require "test_helper" class HtmlHelperTest < ActionView::TestCase test "convert URLs into anchor tags" do assert_equal_html \ %(
Check this: https://example.com
), format_html("Check this: https://example.com
") assert_equal_html \ %(Check this: https://example.com/
), format_html("Check this: https://example.com/
") end test "convert multiple URLs in the same string" do assert_equal_html \ %(Visit https://foo.com/. Also see https://bar.com/!), format_html("Visit https://foo.com/. Also see https://bar.com/!") end test "don't include punctuation in URL autolinking" do assert_equal_html \ %(Check this: https://example.com/!
), format_html("Check this: https://example.com/!
") assert_equal_html \ %(Check this: https://example.com/.
), format_html("Check this: https://example.com/.
") assert_equal_html \ %(Check this: https://example.com/?
), format_html("Check this: https://example.com/?
") assert_equal_html \ %(Check this: https://example.com/,
), format_html("Check this: https://example.com/,
") assert_equal_html \ %(Check this: https://example.com/:
), format_html("Check this: https://example.com/:
") assert_equal_html \ %(Check this: https://example.com/;
), format_html("Check this: https://example.com/;
") assert_equal_html \ %(Check this: https://example.com/"
), format_html("Check this: https://example.com/\"
") assert_equal_html \ %(Check this: https://example.com/'
), format_html("Check this: https://example.com/'
") # trailing entities that decode to punctuation # use assert_equal and not assert_equal_html to make sure we're getting entities correct assert_equal \ %(Check this: https://example.com/<
), format_html("Check this: https://example.com/<
") assert_equal \ %(Check this: https://example.com/>
), format_html("Check this: https://example.com/>
") assert_equal \ %(Check this: https://example.com/"
), format_html("Check this: https://example.com/"
") # multiple punctuation characters including entities assert_equal_html \ %(Check this: https://example.com/!?;
), format_html("Check this: https://example.com/!?;
") assert_equal_html \ %(<img src="https://example.com/">), format_html(%(<img src="https://example.com/">)) assert_equal_html \ %(<img src="https://example.com/"!>), format_html(%(<img src="https://example.com/"!>)) end test "make sure the linked content is properly sanitized" do # https://hackerone.com/reports/3481093 result = format_html(%(https://google.com/\">test</a><input></input>)) assert_no_match(//i, result, "should not create an input element") result = format_html(%(https://google.com/\"><script>alert('xss')</script>)) assert_no_match(/" }) end test "card_html_title escapes HTML inside backticks" do assert_equal "<script>", card_html_title(cards(:logo).tap { _1.title = "`