Module: BetterHtml::TestHelper::SafeErbTester

Defined in:
lib/better_html/test_helper/safe_erb_tester.rb

Constant Summary

SAFETY_TIPS =
"-----------\n\nThe javascript snippets listed above do not appear to be escaped properly\nin a javascript context. Here are some tips:\n\nNever use html_safe inside a html tag, since it is _never_ safe:\n  <a href=\"<%= value.html_safe %>\">\n                    ^^^^^^^^^^\n\nAlways use .to_json for html attributes which contain javascript, like 'onclick',\nor twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:\n  <div onclick=\"<%= value.to_json %>\">\n                         ^^^^^^^^\n\nAlways use raw and to_json together within <script> tags:\n  <script type=\"text/javascript\">\n    var yourValue = <%= raw value.to_json %>;\n  </script>             ^^^      ^^^^^^^^\n\n-----------\n"

Instance Method Summary

Instance Method Details

#assert_erb_safety(data, **options) ⇒ Object



# File 'lib/better_html/test_helper/safe_erb_tester.rb', line 37

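# Asserts that an ERB template contains no interpolation the SafeErb checkers
# flag as unsafe. On failure the assertion message lists every finding
# (line number, checker message, underlined source line) followed by
# SAFETY_TIPS, which explains the expected escaping in JavaScript and
# HTML-attribute contexts.
#
# NOTE(review): a passing assertion only means none of the five checkers
# below reported an error; it is a lint on the template text, not a proof
# that every value is escaped at render time, so keep context-appropriate
# escaping (+to_json+, +raw value.to_json+) in the templates regardless.
#
# @param data [String] the ERB template source to check
# @param options [Hash] options forwarded to +BetterHtml::Parser+;
#   +:template_language+ defaults to +:html+ when not supplied
# @return [Object] whatever +assert_predicate+ returns; the assertion raises
#   when any checker reported an error
def assert_erb_safety(data, **options)
  # Work on a copy so the hash handed to the parser is never the caller's.
  options = options.dup
  options[:template_language] ||= :html
  parser = BetterHtml::Parser.new(data, options)

  tester_classes = [
    SafeErb::NoStatements,
    SafeErb::AllowedScriptType,
    SafeErb::NoJavascriptTagHelper,
    SafeErb::TagInterpolation,
    SafeErb::ScriptInterpolation,
  ]

  # Every checker sees the same parse tree; findings from all of them are
  # gathered so one assertion failure reports every problem in the template.
  testers = tester_classes.map { |tester_klass| tester_klass.new(parser) }
  testers.each(&:validate)
  errors = testers.flat_map(&:errors)

  messages = errors.map do |error|
    <<~EOL
      On line #{error.location.line}
      #{error.message}
      #{error.location.line_source_with_underline}\n
    EOL
  end
  # The tips block always closes the report so the fix is next to the finding.
  messages << SAFETY_TIPS

  assert_predicate errors, :empty?, messages.join
end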