From ac9844bb1a8dc5465ec3d6f9a746b3f34d9c29d4 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 8 Aug 2012 11:05:31 -0700 Subject: [PATCH] Squashed commit of the following: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 9ef905f19807c62fb549ae6fe3784be4bcda96dc Author: Rafael Mendonça França Date: Tue Aug 7 22:38:40 2012 -0300 Fix tests about single quote escaping commit 780a718723cf87b49cfe204d355948c4e0932d23 Author: Santiago Pastorino Date: Tue Jul 31 22:25:54 2012 -0300 html_escape should escape single quotes https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 Conflicts: actionpack/test/controller/new_base/render_template_test.rb actionpack/test/template/asset_tag_helper_test.rb actionpack/test/template/erb_util_test.rb actionpack/test/template/javascript_helper_test.rb actionpack/test/template/template_test.rb activesupport/lib/active_support/core_ext/string/output_safety.rb activesupport/test/core_ext/string_ext_test.rb railties/test/application/assets_test.rb --- actionpack/test/controller/render_test.rb | 4 ++-- actionpack/test/template/asset_tag_helper_test.rb | 23 ++++++++++++++++------ actionpack/test/template/erb_util_test.rb | 10 +++++----- .../test/template/form_options_helper_test.rb | 6 +++--- actionpack/test/template/form_tag_helper_test.rb | 2 +- actionpack/test/template/javascript_helper_test.rb | 10 +++++----- actionpack/test/template/template_test.rb | 2 +- actionpack/test/template/text_helper_test.rb | 2 +- actionpack/test/template/url_helper_test.rb | 10 +++++----- .../core_ext/string/output_safety.rb | 6 +++--- activesupport/test/core_ext/string_ext_test.rb | 17 ++++++++++++++++ 11 files changed, 60 insertions(+), 32 deletions(-) diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb index 498931e..4d2a49d 100644 
--- a/actionpack/test/controller/render_test.rb +++ b/actionpack/test/controller/render_test.rb @@ -149,7 +149,7 @@ class TestController < ActionController::Base # :ported: def render_text_hello_world_with_layout - @variable_for_layout = ", I'm here!" + @variable_for_layout = ", I am here!" render :text => "hello world", :layout => true end @@ -776,7 +776,7 @@ class RenderTest < ActionController::TestCase # :ported: def test_do_with_render_text_and_layout get :render_text_hello_world_with_layout - assert_equal "hello world, I'm here!", @response.body + assert_equal "hello world, I am here!", @response.body end # :ported: diff --git a/actionpack/test/template/asset_tag_helper_test.rb b/actionpack/test/template/asset_tag_helper_test.rb index 18ef85d..63e10be 100644 --- a/actionpack/test/template/asset_tag_helper_test.rb +++ b/actionpack/test/template/asset_tag_helper_test.rb @@ -159,8 +159,9 @@ class AssetTagHelperTest < ActionView::TestCase %(image_tag("slash..png")) => %(Slash.), %(image_tag(".pdf.png")) => %(.pdf), %(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(Rails), - %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(Mouse), - %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(Mouse), + %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(Rails), + %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(Mouse), + %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(Mouse), %(image_tag("mouse.png", :alt => nil)) => %() } 
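Review bot: Changing `@variable_for_layout = ", I'm here!"` to `", I am here!"` and the matching assertion in test_do_with_render_text_and_layout sidesteps the apostrophe rather than asserting the behaviour this commit introduces, so the single-quote path through the layout is no longer covered by this test. Keeping the original input and updating the expected body to the escaped form (the value HTML_ESCAPE maps `'` to) would exercise the fix directly; if the layout emits the variable through a non-escaping path this may not apply, which the hunk does not show. The same substitution appears in template_test (`"I'm a local"` → `"I am a local"`), text_helper_test (`Texas_hold'em` → `Texas_hold`) and url_helper_test (`"You can't possibly ..."` → `"You cant possibly ..."`), each of which drops the only apostrophe-bearing input in that test. The enclosing render_text_hello_world_with_layout and test_do_with_render_text_and_layout methods are shown in full, but the surrounding classes start outside the hunks.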
@@ -1007,8 +1008,8 @@ class AssetTagHelperNonVhostTest < ActionView::TestCase assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr")) assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style")) assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png")) - assert_dom_equal(%(Mouse), image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) - assert_dom_equal(%(Mouse2), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png"))) + assert_dom_equal(%(Mouse), image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) + assert_dom_equal(%(Mouse2), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png"))) end def test_should_ignore_relative_root_path_on_complete_url 
@@ -1021,8 +1022,18 @@ class AssetTagHelperNonVhostTest < ActionView::TestCase assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr")) assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style")) assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png")) - assert_dom_equal(%(Mouse), image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) - assert_dom_equal(%(Mouse2), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png"))) + assert_dom_equal(%(Mouse), image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) + assert_dom_equal(%(Mouse2), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png"))) + end + + def test_should_compute_proper_path_with_asset_host_and_default_protocol + @controller.config.asset_host = "assets.example.com" + @controller.config.default_asset_host_protocol = :request + assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr")) + assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style")) + assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png")) + assert_dom_equal(%(Mouse), image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) + assert_dom_equal(%(Mouse2), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png"))) end def test_should_ignore_asset_host_on_complete_url diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb index fc20b50..1fc4b84 100644 --- a/actionpack/test/template/erb_util_test.rb +++ b/actionpack/test/template/erb_util_test.rb 
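Review bot: The new test_should_compute_proper_path_with_asset_host_and_default_protocol appears unrelated to the single-quote escaping that the squashed commits describe, and the Conflicts list in the message names this file, so it may have been carried in through conflict resolution; it would be cleaner as its own commit. Its `gopher://` expectations depend on the scheme of the test request, which is configured outside this hunk, so a one-line comment such as `# the test request is set up with a gopher scheme, so :request resolves to gopher://` would make the expected strings self-explanatory. I cannot confirm the request setup from here, so the comment wording should be checked against the test's setup method.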
@@ -7,11 +7,11 @@ class ErbUtilTest < Test::Unit::TestCase
 define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
 assert_equal expected, html_escape(given)
 end
+end
-unless given == '"'
-define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
-assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
-end
+ERB::Util::JSON_ESCAPE.each do |given, expected|
+define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
 end
 end
@@ -39,7 +39,7 @@ class ErbUtilTest < Test::Unit::TestCase
 def test_rest_in_ascii
 (0..127).to_a.map {|int| int.chr }.each do |chr|
-next if %w(& " < >).include?(chr)
+next if %w(& " < > ').include?(chr)
 assert_equal chr, html_escape(chr)
 end
 end
diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
index b85e917..9b6a8bf 100644
--- a/actionpack/test/template/form_options_helper_test.rb
+++ b/actionpack/test/template/form_options_helper_test.rb
@@ -887,7 +887,7 @@ class FormOptionsHelperTest < ActionView::TestCase
 def test_options_for_select_with_element_attributes
 assert_dom_equal(
-"\n\n\n",
+"\n\n\n",
 options_for_select([ [ "", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
 )
 end
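Review bot: In the new `ERB::Util::JSON_ESCAPE.each do |given, expected|` loop the assertion still reads `assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)`, which re-looks-up the value the block already receives; `assert_equal expected, json_escape(given)` says the same thing and mirrors the html_escape loop directly above it. Dropping the old `unless given == '"'` guard is correct since the loop now iterates JSON_ESCAPE, whose keys shown here do not include `"`, but a brief comment on why the two tables are iterated separately (the JSON table is a subset of HTML_ESCAPE) would help the next reader. The enclosing class starts outside the hunk.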
@@ -923,13 +923,13 @@ class FormOptionsHelperTest < ActionView::TestCase def test_option_html_attributes_with_multiple_element_hash output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ]) assert output.include?(" class=\"fancy\"") - assert output.include?(" onclick=\"alert('Hello World');\"") + assert output.include?(" onclick=\"alert('Hello World');\"") end def test_option_html_attributes_with_multiple_hashes output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ]) assert output.include?(" class=\"fancy\"") - assert output.include?(" onclick=\"alert('Hello World');\"") + assert output.include?(" onclick=\"alert('Hello World');\"") end def test_option_html_attributes_with_special_characters diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb index 532f086..3c94c7a 100644 --- a/actionpack/test/template/form_tag_helper_test.rb +++ b/actionpack/test/template/form_tag_helper_test.rb @@ -361,7 +361,7 @@ class FormTagHelperTest < ActionView::TestCase def test_submit_tag assert_dom_equal( - %(), + %(), submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')") ) end diff --git a/actionpack/test/template/javascript_helper_test.rb b/actionpack/test/template/javascript_helper_test.rb index ba9ab89..47109f4 100644 --- a/actionpack/test/template/javascript_helper_test.rb +++ b/actionpack/test/template/javascript_helper_test.rb @@ -41,7 +41,7 @@ class JavaScriptHelperTest < ActionView::TestCase end def test_button_to_function - assert_dom_equal %(), + assert_dom_equal %(), button_to_function("Greeting", "alert('Hello world!')") end @@ -60,7 +60,7 @@ class JavaScriptHelperTest < ActionView::TestCase end def test_button_to_function_with_onclick - assert_dom_equal "", + assert_dom_equal "", button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')") end 
@@ -70,12 +70,12 @@ class JavaScriptHelperTest < ActionView::TestCase end def test_link_to_function - assert_dom_equal %(Greeting), + assert_dom_equal %(Greeting), link_to_function("Greeting", "alert('Hello world!')") end def test_link_to_function_with_existing_onclick - assert_dom_equal %(Greeting), + assert_dom_equal %(Greeting), link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')") end @@ -94,7 +94,7 @@ class JavaScriptHelperTest < ActionView::TestCase end def test_link_to_function_with_href - assert_dom_equal %(Greeting), + assert_dom_equal %(Greeting), link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/') end diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb index c37ed9c..8d766c6 100644 --- a/actionpack/test/template/template_test.rb +++ b/actionpack/test/template/template_test.rb @@ -50,7 +50,7 @@ class TestERBTemplate < ActiveSupport::TestCase def test_locals @template = new_template("<%= my_local %>") - assert_equal "I'm a local", render(:my_local => "I'm a local") + assert_equal "I am a local", render(:my_local => "I am a local") end def test_restores_buffer diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index 9795a3f..acd6097 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb 
@@ -305,7 +305,7 @@ class TextHelperTest < ActionView::TestCase http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007 http://www.mail-archive.com/rails@lists.rubyonrails.org/ http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1 - http://en.wikipedia.org/wiki/Texas_hold'em + http://en.wikipedia.org/wiki/Texas_hold https://www.google.com/doku.php?id=gps:resource:scs:start http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group http://of.openfoundry.org/projects/492/download#4th.Release.3 diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb index f68af93..30e1269 100644 --- a/actionpack/test/template/url_helper_test.rb +++ b/actionpack/test/template/url_helper_test.rb @@ -188,7 +188,7 @@ class UrlHelperTest < ActiveSupport::TestCase def test_link_tag_with_custom_onclick link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')") - expected = %{Hello} + expected = %{Hello} assert_dom_equal expected, link end @@ -198,12 +198,12 @@ class UrlHelperTest < ActiveSupport::TestCase link_to("Hello", "http://www.example.com", :confirm => "Are you sure?") ) assert_dom_equal( - "Hello", - link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?") + "Hello", + link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?") ) assert_dom_equal( - "Hello", - link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?") + "Hello", + link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?") ) end diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb index 0358873..b25592a 100644 --- a/activesupport/lib/active_support/core_ext/string/output_safety.rb 
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,13 +3,13 @@ require 'active_support/core_ext/kernel/singleton_class'
 class ERB
 module Util
-HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
+HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
 JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
 # A utility method for escaping HTML tag characters.
 # This method is also aliased as h.
 #
-# In your ERb templates, use this method to escape any unsafe content. For example:
+# In your ERB templates, use this method to escape any unsafe content. For example:
 # <%=h @person.name %>
 #
 # ==== Example:
@@ -20,7 +20,7 @@ class ERB
 if s.html_safe?
 s
 else
-s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/<]/n) { |special| HTML_ESCAPE[special] }.html_safe
 end
 end
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index 8f07cd1..be9a41b 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -527,6 +527,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
 assert string.html_safe?
 assert !string.to_param.html_safe?
 end
+
+test "ERB::Util.html_escape should escape unsafe characters" do
+string = '<>&"\''
+expected = '<>&"''
+assert_equal expected, ERB::Util.html_escape(string)
+end
+
+test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+string = [192, 60].pack('CC')
+expected = 192.chr + "<"
+assert_equal expected, ERB::Util.html_escape(string)
+end
+
+test "ERB::Util.html_escape should not escape safe strings" do
+string = "hello".html_safe
+assert_equal string, ERB::Util.html_escape(string)
+end
 end
 class StringExcludeTest < ActiveSupport::TestCase
-- 1.7.11.1
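Review bot: The `/n` flag on the new single-pass `gsub` (rendered here as `gsub(/<]/n) { |special| HTML_ESCAPE[special] }`, the character class evidently being the keys of HTML_ESCAPE) is the non-obvious part of this change and has no comment explaining it; the invalid-UTF-8 test added in string_ext_test suggests the intent is byte-wise matching so input containing an invalid byte sequence is still escaped rather than raising, and that deserves a why-comment such as `# /n: match byte-wise so input with invalid UTF-8 byte sequences is still escaped rather than raising`. The doc comment above html_escape still says "escaping HTML tag characters"; it should now list the five characters escaped (`&`, `<`, `>`, `"`, `'`) and state that this is escaping for HTML element content and quoted attribute values only, so a value placed into a JavaScript string, a URL or an unquoted attribute still needs the escaping appropriate to that context. The removed and added bodies of the second hunk appear merged in this rendering, so the exact new line is read as best it can be; html_escape's `def` line lies outside the hunk.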
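Review bot: The three new OutputSafetyTest cases cover the escaped characters, an invalid byte sequence and the html_safe short-circuit, but none checks that valid non-ASCII input survives the byte-wise `/n` regexp unchanged, which is the case most likely to regress if that flag is later touched; a test such as `assert_equal "caf\u00e9", ERB::Util.html_escape("caf\u00e9")` would pin it. It is also worth asserting the encoding of the returned string, e.g. `assert_equal Encoding::UTF_8, ERB::Util.html_escape("caf\u00e9").encoding`, since I cannot tell from the hunk whether the receiver's encoding is preserved through this gsub; matching a `/n` regexp against a non-ASCII string may also emit a warning under verbose mode, which a test run with warnings enabled would surface. The enclosing OutputSafetyTest class starts outside the hunk.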