test/tests.rb in oj-2.1.7 vs test/tests.rb in oj-2.2.0

@@ -38,25 +38,25 @@
   def eql?(o)
     self.class == o.class && @x == o.x && @y == o.y
   end
   alias == eql?
 
-end # Jam
+end# Jam
 
 class Jeez < Jam
   def initialize(x, y)
     super
   end
-  
+
   def to_json()
     %{{"json_class":"#{self.class}","x":#{@x},"y":#{@y}}}
   end
 
   def self.json_create(h)
     self.new(h['x'], h['y'])
   end
-end # Jeez
+end# Jeez
 
 # contributed by sauliusg to fix as_json
 class Orange < Jam
   def initialize(x, y)
     super
@@ -95,11 +95,11 @@
     { 'json_class' => self.class.to_s, 'x' => @x, 'y' => @y }
   end
   def self.json_create(h)
     self.new(h['x'], h['y'])
   end
-end # Jazz
+end# Jazz
 
 class Range
   def to_hash()
     { 'begin' => self.begin, 'end' => self.end, 'exclude_end' => self.exclude_end? }
   end
@@ -127,11 +127,11 @@
                    :second_precision=>9,
                    :circular=>false,
                    :auto_define=>false,
                    :symbol_keys=>false,
                    :class_cache=>true,
-                   :ascii_only=>false,
+                   :escape_mode=>:json,
                    :mode=>:object,
                    :time_format=>:unix,
                    :bigdecimal_as_decimal=>true,
                    :bigdecimal_load=>false,
                    :create_id=>'json_class'}, opts)
@@ -143,11 +143,11 @@
       :second_precision=>9,
       :circular=>false,
       :auto_define=>false,
       :symbol_keys=>false,
       :class_cache=>true,
-      :ascii_only=>false,
+      :escape_mode=>:ascii,
       :mode=>:object,
       :time_format=>:unix,
       :bigdecimal_as_decimal=>true,
       :bigdecimal_load=>false,
       :create_id=>'json_class'}
@@ -156,11 +156,11 @@
       :second_precision=>7,
       :circular=>true,
       :auto_define=>true,
       :symbol_keys=>true,
       :class_cache=>false,
-      :ascii_only=>true,
+      :escape_mode=>:json,
       :mode=>:compat,
       :time_format=>:ruby,
       :bigdecimal_as_decimal=>false,
       :bigdecimal_load=>true,
       :create_id=>nil}
@@ -248,10 +248,40 @@
     dump_and_load(['a', 1, nil], false)
     dump_and_load([[nil]], false)
     dump_and_load([[nil], 58], false)
   end
 
