diff options
| author | Matthew Landauer <matthew@openaustralia.org> | 2013-01-25 15:12:16 +1100 | 
|---|---|---|
| committer | Matthew Landauer <matthew@openaustralia.org> | 2013-01-25 15:12:16 +1100 | 
| commit | 4e74f0fcdcb0820865689cc0595cf0c83aee7cab (patch) | |
| tree | 1fd4a83516acaad73d88f0d7f011caf045ab5a17 /vendor | |
| parent | 65680320bee44812394041492c8492e95b1a3d78 (diff) | |
| parent | a67666e34c280d2b9eb613f57d96ba4ee5fcd749 (diff) | |
Merge branch 'rails_xss' into rails-3-spike
Conflicts:
	Gemfile
	Gemfile.lock
	config/environment.rb
	lib/i18n_fixes.rb
Diffstat (limited to 'vendor')
28 files changed, 2887 insertions, 0 deletions
| diff --git a/vendor/plugins/rails_xss/MIT-LICENSE b/vendor/plugins/rails_xss/MIT-LICENSE new file mode 100644 index 000000000..ed44a7bde --- /dev/null +++ b/vendor/plugins/rails_xss/MIT-LICENSE @@ -0,0 +1,20 @@ +Copyright (c) 2009 Koziarski Software Ltd. + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/plugins/rails_xss/README.markdown b/vendor/plugins/rails_xss/README.markdown new file mode 100644 index 000000000..1222ef38d --- /dev/null +++ b/vendor/plugins/rails_xss/README.markdown @@ -0,0 +1,91 @@ +RailsXss +======== + +This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape.  This is consistent with the behaviour in Rails 3.0. + +Strings now have a notion of "html safe",  which is false by default.  Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first.   + +All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified.  If you have your own helpers which return strings you *know* are safe,  you will need to explicitly tell rails that they're safe.  For an example, take the following helper. + +     +    def some_helper +      (1..5).map do |i| +        "<li>#{i}</li>" +      end.join("\n") +    end + +With this plugin installed, the html will be escaped.  So you will need to do one of the following: + +1) Use the raw helper in your template.  raw will ensure that your string is copied verbatim into the response body. + +    <%= raw some_helper %> + +2) Mark the string as safe in the helper itself: + +    def some_helper +      (1..5).map do |i| +        "<li>#{i}</li>" +      end.join("\n").html_safe +    end +   +3) Use the `safe_helper` meta programming method (WARNING: This is not supported by Rails 3, so if you're planning to +eventually upgrade your app this alternative is not recommended): + +    module ApplicationHelper +      def some_helper +        #... +      end +      safe_helper :some_helper    # not supported by Rails 3 +    end   + +Example +------- + +BEFORE: + +    <%= params[:own_me] %>        => XSS attack +    <%=h params[:own_me] %>       => No XSS +    <%= @blog_post.content %>     => Displays the HTML +                                 +AFTER:                           + +    <%= params[:own_me] %>        => No XSS  +    <%=h params[:own_me] %>       => No XSS (same result) +    <%= @blog_post.content %>     => *escapes* the HTML +    <%= raw @blog_post.content %> => Displays the HTML +   +   +Gotchas +--- + +#### textilize and simple_format do *not* return safe strings + +Both these methods support arbitrary HTML and are *not* safe to embed directly in your document.  You'll need to do something like: + +    <%= sanitize(textilize(@blog_post.content_textile)) %> + +#### Safe strings aren't magic. + +Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+.  All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like + +    value = something_safe +    value.gsub!(/a/, params[:own_me]) + +Don't do that. + +#### String interpolation won't be safe, even when it 'should' be + +    value = "#{something_safe}#{something_else_safe}" +    value.html_safe? # => false +   +This is intended functionality and can't be fixed. + +Getting Started +=============== + +1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable. +2. Install erubis (gem install erubis) +3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git) +4. Report anything that breaks. + +Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution. diff --git a/vendor/plugins/rails_xss/Rakefile b/vendor/plugins/rails_xss/Rakefile new file mode 100644 index 000000000..929ecbb81 --- /dev/null +++ b/vendor/plugins/rails_xss/Rakefile @@ -0,0 +1,23 @@ +require 'rake' +require 'rake/testtask' +require 'rake/rdoctask' + +desc 'Default: run unit tests.' +task :default => :test + +desc 'Test the rails_xss plugin.' +Rake::TestTask.new(:test) do |t| +  t.libs << 'lib' +  t.libs << 'test' +  t.pattern = 'test/**/*_test.rb' +  t.verbose = true +end + +desc 'Generate documentation for the rails_xss plugin.' +Rake::RDocTask.new(:rdoc) do |rdoc| +  rdoc.rdoc_dir = 'rdoc' +  rdoc.title    = 'RailsXss' +  rdoc.options << '--line-numbers' << '--inline-source' +  rdoc.rdoc_files.include('README') +  rdoc.rdoc_files.include('lib/**/*.rb') +end diff --git a/vendor/plugins/rails_xss/init.rb b/vendor/plugins/rails_xss/init.rb new file mode 100644 index 000000000..533eb1f36 --- /dev/null +++ b/vendor/plugins/rails_xss/init.rb @@ -0,0 +1,9 @@ +unless $gems_rake_task +  if Rails::VERSION::MAJOR >= 3 +    $stderr.puts "You don't need to install rails_xss as a plugin for Rails 3 and after." +  elsif Rails::VERSION::MAJOR <= 2 && Rails::VERSION::MINOR <= 3 && Rails::VERSION::TINY <= 7 +    $stderr.puts "rails_xss requires Rails 2.3.8 or later. Please upgrade to enable automatic HTML safety." +  else +    require 'rails_xss' +  end +end diff --git a/vendor/plugins/rails_xss/lib/rails_xss.rb b/vendor/plugins/rails_xss/lib/rails_xss.rb new file mode 100644 index 000000000..46d1b9a4a --- /dev/null +++ b/vendor/plugins/rails_xss/lib/rails_xss.rb @@ -0,0 +1,3 @@ +require 'rails_xss/erubis' +require 'rails_xss/action_view' +require 'rails_xss/string_ext' diff --git a/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb new file mode 100644 index 000000000..c3f5e47df --- /dev/null +++ b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb @@ -0,0 +1,111 @@ +module ActionView +  class Base +    def self.xss_safe? +      true +    end + +    module WithSafeOutputBuffer +      # Rails version of with_output_buffer uses '' as the default buf +      def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc: +        super buf +      end +    end + +    include WithSafeOutputBuffer +  end + +  module Helpers +    module CaptureHelper +      def content_for(name, content = nil, &block) +        ivar = "@content_for_#{name}" +        content = capture(&block) if block_given? +        instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe) +        nil +      end +    end     + +    module TextHelper +      def concat(string, unused_binding = nil) +        if unused_binding +          ActiveSupport::Deprecation.warn("The binding argument of #concat is no longer needed.  Please remove it from your views and helpers.", caller) +        end + +        output_buffer.concat(string) +      end + +      def simple_format(text, html_options={}) +        start_tag = tag('p', html_options, true) +        text = ERB::Util.h(text).to_str.dup +        text.gsub!(/\r\n?/, "\n")                    # \r\n and \r -> \n +        text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}")  # 2+ newline  -> paragraph +        text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline   -> br +        text.insert 0, start_tag +        text.html_safe.safe_concat("</p>") +      end +    end + +    module TagHelper +      private +        def content_tag_string_with_escaping(name, content, options, escape = true) +          content_tag_string_without_escaping(name, escape ? ERB::Util.h(content) : content, options, escape) +        end +        alias_method_chain :content_tag_string, :escaping +    end + +    module UrlHelper +      def link_to(*args, &block) +        if block_given? +          options      = args.first || {} +          html_options = args.second +          concat(link_to(capture(&block), options, html_options)) +        else +          name         = args.first +          options      = args.second || {} +          html_options = args.third + +          url = url_for(options) + +          if html_options +            html_options = html_options.stringify_keys +            href = html_options['href'] +            convert_options_to_javascript!(html_options, url) +            tag_options = tag_options(html_options) +          else +            tag_options = nil +          end + +          href_attr = "href=\"#{url}\"" unless href +          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe +        end +      end +    end +     +    module JavaScriptHelper +      def escape_javascript(javascript) +        if javascript +          javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] } +        else +          '' +        end +      end +    end +  end +end + +module RailsXss +  module SafeHelpers +    def safe_helper(*names) +      names.each do |helper_method_name| +        aliased_target, punctuation = helper_method_name.to_s.sub(/([?!=])$/, ''), $1 +        module_eval <<-END +          def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block) +            raw(#{aliased_target}_without_xss_safety#{punctuation}(*args, &block)) +          end +        END +        alias_method_chain helper_method_name, :xss_safety +      end +    end +  end +end + +Module.class_eval { include RailsXss::SafeHelpers } diff --git a/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb new file mode 100644 index 000000000..c8171c669 --- /dev/null +++ b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb @@ -0,0 +1,35 @@ +require 'erubis/helpers/rails_helper' + +module RailsXss +  class Erubis < ::Erubis::Eruby +    def add_preamble(src) +      src << "@output_buffer = ActiveSupport::SafeBuffer.new;" +    end + +    def add_text(src, text) +      return if text.empty? +      src << "@output_buffer.safe_concat('" << escape_text(text) << "');" +    end + +    BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/ + +    def add_expr_literal(src, code) +      if code =~ BLOCK_EXPR +        src << "@output_buffer.safe_concat((" << $1 << ").to_s);" +      else +        src << '@output_buffer << ((' << code << ').to_s);' +      end +    end + +    def add_expr_escaped(src, code) +      src << '@output_buffer << ' << escaped_expr(code) << ';' +    end + +    def add_postamble(src) +      src << '@output_buffer.to_s' +    end +  end +end + +Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis +Erubis::Helpers::RailsHelper.show_src = false diff --git a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb new file mode 100644 index 000000000..ee32e47c8 --- /dev/null +++ b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb @@ -0,0 +1,65 @@ +require 'active_support/deprecation' + +ActiveSupport::SafeBuffer.class_eval do +  def concat(value) +    if value.html_safe? +      super(value) +    else +      super(ERB::Util.h(value)) +    end +  end +  alias << concat +  UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze + +  for unsafe_method in UNSAFE_STRING_METHODS +    class_eval <<-EOT, __FILE__, __LINE__ + 1 +      def #{unsafe_method}(*args) +        super.to_str +      end +   +      def #{unsafe_method}!(*args) +        raise TypeError, "Cannot modify SafeBuffer in place" +      end +    EOT +  end +end + +class String +  def html_safe? +    defined?(@_rails_html_safe) +  end + +  def html_safe! +    ActiveSupport::Deprecation.warn("Use html_safe with your strings instead of html_safe! See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for the full story.", caller) +    @_rails_html_safe = true +    self +  end + +  def add_with_safety(other) +    result = add_without_safety(other) +    if html_safe? && also_html_safe?(other) +      result.html_safe! +    else +      result +    end +  end +  alias_method :add_without_safety, :+ +  alias_method :+, :add_with_safety + +  def concat_with_safety(other_or_fixnum) +    result = concat_without_safety(other_or_fixnum) +    unless html_safe? && also_html_safe?