From 7306b157b7c21683c654894300e3fefc18599e0d Mon Sep 17 00:00:00 2001
From: Michael Leimstaedtner
Date: Thu, 20 Jun 2024 11:58:05 +0200
Subject: [PATCH] final touches
---
 CHANGELOG.md | 5 +++++
 spec/angular_xss/erb_spec.rb | 8 ++++----
 spec/angular_xss/escaper_spec.rb | 4 ++--
 spec/angular_xss/output_buffer_spec.rb | 6 +++---
 spec/angular_xss/safe_buffer_spec.rb | 4 ++--
 spec/support/engine_preventing_angular_xss.rb | 4 +++-
 6 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04ef6dc..e1738a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,11 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 * Add compatibility with Rails 7.1
 * Add compatibility with HAML 6
 * NOTE: Don't use HAML 6.0.0. AngularXSS relies on a patch [introduced in 6.0.1](https://github.com/haml/haml/blob/main/CHANGELOG.md#601). Anything newer should be fine - the gem is currently tested against HAML 6.3
+* Refactor our patches to use `Module#prepend` instead of `Module#module_eval`
+* Refactor gem version comparisons to use `Gem::Version` instances
+* Refactor specs to use the `expect` syntax
+* Add missing unit tests for patched methods
+* Improve test coverage for more interpolation scenarios in ERB and HAML
 ### Breaking changes
diff --git a/spec/angular_xss/erb_spec.rb b/spec/angular_xss/erb_spec.rb
index e70a3fd..d191742 100644
--- a/spec/angular_xss/erb_spec.rb
+++ b/spec/angular_xss/erb_spec.rb
@@ -4,7 +4,7 @@
 describe ERB::Util do
   describe '#html_escape' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -14,7 +14,7 @@
   end
   describe '#h' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.h("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -26,7 +26,7 @@
   # Rails < 4 does not implement unwrapped_html_escape and html_escape_once
   if described_class.method_defined? :unwrapped_html_escape
   describe '#unwrapped_html_escape' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.unwrapped_html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -38,7 +38,7 @@
   if described_class.method_defined? :html_escape_once
   describe '#html_escape_once' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect(described_class.html_escape_once("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
diff --git a/spec/angular_xss/escaper_spec.rb b/spec/angular_xss/escaper_spec.rb
index e6f596f..8a891a7 100644
--- a/spec/angular_xss/escaper_spec.rb
+++ b/spec/angular_xss/escaper_spec.rb
@@ -1,6 +1,6 @@
 describe AngularXss::Escaper do
   describe '.escape' do
-    it 'replaces double brackets with a closed variant' do
+    it 'replaces double braces with a closed variant' do
       expect(described_class.escape('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
     end
@@ -10,7 +10,7 @@
   end
   describe '.escape_if_unsafe' do
-    it 'replaces double brackets with a closed variant' do
+    it 'replaces double braces with a closed variant' do
       expect(described_class.escape_if_unsafe('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
     end
diff --git a/spec/angular_xss/output_buffer_spec.rb b/spec/angular_xss/output_buffer_spec.rb
index 208e1dd..a193852 100644
--- a/spec/angular_xss/output_buffer_spec.rb
+++ b/spec/angular_xss/output_buffer_spec.rb
@@ -1,6 +1,6 @@
 describe ActionView::OutputBuffer do
   describe '#<<' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect((subject << "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -14,7 +14,7 @@
   end
   describe '#concat' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       expect((subject.concat "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -28,7 +28,7 @@
   end
   describe '#append=' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       subject.append = "{{unsafe}}"
       expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
diff --git a/spec/angular_xss/safe_buffer_spec.rb b/spec/angular_xss/safe_buffer_spec.rb
index cfca064..e959821 100644
--- a/spec/angular_xss/safe_buffer_spec.rb
+++ b/spec/angular_xss/safe_buffer_spec.rb
@@ -1,7 +1,7 @@
 describe ActiveSupport::SafeBuffer do
   describe '#<<' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       subject << "{{unsafe}}"
       expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
@@ -12,7 +12,7 @@
   end
   describe '#+' do
-    it 'escapes angular brackets' do
+    it 'escapes angular braces' do
       combined_string = subject + "{{unsafe}}"
       expect(combined_string.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     end
diff --git a/spec/support/engine_preventing_angular_xss.rb b/spec/support/engine_preventing_angular_xss.rb
index 92b947b..025f4bc 100644
--- a/spec/support/engine_preventing_angular_xss.rb
+++ b/spec/support/engine_preventing_angular_xss.rb
@@ -16,9 +16,11 @@
   end
   it 'recognizes the many ways to express an opening curly brace in HTML' do
-    
+    # Only unsafe strings are escaped
     expect(html).to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+
+    # Only safe strings with braces are left untouched
     expect(html).to include("{{safe}}")
     expect(html).not_to include("{{unsafe}}")