Make sure assert_lodash_safety works

Before this commit it was raising an error because the string the message was being appended to was frozen.
Shopify · Jun 28, 2023 · 9b4d7bd · 9b4d7bd
1 parent f806ca6
commit 9b4d7bd
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/lib/better_html/test_helper/safe_lodash_tester.rb b/lib/better_html/test_helper/safe_lodash_tester.rb
@@ -35,7 +35,7 @@ def assert_lodash_safety(data, **options)
         buffer.source = data
         tester = Tester.new(buffer, **options)
 
-        message = ""
+        message = +""
         tester.errors.each do |error|
           message << <<~EOL
             On line #{error.location.line}

diff --git a/test/better_html/test_helper/safe_lodash_tester_test.rb b/test/better_html/test_helper/safe_lodash_tester_test.rb
@@ -6,6 +6,8 @@
 module BetterHtml
   module TestHelper
     class SafeLodashTesterTest < ActiveSupport::TestCase
+      include SafeLodashTester
+
       test "interpolate in attribute not allowed" do
         errors = parse(<<-EOF).errors
           <div class="[%! foo %]">
@@ -83,6 +85,43 @@ class SafeLodashTesterTest < ActiveSupport::TestCase
         assert_equal "javascript statement not allowed here; did you mean '[%=' ?", errors.first.message
       end
 
+      test "assertion failure" do
+        error = assert_raises(Minitest::Assertion) do
+          assert_lodash_safety(<<-EOF)
+            <div class="foo[% if (foo) %]">
+          EOF
+        end
+
+        assert_equal <<~MESSAGE.chomp, error.message
+          On line 1
+          javascript statement not allowed here; did you mean '[%=' ?
+          <div class="foo[% if (foo) %]">
+                         ^^^^^^^^^^^^^^
+
+          -----------
+
+          The javascript snippets listed above do not appear to be escaped properly
+          in their context. Here are some tips:
+
+          Always use lodash's escape syntax inside a html tag:
+            <a href="[%= value %]">
+                     ^^^^
+
+          Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
+          or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+            <div onclick="[%= JSON.stringify(value) %]">
+                              ^^^^^^^^^^^^^^
+
+          Never use <script> tags inside lodash template.
+            <script type="text/javascript">
+            ^^^^^^^
+
+          -----------
+          .
+          Expected [#<BetterHtml::TestHelper::SafetyError: javascript statement not allowed here; did you mean '[%=' ?>] to be empty?.
+        MESSAGE
+      end
+
       private
 
       def parse(data)