(other_or_fixnum) +      remove_instance_variable(:@_rails_html_safe) if defined?(@_rails_html_safe) +    end +    result +  end + +  alias_method_chain :concat, :safety +  undef_method :<< +  alias_method :<<, :concat_with_safety + +  private +    def also_html_safe?(other) +      other.respond_to?(:html_safe?) && other.html_safe? +    end +end diff --git a/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake b/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake new file mode 100644 index 000000000..b8659f089 --- /dev/null +++ b/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake @@ -0,0 +1,4 @@ +# desc "Explaining what the task does" +# task :rails_xss do +#   # Task goes here +# end diff --git a/vendor/plugins/rails_xss/test/active_record_helper_test.rb b/vendor/plugins/rails_xss/test/active_record_helper_test.rb new file mode 100644 index 000000000..728ec0ac6 --- /dev/null +++ b/vendor/plugins/rails_xss/test/active_record_helper_test.rb @@ -0,0 +1,74 @@ +require 'test_helper' + +class ActiveRecordHelperTest < ActionView::TestCase +  silence_warnings do +    Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on) +    Post.class_eval do +      alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast) +      alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast) +      alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast) +    end +  end + +  def setup_post +    @post = Post.new +    def @post.errors +      Class.new { +        def on(field) +          case field.to_s +          when "author_name" +            "can't be empty" +          when "body" +            true +          else +            false +          end +        end +        def empty?() false end +        def count() 1 end +        def full_messages() [ "Author name can't be empty" ] end +      }.new +    end + +    def @post.new_record?() true end +    def @post.to_param() nil end + +    def @post.column_for_attribute(attr_name) +      Post.content_columns.select { |column| column.name == attr_name }.first +    end + +    silence_warnings do +      def Post.content_columns() [ Column.new(:string, "title", "Title"), Column.new(:text, "body", "Body") ] end +    end + +    @post.title       = "Hello World" +    @post.author_name = "" +    @post.body        = "Back to the hill and over it again!" +    @post.secret = 1 +    @post.written_on  = Date.new(2004, 6, 15) +  end + +  def setup +    setup_post + +    @response = ActionController::TestResponse.new + +    @controller = Object.new +    def @controller.url_for(options) +      options = options.symbolize_keys + +      [options[:action], options[:id].to_param].compact.join('/') +    end +  end + +  def test_text_field_with_errors_is_safe +    assert text_field("post", "author_name").html_safe? +  end + +  def test_text_field_with_errors +    assert_dom_equal( +      %(<div class="fieldWithErrors"><input id="post_author_name" name="post[author_name]" size="30" type="text" value="" /></div>), +      text_field("post", "author_name") +    ) +  end +end diff --git a/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb b/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb new file mode 100644 index 000000000..f58feda3d --- /dev/null +++ b/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb @@ -0,0 +1,49 @@ +require 'test_helper' + +class AssetTagHelperTest < ActionView::TestCase +  def setup +    @controller = Class.new do +      attr_accessor :request +      def url_for(*args) "http://www.example.com" end +    end.new +  end + +  def test_auto_discovery_link_tag +    assert_dom_equal(%(<link href="http://www.example.com" rel="Not so alternate" title="ATOM" type="application/atom+xml" />), +                     auto_discovery_link_tag(:atom, {}, {:rel => "Not so alternate"})) +  end + +  def test_javascript_include_tag_with_blank_asset_id +    ENV["RAILS_ASSET_ID"] = "" +    assert_dom_equal(%(<script src="/javascripts/test.js" type="text/javascript"></script>\n<script src="/javascripts/prototype.js" type="text/javascript"></script>\n<script src="/javascripts/effects.js" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js" type="text/javascript"></script>\n<script src="/javascripts/controls.js" type="text/javascript"></script>\n<script src="/javascripts/application.js" type="text/javascript"></script>), +                     javascript_include_tag("test", :defaults)) +  end + +  def test_javascript_include_tag_with_given_asset_id +    ENV["RAILS_ASSET_ID"] = "1" +    assert_dom_equal(%(<script src="/javascripts/prototype.js?1" type="text/javascript"></script>\n<script src="/javascripts/effects.js?1" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js?1" type="text/javascript"></script>\n<script src="/javascripts/controls.js?1" type="text/javascript"></script>\n<script src="/javascripts/application.js?1" type="text/javascript"></script>), +                     javascript_include_tag(:defaults)) +    ENV["RAILS_ASSET_ID"] = "" +  end + +  def test_javascript_include_tag_is_html_safe +    assert javascript_include_tag(:defaults).html_safe? +    assert javascript_include_tag("prototype").html_safe? +  end + +  def test_stylesheet_link_tag +    assert_dom_equal(%(<link href="http://www.example.com/styles/style.css" media="screen" rel="stylesheet" type="text/css" />), +                     stylesheet_link_tag("http://www.example.com/styles/style")) +  end + +  def test_stylesheet_link_tag_is_html_safe +    assert stylesheet_link_tag('dir/file').html_safe? +    assert stylesheet_link_tag('dir/other/file', 'dir/file2').html_safe? +    assert stylesheet_tag('dir/file', {}).html_safe? +  end + +  def test_image_tag +    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />), +                     image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) +  end +end diff --git a/vendor/plugins/rails_xss/test/caching_test.rb b/vendor/plugins/rails_xss/test/caching_test.rb new file mode 100644 index 000000000..3ea41e8b5 --- /dev/null +++ b/vendor/plugins/rails_xss/test/caching_test.rb @@ -0,0 +1,54 @@ +require 'test_helper' + +CACHE_DIR = 'test_cache' +# Don't change '/../temp/' cavalierly or you might hose something you don't want hosed +FILE_STORE_PATH = File.join(File.dirname(__FILE__), '/../temp/', CACHE_DIR) +ActionController::Base.page_cache_directory = FILE_STORE_PATH +ActionController::Base.cache_store = :file_store, FILE_STORE_PATH + +class FragmentCachingTestController < ActionController::Base +  def some_action; end; +end + +class FragmentCachingTest < ActionController::TestCase +  def setup +    ActionController::Base.perform_caching = true +    @store = ActiveSupport::Cache::MemoryStore.new +    ActionController::Base.cache_store = @store +    @controller = FragmentCachingTestController.new +    @params = {:controller => 'posts', :action => 'index'} +    @request = ActionController::TestRequest.new +    @response = ActionController::TestResponse.new +    @controller.params = @params +    @controller.request = @request +    @controller.response = @response +    @controller.send(:initialize_current_url) +    @controller.send(:initialize_template_class, @response) +    @controller.send(:assign_shortcuts, @request, @response) +  end + +  def test_fragment_for +    @store.write('views/expensive', 'fragment content') +    fragment_computed = false + +    buffer = 'generated till now -> '.html_safe +    @controller.fragment_for(buffer, 'expensive') { fragment_computed = true } + +    assert !fragment_computed +    assert_equal 'generated till now -> fragment content', buffer +  end + +  def test_html_safety +    assert_nil @store.read('views/name') +    content = 'value'.html_safe +    assert_equal content, @controller.write_fragment('name', content) + +    cached = @store.read('views/name') +    assert_equal content, cached +    assert_equal String, cached.class + +    html_safe = @controller.read_fragment('name') +    assert_equal content, html_safe +    assert html_safe.html_safe? +  end +end diff --git a/vendor/plugins/rails_xss/test/content_for_test.rb b/vendor/plugins/rails_xss/test/content_for_test.rb new file mode 100644 index 000000000..45ba6762c --- /dev/null +++ b/vendor/plugins/rails_xss/test/content_for_test.rb @@ -0,0 +1,39 @@ +require 'test_helper' + +class ContentForTest < ActionView::TestCase + +  def test_content_for_should_yield_html_safe_string +    content_for(:testing, "Some <p>html</p>") +    content = instance_variable_get(:"@content_for_testing") +    assert content.html_safe? +  end + +  def test_content_for_should_escape_content +    content_for(:testing, "Some <p>html</p>") +    content = instance_variable_get(:"@content_for_testing") +    expected = %{Some <p>html</p>} +    assert_dom_equal expected, content +  end + +  def test_content_for_should_not_escape_html_safe_content +    content_for(:testing, "Some <p>html</p>".html_safe) +    content = instance_variable_get(:"@content_for_testing") +    expected = %{Some <p>html</p>} +    assert_dom_equal expected, content +  end + +  def test_content_for_should_escape_content_from_block +    content_for(:testing){ "Some <p>html</p>" } +    content = instance_variable_get(:"@content_for_testing") +    expected = %{Some <p>html</p>} +    assert_dom_equal expected, content +  end + +  def test_content_for_should_not_escape_html_safe_content_from_block +    content_for(:testing){ "Some <p>html</p>".html_safe } +    content = instance_variable_get(:"@content_for_testing") +    expected = %{Some <p>html</p>} +    assert_dom_equal expected, content +  end + +end diff --git a/vendor/plugins/rails_xss/test/date_helper_test.rb b/vendor/plugins/rails_xss/test/date_helper_test.rb new file mode 100644 index 000000000..daf010274 --- /dev/null +++ b/vendor/plugins/rails_xss/test/date_helper_test.rb @@ -0,0 +1,29 @@ +require 'test_helper' + +class DateHelperTest < ActionView::TestCase +  silence_warnings do +    Post = Struct.new("Post", :id, :written_on, :updated_at) +  end + +  def test_select_html_safety +    assert select_day(16).html_safe? +    assert select_month(8).html_safe? +    assert select_year(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? +    assert select_minute(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? +    assert select_second(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe? + +    assert select_minute(8, :use_hidden => true).html_safe? +    assert select_month(8, :prompt => 'Choose month').html_safe? + +    assert select_time(Time.mktime(2003, 8, 16, 8, 4, 18), {}, :class => 'selector').html_safe? +    assert select_date(Time.mktime(2003, 8, 16), :date_separator => " / ", :start_year => 2003, :end_year => 2005, :prefix => "date[first]").html_safe? +  end +   +  def test_object_select_html_safety +    @post = Post.new +    @post.written_on = Date.new(2004, 6, 15) + +    assert date_select("post", "written_on", :default => Time.local(2006, 9, 19, 15, 16, 35), :include_blank => true).html_safe?     +    assert time_select("post", "written_on", :ignore_date => true).html_safe?     +  end +end diff --git a/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb b/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb new file mode 100644 index 000000000..e16f7ce0d --- /dev/null +++ b/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb @@ -0,0 +1,112 @@ +require 'test_helper' + +class DeprecatedOutputSafetyTest < ActiveSupport::TestCase +  def setup +    @string = "hello" +  end + +  test "A string can be marked safe using html_safe!" do +    assert_deprecated do +      @string.html_safe! +      assert @string.html_safe? +    end +  end + +  test "Marking a string safe returns the string using html_safe!" do +    assert_deprecated do +      assert_equal @string, @string.html_safe! +    end +  end + +  test "Adding a safe string to another safe string returns a safe string using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      @string.html_safe! +      @combination = @other_string + @string + +      assert_equal "otherhello", @combination +      assert @combination.html_safe? +    end +  end + +  test "Adding an unsafe string to a safe string returns an unsafe string using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      @combination = @other_string + "<foo>" +      @other_combination = @string + "<foo>" + +      assert_equal "other<foo>", @combination +      assert_equal "hello<foo>", @other_combination + +      assert !