+  # rails encoding tests
+  def test_does_not_escape_entities_by_default
+    # use Oj to create the hash since some Rubies don't deal nicely with unicode.
+    json = %{{"key":"I <3 this\\u2028space"}}
+    hash = Oj.load(json)
+    out = Oj.dump(hash)
+    assert_equal(json, out)
+  end
+  def test_escapes_entities_by_default_when_configured_to_do_so
+    hash = {'key' => "I <3 this"}
+    Oj.default_options = {:escape_mode => :xss_safe}
+    out = Oj.dump hash
+    assert_equal(%{{"key":"I \\u003c3 this"}}, out)
+  end
+  def test_escapes_entities_when_asked_to
+    hash = {'key' => "I <3 this"}
+    out = Oj.dump(hash, :escape_mode => :xss_safe)
+    assert_equal(%{{"key":"I \\u003c3 this"}}, out)
+  end
+  def test_does_not_escape_entities_when_not_asked_to
+    hash = {'key' => "I <3 this"}
+    out = Oj.dump(hash, :escape_mode => :json)
+    assert_equal(%{{"key":"I <3 this"}}, out)
+  end
+  def test_escapes_common_xss_vectors
+    hash = {'key' => "<script>alert(123) && formatHD()</script>"}
+    out = Oj.dump(hash, :escape_mode => :xss_safe)
+    assert_equal(%{{"key":"\\u003cscript\\u003ealert(123) \\u0026\\u0026 formatHD()\\u003c\\/script\\u003e"}}, out)
+  end
+
   # Symbol
   def test_symbol_strict
     begin
       Oj.dump(:abc, :mode => :strict)
     rescue Exception
@@ -265,11 +295,11 @@
     assert_equal('null', json)
   end
   def test_symbol_compat
     json = Oj.dump(:abc, :mode => :compat)
     assert_equal('"abc"', json)
-  end    
+  end
   def test_symbol_object
     Oj.default_options = { :mode => :object }
     #dump_and_load(''.to_sym, false)
     dump_and_load(:abc, false)
     dump_and_load(':xyz'.to_sym, false)
@@ -293,36 +323,36 @@
   def test_unix_time_compat
     t = Time.xmlschema("2012-01-05T23:58:07.123456000+09:00")
     #t = Time.local(2012, 1, 5, 23, 58, 7, 123456)
     json = Oj.dump(t, :mode => :compat)
     assert_equal(%{1325775487.123456000}, json)
-  end    
+  end
   def test_unix_time_compat_precision
     t = Time.xmlschema("2012-01-05T23:58:07.123456789+09:00")
     #t = Time.local(2012, 1, 5, 23, 58, 7, 123456)
     json = Oj.dump(t, :mode => :compat, :second_precision => 5)
     assert_equal(%{1325775487.12346}, json)
     t = Time.xmlschema("2012-01-05T23:58:07.999600+09:00")
     json = Oj.dump(t, :mode => :compat, :second_precision => 3)
     assert_equal(%{1325775488.000}, json)
-  end    
+  end
   def test_unix_time_compat_early
     t = Time.xmlschema("1954-01-05T00:00:00.123456789+00:00")
     json = Oj.dump(t, :mode => :compat, :second_precision => 5)
     assert_equal(%{-504575999.87654}, json)
-  end    
+  end
   def test_unix_time_compat_1970
     t = Time.xmlschema("1970-01-01T00:00:00.123456789+00:00")
     json = Oj.dump(t, :mode => :compat, :second_precision => 5)
     assert_equal(%{0.12346}, json)
-  end    
+  end
   def test_ruby_time_compat
     t = Time.xmlschema("2012-01-05T23:58:07.123456000+09:00")
     json = Oj.dump(t, :mode => :compat, :time_format => :ruby)
     #assert_equal(%{"2012-01-05 23:58:07 +0900"}, json)
     assert_equal(%{"#{t.to_s}"}, json)
-  end    
+  end
   def test_xml_time_compat
     begin
       t = Time.new(2012, 1, 5, 23, 58, 7.123456000, 34200)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema)
       assert_equal(%{"2012-01-05T23:58:07.123456000+09:30"}, json)
@@ -337,11 +367,11 @@
         sign = '-'
         tz = -tz
       end
       assert_equal(%{"2012-01-05T23:58:07.123456000%s%02d:%02d"} % [sign, tz / 3600, tz / 60 % 60], json)
     end
-  end    
+  end
   def test_xml_time_compat_no_secs
     begin
       t = Time.new(2012, 1, 5, 23, 58, 7.0, 34200)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema)
       assert_equal(%{"2012-01-05T23:58:07+09:30"}, json)
@@ -356,11 +386,11 @@
         sign = '-'
         tz = -tz
       end
       assert_equal(%{"2012-01-05T23:58:07%s%02d:%02d"} % [sign, tz / 3600, tz / 60 % 60], json)
     end
-  end    
+  end
   def test_xml_time_compat_precision
     begin
       t = Time.new(2012, 1, 5, 23, 58, 7.123456789, 32400)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema, :second_precision => 5)
       assert_equal(%{"2012-01-05T23:58:07.12346+09:00"}, json)
@@ -375,11 +405,11 @@
         sign = '-'
         tz = -tz
       end
       assert_equal(%{"2012-01-05T23:58:07.12346%s%02d:%02d"} % [sign, tz / 3600, tz / 60 % 60], json)
     end
-  end    
+  end
   def test_xml_time_compat_precision_round
     begin
       t = Time.new(2012, 1, 5, 23, 58, 7.9996, 32400)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema, :second_precision => 3)
       assert_equal(%{"2012-01-05T23:58:08+09:00"}, json)
@@ -394,11 +424,11 @@
         sign = '-'
         tz = -tz
       end
       assert_equal(%{"2012-01-05T23:58:08%s%02d:%02d"} % [sign, tz / 3600, tz / 60 % 60], json)
     end
-  end    
+  end
   def test_xml_time_compat_zulu
     begin
       t = Time.new(2012, 1, 5, 23, 58, 7.0, 0)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema)
       assert_equal(%{"2012-01-05T23:58:07Z"}, json)
@@ -407,11 +437,11 @@
       t = Time.utc(2012, 1, 5, 23, 58, 7, 0)
       json = Oj.dump(t, :mode => :compat, :time_format => :xmlschema)
       #tz = t.utc_offset
       assert_equal(%{"2012-01-05T23:58:07Z"}, json)
     end
-  end    
+  end
   def test_time_object
     t = Time.now()
     Oj.default_options = { :mode => :object }
     dump_and_load(t, false)
   end
@@ -435,10 +465,10 @@
     assert_equal('null', json)
   end
   def test_class_compat
     json = Oj.dump(Juice, :mode => :compat)
     assert_equal(%{"Juice"}, json)
-  end    
+  end
   def test_class_object
     Oj.default_options = { :mode => :object }
     dump_and_load(Juice, false)
   end