From 9bbe54b368240d210ebc1ee5c5af15fd1b2d4c7c Mon Sep 17 00:00:00 2001
From: Matthew Landauer
Date: Fri, 25 Jan 2013 15:38:36 +1100
Subject: Remove rails_xss plugin
---
 vendor/plugins/rails_xss/MIT-LICENSE | 20 -
 vendor/plugins/rails_xss/README.markdown | 91 --
 vendor/plugins/rails_xss/Rakefile | 23 -
 vendor/plugins/rails_xss/init.rb | 9 -
 vendor/plugins/rails_xss/lib/rails_xss.rb | 3 -
 .../plugins/rails_xss/lib/rails_xss/action_view.rb | 111 --
 vendor/plugins/rails_xss/lib/rails_xss/erubis.rb | 35 -
 .../plugins/rails_xss/lib/rails_xss/string_ext.rb | 65 -
 .../rails_xss/lib/tasks/rails_xss_tasks.rake | 4 -
 .../rails_xss/test/active_record_helper_test.rb | 74 -
 .../rails_xss/test/asset_tag_helper_test.rb | 49 -
 vendor/plugins/rails_xss/test/caching_test.rb | 54 -
 vendor/plugins/rails_xss/test/content_for_test.rb | 39 -
 vendor/plugins/rails_xss/test/date_helper_test.rb | 29 -
 .../test/deprecated_output_safety_test.rb | 112 --
 vendor/plugins/rails_xss/test/erb_util_test.rb | 36 -
 vendor/plugins/rails_xss/test/form_helper_test.rb | 1447 --------------------
 .../plugins/rails_xss/test/form_tag_helper_test.rb | 354 -----
 .../rails_xss/test/javascript_helper_test.rb | 10 -
 .../plugins/rails_xss/test/output_escaping_test.rb | 19 -
 .../plugins/rails_xss/test/output_safety_test.rb | 115 --
 vendor/plugins/rails_xss/test/rails_xss_test.rb | 23 -
 .../rails_xss/test/raw_output_helper_test.rb | 18 -
 vendor/plugins/rails_xss/test/safe_buffer_test.rb | 51 -
 vendor/plugins/rails_xss/test/tag_helper_test.rb | 21 -
 vendor/plugins/rails_xss/test/test_helper.rb | 6 -
 vendor/plugins/rails_xss/test/text_helper_test.rb | 30 -
 vendor/plugins/rails_xss/test/url_for_test.rb | 39 -
 28 files changed, 2887 deletions(-)
 delete mode 100644 vendor/plugins/rails_xss/MIT-LICENSE
 delete mode 100644 vendor/plugins/rails_xss/README.markdown
 delete mode 100644 vendor/plugins/rails_xss/Rakefile
 delete mode 100644 vendor/plugins/rails_xss/init.rb
 delete mode 100644 vendor/plugins/rails_xss/lib/rails_xss.rb
 delete mode 100644 vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
 delete mode 100644 vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
 delete mode 100644 vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
 delete mode 100644 vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake
 delete mode 100644 vendor/plugins/rails_xss/test/active_record_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/asset_tag_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/caching_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/content_for_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/date_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/erb_util_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/form_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/form_tag_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/javascript_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/output_escaping_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/output_safety_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/rails_xss_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/raw_output_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/safe_buffer_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/tag_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/test_helper.rb
 delete mode 100644 vendor/plugins/rails_xss/test/text_helper_test.rb
 delete mode 100644 vendor/plugins/rails_xss/test/url_for_test.rb
diff --git a/vendor/plugins/rails_xss/MIT-LICENSE b/vendor/plugins/rails_xss/MIT-LICENSE
deleted file mode 100644
index ed44a7bde..000000000
--- a/vendor/plugins/rails_xss/MIT-LICENSE
+++ /dev/null
@@ -1,20 +0,0 @@
-Copyright (c) 2009 Koziarski Software Ltd.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/plugins/rails_xss/README.markdown b/vendor/plugins/rails_xss/README.markdown
deleted file mode 100644
index 1222ef38d..000000000
--- a/vendor/plugins/rails_xss/README.markdown
+++ /dev/null
@@ -1,91 +0,0 @@ -RailsXss -======== - -This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0. - -Strings now have a notion of "html safe", which is false by default. Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first. - -All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified. If you have your own helpers which return strings you *know* are safe, you will need to explicitly tell rails that they're safe. For an example, take the following helper. - - - def some_helper - (1..5).map do |i| - "
  • #{i}
  • " - end.join("\n") - end - -With this plugin installed, the html will be escaped. So you will need to do one of the following: - -1) Use the raw helper in your template. raw will ensure that your string is copied verbatim into the response body. - - <%= raw some_helper %> - -2) Mark the string as safe in the helper itself: - - def some_helper - (1..5).map do |i| - "
  • #{i}
  • " - end.join("\n").html_safe - end - -3) Use the `safe_helper` meta programming method (WARNING: This is not supported by Rails 3, so if you're planning to -eventually upgrade your app this alternative is not recommended): - - module ApplicationHelper - def some_helper - #... - end - safe_helper :some_helper # not supported by Rails 3 - end - -Example -------- - -BEFORE: - - <%= params[:own_me] %> => XSS attack - <%=h params[:own_me] %> => No XSS - <%= @blog_post.content %> => Displays the HTML - -AFTER: - - <%= params[:own_me] %> => No XSS - <%=h params[:own_me] %> => No XSS (same result) - <%= @blog_post.content %> => *escapes* the HTML - <%= raw @blog_post.content %> => Displays the HTML - - -Gotchas ---- - -#### textilize and simple_format do *not* return safe strings - -Both these methods support arbitrary HTML and are *not* safe to embed directly in your document. You'll need to do something like: - - <%= sanitize(textilize(@blog_post.content_textile)) %> - -#### Safe strings aren't magic. - -Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+. All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like - - value = something_safe - value.gsub!(/a/, params[:own_me]) - -Don't do that. - -#### String interpolation won't be safe, even when it 'should' be - - value = "#{something_safe}#{something_else_safe}" - value.html_safe? # => false - -This is intended functionality and can't be fixed. - -Getting Started -=============== - -1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable. -2. Install erubis (gem install erubis) -3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git) -4. Report anything that breaks. - -Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution. 
diff --git a/vendor/plugins/rails_xss/Rakefile b/vendor/plugins/rails_xss/Rakefile
deleted file mode 100644
index 929ecbb81..000000000
--- a/vendor/plugins/rails_xss/Rakefile
+++ /dev/null
@@ -1,23 +0,0 @@
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
-
-desc 'Default: run unit tests.'
-task :default => :test
-
-desc 'Test the rails_xss plugin.'
-Rake::TestTask.new(:test) do |t|
- t.libs << 'lib'
- t.libs << 'test'
- t.pattern = 'test/**/*_test.rb'
- t.verbose = true
-end
-
-desc 'Generate documentation for the rails_xss plugin.'
-Rake::RDocTask.new(:rdoc) do |rdoc|
- rdoc.rdoc_dir = 'rdoc'
- rdoc.title = 'RailsXss'
- rdoc.options << '--line-numbers' << '--inline-source'
- rdoc.rdoc_files.include('README')
- rdoc.rdoc_files.include('lib/**/*.rb')
-end
diff --git a/vendor/plugins/rails_xss/init.rb b/vendor/plugins/rails_xss/init.rb
deleted file mode 100644
index 533eb1f36..000000000
--- a/vendor/plugins/rails_xss/init.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-unless $gems_rake_task
- if Rails::VERSION::MAJOR >= 3
- $stderr.puts "You don't need to install rails_xss as a plugin for Rails 3 and after."
- elsif Rails::VERSION::MAJOR <= 2 && Rails::VERSION::MINOR <= 3 && Rails::VERSION::TINY <= 7
- $stderr.puts "rails_xss requires Rails 2.3.8 or later. Please upgrade to enable automatic HTML safety."
- else
- require 'rails_xss'
- end
-end
diff --git a/vendor/plugins/rails_xss/lib/rails_xss.rb b/vendor/plugins/rails_xss/lib/rails_xss.rb
deleted file mode 100644
index 46d1b9a4a..000000000
--- a/vendor/plugins/rails_xss/lib/rails_xss.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-require 'rails_xss/erubis'
-require 'rails_xss/action_view'
-require 'rails_xss/string_ext'
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
deleted file mode 100644
index c3f5e47df..000000000
--- a/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
+++ /dev/null
@@ -1,111 +0,0 @@ -module ActionView - class Base - def self.xss_safe? - true - end - - module WithSafeOutputBuffer - # Rails version of with_output_buffer uses '' as the default buf - def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc: - super buf - end - end - - include WithSafeOutputBuffer - end - - module Helpers - module CaptureHelper - def content_for(name, content = nil, &block) - ivar = "@content_for_#{name}" - content = capture(&block) if block_given? - instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe) - nil - end - end - - module TextHelper - def concat(string, unused_binding = nil) - if unused_binding - ActiveSupport::Deprecation.warn("The binding argument of #concat is no longer needed. Please remove it from your views and helpers.", caller) - end - - output_buffer.concat(string) - end - - def simple_format(text, html_options={}) - start_tag = tag('p', html_options, true) - text = ERB::Util.h(text).to_str.dup - text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n - text.gsub!(/\n\n+/, "