@combination.html_safe? +      assert !@other_combination.html_safe? +    end +  end + +  test "Concatting safe onto unsafe yields unsafe using html_safe!" do +    assert_deprecated do +      @other_string = "other" +      @string.html_safe! + +      @other_string.concat(@string) +      assert !@other_string.html_safe? +    end +  end + +  test "Concatting unsafe onto safe yields unsafe using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      string = @other_string.concat("<foo>") +      assert_equal "other<foo>", string +      assert !string.html_safe? +    end +  end + +  test "Concatting safe onto safe yields safe using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      @string.html_safe! + +      @other_string.concat(@string) +      assert @other_string.html_safe? +    end +  end + +  test "Concatting safe onto unsafe with << yields unsafe using html_safe!" do +    assert_deprecated do +      @other_string = "other" +      @string.html_safe! + +      @other_string << @string +      assert !@other_string.html_safe? +    end +  end + +  test "Concatting unsafe onto safe with << yields unsafe using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      string = @other_string << "<foo>" +      assert_equal "other<foo>", string +      assert !string.html_safe? +    end +  end + +  test "Concatting safe onto safe with << yields safe using html_safe!" do +    assert_deprecated do +      @other_string = "other".html_safe! +      @string.html_safe! + +      @other_string << @string +      assert @other_string.html_safe? +    end +  end + +  test "Concatting a fixnum to safe always yields safe using html_safe!" do +    assert_deprecated do +      @string.html_safe! +      @string.concat(13) +      assert_equal "hello".concat(13), @string +      assert @string.html_safe? +    end +  end +end diff --git a/vendor/plugins/rails_xss/test/erb_util_test.rb b/vendor/plugins/rails_xss/test/erb_util_test.rb new file mode 100644 index 000000000..9a04d38e6 --- /dev/null +++ b/vendor/plugins/rails_xss/test/erb_util_test.rb @@ -0,0 +1,36 @@ +require 'test_helper' + +class ErbUtilTest < Test::Unit::TestCase +  include ERB::Util + +  ERB::Util::HTML_ESCAPE.each do |given, expected| +    define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do +      assert_equal expected, html_escape(given) +    end + +    unless given == '"' +      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do +        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given) +      end +    end +  end +   +  def test_html_escape_is_html_safe +    escaped = h("<p>") +    assert_equal "<p>", escaped +    assert escaped.html_safe? +  end + +  def test_html_escape_passes_html_escpe_unmodified +    escaped = h("<p>".html_safe) +    assert_equal "<p>", escaped +    assert escaped.html_safe? +  end + +  def test_rest_in_ascii +    (0..127).to_a.map {|int| int.chr }.each do |chr| +      next if %w(& " < >).include?(chr) +      assert_equal chr, html_escape(chr) +    end +  end +end diff --git a/vendor/plugins/rails_xss/test/form_helper_test.rb b/vendor/plugins/rails_xss/test/form_helper_test.rb new file mode 100644 index 000000000..e5580d26c --- /dev/null +++ b/vendor/plugins/rails_xss/test/form_helper_test.rb @@ -0,0 +1,1447 @@ +require 'test_helper' + +silence_warnings do +  Post = Struct.new(:title, :author_name, :body, :secret, :written_on, :cost) +  Post.class_eval do +    alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast) +    alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast) +    alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast) +    alias_method :secret?, :secret + +    def new_record=(boolean) +      @new_record = boolean +    end + +    def new_record? +      @new_record +    end + +    attr_accessor :author +    def author_attributes=(attributes); end + +    attr_accessor :comments +    def comments_attributes=(attributes); end + +    attr_accessor :tags +    def tags_attributes=(attributes); end +  end + +  class Comment +    attr_reader :id +    attr_reader :post_id +    def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end +    def save; @id = 1; @post_id = 1 end +    def new_record?; @id.nil? end +    def to_param; @id; end +    def name +      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}" +    end + +    attr_accessor :relevances +    def relevances_attributes=(attributes); end + +  end + +  class Tag +    attr_reader :id +    attr_reader :post_id +    def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end +    def save; @id = 1; @post_id = 1 end +    def new_record?; @id.nil? end +    def to_param; @id; end +    def value +      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}" +    end + +    attr_accessor :relevances +    def relevances_attributes=(attributes); end + +  end + +  class CommentRelevance +    attr_reader :id +    attr_reader :comment_id +    def initialize(id = nil, comment_id = nil); @id, @comment_id = id, comment_id end +    def save; @id = 1; @comment_id = 1 end +    def new_record?; @id.nil? end +    def to_param; @id; end +    def value +      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}" +    end +  end + +  class TagRelevance +    attr_reader :id +    attr_reader :tag_id +    def initialize(id = nil, tag_id = nil); @id, @tag_id = id, tag_id end +    def save; @id = 1; @tag_id = 1 end +    def new_record?; @id.nil? end +    def to_param; @id; end +    def value +      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}" +    end +  end + +  class Author < Comment +    attr_accessor :post +    def post_attributes=(attributes); end +  end +end + +class FormHelperTest < ActionView::TestCase +  tests ActionView::Helpers::FormHelper + +  def setup +    super + +    # Create "label" locale for testing I18n label helpers +    I18n.backend.store_translations 'label', { +      :helpers => { +        :label => { +          :post => { +            :body => "Write entire text here" +          } +        } +      } +    } + +    @post = Post.new +    @comment = Comment.new +    def @post.errors() +      Class.new{ +        def on(field); "can't be empty" if field == "author_name"; end +        def empty?() false end +        def count() 1 end +        def full_messages() [ "Author name can't be empty" ] end +      }.new +    end +    def @post.id; 123; end +    def @post.id_before_type_cast; 123; end +    def @post.to_param; '123'; end + +    @post.title       = "Hello World" +    @post.author_name = "" +    @post.body        = "Back to the hill and over it again!" +    @post.secret      = 1 +    @post.written_on  = Date.new(2004, 6, 15) + +    def Post.human_attribute_name(attribute) +      attribute.to_s == "cost" ? "Total cost" : attribute.to_s.humanize +    end + +    @controller = Class.new do +      attr_reader :url_for_options +      def url_for(options) +        @url_for_options = options +        "http://www.example.com" +      end +    end +    @controller = @controller.new +  end + +  def test_label +    assert_dom_equal('<label for="post_title">Title</label>', label("post", "title")) +    assert_dom_equal('<label for="post_title">The title goes here</label>', label("post", "title", "The title goes here")) +    assert_dom_equal( +      '<label class="title_label" for="post_title">Title</label>', +      label("post", "title", nil, :class => 'title_label') +    ) +    assert_dom_equal('<label for="post_secret">Secret?</label>', label("post", "secret?")) +  end + +  def test_label_with_symbols +    assert_dom_equal('<label for="post_title">Title</label>', label(:post, :title)) +    assert_dom_equal('<label for="post_secret">Secret?</label>', label(:post, :secret?)) +  end + +  def test_label_with_locales_strings +    old_locale, I18n.locale = I18n.locale, :label +    assert_dom_equal('<label for="post_body">Write entire text here</label>', label("post", "body")) +  ensure +    I18n.locale = old_locale +  end + +  def test_label_with_human_attribute_name +    old_locale, I18n.locale = I18n.locale, :label +    assert_dom_equal('<label for="post_cost">Total cost</label>', label(:post, :cost)) +  ensure +    I18n.locale = old_locale +  end + +  def test_label_with_locales_symbols +    old_locale, I18n.locale = I18n.locale, :label +    assert_dom_equal('<label for="post_body">Write entire text here</label>', label(:post, :body)) +  ensure +    I18n.locale = old_locale +  end + +  def test_label_with_for_attribute_as_symbol +    assert_dom_equal('<label for="my_for">Title</label>', label(:post, :title, nil, :for => "my_for")) +  end + +  def test_label_with_for_attribute_as_string +    assert_dom_equal('<label for="my_for">Title</label>', label(:post, :title, nil, "for" => "my_for")) +  end + +  def test_label_with_id_attribute_as_symbol +    assert_dom_equal('<label for="post_title" id="my_id">Title</label>', label(:post, :title, nil, :id => "my_id")) +  end + +  def test_label_with_id_attribute_as_string +    assert_dom_equal('<label for="post_title" id="my_id">Title</label>', label(:post, :title, nil, "id" => "my_id")) +  end + +  def test_label_with_for_and_id_attributes_as_symbol +    assert_dom_equal('<label for="my_for" id="my_id">Title</label>', label(:post, :title, nil, :for => "my_for", :id => "my_id")) +  end + +  def test_label_with_for_and_id_attributes_as_string +    assert_dom_equal('<label for="my_for" id="my_id">Title</label>', label(:post, :title, nil, "for" => "my_for", "id" => "my_id")) +  end + +  def test_label_for_radio_buttons_with_value +    assert_dom_equal('<label for="post_title_great_title">The title goes here</label>', label("post", "title", "The title goes here", :value => "great_title")) +    assert_dom_equal('<label for="post_title_great_title">The title goes here</label>', label("post", "title", "The title goes here", :value => "great title")) +  end + +  def test_text_field +    assert_dom_equal( +      '<input id="post_title" name="post[title]" size="30" type="text" value="Hello World" />', text_field("post", "title") +    ) +    assert_dom_equal( +      '<input id="post_title" name="post[title]" size="30" type="password" value="Hello World" />', password_field("post", "title") +    ) +    assert_dom_equal( +      '<input id="person_name" name="person[name]" size="30" type="password" />', password_field("person", "name") +    ) +  end + +  def test_text_field_with_escapes +    @post.title = "<b>Hello World</b>" +    assert_dom_equal( +      '<input id="post_title" name="post[title]" size="30" type="text" value="<b>Hello World</b>" />', text_field("post", "title") +    ) +  end + +  def test_text_field_with_html_entities +    @post.title = "The HTML Entity for & is &" +    assert_dom_equal( +      '<input id="post_title" name="post[title]" size="30" type="text" value="The HTML Entity for & is &amp;" />', +      text_field("post", "title") +    ) +  end + +  def test_text_field_with_options +    expected = '<input id="post_title" name="post[title]" size="35" type="text" value="Hello World" />' +    assert_dom_equal expected, text_field("post", "title", "size" => 35) +    assert_dom_equal expected, text_field("post", "title", :size => 35) +  end + +  def test_text_field_assuming_size +    expected = '<input id="post_title" maxlength="35" name="post[title]" size="35" type="text" value="Hello World" />' +    assert_dom_equal expected, text_field("post", "title", "maxlength" => 