# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/ require 'rails_helper' RSpec.describe NotificationFactory::Template do subject(:template) do described_class.new(template_string, escape, trusted) end let(:trusted) { false } describe '#to_s' do context 'for empty input template (incl. whitespace-only)' do let(:template_string) { "\#{ }" } context 'with escape = true' do let(:escape) { true } it 'returns an ERB template with the #d helper, and passes escape arg as string' do expect(template.to_s).to eq('<%= d "", true %>') end end context 'with escape = false' do let(:escape) { false } it 'returns an ERB template with the #d helper, and passes escape arg as string' do expect(template.to_s).to eq('<%= d "", false %>') end end end context 'for escaped input template' do let(:template_string) { "\\\#{ticket.customer.name}" } context 'with escape = true' do let(:escape) { true } it 'returns the original template string' do expect(template.to_s).to eq('#{ticket.customer.name}') # rubocop:disable Lint/InterpolationCheck end end context 'with escape = false' do let(:escape) { false } it 'returns the original template string' do expect(template.to_s).to eq('#{ticket.customer.name}') # rubocop:disable Lint/InterpolationCheck end end end context 'for sanitizing the template string' do let(:escape) { false } context 'for strings containing ERB' do let(:template_string) { '<%% <% "<%" %> <%# comment %> <%= "<%" %> <%- "" %> %%>' } context 'for untrusted templates' do it 'mutes all pre-existing ERB tags' do expect(template.to_s).to eq('<%% <%% "<%%" %> <%%# comment %> <%%= "<%%" %> <%%- "" %> %%>') end end context 'for trusted templates' do let(:trusted) { true } it 'keeps all pre-existing ERB tags' do expect(template.to_s).to eq(template_string) end end end end context 'for input template using #t helper' do let(:template_string) { "\#{t('some text')}" } let(:escape) { false } it 'returns an ERB template with the #t helper, and passes escape arg as string' do expect(template.to_s).to eq('<%= t "some text", false %>') end context 'with double-quotes in argument' do let(:template_string) { "\#{t('some \"text\"')}" } it 'adds backslash-escaping' do expect(template.to_s).to eq('<%= t "some \"text\"", false %>') end end end # Regression test for https://github.com/zammad/zammad/issues/385 context 'with HTML auto-injected by browser' do let(:escape) { true } context 'for tags wrapped around "ticket.id"' do let(:template_string) { <<~'TEMPLATE'.chomp } #{ticket.id} TEMPLATE it 'strips tag from resulting ERB template' do expect(template.to_s).to eq('<%= d "ticket.id", true %>') end end context 'for tags wrapped around "config.fqdn"' do let(:template_string) { <<~'TEMPLATE'.chomp } #{config.fqdn} TEMPLATE it 'strips tag from resulting ERB template' do expect(template.to_s).to eq('<%= c "fqdn", true %>') end end context 'for tags surrounded by whitespace' do let(:template_string) { <<~'TEMPLATE'.chomp } #{ ticket.id } TEMPLATE it 'strips tag and spaces from template' do expect(template.to_s).to eq('<%= d "ticket.id", true %>') end end context 'for unpaired tag and trailing whitespace' do let(:template_string) { <<~'TEMPLATE'.chomp } #{ticket.id } TEMPLATE it 'strips tag and spaces from template' do expect(template.to_s).to eq('<%= d "ticket.id", true %>') end end end end end