Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Branch: stable-4.1
Branches Tags
zammad
/
spec
/
lib
/
notification_factory
/
template_spec.rb

template_spec.rb 3.6 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. require 'rails_helper'
    2. 

  2. 

  3. RSpec.describe NotificationFactory::Template do
    4. 

  4.   subject(:template) do
    5. 

  5.     described_class.new(template_string, escape, trusted)
    6. 

  6.   end
    7. 

  7. 

  8.   let(:trusted) { false }
    9. 

  9. 

  10.   describe '#to_s' do
    11. 

  11.     context 'for empty input template (incl. whitespace-only)' do
    12. 

  12.       let(:template_string) { "\#{ }" }
    13. 

  13. 

  14.       context 'with escape = true' do
    15. 

  15.         let(:escape) { true }
    16. 

  16. 

  17.         it 'returns an ERB template with the #d helper, and passes escape arg as string' do
    18. 

  18.           expect(template.to_s).to eq('<%= d "", true %>')
    19. 

  19.         end
    20. 

  20.       end
    21. 

  21. 

  22.       context 'with escape = false' do
    23. 

  23.         let(:escape) { false }
    24. 

  24. 

  25.         it 'returns an ERB template with the #d helper, and passes escape arg as string' do
    26. 

  26.           expect(template.to_s).to eq('<%= d "", false %>')
    27. 

  27.         end
    28. 

  28.       end
    29. 

  29.     end
    30. 

  30. 

  31.     context 'for sanitizing the template string' do
    32. 

  32.       let(:escape) { false }
    33. 

  33. 

  34.       context 'for strings containing ERB' do
    35. 

  35.         let(:template_string) { '<%% <% "<%" %> <%# comment %> <%= "<%" %> <%- "" %> %%>' }
    36. 

  36. 

  37.         context 'for untrusted templates' do
    38. 

  38.           it 'mutes all pre-existing ERB tags' do
    39. 

  39.             expect(template.to_s).to eq('<%% <%% "<%%" %> <%%# comment %> <%%= "<%%" %> <%%- "" %> %%>')
    40. 

  40.           end
    41. 

  41.         end
    42. 

  42. 

  43.         context 'for trusted templates' do
    44. 

  44.           let(:trusted) { true }
    45. 

  45. 

  46.           it 'keeps all pre-existing ERB tags' do
    47. 

  47.             expect(template.to_s).to eq(template_string)
    48. 

  48.           end
    49. 

  49.         end
    50. 

  50.       end
    51. 

  51.     end
    52. 

  52. 

  53.     context 'for input template using #t helper' do
    54. 

  54.       let(:template_string) { "\#{t('some text')}" }
    55. 

  55.       let(:escape) { false }
    56. 

  56. 

  57.       it 'returns an ERB template with the #t helper, and passes escape arg as string' do
    58. 

  58.         expect(template.to_s).to eq('<%= t "some text", false %>')
    59. 

  59.       end
    60. 

  60. 

  61.       context 'with double-quotes in argument' do
    62. 

  62.         let(:template_string) { "\#{t('some \"text\"')}" }
    63. 

  63. 

  64.         it 'adds backslash-escaping' do
    65. 

  65.           expect(template.to_s).to eq('<%= t "some \"text\"", false %>')
    66. 

  66.         end
    67. 

  67.       end
    68. 

  68.     end
    69. 

  69. 

  70.     # Regression test for https://github.com/zammad/zammad/issues/385
    71. 

  71.     context 'with HTML auto-injected by browser' do
    72. 

  72.       let(:escape) { true }
    73. 

  73. 

  74.       context 'for <a> tags wrapped around "ticket.id"' do
    75. 

  75.         let(:template_string) { <<~'TEMPLATE'.chomp }
    76. 

  76.           #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id</a>}
    77. 

  77.         TEMPLATE
    78. 

  78. 

  79.         it 'strips tag from resulting ERB template' do
    80. 

  80.           expect(template.to_s).to eq('<%= d "ticket.id", true %>')
    81. 

  81.         end
    82. 

  82.       end
    83. 

  83. 

  84.       context 'for <a> tags wrapped around "config.fqdn"' do
    85. 

  85.         let(:template_string) { <<~'TEMPLATE'.chomp }
    86. 

  86.           #{<a href="http://config.fqdn" title="http://config.fqdn" target="_blank">config.fqdn</a>}
    87. 

  87.         TEMPLATE
    88. 

  88. 

  89.         it 'strips tag from resulting ERB template' do
    90. 

  90.           expect(template.to_s).to eq('<%= c "fqdn", true %>')
    91. 

  91.         end
    92. 

  92.       end
    93. 

  93. 

  94.       context 'for <a> tags surrounded by whitespace' do
    95. 

  95.         let(:template_string) { <<~'TEMPLATE'.chomp }
    96. 

  96.           #{   <a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  </a>  }
    97. 

  97.         TEMPLATE
    98. 

  98. 

  99.         it 'strips tag and spaces from template' do
    100. 

  100.           expect(template.to_s).to eq('<%= d "ticket.id", true %>')
    101. 

  101.         end
    102. 

  102.       end
    103. 

  103. 

  104.       context 'for unpaired <a> tag and trailing whitespace' do
    105. 

  105.         let(:template_string) { <<~'TEMPLATE'.chomp }
    106. 

  106.           #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  }
    107. 

  107.         TEMPLATE
    108. 

  108. 

  109.         it 'strips tag and spaces from template' do
    110. 

  110.           expect(template.to_s).to eq('<%= d "ticket.id", true %>')
    111. 

  111.         end
    112. 

  112.       end
    113. 

  113.     end
    114. 

  114.   end
    115. 

  115. end
    116.