35) +    assert_dom_equal expected, text_field("post", "title", :maxlength => 35) +  end + +  def test_text_field_removing_size +    expected = '<input id="post_title" maxlength="35" name="post[title]" type="text" value="Hello World" />' +    assert_dom_equal expected, text_field("post", "title", "maxlength" => 35, "size" => nil) +    assert_dom_equal expected, text_field("post", "title", :maxlength => 35, :size => nil) +  end + +  def test_text_field_doesnt_change_param_values +    object_name = 'post[]' +    expected = '<input id="post_123_title" name="post[123][title]" size="30" type="text" value="Hello World" />' +    assert_equal expected, text_field(object_name, "title") +    assert_equal object_name, "post[]" +  end + +  def test_hidden_field +    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="Hello World" />', +      hidden_field("post", "title") +      assert_dom_equal '<input id="post_secret" name="post[secret]" type="hidden" value="1" />', +        hidden_field("post", "secret?") +  end + +  def test_hidden_field_with_escapes +    @post.title = "<b>Hello World</b>" +    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="<b>Hello World</b>" />', +      hidden_field("post", "title") +  end + +  def test_hidden_field_with_options +    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="Something Else" />', +      hidden_field("post", "title", :value => "Something Else") +  end + +  def test_check_box +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret") +    ) +    @post.secret = 0 +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret") +    ) +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret" ,{"checked"=>"checked"}) +    ) +    @post.secret = true +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret") +    ) +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret?") +    ) + +    @post.secret = ['0'] +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret") +    ) +    @post.secret = ['1'] +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret") +    ) +  end + +  def test_check_box_with_explicit_checked_and_unchecked_values +    @post.secret = "on" +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="off" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="on" />', +      check_box("post", "secret", {}, "on", "off") +    ) +  end + +  def test_checkbox_disabled_still_submits_checked_value +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="1" /><input checked="checked" disabled="disabled" id="post_secret" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret", { :disabled => :true }) +    ) +  end + +  def test_radio_button +    assert_dom_equal('<input checked="checked" id="post_title_hello_world" name="post[title]" type="radio" value="Hello World" />', +      radio_button("post", "title", "Hello World") +    ) +    assert_dom_equal('<input id="post_title_goodbye_world" name="post[title]" type="radio" value="Goodbye World" />', +      radio_button("post", "title", "Goodbye World") +    ) +    assert_dom_equal('<input id="item_subobject_title_inside_world" name="item[subobject][title]" type="radio" value="inside world"/>', +      radio_button("item[subobject]", "title", "inside world") +    ) +  end + +  def test_radio_button_is_checked_with_integers +    assert_dom_equal('<input checked="checked" id="post_secret_1" name="post[secret]" type="radio" value="1" />', +      radio_button("post", "secret", "1") +   ) +  end + +  def test_radio_button_respects_passed_in_id +     assert_dom_equal('<input checked="checked" id="foo" name="post[secret]" type="radio" value="1" />', +       radio_button("post", "secret", "1", :id=>"foo") +    ) +  end + +  def test_radio_button_with_booleans +    assert_dom_equal('<input id="post_secret_true" name="post[secret]" type="radio" value="true" />', +      radio_button("post", "secret", true) +    ) + +    assert_dom_equal('<input id="post_secret_false" name="post[secret]" type="radio" value="false" />', +      radio_button("post", "secret", false) +    ) +  end + +  def test_text_area +    assert_dom_equal( +      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea>', +      text_area("post", "body") +    ) +  end + +  def test_text_area_with_escapes +    @post.body        = "Back to <i>the</i> hill and over it again!" +    assert_dom_equal( +      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Back to <i>the</i> hill and over it again!</textarea>', +      text_area("post", "body") +    ) +  end + +  def test_text_area_with_alternate_value +    assert_dom_equal( +      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Testing alternate values.</textarea>', +      text_area("post", "body", :value => 'Testing alternate values.') +    ) +  end + +  def test_text_area_with_html_entities +    @post.body        = "The HTML Entity for & is &" +    assert_dom_equal( +      '<textarea cols="40" id="post_body" name="post[body]" rows="20">The HTML Entity for & is &amp;</textarea>', +      text_area("post", "body") +    ) +  end + +  def test_text_area_with_size_option +    assert_dom_equal( +      '<textarea cols="183" id="post_body" name="post[body]" rows="820">Back to the hill and over it again!</textarea>', +      text_area("post", "body", :size => "183x820") +    ) +  end + +  def test_explicit_name +    assert_dom_equal( +      '<input id="post_title" name="dont guess" size="30" type="text" value="Hello World" />', text_field("post", "title", "name" => "dont guess") +    ) +    assert_dom_equal( +      '<textarea cols="40" id="post_body" name="really!" rows="20">Back to the hill and over it again!</textarea>', +      text_area("post", "body", "name" => "really!") +    ) +    assert_dom_equal( +      '<input name="i mean it" type="hidden" value="0" /><input checked="checked" id="post_secret" name="i mean it" type="checkbox" value="1" />', +      check_box("post", "secret", "name" => "i mean it") +    ) +    assert_dom_equal text_field("post", "title", "name" => "dont guess"), +                 text_field("post", "title", :name => "dont guess") +    assert_dom_equal text_area("post", "body", "name" => "really!"), +                 text_area("post", "body", :name => "really!") +    assert_dom_equal check_box("post", "secret", "name" => "i mean it"), +                 check_box("post", "secret", :name => "i mean it") +  end + +  def test_explicit_id +    assert_dom_equal( +      '<input id="dont guess" name="post[title]" size="30" type="text" value="Hello World" />', text_field("post", "title", "id" => "dont guess") +    ) +    assert_dom_equal( +      '<textarea cols="40" id="really!" name="post[body]" rows="20">Back to the hill and over it again!</textarea>', +      text_area("post", "body", "id" => "really!") +    ) +    assert_dom_equal( +      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="i mean it" name="post[secret]" type="checkbox" value="1" />', +      check_box("post", "secret", "id" => "i mean it") +    ) +    assert_dom_equal text_field("post", "title", "id" => "dont guess"), +                 text_field("post", "title", :id => "dont guess") +    assert_dom_equal text_area("post", "body", "id" => "really!"), +                 text_area("post", "body", :id => "really!") +    assert_dom_equal check_box("post", "secret", "id" => "i mean it"), +                 check_box("post", "secret", :id => "i mean it") +  end + +  def test_auto_index +    pid = @post.id +    assert_dom_equal( +      "<label for=\"post_#{pid}_title\">Title</label>", +      label("post[]", "title") +    ) +    assert_dom_equal( +      "<input id=\"post_#{pid}_title\" name=\"post[#{pid}][title]\" size=\"30\" type=\"text\" value=\"Hello World\" />", text_field("post[]","title") +    ) +    assert_dom_equal( +      "<textarea cols=\"40\" id=\"post_#{pid}_body\" name=\"post[#{pid}][body]\" rows=\"20\">Back to the hill and over it again!</textarea>", +      text_area("post[]", "body") +    ) +    assert_dom_equal( +      "<input name=\"post[#{pid}][secret]\" type=\"hidden\" value=\"0\" /><input checked=\"checked\" id=\"post_#{pid}_secret\" name=\"post[#{pid}][secret]\" type=\"checkbox\" value=\"1\" />", +      check_box("post[]", "secret") +    ) +   assert_dom_equal( +"<input checked=\"checked\" id=\"post_#{pid}_title_hello_world\" name=\"post[#{pid}][title]\" type=\"radio\" value=\"Hello World\" />", +      radio_button("post[]", "title", "Hello World") +    ) +    assert_dom_equal("<input id=\"post_#{pid}_title_goodbye_world\" name=\"post[#{pid}][title]\" type=\"radio\" value=\"Goodbye World\" />", +      radio_button("post[]", "title", "Goodbye World") +    ) +  end + +  def test_form_for +    form_for(:post, @post, :html => { :id => 'create-post' }) do |f| +      concat f.label(:title) +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +      concat f.submit('Create post') +    end + +    expected = +      "<form action='http://www.example.com' id='create-post' method='post'>" + +      "<label for='post_title'>Title</label>" + +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +      "<input name='commit' id='post_submit' type='submit' value='Create post' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_method +    form_for(:post, @post, :html => { :id => 'create-post', :method => :put }) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' id='create-post' method='post'>" + +      "<div style='margin:0;padding:0;display:inline'><input name='_method' type='hidden' value='put' /></div>" + +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_without_object +    form_for(:post, :html => { :id => 'create-post' }) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' id='create-post' method='post'>" + +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_index +    form_for("post[]", @post) do |f| +      concat f.label(:title) +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' method='post'>" + +      "<label for=\"post_123_title\">Title</label>" + +      "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" + +      "<textarea name='post[123][body]' id='post_123_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[123][secret]' type='hidden' value='0' />" + +      "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_nil_index_option_override +    form_for("post[]", @post, :index => nil) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' method='post'>" + +      "<input name='post[][title]' size='30' type='text' id='post__title' value='Hello World' />" + +      "<textarea name='post[][body]' id='post__body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[][secret]' type='hidden' value='0' />" + +      "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for +    form_for(:post, @post) do |f| +      f.fields_for(:comment, @post) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[comment][title]' size='30' type='text' id='post_comment_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_nested_collections +    form_for('post[]', @post) do |f| +      concat f.text_field(:title) +      f.fields_for('comment[]', @comment) do |c| +        concat c.text_field(:name) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" + +               "<input name='post[123][comment][][name]' size='30' type='text' id='post_123_comment__name' value='new comment' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_index_and_parent_fields +    form_for('post', @post, :index => 1) do |c| +      concat c.text_field(:title) +      c.fields_for('comment', @comment, :index => 1) do |r| +        concat r.text_field(:name) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[1][title]' size='30' type='text' id='post_1_title' value='Hello World' />" + +               "<input name='post[1][comment][1][name]' size='30' type='text' id='post_1_comment_1_name' value='new comment' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_index_and_nested_fields_for +    form_for(:post, @post, :index => 1) do |f| +      