hello)./
+    }
+  end
+
+  it "raises ContextMiss if encounters unescaped value" do
+    should.raise(Mustache::ContextMiss) {
+      actual(blue: 'hello<') {
+        div { '-- {{{ blue }}}' }
+      }
+    }.message.should.match /blue/
+  end
+
+end # === describe Sanitize mustache ===
+
+
+
+
+

data/specs/as_ruby/0040-css.rb

@@ -0,0 +1,174 @@
+
+describe :css do
+
+  it "raises Invalid if class name has invalid chars: class=\"hi;o\"" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual {
+        div.^('hi;o') { 
+          border '1px solid #fff'
+          'hi o'
+        }
+      }
+    }.message.should.match /hi;o/
+  end
+
+  it "raises Invalid if css value has invalid chars: something *" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div {
+          background 'something *'
+        }
+      end
+    }.message.should.match /something \*/
+  end
+
+  it 'raises Invalid if css selector has invalid chars: s*s' do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div.^("s*s") { border '1px'}
+      end
+    }.message.should.match /s\*s/
+  end
+
+  it "raises Invalid if contains 'expression:'" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div {
+          background 'solid expression:'
+        }
+      end
+    }.message.should.match /expression:/
+  end
+
+  it "raises Invalid if contains 'expression&'" do
+    should.raise(Escape_Escape_Escape::Invalid) {
+      actual do
+        div {
+          background 'solid expression&'
+        }
+      end
+    }.message.should.match /expression&/
+  end
+
+  it "sanitizes urls" do
+    target :style, <<-EOF
+      div.box {
+        background-image: url(http:&#47;&#47;www.example.com&#47;back.png);
+      }
+    EOF
+
+    actual do
+      div.^(:box) {
+        background_image 'http://www.example.com/back.png'
+      }
+    end
+  end
+
+
+  # ==========================================================================
+  # ===========  end sanitization specs  =====================================
+  # ==========================================================================
+
+
+  it 'allows css selectors with valid chars: #my_box div.box' do
+    target :style, <<-EOF
+      #my_box div.box {
+        border: 1px;
+      }
+    EOF
+
+    actual {
+      div.*(:my_box) {
+        div.^(:box) { border '1px' }
+      }
+    }
+  end
+
+  it "adds a 'style' tag to 'head'" do
+    target :outer, :style, %^
+      <style type="text/css">
+        #the_box {
+          border-width: 10px;
+        }
+      </style>
+    ^
+
+    actual do
+      div.*(:the_box) {
+        border_width '10px'
+      }
+    end
+  end
+
+  it "uses id of element to add style" do
+    target :style, %^
+      #my_box {
+        border-width: 1px;
+      }
+    ^
+
+    actual do
+      div.*(:my_box) {
+        border_width '1px'
+      }
+    end
+  end
+
+  it "uses tag hierarchy if no id found" do
+    target :style, %^
+      div div span {
+        width: 20px;
+      }
+    ^
+
+    actual do
+      div { div { span { width '20px' } } }
+    end
+  end
+
+  it "does not include parents when element has id" do
+    target :style, <<-EOF
+      #my_box div.box {
+        border: 15px;
+      }
+    EOF
+
+    actual do
+      div.^(:top) {
+        div.*(:my_box) {
+          div.^(:box) { border '15px' }
+        }
+      }
+    end
+  end
+
+
+  it "does not accept vars for css values" do
+    target :style, %^
+      div {
+        border: something;
+      }
+    ^
+    actual {
+      div {
+        border :something
+      }
+    }
+  end
+
+  it "does not accept vars for css -image values" do
+    target :style, %^
+      div {
+        background-image: url(something);
+      }
+    ^
+    actual {
+      div {
+        background_image :something
+      }
+    }
+  end
+
+end # === sanitize css selectors
+
+

data/specs/as_ruby/0050-on.rb

@@ -0,0 +1,64 @@
+
+describe "HTML :on" do
+
+  it "escapes text as :html" do
+    target :script, <<-EOF
+      WWW_App.compile(
+        ["create_event",["div","click","add_class",["red&lt;red"]]]
+      );
+    EOF
+
+    actual do
+      div {
+        on(:click) { add_class "red<red" }
+      }
+    end
+  end
+
+  it "renders js" do
+    target :script, <<-EOF
+      WWW_App.compile(
+        #{
+          Escape_Escape_Escape.json_encode( ["create_event", [ "#my_box", "click", "add_class", ["hello"] ] ] )
+        }
+      );
+    EOF
+
+    actual {
+      div.*(:my_box) {
+        on(:click) { add_class :hello }
+      }
+    }
+  end
+
+  it "adds class to id of element: #id.class" do
+    target :style, %^
+      #me.highlight {
+        border-color: #fff;
+      }
+    ^
+
+    actual do
+      div.*(:me) {
+        on(:highlight) { border_color '#fff' }
+      }
+    end
+  end
+
+  it "adds a psuedo class if passed a String" do
+    target :style, <<-EOF
+      a:hover {
+        border: 12px;
+      }
+    EOF
+
+    actual {
+      a.href('/home') {
+        on(':hover') { border '12px' }
+      }
+    }
+  end
+
+end # === describe
+
+