169 lines
7.9 KiB
Ruby
169 lines
7.9 KiB
Ruby
require "test_helper"
|
|
|
|
class HtmlHelperTest < ActionView::TestCase
|
|
test "convert URLs into anchor tags" do
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com" rel="noopener noreferrer">https://example.com</a></p>),
|
|
format_html("<p>Check this: https://example.com</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a></p>),
|
|
format_html("<p>Check this: https://example.com/</p>")
|
|
end
|
|
|
|
test "convert multiple URLs in the same string" do
|
|
assert_equal_html \
|
|
%(Visit <a href="https://foo.com/" rel="noopener noreferrer">https://foo.com/</a>. Also see <a href="https://bar.com/" rel="noopener noreferrer">https://bar.com/</a>!),
|
|
format_html("Visit https://foo.com/. Also see https://bar.com/!")
|
|
end
|
|
|
|
test "don't include punctuation in URL autolinking" do
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>!</p>),
|
|
format_html("<p>Check this: https://example.com/!</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>.</p>),
|
|
format_html("<p>Check this: https://example.com/.</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>?</p>),
|
|
format_html("<p>Check this: https://example.com/?</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>,</p>),
|
|
format_html("<p>Check this: https://example.com/,</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>:</p>),
|
|
format_html("<p>Check this: https://example.com/:</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>;</p>),
|
|
format_html("<p>Check this: https://example.com/;</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>"</p>),
|
|
format_html("<p>Check this: https://example.com/\"</p>")
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>'</p>),
|
|
format_html("<p>Check this: https://example.com/'</p>")
|
|
|
|
# trailing entities that decode to punctuation
|
|
# use assert_equal and not assert_equal_html to make sure we're getting entities correct
|
|
assert_equal \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a><</p>),
|
|
format_html("<p>Check this: https://example.com/<</p>")
|
|
assert_equal \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>></p>),
|
|
format_html("<p>Check this: https://example.com/></p>")
|
|
assert_equal \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>"</p>),
|
|
format_html("<p>Check this: https://example.com/"</p>")
|
|
|
|
# multiple punctuation characters including entities
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>!?;</p>),
|
|
format_html("<p>Check this: https://example.com/!?;</p>")
|
|
assert_equal_html \
|
|
%(<img src="<a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>">),
|
|
format_html(%(<img src="https://example.com/">))
|
|
assert_equal_html \
|
|
%(<img src="<a href="https://example.com/" rel="noopener noreferrer">https://example.com/</a>"!>),
|
|
format_html(%(<img src="https://example.com/"!>))
|
|
end
|
|
|
|
test "make sure the linked content is properly sanitized" do
|
|
# https://hackerone.com/reports/3481093
|
|
result = format_html(%(https://google.com/\">test</a><input></input>))
|
|
assert_no_match(/<input>/i, result, "should not create an input element")
|
|
|
|
result = format_html(%(https://google.com/\"><script>alert('xss')</script>))
|
|
assert_no_match(/<script>/i, result, "should not create a script element")
|
|
end
|
|
|
|
test "handle URLs with query parameters" do
|
|
# use assert_equal and not assert_equal_html to make sure we're getting entities correct
|
|
assert_equal \
|
|
%(<p>Check this: <a href="https://example.com/a?b=c&d=e" rel="noopener noreferrer">https://example.com/a?b=c&d=e</a></p>),
|
|
format_html("<p>Check this: https://example.com/a?b=c&d=e</p>")
|
|
|
|
assert_equal \
|
|
%(<p>Check this: <a href="https://example.com/a?b=c&d=e" rel="noopener noreferrer">https://example.com/a?b=c&d=e</a></p>),
|
|
format_html("<p>Check this: https://example.com/a?b=c&d=e</p>")
|
|
end
|
|
|
|
test "respect existing links" do
|
|
assert_equal_html \
|
|
%(<p>Check this: <a href="https://example.com">https://example.com</a></p>),
|
|
format_html("<p>Check this: <a href=\"https://example.com\">https://example.com</a></p>")
|
|
end
|
|
|
|
test "convert email addresses into mailto links" do
|
|
assert_equal_html \
|
|
%(<p>Contact us at <a href="mailto:support@example.com" rel="noopener noreferrer">support@example.com</a></p>),
|
|
format_html("<p>Contact us at support@example.com</p>")
|
|
end
|
|
|
|
test "respect existing linked emails" do
|
|
assert_equal_html \
|
|
%(<p>Contact us at <a href="mailto:support@example.com">support@example.com</a></p>),
|
|
format_html(%(<p>Contact us at <a href="mailto:support@example.com">support@example.com</a></p>))
|
|
end
|
|
|
|
test "gracefully handle regexp timeout by skipping auto-linking" do
|
|
input = "<p>Check this: https://example.com</p>"
|
|
|
|
String.class_eval do
|
|
alias_method :original_scan, :scan
|
|
define_method(:scan) do |*args, &block|
|
|
if args.first == AutoLinkScrubber::AUTOLINK_REGEXP
|
|
raise Regexp::TimeoutError
|
|
end
|
|
original_scan(*args, &block)
|
|
end
|
|
end
|
|
|
|
assert_equal_html %(<p>Check this: https://example.com</p>), format_html(input)
|
|
ensure
|
|
String.class_eval do
|
|
alias_method :scan, :original_scan
|
|
remove_method :original_scan
|
|
end
|
|
end
|
|
|
|
test "don't autolink content in excluded elements" do
|
|
%w[ figcaption pre code ].each do |element|
|
|
assert_equal_html \
|
|
"<#{element}>Check this: https://example.com</#{element}>",
|
|
format_html("<#{element}>Check this: https://example.com</#{element}>")
|
|
end
|
|
end
|
|
|
|
test "preserve escaped HTML containing URLs" do
|
|
input = 'before text <img src="https://example.com/image.png"> after text'
|
|
output = format_html(input)
|
|
|
|
assert_no_match(/<img/, output, "should not create an img element")
|
|
assert_includes output, "<img"
|
|
end
|
|
|
|
test "card_html_title renders backticks as code elements" do
|
|
assert_equal "Fix the <code>bug</code> in production", card_html_title(cards(:logo).tap { _1.title = "Fix the `bug` in production" })
|
|
end
|
|
|
|
test "card_html_title renders multiple code spans" do
|
|
assert_equal "<code>foo</code> and <code>bar</code>", card_html_title(cards(:logo).tap { _1.title = "`foo` and `bar`" })
|
|
end
|
|
|
|
test "card_html_title renders code spans without surrounding spaces" do
|
|
assert_equal "what<code>about</code>this", card_html_title(cards(:logo).tap { _1.title = "what`about`this" })
|
|
end
|
|
|
|
test "card_html_title escapes HTML tags" do
|
|
assert_equal "<script>alert(1)</script>", card_html_title(cards(:logo).tap { _1.title = "<script>alert(1)</script>" })
|
|
end
|
|
|
|
test "card_html_title escapes HTML inside backticks" do
|
|
assert_equal "<code><script></code>", card_html_title(cards(:logo).tap { _1.title = "`<script>`" })
|
|
end
|
|
|
|
test "card_html_title returns blank title as-is" do
|
|
assert_nil card_html_title(cards(:logo).tap { _1.title = nil })
|
|
assert_equal "", card_html_title(cards(:logo).tap { _1.title = "" })
|
|
end
|
|
end
|