    \n\n#{start_tag}") # 2+ newline -> paragraph - text.gsub!(/([^\n]\n)(?=[^\n])/, '\1
    ') # 1 newline -> br - text.insert 0, start_tag - text.html_safe.safe_concat("

    ") - end - end - - module TagHelper - private - def content_tag_string_with_escaping(name, content, options, escape = true) - content_tag_string_without_escaping(name, escape ? ERB::Util.h(content) : content, options, escape) - end - alias_method_chain :content_tag_string, :escaping - end - - module UrlHelper - def link_to(*args, &block) - if block_given? - options = args.first || {} - html_options = args.second - concat(link_to(capture(&block), options, html_options)) - else - name = args.first - options = args.second || {} - html_options = args.third - - url = url_for(options) - - if html_options - html_options = html_options.stringify_keys - href = html_options['href'] - convert_options_to_javascript!(html_options, url) - tag_options = tag_options(html_options) - else - tag_options = nil - end - - href_attr = "href=\"#{url}\"" unless href - "#{ERB::Util.h(name || url)}".html_safe - end - end - end - - module JavaScriptHelper - def escape_javascript(javascript) - if javascript - javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] } - else - '' - end - end - end - end -end - -module RailsXss - module SafeHelpers - def safe_helper(*names) - names.each do |helper_method_name| - aliased_target, punctuation = helper_method_name.to_s.sub(/([?!=])$/, ''), $1 - module_eval <<-END - def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block) - raw(#{aliased_target}_without_xss_safety#{punctuation}(*args, &block)) - end - END - alias_method_chain helper_method_name, :xss_safety - end - end - end -end - -Module.class_eval { include RailsXss::SafeHelpers } diff --git a/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb deleted file mode 100644 index c8171c669..000000000 --- a/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb +++ /dev/null 
@@ -1,35 +0,0 @@
-require 'erubis/helpers/rails_helper'
-
-module RailsXss
- class Erubis < ::Erubis::Eruby
- def add_preamble(src)
- src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
- end
-
- def add_text(src, text)
- return if text.empty?
- src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
- end
-
- BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
- def add_expr_literal(src, code)
- if code =~ BLOCK_EXPR
- src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
- else
- src << '@output_buffer << ((' << code << ').to_s);'
- end
- end
-
- def add_expr_escaped(src, code)
- src << '@output_buffer << ' << escaped_expr(code) << ';'
- end
-
- def add_postamble(src)
- src << '@output_buffer.to_s'
- end
- end
-end
-
-Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis
-Erubis::Helpers::RailsHelper.show_src = false
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
deleted file mode 100644
index ee32e47c8..000000000
--- a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-require 'active_support/deprecation'
-
-ActiveSupport::SafeBuffer.class_eval do
- def concat(value)
- if value.html_safe?
- super(value)
- else
- super(ERB::Util.h(value))
- end
- end
- alias << concat
- UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
-
- for unsafe_method in UNSAFE_STRING_METHODS
- class_eval <<-EOT, __FILE__, __LINE__ + 1
- def #{unsafe_method}(*args)
- super.to_str
- end
-
- def #{unsafe_method}!(*args)
- raise TypeError, "Cannot modify SafeBuffer in place"
- end
- EOT
- end
-end
-
-class String
- def html_safe?
- defined?(@_rails_html_safe)
- end
-
- def html_safe!
- ActiveSupport::Deprecation.warn("Use html_safe with your strings instead of html_safe! See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for the full story.", caller)
- @_rails_html_safe = true
- self
- end
-
- def add_with_safety(other)
- result = add_without_safety(other)
- if html_safe? && also_html_safe?(other)
- result.html_safe!
- else
- result
- end
- end
- alias_method :add_without_safety, :+
- alias_method :+, :add_with_safety
-
- def concat_with_safety(other_or_fixnum)
- result = concat_without_safety(other_or_fixnum)
- unless html_safe? && also_html_safe?(other_or_fixnum)
- remove_instance_variable(:@_rails_html_safe) if defined?(@_rails_html_safe)
- end
- result
- end
-
- alias_method_chain :concat, :safety
- undef_method :<<
- alias_method :<<, :concat_with_safety
-
- private
- def also_html_safe?(other)
- other.respond_to?(:html_safe?) && other.html_safe?
- end
-end
diff --git a/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake b/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake
deleted file mode 100644
index b8659f089..000000000
--- a/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake
+++ /dev/null
@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :rails_xss do
-# # Task goes here
-# end
diff --git a/vendor/plugins/rails_xss/test/active_record_helper_test.rb b/vendor/plugins/rails_xss/test/active_record_helper_test.rb
deleted file mode 100644
index 728ec0ac6..000000000
--- a/vendor/plugins/rails_xss/test/active_record_helper_test.rb
+++ /dev/null
@@ -1,74 +0,0 @@ -require 'test_helper' - -class ActiveRecordHelperTest < ActionView::TestCase - silence_warnings do - Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on) - Post.class_eval do - alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast) - alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast) - alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast) - end - end - - def setup_post - @post = Post.new - def @post.errors - Class.new { - def on(field) - case field.to_s - when "author_name" - "can't be empty" - when "body" - true - else - false - end - end - def empty?() false end - def count() 1 end - def full_messages() [ "Author name can't be empty" ] end - }.new - end - - def @post.new_record?() true end - def @post.to_param() nil end - - def @post.column_for_attribute(attr_name) - Post.content_columns.select { |column| column.name == attr_name }.first - end - - silence_warnings do - def Post.content_columns() [ Column.new(:string, "title", "Title"), Column.new(:text, "body", "Body") ] end - end - - @post.title = "Hello World" - @post.author_name = "" - @post.body = "Back to the hill and over it again!" - @post.secret = 1 - @post.written_on = Date.new(2004, 6, 15) - end - - def setup - setup_post - - @response = ActionController::TestResponse.new - - @controller = Object.new - def @controller.url_for(options) - options = options.symbolize_keys - - [options[:action], options[:id].to_param].compact.join('/') - end - end - - def test_text_field_with_errors_is_safe - assert text_field("post", "author_name").html_safe? - end - - def test_text_field_with_errors - assert_dom_equal( - %(
    ), - text_field("post", "author_name") - ) - end -end diff --git a/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb b/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb deleted file mode 100644 index f58feda3d..000000000 --- a/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb +++ /dev/null @@ -1,49 +0,0 @@ -require 'test_helper' - -class AssetTagHelperTest < ActionView::TestCase - def setup - @controller = Class.new do - attr_accessor :request - def url_for(*args) "http://www.example.com" end - end.new - end - - def test_auto_discovery_link_tag - assert_dom_equal(%(), - auto_discovery_link_tag(:atom, {}, {:rel => "Not so alternate"})) - end - - def test_javascript_include_tag_with_blank_asset_id - ENV["RAILS_ASSET_ID"] = "" - assert_dom_equal(%(\n\n\n\n\n), - javascript_include_tag("test", :defaults)) - end - - def test_javascript_include_tag_with_given_asset_id - ENV["RAILS_ASSET_ID"] = "1" - assert_dom_equal(%(\n\n\n\n), - javascript_include_tag(:defaults)) - ENV["RAILS_ASSET_ID"] = "" - end - - def test_javascript_include_tag_is_html_safe - assert javascript_include_tag(:defaults).html_safe? - assert javascript_include_tag("prototype").html_safe? - end - - def test_stylesheet_link_tag - assert_dom_equal(%(), - stylesheet_link_tag("http://www.example.com/styles/style")) - end - - def test_stylesheet_link_tag_is_html_safe - assert stylesheet_link_tag('dir/file').html_safe? - assert stylesheet_link_tag('dir/other/file', 'dir/file2').html_safe? - assert stylesheet_tag('dir/file', {}).html_safe? - end - - def test_image_tag - assert_dom_equal(%(Mouse), - image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) - end -end diff --git a/vendor/plugins/rails_xss/test/caching_test.rb b/vendor/plugins/rails_xss/test/caching_test.rb deleted file mode 100644 index 3ea41e8b5..000000000 --- a/vendor/plugins/rails_xss/test/caching_test.rb +++ /dev/null 
@@ -1,54 +0,0 @@
-require 'test_helper'
-
-CACHE_DIR = 'test_cache'
-# Don't change '/../temp/' cavalierly or you might hose something you don't want hosed
-FILE_STORE_PATH = File.join(File.dirname(__FILE__), '/../temp/', CACHE_DIR)
-ActionController::Base.page_cache_directory = FILE_STORE_PATH
-ActionController::Base.cache_store = :file_store, FILE_STORE_PATH
-
-class FragmentCachingTestController < ActionController::Base
- def some_action; end;
-end
-
-class FragmentCachingTest < ActionController::TestCase
- def setup
- ActionController::Base.perform_caching = true
- @store = ActiveSupport::Cache::MemoryStore.new
- ActionController::Base.cache_store = @store
- @controller = FragmentCachingTestController.new
- @params = {:controller => 'posts', :action => 'index'}
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- @controller.params = @params
- @controller.request = @request
- @controller.response = @response
- @controller.send(:initialize_current_url)
- @controller.send(:initialize_template_class, @response)
- @controller.send(:assign_shortcuts, @request, @response)
- end
-
- def test_fragment_for
- @store.write('views/expensive', 'fragment content')
- fragment_computed = false
-
- buffer = 'generated till now -> '.html_safe
- @controller.fragment_for(buffer, 'expensive') { fragment_computed = true }
-
- assert !fragment_computed
- assert_equal 'generated till now -> fragment content', buffer
- end
-
- def test_html_safety
- assert_nil @store.read('views/name')
- content = 'value'.html_safe
- assert_equal content, @controller.write_fragment('name', content)
-
- cached = @store.read('views/name')
- assert_equal content, cached
- assert_equal String, cached.class
-
- html_safe = @controller.read_fragment('name')
- assert_equal content, html_safe
- assert html_safe.html_safe?
- end
-end
diff --git a/vendor/plugins/rails_xss/test/content_for_test.rb b/vendor/plugins/rails_xss/test/content_for_test.rb deleted file mode 100644 index 45ba6762c..000000000 --- a/vendor/plugins/rails_xss/test/content_for_test.rb +++ /dev/null @@ -1,39 +0,0 @@ -require 'test_helper' - -class ContentForTest < ActionView::TestCase - - def test_content_for_should_yield_html_safe_string - content_for(:testing, "Some

