blob: 7cbea7e74284be5b150c37e348fb157a280d460b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
# frozen_string_literal: true
module HtmlEscapedHelpers
extend self
# Checks if +content+ contains HTML escaped tags and returns its match.
#
# It matches escaped opening and closing tags `<<name>` and
# `</<name>`. The match is discarded if the tag is inside a quoted
# attribute value.
# Foor example, `<div title="We allow # <b>bold</b>">`.
#
# @return [MatchData, nil] Returns the match or +nil+ if no match was found.
def match_html_escaped_tags(content)
match_data = %r{<\s*(?:/\s*)?\w+}.match(content)
return unless match_data
# Escaped HTML tags are allowed inside quoted attribute values like:
# `title="Press <back>"`
return if %r{=\s*["'][^>]*\z}.match?(match_data.pre_match)
match_data
end
# Checks if +content+ contains HTML escaped tags and raises an exception
# if it does.
#
# See #match_html_escaped_tags for details.
def ensure_no_html_escaped_tags!(content, example)
match_data = match_html_escaped_tags(content)
return unless match_data
# Truncate
pre_match = match_data.pre_match.last(50)
match = match_data[0]
post_match = match_data.post_match.first(50)
string = "#{pre_match}«#{match}»#{post_match}"
raise <<~MESSAGE
The following string contains HTML escaped tags:
#{string}
Please consider using `.html_safe`.
This check can be disabled via:
it #{example.description.inspect}, :skip_html_escaped_tags_check do
...
end
MESSAGE
end
end
|