f.fields_for(:comment, @post) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[1][comment][title]' size='30' type='text' id='post_1_comment_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_index_on_both +    form_for(:post, @post, :index => 1) do |f| +      f.fields_for(:comment, @post, :index => 5) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[1][comment][5][title]' size='30' type='text' id='post_1_comment_5_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_auto_index +    form_for("post[]", @post) do |f| +      f.fields_for(:comment, @post) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[123][comment][title]' size='30' type='text' id='post_123_comment_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_index_radio_button +    form_for(:post, @post) do |f| +      f.fields_for(:comment, @post, :index => 5) do |c| +        concat c.radio_button(:title, "hello") +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[comment][5][title]' type='radio' id='post_comment_5_title_hello' value='hello' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_auto_index_on_both +    form_for("post[]", @post) do |f| +      f.fields_for("comment[]", @post) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[123][comment][123][title]' size='30' type='text' id='post_123_comment_123_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_index_and_auto_index +    form_for("post[]", @post) do |f| +      f.fields_for(:comment, @post, :index => 5) do |c| +        concat c.text_field(:title) +      end +    end + +    form_for(:post, @post, :index => 1) do |f| +      f.fields_for("comment[]", @post) do |c| +        concat c.text_field(:title) +      end +    end + +    expected = "<form action='http://www.example.com' method='post'>" + +               "<input name='post[123][comment][5][title]' size='30' type='text' id='post_123_comment_5_title' value='Hello World' />" + +               "</form>" + +               "<form action='http://www.example.com' method='post'>" + +               "<input name='post[1][comment][123][title]' size='30' type='text' id='post_1_comment_123_title' value='Hello World' />" + +               "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_a_new_record_on_a_nested_attributes_one_to_one_association +    @post.author = Author.new + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:author) do |af| +        concat af.text_field(:name) +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="new author" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_explicitly_passed_object_on_a_nested_attributes_one_to_one_association +    form_for(:post, @post) do |f| +      f.fields_for(:author, Author.new(123)) do |af| +        assert_not_nil af.object +        assert_equal 123, af.object.id +      end +    end +  end + +  def test_nested_fields_for_with_an_existing_record_on_a_nested_attributes_one_to_one_association +    @post.author = Author.new(321) + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:author) do |af| +        concat af.text_field(:name) +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' + +               '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end +   +  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_one_association_with_explicit_hidden_field_placement +    @post.author = Author.new(321) + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:author) do |af| +        concat af.hidden_field(:id) +        concat af.text_field(:name) +      end +    end +     +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' + +               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association +    @post.comments = Array.new(2) { |id| Comment.new(id + 1) } + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      @post.comments.each do |comment| +        f.fields_for(:comments, comment) do |cf| +          concat cf.text_field(:name) +        end +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' + +               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association_with_explicit_hidden_field_placement +    @post.comments = Array.new(2) { |id| Comment.new(id + 1) } + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      @post.comments.each do |comment| +        f.fields_for(:comments, comment) do |cf| +          concat cf.hidden_field(:id) +          concat cf.text_field(:name) +        end +      end +    end +     +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' + +               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_new_records_on_a_nested_attributes_collection_association +    @post.comments = [Comment.new, Comment.new] + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      @post.comments.each do |comment| +        f.fields_for(:comments, comment) do |cf| +          concat cf.text_field(:name) +        end +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="new comment" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_existing_and_new_records_on_a_nested_attributes_collection_association +    @post.comments = [Comment.new(321), Comment.new] + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      @post.comments.each do |comment| +        f.fields_for(:comments, comment) do |cf| +          concat cf.text_field(:name) +        end +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_an_empty_supplied_attributes_collection +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:comments, []) do |cf| +        concat cf.text_field(:name) +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_with_existing_records_on_a_supplied_nested_attributes_collection +    @post.comments = Array.new(2) { |id| Comment.new(id + 1) } + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:comments, @post.comments) do |cf| +        concat cf.text_field(:name) +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' + +               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_for_on_a_nested_attributes_collection_association_yields_only_builder +    @post.comments = [Comment.new(321), Comment.new] +    yielded_comments = [] + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      f.fields_for(:comments) do |cf| +        concat cf.text_field(:name) +        yielded_comments << cf.object +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' + +               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +    assert_equal yielded_comments, @post.comments +  end + +  def test_nested_fields_for_with_child_index_option_override_on_a_nested_attributes_collection_association +    @post.comments = [] + +    form_for(:post, @post) do |f| +      f.fields_for(:comments, Comment.new(321), :child_index => 'abc') do |cf| +        concat cf.text_field(:name) +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input id="post_comments_attributes_abc_name" name="post[comments_attributes][abc][name]" size="30" type="text" value="comment #321" />' + +               '<input id="post_comments_attributes_abc_id" name="post[comments_attributes][abc][id]" type="hidden" value="321" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_nested_fields_uses_unique_indices_for_different_collection_associations +    @post.comments = [Comment.new(321)] +    @post.tags = [Tag.new(123), Tag.new(456)] +    @post.comments[0].relevances = [] +    @post.tags[0].relevances = [] +    @post.tags[1].relevances = [] +    form_for(:post, @post) do |f| +      f.fields_for(:comments, @post.comments[0]) do |cf| +        concat cf.text_field(:name) +        cf.fields_for(:relevances, CommentRelevance.new(314)) do |crf| +          concat crf.text_field(:value) +        end +      end +      f.fields_for(:tags, @post.tags[0]) do |tf| +        concat tf.text_field(:value) +        tf.fields_for(:relevances, TagRelevance.new(3141)) do |trf| +          concat trf.text_field(:value) +        end +      end +      f.fields_for('tags', @post.tags[1]) do |tf| +        concat tf.text_field(:value) +        tf.fields_for(:relevances, TagRelevance.new(31415)) do |trf| +          concat trf.text_field(:value) +        end +      end +    end + +    expected = '<form action="http://www.example.com" method="post">' + +               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' + +               '<input id="post_comments_attributes_0_relevances_attributes_0_value" name="post[comments_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="commentrelevance #314" />' + +               '<input id="post_comments_attributes_0_relevances_attributes_0_id" name="post[comments_attributes][0][relevances_attributes][0][id]" type="hidden" value="314" />' + +               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' + +               '<input id="post_tags_attributes_0_value" name="post[tags_attributes][0][value]" size="30" type="text" value="tag #123" />' + +               '<input id="post_tags_attributes_0_relevances_attributes_0_value" name="post[tags_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #3141" />' + +               '<input id="post_tags_attributes_0_relevances_attributes_0_id" name="post[tags_attributes][0][relevances_attributes][0][id]" type="hidden" value="3141" />' + +               '<input id="post_tags_attributes_0_id" name="post[tags_attributes][0][id]" type="hidden" value="123" />' + +               '<input id="post_tags_attributes_1_value" name="post[tags_attributes][1][value]" size="30" type="text" value="tag #456" />' + +               '<input id="post_tags_attributes_1_relevances_attributes_0_value" name="post[tags_attributes][1][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #31415" />' + +               '<input id="post_tags_attributes_1_relevances_attributes_0_id" name="post[tags_attributes][1][relevances_attributes][0][id]" type="hidden" value="31415" />' + +               '<input id="post_tags_attributes_1_id" name="post[tags_attributes][1][id]" type="hidden" value="456" />' + +               '</form>' + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for +    fields_for(:post, @post) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_with_index +    fields_for("post[]", @post) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" + +      "<textarea name='post[123][body]' id='post_123_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[123][secret]' type='hidden' value='0' />" + +      "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_with_nil_index_option_override +    fields_for("post[]", @post, :index => nil) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[][title]' size='30' type='text' id='post__title' value='Hello World' />" + +      "<textarea name='post[][body]' id='post__body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[][secret]' type='hidden' value='0' />" + +      "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_with_index_option_override +    fields_for("post[]", @post, :index => "abc") do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[abc][title]' size='30' type='text' id='post_abc_title' value='Hello World' />" + +      "<textarea name='post[abc][body]' id='post_abc_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[abc][secret]' type='hidden' value='0' />" + +      "<input name='post[abc][secret]' checked='checked' type='checkbox' id='post_abc_secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_without_object +    fields_for(:post) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_with_only_object +    fields_for(@post) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[secret]' type='hidden' value='0' />" + +      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" + +    assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_object_with_bracketed_name +    fields_for("author[post]", @post) do |f| +      concat f.label(:title) +      concat f.text_field(:title) +    end + +    assert_dom_equal "<label for=\"author_post_title\">Title</label>" + +    "<input name='author[post][title]' size='30' type='text' id='author_post_title' value='Hello World' />", +      output_buffer +  end + +  def test_fields_for_object_with_bracketed_name_and_index +    fields_for("author[post]", @post, :index => 1) do |f| +      concat f.label(:title) +      concat f.text_field(:title) +    end + +    assert_dom_equal "<label for=\"author_post_1_title\">Title</label>" + +      "<input name='author[post][1][title]' size='30' type='text' id='author_post_1_title' value='Hello World' />", +      output_buffer +  end + +  def test_form_builder_does_not_have_form_for_method +    assert ! ActionView::Helpers::FormBuilder.instance_methods.include?