    html

    ") - content = instance_variable_get(:"@content_for_testing") - assert content.html_safe? - end - - def test_content_for_should_escape_content - content_for(:testing, "Some

    html

    ") - content = instance_variable_get(:"@content_for_testing") - expected = %{Some <p>html</p>} - assert_dom_equal expected, content - end - - def test_content_for_should_not_escape_html_safe_content - content_for(:testing, "Some

    html

    ".html_safe) - content = instance_variable_get(:"@content_for_testing") - expected = %{Some

    html

    } - assert_dom_equal expected, content - end - - def test_content_for_should_escape_content_from_block - content_for(:testing){ "Some

    html

    " } - content = instance_variable_get(:"@content_for_testing") - expected = %{Some <p>html</p>} - assert_dom_equal expected, content - end - - def test_content_for_should_not_escape_html_safe_content_from_block - content_for(:testing){ "Some

    html

    ".html_safe } - content = instance_variable_get(:"@content_for_testing") - expected = %{Some

    html

    } - assert_dom_equal expected, content - end - -end diff --git a/vendor/plugins/rails_xss/test/date_helper_test.rb b/vendor/plugins/rails_xss/test/date_helper_test.rb deleted file mode 100644 index daf010274..000000000 --- a/vendor/plugins/rails_xss/test/date_helper_test.rb +++ /dev/null @@ -1,29 +0,0 @@ -require 'test_helper' - -class DateHelperTest < ActionView::TestCase - silence_warnings do - Post = Struct.new("Post", :id, :written_on, :updated_at) - end - - def test_select_html_safety - assert select_day(16).html_safe? - assert select_month(8).html_safe? - assert select_year(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? - assert select_minute(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? - assert select_second(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? - - assert select_minute(8, :use_hidden => true).html_safe? - assert select_month(8, :prompt => 'Choose month').html_safe? - - assert select_time(Time.mktime(2003, 8, 16, 8, 4, 18), {}, :class => 'selector').html_safe? - assert select_date(Time.mktime(2003, 8, 16), :date_separator => " / ", :start_year => 2003, :end_year => 2005, :prefix => "date[first]").html_safe? - end - - def test_object_select_html_safety - @post = Post.new - @post.written_on = Date.new(2004, 6, 15) - - assert date_select("post", "written_on", :default => Time.local(2006, 9, 19, 15, 16, 35), :include_blank => true).html_safe? - assert time_select("post", "written_on", :ignore_date => true).html_safe? - end -end diff --git a/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb b/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb deleted file mode 100644 index e16f7ce0d..000000000 --- a/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb +++ /dev/null 
@@ -1,112 +0,0 @@ -require 'test_helper' - -class DeprecatedOutputSafetyTest < ActiveSupport::TestCase - def setup - @string = "hello" - end - - test "A string can be marked safe using html_safe!" do - assert_deprecated do - @string.html_safe! - assert @string.html_safe? - end - end - - test "Marking a string safe returns the string using html_safe!" do - assert_deprecated do - assert_equal @string, @string.html_safe! - end - end - - test "Adding a safe string to another safe string returns a safe string using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - @string.html_safe! - @combination = @other_string + @string - - assert_equal "otherhello", @combination - assert @combination.html_safe? - end - end - - test "Adding an unsafe string to a safe string returns an unsafe string using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - @combination = @other_string + "" - @other_combination = @string + "" - - assert_equal "other", @combination - assert_equal "hello", @other_combination - - assert !@combination.html_safe? - assert !@other_combination.html_safe? - end - end - - test "Concatting safe onto unsafe yields unsafe using html_safe!" do - assert_deprecated do - @other_string = "other" - @string.html_safe! - - @other_string.concat(@string) - assert !@other_string.html_safe? - end - end - - test "Concatting unsafe onto safe yields unsafe using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - string = @other_string.concat("") - assert_equal "other", string - assert !string.html_safe? - end - end - - test "Concatting safe onto safe yields safe using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - @string.html_safe! - - @other_string.concat(@string) - assert @other_string.html_safe? - end - end - - test "Concatting safe onto unsafe with << yields unsafe using html_safe!" do - assert_deprecated do - @other_string = "other" - @string.html_safe! 
- - @other_string << @string - assert !@other_string.html_safe? - end - end - - test "Concatting unsafe onto safe with << yields unsafe using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - string = @other_string << "" - assert_equal "other", string - assert !string.html_safe? - end - end - - test "Concatting safe onto safe with << yields safe using html_safe!" do - assert_deprecated do - @other_string = "other".html_safe! - @string.html_safe! - - @other_string << @string - assert @other_string.html_safe? - end - end - - test "Concatting a fixnum to safe always yields safe using html_safe!" do - assert_deprecated do - @string.html_safe! - @string.concat(13) - assert_equal "hello".concat(13), @string - assert @string.html_safe? - end - end -end diff --git a/vendor/plugins/rails_xss/test/erb_util_test.rb b/vendor/plugins/rails_xss/test/erb_util_test.rb deleted file mode 100644 index 9a04d38e6..000000000 --- a/vendor/plugins/rails_xss/test/erb_util_test.rb +++ /dev/null @@ -1,36 +0,0 @@ -require 'test_helper' - -class ErbUtilTest < Test::Unit::TestCase - include ERB::Util - - ERB::Util::HTML_ESCAPE.each do |given, expected| - define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do - assert_equal expected, html_escape(given) - end - - unless given == '"' - define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do - assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given) - end - end - end - - def test_html_escape_is_html_safe - escaped = h("

    ") - assert_equal "<p>", escaped - assert escaped.html_safe? - end - - def test_html_escape_passes_html_escpe_unmodified - escaped = h("

    ".html_safe) - assert_equal "

