From 2d146beb5dcbc5f81df5740ff28cf3e7a50750ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafael.franca@shopify.com>
Date: Wed, 28 Jun 2023 17:37:14 +0000
Subject: [PATCH] Make sure `assert_lodash_safety` works

Before this commit it was raising an error because the string
the message was being appended to was frozen.
---
 .../test_helper/safe_lodash_tester.rb         |  2 +-
 .../test_helper/safe_lodash_tester_test.rb    | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/lib/better_html/test_helper/safe_lodash_tester.rb b/lib/better_html/test_helper/safe_lodash_tester.rb
index db980eb..b83ac7e 100644
--- a/lib/better_html/test_helper/safe_lodash_tester.rb
+++ b/lib/better_html/test_helper/safe_lodash_tester.rb
@@ -35,7 +35,7 @@ def assert_lodash_safety(data, **options)
         buffer.source = data
         tester = Tester.new(buffer, **options)
 
-        message = ""
+        message = +""
         tester.errors.each do |error|
           message << <<~EOL
             On line #{error.location.line}
diff --git a/test/better_html/test_helper/safe_lodash_tester_test.rb b/test/better_html/test_helper/safe_lodash_tester_test.rb
index 94e38cf..be55878 100644
--- a/test/better_html/test_helper/safe_lodash_tester_test.rb
+++ b/test/better_html/test_helper/safe_lodash_tester_test.rb
@@ -6,6 +6,8 @@
 module BetterHtml
   module TestHelper
     class SafeLodashTesterTest < ActiveSupport::TestCase
+      include SafeLodashTester
+
       test "interpolate in attribute not allowed" do
         errors = parse(<<-EOF).errors
           <div class="[%! foo %]">
@@ -83,6 +85,43 @@ class SafeLodashTesterTest < ActiveSupport::TestCase
         assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
       end
 
+      test "assertion failure" do
+        error = assert_raises(Minitest::Assertion) do
+          assert_lodash_safety(<<-EOF)
+            <div class="foo[% if (foo) %]">
+          EOF
+        end
+
+        assert_equal <<-MESSAGE.chomp, error.message
+On line 1
+javascript statement not allowed here; did you mean '[%=' ?
+<div class="foo[% if (foo) %]">
+               ^^^^^^^^^^^^^^
+
+-----------
+
+The javascript snippets listed above do not appear to be escaped properly
+in their context. Here are some tips:
+
+Always use lodash's escape syntax inside a html tag:
+  <a href="[%= value %]">
+           ^^^^
+
+Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
+or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+  <div onclick="[%= JSON.stringify(value) %]">
+                    ^^^^^^^^^^^^^^
+
+Never use <script> tags inside lodash template.
+  <script type="text/javascript">
+  ^^^^^^^
+
+-----------
+.
+Expected [#<BetterHtml::TestHelper::SafetyError: javascript statement not allowed here; did you mean '[%=' ?>] to be empty?.
+        MESSAGE
+      end
+
       private
 
       def parse(data)