('form_for') +  end + +  def test_form_for_and_fields_for +    form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form| +      concat post_form.text_field(:title) +      concat post_form.text_area(:body) + +      fields_for(:parent_post, @post) do |parent_fields| +        concat parent_fields.check_box(:secret) +      end +    end + +    expected = +      "<form action='http://www.example.com' id='create-post' method='post'>" + +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='parent_post[secret]' type='hidden' value='0' />" + +      "<input name='parent_post[secret]' checked='checked' type='checkbox' id='parent_post_secret' value='1' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_and_fields_for_with_object +    form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form| +      concat post_form.text_field(:title) +      concat post_form.text_area(:body) + +      post_form.fields_for(@comment) do |comment_fields| +        concat comment_fields.text_field(:name) +      end +    end + +    expected = +      "<form action='http://www.example.com' id='create-post' method='post'>" + +      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" + +      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" + +      "<input name='post[comment][name]' type='text' id='post_comment_name' value='new comment' size='30' />" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  class LabelledFormBuilder < ActionView::Helpers::FormBuilder +    (field_helpers - %w(hidden_field)).each do |selector| +      src, line = <<-END_SRC, __LINE__ + 1 +        def #{selector}(field, *args, &proc) +          ("<label for='\#{field}'>\#{field.to_s.humanize}:</label> " + super + "<br/>").html_safe +        end +      END_SRC +      class_eval src, __FILE__, line +    end +  end + +  def test_form_for_with_labelled_builder +    form_for(:post, @post, :builder => LabelledFormBuilder) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' method='post'>" + +      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" + +      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" + +      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_default_form_builder +    old_default_form_builder, ActionView::Base.default_form_builder = +      ActionView::Base.default_form_builder, LabelledFormBuilder + +    form_for(:post, @post) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<form action='http://www.example.com' method='post'>" + +      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" + +      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" + +      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" + +      "</form>" + +    assert_dom_equal expected, output_buffer +  ensure +    ActionView::Base.default_form_builder = old_default_form_builder +  end + +  def test_default_form_builder_with_active_record_helpers +    form_for(:post, @post) do |f| +       concat f.error_message_on('author_name') +       concat f.error_messages +    end + +    expected = %(<form action='http://www.example.com' method='post'>) + +               %(<div class='formError'>can't be empty</div>) + +               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) + +               %(</form>) + +    assert_dom_equal expected, output_buffer + +  end + +  def test_default_form_builder_no_instance_variable +    post = @post +    @post = nil + +    form_for(:post, post) do |f| +       concat f.error_message_on('author_name') +       concat f.error_messages +    end + +    expected = %(<form action='http://www.example.com' method='post'>) + +               %(<div class='formError'>can't be empty</div>) + +               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) + +               %(</form>) + +    assert_dom_equal expected, output_buffer + +  end +   +  def test_default_form_builder_without_object + +    form_for(:post) do |f| +       concat f.error_message_on('author_name') +       concat f.error_messages +    end + +    expected = %(<form action='http://www.example.com' method='post'>) + +               %(<div class='formError'>can't be empty</div>) + +               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) + +               %(</form>) + +    assert_dom_equal expected, output_buffer + +  end + +  # Perhaps this test should be moved to prototype helper tests. +  def test_remote_form_for_with_labelled_builder +    self.extend ActionView::Helpers::PrototypeHelper + +     remote_form_for(:post, @post, :builder => LabelledFormBuilder) do |f| +       concat f.text_field(:title) +       concat f.text_area(:body) +       concat f.check_box(:secret) +     end + +     expected = +       %(<form action="http://www.example.com" onsubmit="new Ajax.Request('http://www.example.com', {asynchronous:true, evalScripts:true, parameters:Form.serialize(this)}); return false;" method="post">) + +       "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" + +       "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" + +       "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" + +       "</form>" + +     assert_dom_equal expected, output_buffer +  end + +  def test_fields_for_with_labelled_builder +    fields_for(:post, @post, :builder => LabelledFormBuilder) do |f| +      concat f.text_field(:title) +      concat f.text_area(:body) +      concat f.check_box(:secret) +    end + +    expected = +      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" + +      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" + +      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_labelled_builder_with_nested_fields_for_without_options_hash +    klass = nil + +    form_for(:post, @post, :builder => LabelledFormBuilder) do |f| +      f.fields_for(:comments, Comment.new) do |nested_fields| +        klass = nested_fields.class +        '' +      end +    end + +    assert_equal LabelledFormBuilder, klass +  end + +  def test_form_for_with_labelled_builder_with_nested_fields_for_with_options_hash +    klass = nil + +    form_for(:post, @post, :builder => LabelledFormBuilder) do |f| +      f.fields_for(:comments, Comment.new, :index => 'foo') do |nested_fields| +        klass = nested_fields.class +        '' +      end +    end + +    assert_equal LabelledFormBuilder, klass +  end + +  class LabelledFormBuilderSubclass < LabelledFormBuilder; end + +  def test_form_for_with_labelled_builder_with_nested_fields_for_with_custom_builder +    klass = nil + +    form_for(:post, @post, :builder => LabelledFormBuilder) do |f| +      f.fields_for(:comments, Comment.new, :builder => LabelledFormBuilderSubclass) do |nested_fields| +        klass = nested_fields.class +        '' +      end +    end + +    assert_equal LabelledFormBuilderSubclass, klass +  end + +  def test_form_for_with_html_options_adds_options_to_form_tag +    form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end +    expected = "<form action=\"http://www.example.com\" class=\"some_class\" id=\"some_form\" method=\"post\"></form>" + +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_string_url_option +    form_for(:post, @post, :url => 'http://www.otherdomain.com') do |f| end + +    assert_equal '<form action="http://www.otherdomain.com" method="post"></form>', output_buffer +  end + +  def test_form_for_with_hash_url_option +    form_for(:post, @post, :url => {:controller => 'controller', :action => 'action'}) do |f| end + +    assert_equal 'controller', @controller.url_for_options[:controller] +    assert_equal 'action', @controller.url_for_options[:action] +  end + +  def test_form_for_with_record_url_option +    form_for(:post, @post, :url => @post) do |f| end + +    expected = "<form action=\"/posts/123\" method=\"post\"></form>" +    assert_equal expected, output_buffer +  end + +  def test_form_for_with_existing_object +    form_for(@post) do |f| end + +    expected = "<form action=\"/posts/123\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>" +    assert_equal expected, output_buffer +  end + +  def test_form_for_with_new_object +    post = Post.new +    post.new_record = true +    def post.id() nil end + +    form_for(post) do |f| end + +    expected = "<form action=\"/posts\" class=\"new_post\" id=\"new_post\" method=\"post\"></form>" +    assert_equal expected, output_buffer +  end + +  def test_form_for_with_existing_object_in_list +    @post.new_record = false +    @comment.save + +    form_for([@post, @comment]) {} + +    expected = %(<form action="#{comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_new_object_in_list +    @post.new_record = false + +    form_for([@post, @comment]) {} + +    expected = %(<form action="#{comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_existing_object_and_namespace_in_list +    @post.new_record = false +    @comment.save + +    form_for([:admin, @post, @comment]) {} + +    expected = %(<form action="#{admin_comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_new_object_and_namespace_in_list +    @post.new_record = false + +    form_for([:admin, @post, @comment]) {} + +    expected = %(<form action="#{admin_comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_form_for_with_existing_object_and_custom_url +    form_for(@post, :url => "/super_posts") do |f| end + +    expected = "<form action=\"/super_posts\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>" +    assert_equal expected, output_buffer +  end + +  def test_remote_form_for_with_html_options_adds_options_to_form_tag +    self.extend ActionView::Helpers::PrototypeHelper + +    remote_form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end +    expected = "<form action=\"http://www.example.com\" class=\"some_class\" id=\"some_form\" method=\"post\" onsubmit=\"new Ajax.Request('http://www.example.com', {asynchronous:true, evalScripts:true, parameters:Form.serialize(this)}); return false;\"></form>" + +    assert_dom_equal expected, output_buffer +  end + +  protected +    def comments_path(post) +      "/posts/#{post.id}/comments" +    end +    alias_method :post_comments_path, :comments_path + +    def comment_path(post, comment) +      "/posts/#{post.id}/comments/#{comment.id}" +    end +    alias_method :post_comment_path, :comment_path + +    def admin_comments_path(post) +      "/admin/posts/#{post.id}/comments" +    end +    alias_method :admin_post_comments_path, :admin_comments_path + +    def admin_comment_path(post, comment) +      "/admin/posts/#{post.id}/comments/#{comment.id}" +    end +    alias_method :admin_post_comment_path, :admin_comment_path + +    def posts_path +      "/posts" +    end + +    def post_path(post) +      "/posts/#{post.id}" +    end + +    def protect_against_forgery? +      false +    end +end diff --git a/vendor/plugins/rails_xss/test/form_tag_helper_test.rb b/vendor/plugins/rails_xss/test/form_tag_helper_test.rb new file mode 100644 index 000000000..41eeceeb3 --- /dev/null +++ b/vendor/plugins/rails_xss/test/form_tag_helper_test.rb @@ -0,0 +1,354 @@ +require 'test_helper' + +class FormTagHelperTest < ActionView::TestCase +  def setup +    @controller = Class.new do +      def url_for(options) +        "http://www.example.com" +      end +    end +    @controller = @controller.new +  end + +  VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name + +  def test_check_box_tag +    actual = check_box_tag "admin" +    expected = %(<input id="admin" name="admin" type="checkbox" value="1" />) +    assert_dom_equal expected, actual +  end + +  def test_check_box_tag_id_sanitized +    label_elem = root_elem(check_box_tag("project[2][admin]")) +    assert_match VALID_HTML_ID, label_elem['id'] +  end + +  def test_form_tag +    actual = form_tag +    expected = %(<form action="http://www.example.com" method="post">) +    assert_dom_equal expected, actual +  end + +  def test_form_tag_multipart +    actual = form_tag({}, { 'multipart' => true }) +    expected = %(<form action="http://www.example.com" enctype="multipart/form-data" method="post">) +    assert_dom_equal expected, actual +  end + +  def test_form_tag_with_method_put +    actual = form_tag({}, { :method => :put }) +    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>) +    assert_dom_equal expected, actual +  end + +  def test_form_tag_with_method_delete +    actual = form_tag({}, { :method => :delete }) +    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="delete" /></div>) +    assert_dom_equal expected, actual +  end + +  def test_form_tag_with_block_in_erb +    __in_erb_template = '' +    form_tag("http://example.com") { concat "Hello world!" } + +    expected = %(<form action="http://example.com" method="post">Hello world!