    ", escaped - assert escaped.html_safe? - end - - def test_rest_in_ascii - (0..127).to_a.map {|int| int.chr }.each do |chr| - next if %w(& " < >).include?(chr) - assert_equal chr, html_escape(chr) - end - end -end diff --git a/vendor/plugins/rails_xss/test/form_helper_test.rb b/vendor/plugins/rails_xss/test/form_helper_test.rb deleted file mode 100644 index e5580d26c..000000000 --- a/vendor/plugins/rails_xss/test/form_helper_test.rb +++ /dev/null 
@@ -1,1447 +0,0 @@
-require 'test_helper'
-
-silence_warnings do
- Post = Struct.new(:title, :author_name, :body, :secret, :written_on, :cost)
- Post.class_eval do
- alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast)
- alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast)
- alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast)
- alias_method :secret?, :secret
-
- def new_record=(boolean)
- @new_record = boolean
- end
-
- def new_record?
- @new_record
- end
-
- attr_accessor :author
- def author_attributes=(attributes); end
-
- attr_accessor :comments
- def comments_attributes=(attributes); end
-
- attr_accessor :tags
- def tags_attributes=(attributes); end
- end
-
- class Comment
- attr_reader :id
- attr_reader :post_id
- def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end
- def save; @id = 1; @post_id = 1 end
- def new_record?; @id.nil? end
- def to_param; @id; end
- def name
- @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
- end
-
- attr_accessor :relevances
- def relevances_attributes=(attributes); end
-
- end
-
- class Tag
- attr_reader :id
- attr_reader :post_id
- def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end
- def save; @id = 1; @post_id = 1 end
- def new_record?; @id.nil? end
- def to_param; @id; end
- def value
- @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
- end
-
- attr_accessor :relevances
- def relevances_attributes=(attributes); end
-
- end
-
- class CommentRelevance
- attr_reader :id
- attr_reader :comment_id
- def initialize(id = nil, comment_id = nil); @id, @comment_id = id, comment_id end
- def save; @id = 1; @comment_id = 1 end
- def new_record?; @id.nil? end
- def to_param; @id; end
- def value
- @id.nil? ? 
"new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
- end
- end
-
- class TagRelevance
- attr_reader :id
- attr_reader :tag_id
- def initialize(id = nil, tag_id = nil); @id, @tag_id = id, tag_id end
- def save; @id = 1; @tag_id = 1 end
- def new_record?; @id.nil? end
- def to_param; @id; end
- def value
- @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
- end
- end
-
- class Author < Comment
- attr_accessor :post
- def post_attributes=(attributes); end
- end
-end
-
-class FormHelperTest < ActionView::TestCase
- tests ActionView::Helpers::FormHelper
-
- def setup
- super
-
- # Create "label" locale for testing I18n label helpers
- I18n.backend.store_translations 'label', {
- :helpers => {
- :label => {
- :post => {
- :body => "Write entire text here"
- }
- }
- }
- }
-
- @post = Post.new
- @comment = Comment.new
- def @post.errors()
- Class.new{
- def on(field); "can't be empty" if field == "author_name"; end
- def empty?() false end
- def count() 1 end
- def full_messages() [ "Author name can't be empty" ] end
- }.new
- end
- def @post.id; 123; end
- def @post.id_before_type_cast; 123; end
- def @post.to_param; '123'; end
-
- @post.title = "Hello World"
- @post.author_name = ""
- @post.body = "Back to the hill and over it again!"
- @post.secret = 1
- @post.written_on = Date.new(2004, 6, 15)
-
- def Post.human_attribute_name(attribute)
- attribute.to_s == "cost" ? 
"Total cost" : attribute.to_s.humanize
- end
-
- @controller = Class.new do
- attr_reader :url_for_options
- def url_for(options)
- @url_for_options = options
- "http://www.example.com"
- end
- end
- @controller = @controller.new
- end
-
- def test_label
- assert_dom_equal('', label("post", "title"))
- assert_dom_equal('', label("post", "title", "The title goes here"))
- assert_dom_equal(
- '',
- label("post", "title", nil, :class => 'title_label')
- )
- assert_dom_equal('', label("post", "secret?"))
- end
-
- def test_label_with_symbols
- assert_dom_equal('', label(:post, :title))
- assert_dom_equal('', label(:post, :secret?))
- end
-
- def test_label_with_locales_strings
- old_locale, I18n.locale = I18n.locale, :label
- assert_dom_equal('', label("post", "body"))
- ensure
- I18n.locale = old_locale
- end
-
- def test_label_with_human_attribute_name
- old_locale, I18n.locale = I18n.locale, :label
- assert_dom_equal('', label(:post, :cost))
- ensure
- I18n.locale = old_locale
- end
-
- def test_label_with_locales_symbols
- old_locale, I18n.locale = I18n.locale, :label
- assert_dom_equal('', label(:post, :body))
- ensure
- I18n.locale = old_locale
- end
-
- def test_label_with_for_attribute_as_symbol
- assert_dom_equal('', label(:post, :title, nil, :for => "my_for"))
- end
-
- def test_label_with_for_attribute_as_string
- assert_dom_equal('', label(:post, :title, nil, "for" => "my_for"))
- end
-
- def test_label_with_id_attribute_as_symbol
- assert_dom_equal('', label(:post, :title, nil, :id => "my_id"))
- end
-
- def test_label_with_id_attribute_as_string
- assert_dom_equal('', label(:post, :title, nil, "id" => "my_id"))
- end
-
- def test_label_with_for_and_id_attributes_as_symbol
- assert_dom_equal('', label(:post, :title, nil, :for => "my_for", :id => "my_id"))
- end
-
- def test_label_with_for_and_id_attributes_as_string
- assert_dom_equal('', label(:post, :title, nil, "for" => "my_for", "id" => "my_id"))
- end
-
- def test_label_for_radio_buttons_with_value
- 
assert_dom_equal('', label("post", "title", "The title goes here", :value => "great_title"))
- assert_dom_equal('', label("post", "title", "The title goes here", :value => "great title"))
- end
-
- def test_text_field
- assert_dom_equal(
- '', text_field("post", "title")
- )
- assert_dom_equal(
- '', password_field("post", "title")
- )
- assert_dom_equal(
- '', password_field("person", "name")
- )
- end
-
- def test_text_field_with_escapes
- @post.title = "Hello World"
- assert_dom_equal(
- '', text_field("post", "title")
- )
- end
-
- def test_text_field_with_html_entities
- @post.title = "The HTML Entity for & is &"
- assert_dom_equal(
- '',
- text_field("post", "title")
- )
- end
-
- def test_text_field_with_options
- expected = ''
- assert_dom_equal expected, text_field("post", "title", "size" => 35)
- assert_dom_equal expected, text_field("post", "title", :size => 35)
- end
-
- def test_text_field_assuming_size
- expected = ''
- assert_dom_equal expected, text_field("post", "title", "maxlength" => 35)
- assert_dom_equal expected, text_field("post", "title", :maxlength => 35)
- end
-
- def test_text_field_removing_size
- expected = ''
- assert_dom_equal expected, text_field("post", "title", "maxlength" => 35, "size" => nil)
- assert_dom_equal expected, text_field("post", "title", :maxlength => 35, :size => nil)
- end
-
- def test_text_field_doesnt_change_param_values
- object_name = 'post[]'
- expected = ''
- assert_equal expected, text_field(object_name, "title")
- assert_equal object_name, "post[]"
- end
-
- def test_hidden_field
- assert_dom_equal '',
- hidden_field("post", "title")
- assert_dom_equal '',
- hidden_field("post", "secret?")
- end
-
- def test_hidden_field_with_escapes
- @post.title = "Hello World"
- assert_dom_equal '',
- hidden_field("post", "title")
- end
-
- def test_hidden_field_with_options
- assert_dom_equal '',
- hidden_field("post", "title", :value => "Something Else")
- end
-
- def test_check_box
- assert_dom_equal(
- '',
- 
check_box("post", "secret")
- )
- @post.secret = 0
- assert_dom_equal(
- '',
- check_box("post", "secret")
- )
- assert_dom_equal(
- '',
- check_box("post", "secret" ,{"checked"=>"checked"})
- )
- @post.secret = true
- assert_dom_equal(
- '',
- check_box("post", "secret")
- )
- assert_dom_equal(
- '',
- check_box("post", "secret?")
- )
-
- @post.secret = ['0']
- assert_dom_equal(
- '',
- check_box("post", "secret")
- )
- @post.secret = ['1']
- assert_dom_equal(
- '',
- check_box("post", "secret")
- )
- end
-
- def test_check_box_with_explicit_checked_and_unchecked_values
- @post.secret = "on"
- assert_dom_equal(
- '',
- check_box("post", "secret", {}, "on", "off")
- )
- end
-
- def test_checkbox_disabled_still_submits_checked_value
- assert_dom_equal(
- '',
- check_box("post", "secret", { :disabled => :true })
- )
- end
-
- def test_radio_button
- assert_dom_equal('',
- radio_button("post", "title", "Hello World")
- )
- assert_dom_equal('',
- radio_button("post", "title", "Goodbye World")
- )
- assert_dom_equal('',
- radio_button("item[subobject]", "title", "inside world")
- )
- end
-
- def test_radio_button_is_checked_with_integers
- assert_dom_equal('',
- radio_button("post", "secret", "1")
- )
- end
-
- def test_radio_button_respects_passed_in_id
- assert_dom_equal('',
- radio_button("post", "secret", "1", :id=>"foo")
- )
- end
-
- def test_radio_button_with_booleans
- assert_dom_equal('',
- radio_button("post", "secret", true)
- )
-
- assert_dom_equal('',
- radio_button("post", "secret", false)
- )
- end
-
- def test_text_area
- assert_dom_equal(
- '',
- text_area("post", "body")
- )
- end
-
- def test_text_area_with_escapes
- @post.body = "Back to the hill and over it again!" 
- assert_dom_equal(
- '',
- text_area("post", "body")
- )
- end
-
- def test_text_area_with_alternate_value
- assert_dom_equal(
- '',
- text_area("post", "body", :value => 'Testing alternate values.')
- )
- end
-
- def test_text_area_with_html_entities
- @post.body = "The HTML Entity for & is &"
- assert_dom_equal(
- '',
- text_area("post", "body")
- )
- end
-
- def test_text_area_with_size_option
- assert_dom_equal(
- '',
- text_area("post", "body", :size => "183x820")
- )
- end
-
- def test_explicit_name
- assert_dom_equal(
- '', text_field("post", "title", "name" => "dont guess")
- )
- assert_dom_equal(
- '',
- text_area("post", "body", "name" => "really!")
- )
- assert_dom_equal(
- '',
- check_box("post", "secret", "name" => "i mean it")
- )
- assert_dom_equal text_field("post", "title", "name" => "dont guess"),
- text_field("post", "title", :name => "dont guess")
- assert_dom_equal text_area("post", "body", "name" => "really!"),
- text_area("post", "body", :name => "really!")
- assert_dom_equal check_box("post", "secret", "name" => "i mean it"),
- check_box("post", "secret", :name => "i mean it")
- end
-
- def test_explicit_id
- assert_dom_equal(
- '', text_field("post", "title", "id" => "dont guess")
- )
- assert_dom_equal(
- '',
- text_area("post", "body", "id" => "really!")
- )
- assert_dom_equal(
- '',
- check_box("post", "secret", "id" => "i mean it")
- )
- assert_dom_equal text_field("post", "title", "id" => "dont guess"),
- text_field("post", "title", :id => "dont guess")
- assert_dom_equal text_area("post", "body", "id" => "really!"),
- text_area("post", "body", :id => "really!")
- assert_dom_equal check_box("post", "secret", "id" => "i mean it"),
- check_box("post", "secret", :id => "i mean it")
- end
-
- def test_auto_index
- pid = @post.id
- assert_dom_equal(
- "",
- label("post[]", "title")
- )
- assert_dom_equal(
- "", text_field("post[]","title")
- )
- assert_dom_equal(
- "",
- text_area("post[]", "body")
- )
- assert_dom_equal(
- "",
- 
check_box("post[]", "secret")
- )
- assert_dom_equal(
-"",
- radio_button("post[]", "title", "Hello World")
- )
- assert_dom_equal("",
- radio_button("post[]", "title", "Goodbye World")
- )
- end
-
- def test_form_for
- form_for(:post, @post, :html => { :id => 'create-post' }) do |f|
- concat f.label(:title)
- concat f.text_field(:title)
- concat f.text_area(:body)
- concat f.check_box(:secret)
- concat f.submit('Create post')
- end
-
- expected =
- "

