Module: BetterHtml::TestHelper::SafeLodashTester

Defined in:
lib/better_html/test_helper/safe_lodash_tester.rb

Defined Under Namespace

Classes: Tester

Constant Summary

# Escaping guidance appended to every failure message that
# #assert_lodash_safety builds, so a failing test explains what safe
# lodash output looks like. Uses <<- (not <<~) so the body keeps its
# column-0 layout and the ^^^^ markers stay aligned under the examples.
SAFETY_TIPS =
<<-EOF
-----------

The javascript snippets listed above do not appear to be escaped properly
in their context. Here are some tips:

Always use lodash's escape syntax inside a html tag:
  <a href="[%= value %]">
           ^^^^

Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
  <div onclick="[%= JSON.stringify(value) %]">
                    ^^^^^^^^^^^^^^

Never use <script> tags inside lodash template.
  <script type="text/javascript">
  ^^^^^^^

-----------
EOF

Instance Method Summary

Instance Method Details

#assert_lodash_safety(data, **options) ⇒ Object



# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 30

# Asserts that +data+ produces no escaping errors when run through Tester.
#
# The source is wrapped in a Parser::Source::Buffer named after
# +options[:filename]+ (falling back to '(buffer)') and handed to Tester
# together with all of +options+. If Tester reports errors, the assertion
# message lists each one (line number, message, and the source line with
# an underline) and ends with SAFETY_TIPS so the reader knows how to fix it.
#
# @param data [String] template source to check
# @param options [Hash] :filename names the buffer; every option, including
#   :filename, is also forwarded to Tester.new
# @return [Object] whatever assert_predicate returns
def assert_lodash_safety(data, **options)
  source_buffer = ::Parser::Source::Buffer.new(options[:filename] || '(buffer)')
  source_buffer.source = data
  checker = Tester.new(source_buffer, **options)

  # One report chunk per error. The explicit "\n" inside the heredoc, on top
  # of the line's own newline, leaves a blank line between consecutive reports.
  reports = checker.errors.map do |error|
    <<~EOL
      On line #{error.location.line}
      #{error.message}
      #{error.location.line_source_with_underline}\n
    EOL
  end

  assert_predicate checker.errors, :empty?, reports.join + SAFETY_TIPS
end