template_spec.rb 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe NotificationFactory::Template do
  4. subject(:template) do
  5. described_class.new(template_string, escape, trusted)
  6. end
  7. let(:trusted) { false }
  8. describe '#to_s' do
  9. context 'for empty input template (incl. whitespace-only)' do
  10. let(:template_string) { "\#{ }" }
  11. context 'with escape = true' do
  12. let(:escape) { true }
  13. it 'returns an ERB template with the #d helper, and passes escape arg as string' do
  14. expect(template.to_s).to eq('<%= d "", true %>')
  15. end
  16. end
  17. context 'with escape = false' do
  18. let(:escape) { false }
  19. it 'returns an ERB template with the #d helper, and passes escape arg as string' do
  20. expect(template.to_s).to eq('<%= d "", false %>')
  21. end
  22. end
  23. end
  24. context 'for escaped input template' do
  25. let(:template_string) { "\\\#{ticket.customer.name}" }
  26. context 'with escape = true' do
  27. let(:escape) { true }
  28. it 'returns the original template string' do
  29. expect(template.to_s).to eq('#{ticket.customer.name}') # rubocop:disable Lint/InterpolationCheck
  30. end
  31. end
  32. context 'with escape = false' do
  33. let(:escape) { false }
  34. it 'returns the original template string' do
  35. expect(template.to_s).to eq('#{ticket.customer.name}') # rubocop:disable Lint/InterpolationCheck
  36. end
  37. end
  38. end
  39. context 'for sanitizing the template string' do
  40. let(:escape) { false }
  41. context 'for strings containing ERB' do
  42. let(:template_string) { '<%% <% "<%" %> <%# comment %> <%= "<%" %> <%- "" %> %%>' }
  43. context 'for untrusted templates' do
  44. it 'mutes all pre-existing ERB tags' do
  45. expect(template.to_s).to eq('<%% <%% "<%%" %> <%%# comment %> <%%= "<%%" %> <%%- "" %> %%>')
  46. end
  47. end
  48. context 'for trusted templates' do
  49. let(:trusted) { true }
  50. it 'keeps all pre-existing ERB tags' do
  51. expect(template.to_s).to eq(template_string)
  52. end
  53. end
  54. end
  55. end
  56. context 'for input template using #t helper' do
  57. let(:template_string) { "\#{t('some text')}" }
  58. let(:escape) { false }
  59. it 'returns an ERB template with the #t helper, and passes escape arg as string' do
  60. expect(template.to_s).to eq('<%= t "some text", false %>')
  61. end
  62. context 'with double-quotes in argument' do
  63. let(:template_string) { "\#{t('some \"text\"')}" }
  64. it 'adds backslash-escaping' do
  65. expect(template.to_s).to eq('<%= t "some \"text\"", false %>')
  66. end
  67. end
  68. end
  69. # Regression test for https://github.com/zammad/zammad/issues/385
  70. context 'with HTML auto-injected by browser' do
  71. let(:escape) { true }
  72. context 'for <a> tags wrapped around "ticket.id"' do
  73. let(:template_string) { <<~'TEMPLATE'.chomp }
  74. #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id</a>}
  75. TEMPLATE
  76. it 'strips tag from resulting ERB template' do
  77. expect(template.to_s).to eq('<%= d "ticket.id", true %>')
  78. end
  79. end
  80. context 'for <a> tags wrapped around "config.fqdn"' do
  81. let(:template_string) { <<~'TEMPLATE'.chomp }
  82. #{<a href="http://config.fqdn" title="http://config.fqdn" target="_blank">config.fqdn</a>}
  83. TEMPLATE
  84. it 'strips tag from resulting ERB template' do
  85. expect(template.to_s).to eq('<%= c "fqdn", true %>')
  86. end
  87. end
  88. context 'for <a> tags surrounded by whitespace' do
  89. let(:template_string) { <<~'TEMPLATE'.chomp }
  90. #{ <a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id </a> }
  91. TEMPLATE
  92. it 'strips tag and spaces from template' do
  93. expect(template.to_s).to eq('<%= d "ticket.id", true %>')
  94. end
  95. end
  96. context 'for unpaired <a> tag and trailing whitespace' do
  97. let(:template_string) { <<~'TEMPLATE'.chomp }
  98. #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id }
  99. TEMPLATE
  100. it 'strips tag and spaces from template' do
  101. expect(template.to_s).to eq('<%= d "ticket.id", true %>')
  102. end
  103. end
  104. end
  105. end
  106. end