    " + - "" + - "" + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_method - form_for(:post, @post, :html => { :id => 'create-post', :method => :put }) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "
    " + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_without_object - form_for(:post, :html => { :id => 'create-post' }) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_index - form_for("post[]", @post) do |f| - concat f.label(:title) - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "" + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_nil_index_option_override - form_for("post[]", @post, :index => nil) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for - form_for(:post, @post) do |f| - f.fields_for(:comment, @post) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_nested_collections - form_for('post[]', @post) do |f| - concat f.text_field(:title) - f.fields_for('comment[]', @comment) do |c| - concat c.text_field(:name) - end - end - - expected = "
    " + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_index_and_parent_fields - form_for('post', @post, :index => 1) do |c| - concat c.text_field(:title) - c.fields_for('comment', @comment, :index => 1) do |r| - concat r.text_field(:name) - end - end - - expected = "
    " + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_index_and_nested_fields_for - form_for(:post, @post, :index => 1) do |f| - f.fields_for(:comment, @post) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_index_on_both - form_for(:post, @post, :index => 1) do |f| - f.fields_for(:comment, @post, :index => 5) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_auto_index - form_for("post[]", @post) do |f| - f.fields_for(:comment, @post) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_index_radio_button - form_for(:post, @post) do |f| - f.fields_for(:comment, @post, :index => 5) do |c| - concat c.radio_button(:title, "hello") - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_auto_index_on_both - form_for("post[]", @post) do |f| - f.fields_for("comment[]", @post) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_index_and_auto_index - form_for("post[]", @post) do |f| - f.fields_for(:comment, @post, :index => 5) do |c| - concat c.text_field(:title) - end - end - - form_for(:post, @post, :index => 1) do |f| - f.fields_for("comment[]", @post) do |c| - concat c.text_field(:title) - end - end - - expected = "
    " + - "" + - "
    " + - "
    " + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_a_new_record_on_a_nested_attributes_one_to_one_association - @post.author = Author.new - - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:author) do |af| - concat af.text_field(:name) - end - end - - expected = '
    ' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_explicitly_passed_object_on_a_nested_attributes_one_to_one_association - form_for(:post, @post) do |f| - f.fields_for(:author, Author.new(123)) do |af| - assert_not_nil af.object - assert_equal 123, af.object.id - end - end - end - - def test_nested_fields_for_with_an_existing_record_on_a_nested_attributes_one_to_one_association - @post.author = Author.new(321) - - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:author) do |af| - concat af.text_field(:name) - end - end - - expected = '
    ' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_one_association_with_explicit_hidden_field_placement - @post.author = Author.new(321) - - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:author) do |af| - concat af.hidden_field(:id) - concat af.text_field(:name) - end - end - - expected = '
    ' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association - @post.comments = Array.new(2) { |id| Comment.new(id + 1) } - - form_for(:post, @post) do |f| - concat f.text_field(:title) - @post.comments.each do |comment| - f.fields_for(:comments, comment) do |cf| - concat cf.text_field(:name) - end - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association_with_explicit_hidden_field_placement - @post.comments = Array.new(2) { |id| Comment.new(id + 1) } - - form_for(:post, @post) do |f| - concat f.text_field(:title) - @post.comments.each do |comment| - f.fields_for(:comments, comment) do |cf| - concat cf.hidden_field(:id) - concat cf.text_field(:name) - end - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_new_records_on_a_nested_attributes_collection_association - @post.comments = [Comment.new, Comment.new] - - form_for(:post, @post) do |f| - concat f.text_field(:title) - @post.comments.each do |comment| - f.fields_for(:comments, comment) do |cf| - concat cf.text_field(:name) - end - end - end - - expected = '
    ' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_existing_and_new_records_on_a_nested_attributes_collection_association - @post.comments = [Comment.new(321), Comment.new] - - form_for(:post, @post) do |f| - concat f.text_field(:title) - @post.comments.each do |comment| - f.fields_for(:comments, comment) do |cf| - concat cf.text_field(:name) - end - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_an_empty_supplied_attributes_collection - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:comments, []) do |cf| - concat cf.text_field(:name) - end - end - - expected = '
    ' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_with_existing_records_on_a_supplied_nested_attributes_collection - @post.comments = Array.new(2) { |id| Comment.new(id + 1) } - - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:comments, @post.comments) do |cf| - concat cf.text_field(:name) - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_for_on_a_nested_attributes_collection_association_yields_only_builder - @post.comments = [Comment.new(321), Comment.new] - yielded_comments = [] - - form_for(:post, @post) do |f| - concat f.text_field(:title) - f.fields_for(:comments) do |cf| - concat cf.text_field(:name) - yielded_comments << cf.object - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - assert_equal yielded_comments, @post.comments - end - - def test_nested_fields_for_with_child_index_option_override_on_a_nested_attributes_collection_association - @post.comments = [] - - form_for(:post, @post) do |f| - f.fields_for(:comments, Comment.new(321), :child_index => 'abc') do |cf| - concat cf.text_field(:name) - end - end - - expected = '
    ' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_nested_fields_uses_unique_indices_for_different_collection_associations - @post.comments = [Comment.new(321)] - @post.tags = [Tag.new(123), Tag.new(456)] - @post.comments[0].relevances = [] - @post.tags[0].relevances = [] - @post.tags[1].relevances = [] - form_for(:post, @post) do |f| - f.fields_for(:comments, @post.comments[0]) do |cf| - concat cf.text_field(:name) - cf.fields_for(:relevances, CommentRelevance.new(314)) do |crf| - concat crf.text_field(:value) - end - end - f.fields_for(:tags, @post.tags[0]) do |tf| - concat tf.text_field(:value) - tf.fields_for(:relevances, TagRelevance.new(3141)) do |trf| - concat trf.text_field(:value) - end - end - f.fields_for('tags', @post.tags[1]) do |tf| - concat tf.text_field(:value) - tf.fields_for(:relevances, TagRelevance.new(31415)) do |trf| - concat trf.text_field(:value) - end - end - end - - expected = '
    ' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '' + - '
    ' - - assert_dom_equal expected, output_buffer - end - - def test_fields_for - fields_for(:post, @post) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_with_index - fields_for("post[]", @post) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_with_nil_index_option_override - fields_for("post[]", @post, :index => nil) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_with_index_option_override - fields_for("post[]", @post, :index => "abc") do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_without_object - fields_for(:post) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_with_only_object - fields_for(@post) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "" + - "" + - "" + - "" - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_object_with_bracketed_name - fields_for("author[post]", @post) do |f| - concat f.label(:title) - concat f.text_field(:title) - end - - assert_dom_equal "" + - "", - output_buffer - end - - def test_fields_for_object_with_bracketed_name_and_index - fields_for("author[post]", @post, :index => 1) do |f| - concat f.label(:title) 
- concat f.text_field(:title) - end - - assert_dom_equal "" + - "", - output_buffer - end - - def test_form_builder_does_not_have_form_for_method - assert ! ActionView::Helpers::FormBuilder.instance_methods.include?('form_for') - end - - def test_form_for_and_fields_for - form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form| - concat post_form.text_field(:title) - concat post_form.text_area(:body) - - fields_for(:parent_post, @post) do |parent_fields| - concat parent_fields.check_box(:secret) - end - end - - expected = - "
    " + - "" + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_and_fields_for_with_object - form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form| - concat post_form.text_field(:title) - concat post_form.text_area(:body) - - post_form.fields_for(@comment) do |comment_fields| - concat comment_fields.text_field(:name) - end - end - - expected = - "
    " + - "" + - "" + - "" + - "
    " - - assert_dom_equal expected, output_buffer - end - - class LabelledFormBuilder < ActionView::Helpers::FormBuilder - (field_helpers - %w(hidden_field)).each do |selector| - src, line = <<-END_SRC, __LINE__ + 1 - def #{selector}(field, *args, &proc) - (" " + super + "
    ").html_safe - end - END_SRC - class_eval src, __FILE__, line - end - end - - def test_form_for_with_labelled_builder - form_for(:post, @post, :builder => LabelledFormBuilder) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "
    " + - "
    " + - "
    " + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_default_form_builder - old_default_form_builder, ActionView::Base.default_form_builder = - ActionView::Base.default_form_builder, LabelledFormBuilder - - form_for(:post, @post) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "
    " + - "
    " + - "
    " + - "
    " - - assert_dom_equal expected, output_buffer - ensure - ActionView::Base.default_form_builder = old_default_form_builder - end - - def test_default_form_builder_with_active_record_helpers - form_for(:post, @post) do |f| - concat f.error_message_on('author_name') - concat f.error_messages - end - - expected = %(
    ) + - %(
    can't be empty
    ) + - %(

