Merge pull request #5 from damien/4-mark-cleaned-strings-as-html-safe

Mark cleaned strings as html safe, bootstrap test suite
vjt · Mar 14, 2014 · 5ba1f92 · 5ba1f92
2 parents a0640cc + a1c8456
commit 5ba1f92
Show file tree

Hide file tree

Showing 8 changed files with 118 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
-html
-pkg
 .*.sw?
 .DS_Store
+*.sublime-*
 Gemfile.lock
+html
+pkg
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,5 @@
+language: ruby
+cache: bundler
+rvm:
+- 2.0.0
+- 1.9.3
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Sanitize-Rails - sanitize .. on Rails.
+Sanitize-Rails - sanitize .. on Rails. [![Build Status](https://travis-ci.org/vjt/sanitize-rails.png)](https://travis-ci.org/vjt/sanitize-rails)
 ======================================
 
 Installation

diff --git a/Rakefile b/Rakefile
@@ -17,9 +17,13 @@ end
 
 Bundler::GemHelper.install_tasks
 
-desc 'Will someone help write tests?'
-task :default do
-  puts
-  puts 'Can you help in writing tests? Please do :-)'
-  puts
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs.push 'test'
+  t.test_files = FileList['test/*_test.rb']
+  t.warning = true
+  t.verbose = true
 end
+
+task default: :test
diff --git a/lib/sanitize/rails.rb b/lib/sanitize/rails.rb
@@ -44,13 +44,17 @@ def cleaner
       @sanitizer ||= ::Sanitize.new(@@config)
     end
 
-    # Returns a copy of the given `string` after sanitizing it
+    # Returns a copy of the given `string` after sanitizing it and marking it
+    # as `html_safe`
     #
+    # Ensuring this methods return instances of ActiveSupport::SafeBuffer
+    # means that text passed through `Sanitize::Rails::Engine.clean`
+    # will not be escaped by ActionView's XSS filtering utilities.
     def clean(string)
-      string.dup.tap {|s| clean!(s)}
+      ::ActiveSupport::SafeBuffer.new string.dup.tap { |s| clean!(s) }
     end
 
-    # Sanitizes the given `string` in place
+    # Sanitizes the given `string` in place and does NOT mark it as `html_safe`
     #
     def clean!(string)
       cleaner.clean!(string)

diff --git a/test/sanitize_rails_engine_test.rb b/test/sanitize_rails_engine_test.rb
@@ -0,0 +1,53 @@
+require 'test_helper'
+
+require 'action_view'
+require 'sanitize'
+require 'sanitize/rails'
+
+# Test suite for Sanitize::Rails::Engine
+class SanitizeRailsEngineTest < MiniTest::Unit::TestCase
+  def setup
+    @engine = Sanitize::Rails::Engine
+  end
+
+  def test_respond_to_configure
+    assert_respond_to @engine, :configure
+  end
+
+  def test_respond_to_cleaner
+    assert_respond_to @engine, :cleaner
+  end
+
+  def test_cleaner_returns_instance_of_sanitize
+    assert_kind_of Sanitize, @engine.cleaner
+  end
+
+  def test_respond_to_clean_bang
+    assert_respond_to @engine, :clean!
+  end
+
+  def test_clean_bang_modifies_string_in_place
+    string = %Q|<script>alert("hello world")</script>|
+    @engine.clean! string
+    assert_equal string, %q|alert("hello world")|
+  end
+
+  def test_respond_to_clean
+    assert_respond_to @engine, :clean
+  end
+
+  def test_clean_does_not_modify_string_in_place
+    string = %Q|<script>alert("hello world")</script>|
+    new_string = @engine.clean string
+    assert_equal string, %Q|<script>alert("hello world")</script>|
+    assert_equal new_string, 'alert("hello world")'
+  end
+
+  def test_clean_returns_safe_buffers
+    string = %Q|<script>alert("hello world")</script>|
+    assert_instance_of String, string
+
+    new_string = @engine.clean string
+    assert_instance_of ::ActiveSupport::SafeBuffer, new_string
+  end
+end
diff --git a/test/sanitize_rails_string_extension_test.rb b/test/sanitize_rails_string_extension_test.rb
@@ -0,0 +1,38 @@
+require 'test_helper'
+
+require 'action_view'
+require 'sanitize'
+require 'sanitize/rails'
+
+# Test suite for Sanitize::Rails::Engine
+class SanitizeRailsStringExtensionTest < MiniTest::Unit::TestCase
+  SanitizableString = Class.new(String) { include Sanitize::Rails::String }
+
+  def setup
+    @string = SanitizableString.new %Q|<script>alert("hello world")</script>|
+  end
+
+  def test_respond_to_sanitize_as_html_bang
+    assert_respond_to @string, :sanitize_as_html!
+  end
+
+  def test_sanitize_as_html_bang_does_not_return_safe_buffers
+    sanitizable_string = @string.dup
+    assert_instance_of SanitizableString, sanitizable_string
+
+    new_string = sanitizable_string.sanitize_as_html!
+    assert_instance_of String, new_string
+  end
+
+  def test_respond_to_sanitize_as_html
+    assert_respond_to @string, :sanitize_as_html
+  end
+
+  def test_sanitize_as_html_returns_safe_buffers
+    sanitizable_string = @string.dup
+    assert_instance_of SanitizableString, sanitizable_string
+
+    new_string = sanitizable_string.sanitize_as_html
+    assert_instance_of ::ActiveSupport::SafeBuffer, new_string
+  end
+end
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -0,0 +1,2 @@
+require 'minitest/unit'
+require 'minitest/autorun'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		require 'minitest/unit'
		require 'minitest/autorun'