</form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_form_tag_with_block_and_method_in_erb +    __in_erb_template = '' +    form_tag("http://example.com", :method => :put) { concat "Hello world!" } + +    expected = %(<form action="http://example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>Hello world!</form>) +    assert_dom_equal expected, output_buffer +  end + +  def test_hidden_field_tag +    actual = hidden_field_tag "id", 3 +    expected = %(<input id="id" name="id" type="hidden" value="3" />) +    assert_dom_equal expected, actual +  end + +  def test_hidden_field_tag_id_sanitized +    input_elem = root_elem(hidden_field_tag("item[][title]")) +    assert_match VALID_HTML_ID, input_elem['id'] +  end + +  def test_file_field_tag +    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" />", file_field_tag("picsplz") +  end + +  def test_file_field_tag_with_options +    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" class=\"pix\"/>", file_field_tag("picsplz", :class => "pix") +  end + +  def test_password_field_tag +    actual = password_field_tag +    expected = %(<input id="password" name="password" type="password" />) +    assert_dom_equal expected, actual +  end + +  def test_radio_button_tag +    actual = radio_button_tag "people", "david" +    expected = %(<input id="people_david" name="people" type="radio" value="david" />) +    assert_dom_equal expected, actual + +    actual = radio_button_tag("num_people", 5) +    expected = %(<input id="num_people_5" name="num_people" type="radio" value="5" />) +    assert_dom_equal expected, actual + +    actual = radio_button_tag("gender", "m") + radio_button_tag("gender", "f") +    expected = %(<input id="gender_m" name="gender" type="radio" value="m" /><input id="gender_f" name="gender" type="radio" value="f" />) +    assert_dom_equal expected, actual + +    actual = radio_button_tag("opinion", "-1") + radio_button_tag("opinion", "1") +    expected = %(<input id="opinion_-1" name="opinion" type="radio" value="-1" /><input id="opinion_1" name="opinion" type="radio" value="1" />) +    assert_dom_equal expected, actual + +    actual = radio_button_tag("person[gender]", "m") +    expected = %(<input id="person_gender_m" name="person[gender]" type="radio" value="m" />) +    assert_dom_equal expected, actual +  end + +  def test_select_tag +    actual = select_tag "people", "<option>david</option>".html_safe +    expected = %(<select id="people" name="people"><option>david</option></select>) +    assert_dom_equal expected, actual +  end + +  def test_select_tag_with_multiple +    actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>".html_safe, :multiple => :true +    expected = %(<select id="colors" multiple="multiple" name="colors"><option>Red</option><option>Blue</option><option>Green</option></select>) +    assert_dom_equal expected, actual +  end + +  def test_select_tag_disabled +    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :disabled => :true +    expected = %(<select id="places" disabled="disabled" name="places"><option>Home</option><option>Work</option><option>Pub</option></select>) +    assert_dom_equal expected, actual +  end + +  def test_select_tag_id_sanitized +    input_elem = root_elem(select_tag("project[1]people", "<option>david</option>")) +    assert_match VALID_HTML_ID, input_elem['id'] +  end + +  def test_select_tag_with_array_options +    assert_deprecated /array/ do +      select_tag "people", ["<option>david</option>"] +    end +  end + +  def test_text_area_tag_size_string +    actual = text_area_tag "body", "hello world", "size" => "20x40" +    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_area_tag_size_symbol +    actual = text_area_tag "body", "hello world", :size => "20x40" +    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_area_tag_should_disregard_size_if_its_given_as_an_integer +    actual = text_area_tag "body", "hello world", :size => 20 +    expected = %(<textarea id="body" name="body">hello world</textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_area_tag_id_sanitized +    input_elem = root_elem(text_area_tag("item[][description]")) +    assert_match VALID_HTML_ID, input_elem['id'] +  end + +  def test_text_area_tag_escape_content +    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40" +    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_area_tag_unescaped_content +    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false +    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_area_tag_unescaped_nil_content +    actual = text_area_tag "body", nil, :escape => false +    expected = %(<textarea id="body" name="body"></textarea>) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag +    actual = text_field_tag "title", "Hello!" +    expected = %(<input id="title" name="title" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_class_string +    actual = text_field_tag "title", "Hello!", "class" => "admin" +    expected = %(<input class="admin" id="title" name="title" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_size_symbol +    actual = text_field_tag "title", "Hello!", :size => 75 +    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_size_string +    actual = text_field_tag "title", "Hello!", "size" => "75" +    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_maxlength_symbol +    actual = text_field_tag "title", "Hello!", :maxlength => 75 +    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_maxlength_string +    actual = text_field_tag "title", "Hello!", "maxlength" => "75" +    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_disabled +    actual = text_field_tag "title", "Hello!", :disabled => :true +    expected = %(<input id="title" name="title" disabled="disabled" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_with_multiple_options +    actual = text_field_tag "title", "Hello!", :size => 70, :maxlength => 80 +    expected = %(<input id="title" name="title" size="70" maxlength="80" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_text_field_tag_id_sanitized +    input_elem = root_elem(text_field_tag("item[][title]")) +    assert_match VALID_HTML_ID, input_elem['id'] +  end + +  def test_label_tag_without_text +    actual = label_tag "title" +    expected = %(<label for="title">Title</label>) +    assert_dom_equal expected, actual +  end + +  def test_label_tag_with_symbol +    actual = label_tag :title +    expected = %(<label for="title">Title</label>) +    assert_dom_equal expected, actual +  end + +  def test_label_tag_with_text +    actual = label_tag "title", "My Title" +    expected = %(<label for="title">My Title</label>) +    assert_dom_equal expected, actual +  end + +  def test_label_tag_class_string +    actual = label_tag "title", "My Title", "class" => "small_label" +    expected = %(<label for="title" class="small_label">My Title</label>) +    assert_dom_equal expected, actual +  end + +  def test_label_tag_id_sanitized +    label_elem = root_elem(label_tag("item[title]")) +    assert_match VALID_HTML_ID, label_elem['for'] +  end + +  def test_boolean_options +    assert_dom_equal %(<input checked="checked" disabled="disabled" id="admin" name="admin" readonly="readonly" type="checkbox" value="1" />), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes") +    assert_dom_equal %(<input checked="checked" id="admin" name="admin" type="checkbox" value="1" />), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil) +    assert_dom_equal %(<input type="checkbox" />), tag(:input, :type => "checkbox", :checked => false) +    assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => true) +    assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>".html_safe, :multiple => true) +    assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => nil) +  end + +  def test_stringify_symbol_keys +    actual = text_field_tag "title", "Hello!", :id => "admin" +    expected = %(<input id="admin" name="title" type="text" value="Hello!" />) +    assert_dom_equal expected, actual +  end + +  def test_submit_tag +    assert_dom_equal( +      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />), +      submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')") +    ) +  end + +  def test_submit_tag_with_no_onclick_options +    assert_dom_equal( +      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />), +      submit_tag("Save", :disable_with => "Saving...") +    ) +  end + +  def test_submit_tag_with_confirmation +    assert_dom_equal( +      %(<input name='commit' type='submit' value='Save' onclick="if (!confirm('Are you sure?')) return false; return true;"/>), +      submit_tag("Save", :confirm => "Are you sure?") +    ) +  end + +  def test_submit_tag_with_confirmation_and_with_disable_with +    assert_dom_equal( +      %(<input name="commit" onclick="if (!confirm('Are you sure?')) return false; if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />), +      submit_tag("Save", :disable_with => "Saving...", :confirm => "Are you sure?") +    ) +  end + +  def test_image_submit_tag_with_confirmation +    assert_dom_equal( +      %(<input type="image" src="/images/save.gif" onclick="return confirm('Are you sure?');"/>), +      image_submit_tag("save.gif", :confirm => "Are you sure?") +    ) +  end + +  def test_pass +    assert_equal 1, 1 +  end + +  def test_field_set_tag_in_erb +    __in_erb_template = '' +    field_set_tag("Your details") { concat "Hello world!" } + +    expected = %(<fieldset><legend>Your details</legend>Hello world!</fieldset>) +    assert_dom_equal expected, output_buffer + +    self.output_buffer = ''.html_safe +    field_set_tag { concat "Hello world!" } + +    expected = %(<fieldset>Hello world!</fieldset>) +    assert_dom_equal expected, output_buffer + +    self.output_buffer = ''.html_safe +    field_set_tag('') { concat "Hello world!" } + +    expected = %(<fieldset>Hello world!</fieldset>) +    assert_dom_equal expected, output_buffer + +    self.output_buffer = ''.html_safe +    field_set_tag('', :class => 'format') { concat "Hello world!" } + +    expected = %(<fieldset class="format">Hello world!