    1 error prohibited this post from being saved

    There were problems with the following fields:

    • Author name can't be empty
    ) + - %(
    ) - - assert_dom_equal expected, output_buffer - - end - - def test_default_form_builder_no_instance_variable - post = @post - @post = nil - - form_for(:post, post) do |f| - concat f.error_message_on('author_name') - concat f.error_messages - end - - expected = %(
    ) + - %(
    can't be empty
    ) + - %(

    1 error prohibited this post from being saved

    There were problems with the following fields:

    • Author name can't be empty
    ) + - %(
    ) - - assert_dom_equal expected, output_buffer - - end - - def test_default_form_builder_without_object - - form_for(:post) do |f| - concat f.error_message_on('author_name') - concat f.error_messages - end - - expected = %(
    ) + - %(
    can't be empty
    ) + - %(

    1 error prohibited this post from being saved

    There were problems with the following fields:

    • Author name can't be empty
    ) + - %(
    ) - - assert_dom_equal expected, output_buffer - - end - - # Perhaps this test should be moved to prototype helper tests. - def test_remote_form_for_with_labelled_builder - self.extend ActionView::Helpers::PrototypeHelper - - remote_form_for(:post, @post, :builder => LabelledFormBuilder) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - %(
    ) + - "
    " + - "
    " + - "
    " + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_fields_for_with_labelled_builder - fields_for(:post, @post, :builder => LabelledFormBuilder) do |f| - concat f.text_field(:title) - concat f.text_area(:body) - concat f.check_box(:secret) - end - - expected = - "
    " + - "
    " + - "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_labelled_builder_with_nested_fields_for_without_options_hash - klass = nil - - form_for(:post, @post, :builder => LabelledFormBuilder) do |f| - f.fields_for(:comments, Comment.new) do |nested_fields| - klass = nested_fields.class - '' - end - end - - assert_equal LabelledFormBuilder, klass - end - - def test_form_for_with_labelled_builder_with_nested_fields_for_with_options_hash - klass = nil - - form_for(:post, @post, :builder => LabelledFormBuilder) do |f| - f.fields_for(:comments, Comment.new, :index => 'foo') do |nested_fields| - klass = nested_fields.class - '' - end - end - - assert_equal LabelledFormBuilder, klass - end - - class LabelledFormBuilderSubclass < LabelledFormBuilder; end - - def test_form_for_with_labelled_builder_with_nested_fields_for_with_custom_builder - klass = nil - - form_for(:post, @post, :builder => LabelledFormBuilder) do |f| - f.fields_for(:comments, Comment.new, :builder => LabelledFormBuilderSubclass) do |nested_fields| - klass = nested_fields.class - '' - end - end - - assert_equal LabelledFormBuilderSubclass, klass - end - - def test_form_for_with_html_options_adds_options_to_form_tag - form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end - expected = "
    " - - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_string_url_option - form_for(:post, @post, :url => 'http://www.otherdomain.com') do |f| end - - assert_equal '
    ', output_buffer - end - - def test_form_for_with_hash_url_option - form_for(:post, @post, :url => {:controller => 'controller', :action => 'action'}) do |f| end - - assert_equal 'controller', @controller.url_for_options[:controller] - assert_equal 'action', @controller.url_for_options[:action] - end - - def test_form_for_with_record_url_option - form_for(:post, @post, :url => @post) do |f| end - - expected = "
    " - assert_equal expected, output_buffer - end - - def test_form_for_with_existing_object - form_for(@post) do |f| end - - expected = "
    " - assert_equal expected, output_buffer - end - - def test_form_for_with_new_object - post = Post.new - post.new_record = true - def post.id() nil end - - form_for(post) do |f| end - - expected = "
    " - assert_equal expected, output_buffer - end - - def test_form_for_with_existing_object_in_list - @post.new_record = false - @comment.save - - form_for([@post, @comment]) {} - - expected = %(
    ) - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_new_object_in_list - @post.new_record = false - - form_for([@post, @comment]) {} - - expected = %(
    ) - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_existing_object_and_namespace_in_list - @post.new_record = false - @comment.save - - form_for([:admin, @post, @comment]) {} - - expected = %(
    ) - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_new_object_and_namespace_in_list - @post.new_record = false - - form_for([:admin, @post, @comment]) {} - - expected = %(
    ) - assert_dom_equal expected, output_buffer - end - - def test_form_for_with_existing_object_and_custom_url - form_for(@post, :url => "/super_posts") do |f| end - - expected = "
    " - assert_equal expected, output_buffer - end - - def test_remote_form_for_with_html_options_adds_options_to_form_tag - self.extend ActionView::Helpers::PrototypeHelper - - remote_form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end - expected = "
    "
-
- assert_dom_equal expected, output_buffer
- end
-
- protected
- def comments_path(post)
- "/posts/#{post.id}/comments"
- end
- alias_method :post_comments_path, :comments_path
-
- def comment_path(post, comment)
- "/posts/#{post.id}/comments/#{comment.id}"
- end
- alias_method :post_comment_path, :comment_path
-
- def admin_comments_path(post)
- "/admin/posts/#{post.id}/comments"
- end
- alias_method :admin_post_comments_path, :admin_comments_path
-
- def admin_comment_path(post, comment)
- "/admin/posts/#{post.id}/comments/#{comment.id}"
- end
- alias_method :admin_post_comment_path, :admin_comment_path
-
- def posts_path
- "/posts"
- end
-
- def post_path(post)
- "/posts/#{post.id}"
- end
-
- def protect_against_forgery?
- false
- end
-end
diff --git a/vendor/plugins/rails_xss/test/form_tag_helper_test.rb b/vendor/plugins/rails_xss/test/form_tag_helper_test.rb
deleted file mode 100644
index 41eeceeb3..000000000
--- a/vendor/plugins/rails_xss/test/form_tag_helper_test.rb
+++ /dev/null
@@ -1,354 +0,0 @@
-require 'test_helper'
-
-class FormTagHelperTest < ActionView::TestCase
- def setup
- @controller = Class.new do
- def url_for(options)
- "http://www.example.com"
- end
- end
- @controller = @controller.new
- end
-
- VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name
-
- def test_check_box_tag
- actual = check_box_tag "admin"
- expected = %()
- assert_dom_equal expected, actual
- end
-
- def test_check_box_tag_id_sanitized
- label_elem = root_elem(check_box_tag("project[2][admin]"))
- assert_match VALID_HTML_ID, label_elem['id']
- end
-
- def test_form_tag
- actual = form_tag
- expected = %(
    ) - assert_dom_equal expected, actual - end - - def test_form_tag_multipart - actual = form_tag({}, { 'multipart' => true }) - expected = %() - assert_dom_equal expected, actual - end - - def test_form_tag_with_method_put - actual = form_tag({}, { :method => :put }) - expected = %(
    ) - assert_dom_equal expected, actual - end - - def test_form_tag_with_method_delete - actual = form_tag({}, { :method => :delete }) - expected = %(
    ) - assert_dom_equal expected, actual - end - - def test_form_tag_with_block_in_erb - __in_erb_template = '' - form_tag("http://example.com") { concat "Hello world!" } - - expected = %(Hello world!
    ) - assert_dom_equal expected, output_buffer - end - - def test_form_tag_with_block_and_method_in_erb - __in_erb_template = '' - form_tag("http://example.com", :method => :put) { concat "Hello world!" } - - expected = %(
    Hello world!
    ) - assert_dom_equal expected, output_buffer - end - - def test_hidden_field_tag - actual = hidden_field_tag "id", 3 - expected = %() - assert_dom_equal expected, actual - end - - def test_hidden_field_tag_id_sanitized - input_elem = root_elem(hidden_field_tag("item[][title]")) - assert_match VALID_HTML_ID, input_elem['id'] - end - - def test_file_field_tag - assert_dom_equal "", file_field_tag("picsplz") - end - - def test_file_field_tag_with_options - assert_dom_equal "", file_field_tag("picsplz", :class => "pix") - end - - def test_password_field_tag - actual = password_field_tag - expected = %() - assert_dom_equal expected, actual - end - - def test_radio_button_tag - actual = radio_button_tag "people", "david" - expected = %() - assert_dom_equal expected, actual - - actual = radio_button_tag("num_people", 5) - expected = %() - assert_dom_equal expected, actual - - actual = radio_button_tag("gender", "m") + radio_button_tag("gender", "f") - expected = %() - assert_dom_equal expected, actual - - actual = radio_button_tag("opinion", "-1") + radio_button_tag("opinion", "1") - expected = %() - assert_dom_equal expected, actual - - actual = radio_button_tag("person[gender]", "m") - expected = %() - assert_dom_equal expected, actual - end - - def test_select_tag - actual = select_tag "people", "".html_safe - expected = %() - assert_dom_equal expected, actual - end - - def test_select_tag_with_multiple - actual = select_tag "colors", "".html_safe, :multiple => :true - expected = %() - assert_dom_equal expected, actual - end - - def test_select_tag_disabled - actual = select_tag "places", "".html_safe, :disabled => :true - expected = %() - assert_dom_equal expected, actual - end - - def test_select_tag_id_sanitized - input_elem = root_elem(select_tag("project[1]people", "")) - assert_match VALID_HTML_ID, input_elem['id'] - end - - def test_select_tag_with_array_options - assert_deprecated /array/ do - select_tag "people", [""] - end - end - - def 
