final touches

Author: makmic

CHANGELOG.md

@@ -9,6 +9,11 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 * Add compatibility with Rails 7.1
 * Add compatibility with HAML 6
   * NOTE: Don't use HAML 6.0.0. AngularXSS relies on a patch [introduced in 6.0.1](https://github.com/haml/haml/blob/main/CHANGELOG.md#601). Anything newer should be fine - the gem is currently tested against HAML 6.3
+* Refactor our patches to use `Module#prepend` instead of `Module#module_eval`
+* Refactor gem version comparisons to use `Gem::Version` instances
+* Refactor specs to use the `expect` syntax
+* Add missing unit tests for patched methods
+* Improve test coverage for more interpolation scenarios in ERB and HAML
 
 ### Breaking changes
 

spec/angular_xss/erb_spec.rb

@@ -4,7 +4,7 @@
 
 describe ERB::Util do
   describe '#html_escape' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
 
@@ -14,7 +14,7 @@
   end
 
   describe '#h' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.h("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
 
@@ -26,7 +26,7 @@
   # Rails < 4 does not implement unwrapped_html_escape and html_escape_once
   if described_class.method_defined? :unwrapped_html_escape
     describe '#unwrapped_html_escape' do
-      it 'escapes angular brackets' do
+      it 'escapes angular braces' do
         expect(described_class.unwrapped_html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
       end
 
@@ -38,7 +38,7 @@
 
   if described_class.method_defined? :html_escape_once
     describe '#html_escape_once' do
-      it 'escapes angular brackets' do
+      it 'escapes angular braces' do
         expect(described_class.html_escape_once("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
       end
 

spec/angular_xss/escaper_spec.rb

@@ -1,6 +1,6 @@
 describe AngularXss::Escaper do
   describe '.escape' do
-    it 'replaces double brackets with a closed variant' do
+    it 'replaces double braces with a closed variant' do
       expect(described_class.escape('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
     end
 
@@ -10,7 +10,7 @@
   end
 
   describe '.escape_if_unsafe' do
-    it 'replaces double brackets with a closed variant' do
+    it 'replaces double braces with a closed variant' do
       expect(described_class.escape_if_unsafe('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
     end
 

spec/angular_xss/output_buffer_spec.rb

@@ -1,6 +1,6 @@
 describe ActionView::OutputBuffer do
   describe '#<<' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect((subject << "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
 
@@ -14,7 +14,7 @@
   end
 
   describe '#concat' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect((subject.concat "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
 
@@ -28,7 +28,7 @@
   end
 
   describe '#append=' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       subject.append = "{{unsafe}}"
       expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end

spec/angular_xss/safe_buffer_spec.rb

@@ -1,7 +1,7 @@
 describe ActiveSupport::SafeBuffer do
 
   describe '#<<' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       subject << "{{unsafe}}"
       expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -12,7 +12,7 @@
   end
 
   describe '#+' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       combined_string = subject + "{{unsafe}}"
       expect(combined_string.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end

spec/support/engine_preventing_angular_xss.rb

@@ -16,9 +16,11 @@
   end
 
   it 'recognizes the many ways to express an opening curly brace in HTML' do
-
+    # Only unsafe strings are escaped
     expect(html).to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+
+    # Only safe strings with braces are left untouched
     expect(html).to include("{{safe}}")
     expect(html).not_to include("{{unsafe}}")