</fieldset>) +    assert_dom_equal expected, output_buffer +  end + +  def protect_against_forgery? +    false +  end + +  private + +  def root_elem(rendered_content) +    HTML::Document.new(rendered_content).root.children[0] +  end +end diff --git a/vendor/plugins/rails_xss/test/javascript_helper_test.rb b/vendor/plugins/rails_xss/test/javascript_helper_test.rb new file mode 100644 index 000000000..691d97a15 --- /dev/null +++ b/vendor/plugins/rails_xss/test/javascript_helper_test.rb @@ -0,0 +1,10 @@ +require 'test_helper' + +class JavascriptHelperTest < ActionView::TestCase +  def test_escape_javascript_with_safebuffer +    given = %('quoted' "double-quoted" new-line:\n </closed>) +    expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>) +    assert_equal expect, escape_javascript(given) +    assert_equal expect, escape_javascript(ActiveSupport::SafeBuffer.new(given)) +  end +end diff --git a/vendor/plugins/rails_xss/test/output_escaping_test.rb b/vendor/plugins/rails_xss/test/output_escaping_test.rb new file mode 100644 index 000000000..8b6f8b83c --- /dev/null +++ b/vendor/plugins/rails_xss/test/output_escaping_test.rb @@ -0,0 +1,19 @@ +require 'test_helper' + +class OutputEscapingTest < ActiveSupport::TestCase + +  test "escape_html shouldn't die when passed nil" do +    assert ERB::Util.h(nil).blank? +  end + +  test "escapeHTML should escape strings" do +    assert_equal "<>"", ERB::Util.h("<>\"") +  end + +  test "escapeHTML shouldn't touch explicitly safe strings" do +    # TODO this seems easier to compose and reason about, but +    # this should be verified +    assert_equal "<", ERB::Util.h("<".html_safe) +  end + +end diff --git a/vendor/plugins/rails_xss/test/output_safety_test.rb b/vendor/plugins/rails_xss/test/output_safety_test.rb new file mode 100644 index 000000000..2e376477d --- /dev/null +++ b/vendor/plugins/rails_xss/test/output_safety_test.rb @@ -0,0 +1,115 @@ +require 'test_helper' + +class OutputSafetyTest < ActiveSupport::TestCase +  def setup +    @string = "hello" +    @object = Class.new(Object) do +      def to_s +        "other" +      end +    end.new +  end + +  test "A string is unsafe by default" do +    assert !@string.html_safe? +  end + +  test "A string can be marked safe" do +    string = @string.html_safe +    assert string.html_safe? +  end + +  test "Marking a string safe returns the string" do +    assert_equal @string, @string.html_safe +  end + +  test "A fixnum is safe by default" do +    assert 5.html_safe? +  end + +  test "An object is unsafe by default" do +    assert !@object.html_safe? +  end + +  test "Adding an object to a safe string returns a safe string" do +    string = @string.html_safe +    string << @object + +    assert_equal "helloother", string +    assert string.html_safe? +  end + +  test "Adding a safe string to another safe string returns a safe string" do +    @other_string = "other".html_safe +    string = @string.html_safe +    @combination = @other_string + string + +    assert_equal "otherhello", @combination +    assert @combination.html_safe? +  end + +  test "Adding an unsafe string to a safe string escapes it and returns a safe string" do +    @other_string = "other".html_safe +    @combination = @other_string + "<foo>" +    @other_combination = @string + "<foo>" + +    assert_equal "other<foo>", @combination +    assert_equal "hello<foo>", @other_combination + +    assert @combination.html_safe? +    assert !@other_combination.html_safe? +  end + +  test "Concatting safe onto unsafe yields unsafe" do +    @other_string = "other" + +    string = @string.html_safe +    @other_string.concat(string) +    assert !@other_string.html_safe? +  end + +  test "Concatting unsafe onto safe yields escaped safe" do +    @other_string = "other".html_safe +    string = @other_string.concat("<foo>") +    assert_equal "other<foo>", string +    assert string.html_safe? +  end + +  test "Concatting safe onto safe yields safe" do +    @other_string = "other".html_safe +    string = @string.html_safe + +    @other_string.concat(string) +    assert @other_string.html_safe? +  end + +  test "Concatting safe onto unsafe with << yields unsafe" do +    @other_string = "other" +    string = @string.html_safe + +    @other_string << string +    assert !@other_string.html_safe? +  end + +  test "Concatting unsafe onto safe with << yields escaped safe" do +    @other_string = "other".html_safe +    string = @other_string << "<foo>" +    assert_equal "other<foo>", string +    assert string.html_safe? +  end + +  test "Concatting safe onto safe with << yields safe" do +    @other_string = "other".html_safe +    string = @string.html_safe + +    @other_string << string +    assert @other_string.html_safe? +  end + +  test "Concatting a fixnum to safe always yields safe" do +    string = @string.html_safe +    string = string.concat(13) +    assert_equal "hello".concat(13), string +    assert string.html_safe? +  end +end diff --git a/vendor/plugins/rails_xss/test/rails_xss_test.rb b/vendor/plugins/rails_xss/test/rails_xss_test.rb new file mode 100644 index 000000000..b6268bafd --- /dev/null +++ b/vendor/plugins/rails_xss/test/rails_xss_test.rb @@ -0,0 +1,23 @@ +require 'test_helper' + +class RailsXssTest < ActiveSupport::TestCase +  test "ERB::Util.h should mark its return value as safe and escape it" do +    escaped = ERB::Util.h("<p>") +    assert_equal "<p>", escaped +    assert escaped.html_safe? +  end + +  test "ERB::Util.h should leave previously safe strings alone " do +    # TODO this seems easier to compose and reason about, but +    # this should be verified +    escaped = ERB::Util.h("<p>".html_safe) +    assert_equal "<p>", escaped +    assert escaped.html_safe? +  end + +  test "ERB::Util.h should not implode when passed a non-string" do +    assert_nothing_raised do +      assert_equal "1", ERB::Util.h(1) +    end +  end +end diff --git a/vendor/plugins/rails_xss/test/raw_output_helper_test.rb b/vendor/plugins/rails_xss/test/raw_output_helper_test.rb new file mode 100644 index 000000000..2a67f976e --- /dev/null +++ b/vendor/plugins/rails_xss/test/raw_output_helper_test.rb @@ -0,0 +1,18 @@ +require 'test_helper' + +class RawOutputHelperTest < ActionView::TestCase + +  def setup +    @string = "hello" +  end + +  test "raw returns the safe string" do +    result = raw(@string) +    assert_equal @string, result +    assert result.html_safe? +  end + +  test "raw handles nil values correctly" do +    assert_equal "", raw(nil) +  end +end diff --git a/vendor/plugins/rails_xss/test/safe_buffer_test.rb b/vendor/plugins/rails_xss/test/safe_buffer_test.rb new file mode 100644 index 000000000..a0a2eccee --- /dev/null +++ b/vendor/plugins/rails_xss/test/safe_buffer_test.rb @@ -0,0 +1,51 @@ +require 'test_helper' + +class SafeBufferTest < ActiveSupport::TestCase +  def setup +    @buffer = ActiveSupport::SafeBuffer.new +  end + +  test "Should look like a string" do +    assert @buffer.is_a?(String) +    assert_equal "", @buffer +  end + +  test "Should escape a raw string which is passed to them" do +    @buffer << "<script>" +    assert_equal "<script>", @buffer +  end + +  test "Should NOT escape a safe value passed to it" do +    @buffer << "<script>".html_safe +    assert_equal "<script>", @buffer +  end + +  test "Should not mess with an innocuous string" do +    @buffer << "Hello" +    assert_equal "Hello", @buffer +  end + +  test "Should not mess with a previously escape test" do +    @buffer << ERB::Util.html_escape("<script>") +    assert_equal "<script>", @buffer +  end + +  test "Should be considered safe" do +    assert @buffer.html_safe? +  end + +  test "Should return a safe buffer when calling to_s" do +    new_buffer = @buffer.to_s +    assert_equal ActiveSupport::SafeBuffer, new_buffer.class +  end +   +  test "Should not return a safe buffer when using sub" do +    assert !@buffer.sub('', "asdf").html_safe? +  end +   +  test "Should raise argument error when using sub!" do +    assert_raise TypeError do +      @buffer.sub!('', "asdf") +    end +  end +end diff --git a/vendor/plugins/rails_xss/test/tag_helper_test.rb b/vendor/plugins/rails_xss/test/tag_helper_test.rb new file mode 100644 index 000000000..2a4280943 --- /dev/null +++ b/vendor/plugins/rails_xss/test/tag_helper_test.rb @@ -0,0 +1,21 @@ +require 'test_helper' + +class TagHelperTest < ActionView::TestCase + +  def test_content_tag +    assert_equal "<a href=\"create\">Create</a>", content_tag("a", "Create", "href" => "create") +    assert content_tag("a", "Create", "href" => "create").html_safe? +    assert_equal content_tag("a", "Create", "href" => "create"), +                 content_tag("a", "Create", :href => "create") +    assert_equal "<p><script>evil_js</script></p>", +                 content_tag(:p, '<script>evil_js</script>') +    assert_equal "<p><script>evil_js</script></p>", +                 content_tag(:p, '<script>evil_js</script>', nil, false) +  end + +  def test_tag_honors_html_safe_for_param_values +    ['1&2', '1 < 2', '“test“'].each do |escaped| +      assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped.html_safe) +    end +  end +end diff --git a/vendor/plugins/rails_xss/test/test_helper.rb b/vendor/plugins/rails_xss/test/test_helper.rb new file mode 100644 index 000000000..d9594e446 --- /dev/null +++ b/vendor/plugins/rails_xss/test/test_helper.rb @@ -0,0 +1,6 @@ +abort 'RAILS_ROOT=/path/to/rails/2.3/app rake test' unless ENV['RAILS_ROOT'] +require File.expand_path('config/environment', ENV['RAILS_ROOT']) +require File.expand_path('../../init', __FILE__) +require 'active_support/test_case' +require 'action_view/test_case' +require 'test/unit' diff --git a/vendor/plugins/rails_xss/test/text_helper_test.rb b/vendor/plugins/rails_xss/test/text_helper_test.rb new file mode 100644 index 000000000..b74ae547c --- /dev/null +++ b/vendor/plugins/rails_xss/test/text_helper_test.rb @@ -0,0 +1,30 @@ +require 'test_helper' + +class TextHelperTest < ActionView::TestCase + +  def setup +    @controller = Class.new do +      attr_accessor :request +      def url_for(*args) "http://www.example.com" end +    end.new +  end + +  def test_simple_format_with_escaping_html_options +    assert_dom_equal(%(<p class="intro">It's nice to have options.</p>), +                     simple_format("It's nice to have options.", :class=>"intro")) +  end + +  def test_simple_format_should_not_escape_safe_content +    assert_dom_equal(%(<p>This is <script>safe_js</script>.</p>), +                     simple_format('This is <script>safe_js</script>.'.html_safe)) +  end + +  def test_simple_format_escapes_unsafe_content +    assert_dom_equal(%(<p>This is <script>evil_js</script>.</p>), +                     simple_format('This is <script>evil_js</script>.')) +  end + +  def test_truncate_should_not_be_html_safe +    assert !truncate("Hello World!", :length => 12).html_safe? +  end +end diff --git a/vendor/plugins/rails_xss/test/url_for_test.rb b/vendor/plugins/rails_xss/test/url_for_test.rb new file mode 100644 index 000000000..b13451bfb --- /dev/null +++ b/vendor/plugins/rails_xss/test/url_for_test.rb @@ -0,0 +1,39 @@ +require 'test_helper' + +class UrlHelperTest < ActionView::TestCase + +  def abcd(hash = {}) +    hash_for(:a => :b, :c => :d).merge(hash) +  end + +  def hash_for(opts = {}) +    {:controller => "foo", :action => "bar"}.merge(opts) +  end + +  def test_url_for_does_not_escape_urls_if_explicitly_stated +    assert_equal "/foo/bar?a=b&c=d", url_for(abcd(:escape => false)) +  end + +  def test_link_tag_with_img +    link = link_to("<img src='/favicon.jpg' />".html_safe, "/") +    expected = %{<a href="/"><img src='/favicon.jpg' /></a>} +    assert_dom_equal expected, link +  end + +  def test_link_to_should_not_escape_content_for_html_safe +    link = link_to("Some <p>html</p>".html_safe, "/") +    expected = %{<a href="/">Some <p>html</p></a>} +    assert_dom_equal link, expected +  end + +  def test_link_to_escapes_content_for_non_safe +    link = link_to("Some <p>html</p>", "/") +    expected = %{<a href="/">Some <p>html</p></a>} +    assert_dom_equal link, expected +  end + +  def test_url_for_escaping_is_safety_aware +    assert url_for(abcd(:escape => true)).html_safe?, "escaped urls should be html_safe?" +    assert !url_for(abcd(:escape => false)).html_safe?, "non-escaped urls should not be html_safe?" +  end +end | 