test_text_area_tag_size_string - actual = text_area_tag "body", "hello world", "size" => "20x40" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_area_tag_size_symbol - actual = text_area_tag "body", "hello world", :size => "20x40" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_area_tag_should_disregard_size_if_its_given_as_an_integer - actual = text_area_tag "body", "hello world", :size => 20 - expected = %() - assert_dom_equal expected, actual - end - - def test_text_area_tag_id_sanitized - input_elem = root_elem(text_area_tag("item[][description]")) - assert_match VALID_HTML_ID, input_elem['id'] - end - - def test_text_area_tag_escape_content - actual = text_area_tag "body", "hello world", :size => "20x40" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_area_tag_unescaped_content - actual = text_area_tag "body", "hello world", :size => "20x40", :escape => false - expected = %() - assert_dom_equal expected, actual - end - - def test_text_area_tag_unescaped_nil_content - actual = text_area_tag "body", nil, :escape => false - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag - actual = text_field_tag "title", "Hello!" 
- expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_class_string - actual = text_field_tag "title", "Hello!", "class" => "admin" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_size_symbol - actual = text_field_tag "title", "Hello!", :size => 75 - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_size_string - actual = text_field_tag "title", "Hello!", "size" => "75" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_maxlength_symbol - actual = text_field_tag "title", "Hello!", :maxlength => 75 - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_maxlength_string - actual = text_field_tag "title", "Hello!", "maxlength" => "75" - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_disabled - actual = text_field_tag "title", "Hello!", :disabled => :true - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_with_multiple_options - actual = text_field_tag "title", "Hello!", :size => 70, :maxlength => 80 - expected = %() - assert_dom_equal expected, actual - end - - def test_text_field_tag_id_sanitized - input_elem = root_elem(text_field_tag("item[][title]")) - assert_match VALID_HTML_ID, input_elem['id'] - end - - def test_label_tag_without_text - actual = label_tag "title" - expected = %() - assert_dom_equal expected, actual - end - - def test_label_tag_with_symbol - actual = label_tag :title - expected = %() - assert_dom_equal expected, actual - end - - def test_label_tag_with_text - actual = label_tag "title", "My Title" - expected = %() - assert_dom_equal expected, actual - end - - def test_label_tag_class_string - actual = label_tag "title", "My Title", "class" => "small_label" - expected = %() - assert_dom_equal expected, actual - end - - def test_label_tag_id_sanitized - label_elem = root_elem(label_tag("item[title]")) - 
assert_match VALID_HTML_ID, label_elem['for'] - end - - def test_boolean_options - assert_dom_equal %(), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes") - assert_dom_equal %(), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil) - assert_dom_equal %(), tag(:input, :type => "checkbox", :checked => false) - assert_dom_equal %(), select_tag("people", "".html_safe, :multiple => true) - assert_dom_equal %(), select_tag("people[]", "".html_safe, :multiple => true) - assert_dom_equal %(), select_tag("people", "".html_safe, :multiple => nil) - end - - def test_stringify_symbol_keys - actual = text_field_tag "title", "Hello!", :id => "admin" - expected = %() - assert_dom_equal expected, actual - end - - def test_submit_tag - assert_dom_equal( - %(), - submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')") - ) - end - - def test_submit_tag_with_no_onclick_options - assert_dom_equal( - %(), - submit_tag("Save", :disable_with => "Saving...") - ) - end - - def test_submit_tag_with_confirmation - assert_dom_equal( - %(), - submit_tag("Save", :confirm => "Are you sure?") - ) - end - - def test_submit_tag_with_confirmation_and_with_disable_with - assert_dom_equal( - %(), - submit_tag("Save", :disable_with => "Saving...", :confirm => "Are you sure?") - ) - end - - def test_image_submit_tag_with_confirmation - assert_dom_equal( - %(), - image_submit_tag("save.gif", :confirm => "Are you sure?") - ) - end - - def test_pass - assert_equal 1, 1 - end - - def test_field_set_tag_in_erb - __in_erb_template = '' - field_set_tag("Your details") { concat "Hello world!" } - - expected = %(
    Your detailsHello world!
    ) - assert_dom_equal expected, output_buffer - - self.output_buffer = ''.html_safe - field_set_tag { concat "Hello world!" } - - expected = %(
    Hello world!
    ) - assert_dom_equal expected, output_buffer - - self.output_buffer = ''.html_safe - field_set_tag('') { concat "Hello world!" } - - expected = %(
    Hello world!
    ) - assert_dom_equal expected, output_buffer - - self.output_buffer = ''.html_safe - field_set_tag('', :class => 'format') { concat "Hello world!" } - - expected = %(
    Hello world!
    )
- assert_dom_equal expected, output_buffer
- end
-
- def protect_against_forgery?
- false
- end
-
- private
-
- def root_elem(rendered_content)
- HTML::Document.new(rendered_content).root.children[0]
- end
-end
diff --git a/vendor/plugins/rails_xss/test/javascript_helper_test.rb b/vendor/plugins/rails_xss/test/javascript_helper_test.rb
deleted file mode 100644
index 691d97a15..000000000
--- a/vendor/plugins/rails_xss/test/javascript_helper_test.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-require 'test_helper'
-
-class JavascriptHelperTest < ActionView::TestCase
- def test_escape_javascript_with_safebuffer
- given = %('quoted' "double-quoted" new-line:\n )
- expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
- assert_equal expect, escape_javascript(given)
- assert_equal expect, escape_javascript(ActiveSupport::SafeBuffer.new(given))
- end
-end
diff --git a/vendor/plugins/rails_xss/test/output_escaping_test.rb b/vendor/plugins/rails_xss/test/output_escaping_test.rb
deleted file mode 100644
index 8b6f8b83c..000000000
--- a/vendor/plugins/rails_xss/test/output_escaping_test.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-require 'test_helper'
-
-class OutputEscapingTest < ActiveSupport::TestCase
-
- test "escape_html shouldn't die when passed nil" do
- assert ERB::Util.h(nil).blank?
- end
-
- test "escapeHTML should escape strings" do
- assert_equal "<>"", ERB::Util.h("<>\"")
- end
-
- test "escapeHTML shouldn't touch explicitly safe strings" do
- # TODO this seems easier to compose and reason about, but
- # this should be verified
- assert_equal "<", ERB::Util.h("<".html_safe)
- end
-
-end
diff --git a/vendor/plugins/rails_xss/test/output_safety_test.rb b/vendor/plugins/rails_xss/test/output_safety_test.rb
deleted file mode 100644
index 2e376477d..000000000
--- a/vendor/plugins/rails_xss/test/output_safety_test.rb
+++ /dev/null
@@ -1,115 +0,0 @@
-require 'test_helper'
-
-class OutputSafetyTest < ActiveSupport::TestCase
- def setup
- @string = "hello"
- @object = Class.new(Object) do
- def to_s
- "other"
- end
- end.new
- end
-
- test "A string is unsafe by default" do
- assert !@string.html_safe?
- end
-
- test "A string can be marked safe" do
- string = @string.html_safe
- assert string.html_safe?
- end
-
- test "Marking a string safe returns the string" do
- assert_equal @string, @string.html_safe
- end
-
- test "A fixnum is safe by default" do
- assert 5.html_safe?
- end
-
- test "An object is unsafe by default" do
- assert !@object.html_safe?
- end
-
- test "Adding an object to a safe string returns a safe string" do
- string = @string.html_safe
- string << @object
-
- assert_equal "helloother", string
- assert string.html_safe?
- end
-
- test "Adding a safe string to another safe string returns a safe string" do
- @other_string = "other".html_safe
- string = @string.html_safe
- @combination = @other_string + string
-
- assert_equal "otherhello", @combination
- assert @combination.html_safe?
- end
-
- test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
- @other_string = "other".html_safe
- @combination = @other_string + ""
- @other_combination = @string + ""
-
- assert_equal "other<foo>", @combination
- assert_equal "hello", @other_combination
-
- assert @combination.html_safe?
- assert !@other_combination.html_safe?
- end
-
- test "Concatting safe onto unsafe yields unsafe" do
- @other_string = "other"
-
- string = @string.html_safe
- @other_string.concat(string)
- assert !@other_string.html_safe?
- end
-
- test "Concatting unsafe onto safe yields escaped safe" do
- @other_string = "other".html_safe
- string = @other_string.concat("")
- assert_equal "other<foo>", string
- assert string.html_safe?
- end
-
- test "Concatting safe onto safe yields safe" do
- @other_string = "other".html_safe
- string = @string.html_safe
-
- @other_string.concat(string)
- assert @other_string.html_safe?
- end
-
- test "Concatting safe onto unsafe with << yields unsafe" do
- @other_string = "other"
- string = @string.html_safe
-
- @other_string << string
- assert !@other_string.html_safe?
- end
-
- test "Concatting unsafe onto safe with << yields escaped safe" do
- @other_string = "other".html_safe
- string = @other_string << ""
- assert_equal "other<foo>", string
- assert string.html_safe?
- end
-
- test "Concatting safe onto safe with << yields safe" do
- @other_string = "other".html_safe
- string = @string.html_safe
-
- @other_string << string
- assert @other_string.html_safe?
- end
-
- test "Concatting a fixnum to safe always yields safe" do
- string = @string.html_safe
- string = string.concat(13)
- assert_equal "hello".concat(13), string
- assert string.html_safe?
- end
-end
diff --git a/vendor/plugins/rails_xss/test/rails_xss_test.rb b/vendor/plugins/rails_xss/test/rails_xss_test.rb
deleted file mode 100644
index b6268bafd..000000000
--- a/vendor/plugins/rails_xss/test/rails_xss_test.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-require 'test_helper'
-
-class RailsXssTest < ActiveSupport::TestCase
- test "ERB::Util.h should mark its return value as safe and escape it" do
- escaped = ERB::Util.h("

