author | Matthew Landauer <matthew@openaustralia.org> | 2013-01-25 15:12:16 +1100 |
---|---|---|
committer | Matthew Landauer <matthew@openaustralia.org> | 2013-01-25 15:12:16 +1100 |
commit | 4e74f0fcdcb0820865689cc0595cf0c83aee7cab (patch) | |
tree | 1fd4a83516acaad73d88f0d7f011caf045ab5a17 /spec/lib | |
parent | 65680320bee44812394041492c8492e95b1a3d78 (diff) | |
parent | a67666e34c280d2b9eb613f57d96ba4ee5fcd749 (diff) |
Merge branch 'rails_xss' into rails-3-spike
Conflicts:
Gemfile
Gemfile.lock
config/environment.rb
lib/i18n_fixes.rb
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/i18n_interpolation.rb | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/spec/lib/i18n_interpolation.rb b/spec/lib/i18n_interpolation.rb
index 6b745059c..e8d046757 100644
--- a/spec/lib/i18n_interpolation.rb
+++ b/spec/lib/i18n_interpolation.rb
@@ -8,5 +8,43 @@ describe "when using i18n" do
 result = _('Hello {{dip}}', :dip => 'hummus')
 result.should == 'Hello hummus'
 end
+
+ it "should assume that simple translations are always html safe" do
+ _("Hello").should be_html_safe
+ end
+
 end
+describe "gettext_interpolate" do
+ context "html unsafe string" do
+ let(:string) { "Hello {{a}}" }
+
+ it "should give an unsafe result" do
+ result = gettext_interpolate(string, :a => "foo")
+ result.should == "Hello foo"
+ result.should_not be_html_safe
+ end
+
+ it "should give an unsafe result" do
+ result = gettext_interpolate(string, :a => "foo".html_safe)
+ result.should == "Hello foo"
+ result.should_not be_html_safe
+ end
+ end
+
+ context "html safe string" do
+ let(:string) { "Hello {{a}}".html_safe }
+
+ it "should quote the input if it's unsafe" do
+ result = gettext_interpolate(string, :a => "foo&")
+ result.should == "Hello foo&"
+ result.should be_html_safe
+ end
+
+ it "should not quote the input if it's safe" do
+ result = gettext_interpolate(string, :a => "foo&".html_safe)
+ result.should == "Hello foo&"
+ result.should be_html_safe
+ end
+ end
+end |
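Review bot: In the "html safe string" context both examples expect the same value, `"Hello foo&"`, for the unsafe and the already-safe argument, so as shown these specs cannot tell an escaped interpolation from an unescaped one. If that is not an artefact of how this page renders entities, the unsafe case should pin the escaped form, e.g. `result.should == "Hello foo&amp;"`, and it would be worth covering `<`, `>` and `"` as well as `&`, since those are the characters that matter for markup injection. The two examples in the "html unsafe string" context also share the description "should give an unsafe result"; the second could read `it "should give an unsafe result even if the argument is html safe" do`. Separately, `_("Hello").should be_html_safe` pins the assumption that catalogue strings are trusted markup, so a comment stating that translation files are therefore part of the trusted input would help; the implementations of `_` and `gettext_interpolate` are outside this hunk.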