spec/models/concerns/sanitizable_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Sanitizable do
  let_it_be(:klass) do
    Class.new do
      include ActiveModel::Model
      include ActiveModel::Attributes
      include ActiveModel::Validations
      include ActiveModel::Validations::Callbacks
      include Sanitizable

      attribute :id, :integer
      attribute :name, :string
      attribute :description, :string
      attribute :html_body, :string

      sanitizes! :name, :description

      def self.model_name
        ActiveModel::Name.new(self, nil, 'SomeModel')
      end
    end
  end

  shared_examples 'noop' do
    it 'has no effect' do
      expect(subject).to eq(input)
    end
  end

  shared_examples 'a sanitizable field' do |field|
    let(:record) { klass.new(id: 1, name: input, description: input, html_body: input) }

    before do
      record.valid?
    end

    subject { record.public_send(field) }

    describe field do
      context 'when input is nil' do
        let_it_be(:input) { nil }

        it_behaves_like 'noop'
      end

      context 'when input does not contain any html' do
        let_it_be(:input) { 'hello, world!' }

        it_behaves_like 'noop'
      end

      context 'when input contains html' do
        let_it_be(:input) { 'hello<script>alert(1)</script>' }

        it 'sanitizes the input' do
          expect(subject).to eq('hello')
        end

        context 'when input includes html entities' do
          let(:input) { '<div>hello&world</div>' }

          it 'does not escape them' do
            expect(subject).to eq(' hello&world ')
          end
        end
      end

      context 'when input contains pre-escaped html entities' do
        let_it_be(:input) { '&lt;script&gt;alert(1)&lt;/script&gt;' }

        it_behaves_like 'noop'

        it 'is not valid', :aggregate_failures do
          expect(record).not_to be_valid
          expect(record.errors.full_messages).to include('Name cannot contain escaped HTML entities')
        end
      end
    end
  end

  shared_examples 'a non-sanitizable field' do |field, input|
    describe field do
      subject { klass.new(field => input).valid? }

      it 'has no effect' do
        expect(Sanitize).not_to receive(:fragment)

        subject
      end
    end
  end

  it_behaves_like 'a non-sanitizable field', :id, 1
  it_behaves_like 'a non-sanitizable field', :html_body, 'hello<script>alert(1)</script>'

  it_behaves_like 'a sanitizable field', :name
  it_behaves_like 'a sanitizable field', :description
end