    ")
- assert_equal "<p>", escaped
- assert escaped.html_safe?
- end
-
- test "ERB::Util.h should leave previously safe strings alone " do
- # TODO this seems easier to compose and reason about, but
- # this should be verified
- escaped = ERB::Util.h("

    ".html_safe)
- assert_equal "

    ", escaped
- assert escaped.html_safe?
- end
-
- test "ERB::Util.h should not implode when passed a non-string" do
- assert_nothing_raised do
- assert_equal "1", ERB::Util.h(1)
- end
- end
-end
diff --git a/vendor/plugins/rails_xss/test/raw_output_helper_test.rb b/vendor/plugins/rails_xss/test/raw_output_helper_test.rb
deleted file mode 100644
index 2a67f976e..000000000
--- a/vendor/plugins/rails_xss/test/raw_output_helper_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require 'test_helper'
-
-class RawOutputHelperTest < ActionView::TestCase
-
- def setup
- @string = "hello"
- end
-
- test "raw returns the safe string" do
- result = raw(@string)
- assert_equal @string, result
- assert result.html_safe?
- end
-
- test "raw handles nil values correctly" do
- assert_equal "", raw(nil)
- end
-end
diff --git a/vendor/plugins/rails_xss/test/safe_buffer_test.rb b/vendor/plugins/rails_xss/test/safe_buffer_test.rb
deleted file mode 100644
index a0a2eccee..000000000
--- a/vendor/plugins/rails_xss/test/safe_buffer_test.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-require 'test_helper'
-
-class SafeBufferTest < ActiveSupport::TestCase
- def setup
- @buffer = ActiveSupport::SafeBuffer.new
- end
-
- test "Should look like a string" do
- assert @buffer.is_a?(String)
- assert_equal "", @buffer
- end
-
- test "Should escape a raw string which is passed to them" do
- @buffer << "')
- assert_equal "

    ",
- content_tag(:p, '', nil, false)
- end
-
- def test_tag_honors_html_safe_for_param_values
- ['1&2', '1 < 2', '“test“'].each do |escaped|
- assert_equal %(), tag('a', :href => escaped.html_safe)
- end
- end
-end
diff --git a/vendor/plugins/rails_xss/test/test_helper.rb b/vendor/plugins/rails_xss/test/test_helper.rb
deleted file mode 100644
index d9594e446..000000000
--- a/vendor/plugins/rails_xss/test/test_helper.rb
+++ /dev/null
@@ -1,6 +0,0 @@
-abort 'RAILS_ROOT=/path/to/rails/2.3/app rake test' unless ENV['RAILS_ROOT']
-require File.expand_path('config/environment', ENV['RAILS_ROOT'])
-require File.expand_path('../../init', __FILE__)
-require 'active_support/test_case'
-require 'action_view/test_case'
-require 'test/unit'
diff --git a/vendor/plugins/rails_xss/test/text_helper_test.rb b/vendor/plugins/rails_xss/test/text_helper_test.rb
deleted file mode 100644
index b74ae547c..000000000
--- a/vendor/plugins/rails_xss/test/text_helper_test.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-require 'test_helper'
-
-class TextHelperTest < ActionView::TestCase
-
- def setup
- @controller = Class.new do
- attr_accessor :request
- def url_for(*args) "http://www.example.com" end
- end.new
- end
-
- def test_simple_format_with_escaping_html_options
- assert_dom_equal(%(

    It's nice to have options.

    ),
- simple_format("It's nice to have options.", :class=>"intro"))
- end
-
- def test_simple_format_should_not_escape_safe_content
- assert_dom_equal(%(

    This is .

    ),
- simple_format('This is .'.html_safe))
- end
-
- def test_simple_format_escapes_unsafe_content
- assert_dom_equal(%(

    This is <script>evil_js</script>.

    ),
- simple_format('This is .'))
- end
-
- def test_truncate_should_not_be_html_safe
- assert !truncate("Hello World!", :length => 12).html_safe?
- end
-end
diff --git a/vendor/plugins/rails_xss/test/url_for_test.rb b/vendor/plugins/rails_xss/test/url_for_test.rb
deleted file mode 100644
index b13451bfb..000000000
--- a/vendor/plugins/rails_xss/test/url_for_test.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-require 'test_helper'
-
-class UrlHelperTest < ActionView::TestCase
-
- def abcd(hash = {})
- hash_for(:a => :b, :c => :d).merge(hash)
- end
-
- def hash_for(opts = {})
- {:controller => "foo", :action => "bar"}.merge(opts)
- end
-
- def test_url_for_does_not_escape_urls_if_explicitly_stated
- assert_equal "/foo/bar?a=b&c=d", url_for(abcd(:escape => false))
- end
-
- def test_link_tag_with_img
- link = link_to("".html_safe, "/")
- expected = %{
    }
- assert_dom_equal expected, link
- end
-
- def test_link_to_should_not_escape_content_for_html_safe
- link = link_to("Some

    html

    ".html_safe, "/")
- expected = %{Some

    html

    }
- assert_dom_equal link, expected
- end
-
- def test_link_to_escapes_content_for_non_safe
- link = link_to("Some

    html

    ", "/")
- expected = %{Some <p>html</p>}
- assert_dom_equal link, expected
- end
-
- def test_url_for_escaping_is_safety_aware
- assert url_for(abcd(:escape => true)).html_safe?, "escaped urls should be html_safe?"
- assert !url_for(abcd(:escape => false)).html_safe?, "non-escaped urls should not be html_safe?"
- end
-end
-- cgit v1.2.3