Class: BetterHtml::TestHelper::SafeLodashTester::Tester

Inherits:
Object
  • Object
show all
Defined in:
lib/better_html/test_helper/safe_lodash_tester.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(data, config: BetterHtml.config) ⇒ Tester

Returns a new instance of Tester.



52
53
54
55
56
57
58
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 52

def initialize(data, config: BetterHtml.config)
  @data = data
  @config = config
  @errors = Errors.new
  @parser = BetterHtml::Parser.new(data, template_language: :lodash)
  validate!
end

Instance Attribute Details

#errorsObject (readonly)

Returns the value of attribute errors.



50
51
52
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 50

def errors
  @errors
end

Instance Method Details

#add_error(message, location:) ⇒ Object 



60
61
62
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 60

def add_error(message, location:)
  @errors.add(SafetyError.new(message, location: location))
end

#add_no_statement_error(loc) ⇒ Object 



128
129
130
131
132
133
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 128

def add_no_statement_error(loc)
  add_error(
    "javascript statement not allowed here; did you mean '[%=' ?",
    location: loc
  )
end

#lodash_nodes(node) ⇒ Object 



83
84
85
86
87
88
89
90
91
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 83

def lodash_nodes(node)
  Enumerator.new do |yielder|
    next if node.nil?
    node.descendants(:lodash).each do |lodash_node|
      indicator_node, code_node = *lodash_node
      yielder.yield(lodash_node, indicator_node, code_node)
    end
  end
end

#validate!Object 



64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 64

def validate!
  @parser.nodes_with_type(:tag).each do |tag_node|
    tag = Tree::Tag.from_node(tag_node)
    validate_tag_attributes(tag)
    validate_no_statements(tag_node)

    if tag.name == 'script' && !tag.closing?
      add_error(
        "No script tags allowed nested in lodash templates",
        location: tag_node.loc
      )
    end
  end

  @parser.nodes_with_type(:cdata, :comment).each do |node|
    validate_no_statements(node)
  end
end

#validate_no_statements(node) ⇒ Object 



122
123
124
125
126
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 122

def validate_no_statements(node)
  lodash_nodes(node).each do |lodash_node, indicator_node, code_node|
    add_no_statement_error(lodash_node.loc) if indicator_node.nil?
  end
end

#validate_tag_attributes(tag) ⇒ Object 



93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 93

def validate_tag_attributes(tag)
  tag.attributes.each do |attribute|
    lodash_nodes(attribute.value_node).each do |lodash_node, indicator_node, code_node|
      next if indicator_node.nil?

      if indicator_node.loc.source == '='
        validate_tag_expression(attribute, lodash_node)
      elsif indicator_node.loc.source == '!'
        add_error(
          "lodash interpolation with '[%!' inside html attribute is never safe",
          location: lodash_node.loc
        )
      end
    end
  end
end

#validate_tag_expression(attribute, lodash_node) ⇒ Object 



110
111
112
113
114
115
116
117
118
119
120
 
# File 'lib/better_html/test_helper/safe_lodash_tester.rb', line 110

def validate_tag_expression(attribute, lodash_node)
  _, code_node = *lodash_node
  source = code_node.loc.source.strip
  if @config.javascript_attribute_name?(attribute.name) && !@config.lodash_safe_javascript_expression?(source)
    add_error(
      "lodash interpolation in javascript attribute "\
      "`#{attribute.name}` must call `JSON.stringify(#{source})`",
      location: lodash_node.loc
    )
  end
end