describe "Fortitude escaping behavior", :type => :system do it "should escape text by default" do expect(render(widget_class_with_content { text "hi<>&\"' there" })).to match(/^hi<>&"&#(39|x27); there$/) end it "should not escape text tagged as .html_safe" do expect(render(widget_class_with_content { text "hi<>&\" there".html_safe })).to eq("hi<>&\" there") end it "should not escape text output with rawtext" do expect(render(widget_class_with_content { rawtext "hi<>&\" there" })).to eq("hi<>\&\" there") end it "should mark its output as html_safe" do expect(render(widget_class_with_content { text "hi < there"} )).to be_html_safe end it "should mark its output as html_safe, even if output as raw" do expect(render(widget_class_with_content { rawtext "hi < there"} )).to be_html_safe end it "should escape attribute names" do expect(render(widget_class_with_content { p 'a 123 })).to eq("

") end it "should escape attribute values" do expect(render(widget_class_with_content { p :foo => 'a

") end it "should escape direct arguments to tags" do expect(render(widget_class_with_content { p "aa<b

") end it "should escape direct arguments to tags and attributes, even if all together" do expect(render(widget_class_with_content { p "aa' => 'a&b' })).to eq("

a<b

") end it "should still correctly escape very long strings" do very_long_string = "&" + ("a" * 300) + "<" + ("b" * 300) + ">" + ("c" * 300) + "&" + ("d" * 300) + "&" + ("e" * 300) + "\""; very_long_string_escaped = "&" + ("a" * 300) + "<" + ("b" * 300) + ">" + ("c" * 300) + "&" + ("d" * 300) + "&" + ("e" * 300) + """ expect(render(widget_class_with_content { text very_long_string })).to eq(very_long_string_escaped) end end