// Copyright (C) 2009 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package com.google.gwtexpui.safehtml.client; import static com.google.common.truth.Truth.assertThat; import org.junit.Rule; import org.junit.Test; import org.junit.rules.ExpectedException; public class SafeHtmlBuilderTest { @Rule public ExpectedException exception = ExpectedException.none(); @Test public void empty() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b.isEmpty()).isTrue(); assertThat(b.hasContent()).isFalse(); assertThat(b.asString()).isEmpty(); b.append("a"); assertThat(b.hasContent()).isTrue(); assertThat(b.asString()).isEqualTo("a"); } @Test public void toSafeHtml() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); b.append(1); final SafeHtml h = b.toSafeHtml(); assertThat(h).isNotNull(); assertThat(h).isNotSameAs(b); assertThat(h).isNotInstanceOf(SafeHtmlBuilder.class); assertThat(h.asString()).isEqualTo("1"); } @Test public void append_boolean() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append(true)); assertThat(b).isSameAs(b.append(false)); assertThat(b.asString()).isEqualTo("truefalse"); } @Test public void append_char() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append('a')); assertThat(b).isSameAs(b.append('b')); assertThat(b.asString()).isEqualTo("ab"); } @Test public void append_int() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append(4)); assertThat(b).isSameAs(b.append(2)); assertThat(b).isSameAs(b.append(-100)); assertThat(b.asString()).isEqualTo("42-100"); } @Test public void append_long() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append(4L)); assertThat(b).isSameAs(b.append(2L)); assertThat(b.asString()).isEqualTo("42"); } @Test public void append_float() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append(0.0f)); assertThat(b.asString()).isEqualTo("0.0"); } @Test public void append_double() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append(0.0)); assertThat(b.asString()).isEqualTo("0.0"); } @Test public void append_String() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((String) null)); assertThat(b.asString()).isEmpty(); assertThat(b).isSameAs(b.append("foo")); assertThat(b).isSameAs(b.append("bar")); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void append_StringBuilder() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((StringBuilder) null)); assertThat(b.asString()).isEmpty(); assertThat(b).isSameAs(b.append(new StringBuilder("foo"))); assertThat(b).isSameAs(b.append(new StringBuilder("bar"))); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void append_StringBuffer() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((StringBuffer) null)); assertThat(b.asString()).isEmpty(); assertThat(b).isSameAs(b.append(new StringBuffer("foo"))); assertThat(b).isSameAs(b.append(new StringBuffer("bar"))); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void append_Object() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((Object) null)); assertThat(b.asString()).isEmpty(); assertThat(b) .isSameAs( b.append( new Object() { @Override public String toString() { return "foobar"; } })); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void append_CharSequence() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((CharSequence) null)); assertThat(b.asString()).isEmpty(); assertThat(b).isSameAs(b.append((CharSequence) "foo")); assertThat(b).isSameAs(b.append((CharSequence) "bar")); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void append_SafeHtml() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.append((SafeHtml) null)); assertThat(b.asString()).isEmpty(); assertThat(b).isSameAs(b.append(new SafeHtmlString("foo"))); assertThat(b).isSameAs(b.append(new SafeHtmlBuilder().append("bar"))); assertThat(b.asString()).isEqualTo("foobar"); } @Test public void htmlSpecialCharacters() { assertThat(escape("&")).isEqualTo("&"); assertThat(escape("<")).isEqualTo("<"); assertThat(escape(">")).isEqualTo(">"); assertThat(escape("\"")).isEqualTo("""); assertThat(escape("'")).isEqualTo("'"); assertThat(escape('&')).isEqualTo("&"); assertThat(escape('<')).isEqualTo("<"); assertThat(escape('>')).isEqualTo(">"); assertThat(escape('"')).isEqualTo("""); assertThat(escape('\'')).isEqualTo("'"); assertThat(escape("")).isEqualTo("<b>"); assertThat(escape("<b>")).isEqualTo("&lt;b&gt;"); } @Test public void entityNbsp() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.nbsp()); assertThat(b.asString()).isEqualTo(" "); } @Test public void tagBr() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.br()); assertThat(b.asString()).isEqualTo("
"); } @Test public void tagTableTrTd() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.openElement("table")); assertThat(b).isSameAs(b.openTr()); assertThat(b).isSameAs(b.openTd()); assertThat(b).isSameAs(b.append("dta")); assertThat(b).isSameAs(b.closeTd()); assertThat(b).isSameAs(b.closeTr()); assertThat(b).isSameAs(b.closeElement("table")); assertThat(b.asString()).isEqualTo("
d<a>ta
"); } @Test public void tagDiv() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.openDiv()); assertThat(b).isSameAs(b.append("dta")); assertThat(b).isSameAs(b.closeDiv()); assertThat(b.asString()).isEqualTo("
d<a>ta
"); } @Test public void tagAnchor() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.openAnchor()); assertThat(b.getAttribute("href")).isEmpty(); assertThat(b).isSameAs(b.setAttribute("href", "http://here")); assertThat(b.getAttribute("href")).isEqualTo("http://here"); assertThat(b).isSameAs(b.setAttribute("href", "dta")); assertThat(b.getAttribute("href")).isEqualTo("dta"); assertThat(b.getAttribute("target")).isEmpty(); assertThat(b).isSameAs(b.setAttribute("target", null)); assertThat(b.getAttribute("target")).isEmpty(); assertThat(b).isSameAs(b.append("go")); assertThat(b).isSameAs(b.closeAnchor()); assertThat(b.asString()).isEqualTo("go"); } @Test public void tagHeightWidth() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.openElement("img")); assertThat(b).isSameAs(b.setHeight(100)); assertThat(b).isSameAs(b.setWidth(42)); assertThat(b).isSameAs(b.closeSelf()); assertThat(b.asString()).isEqualTo(""); } @Test public void styleName() { final SafeHtmlBuilder b = new SafeHtmlBuilder(); assertThat(b).isSameAs(b.openSpan()); assertThat(b).isSameAs(b.setStyleName("foo")); assertThat(b).isSameAs(b.addStyleName("bar")); assertThat(b).isSameAs(b.append("dta")); assertThat(b).isSameAs(b.closeSpan()); assertThat(b.asString()).isEqualTo("d<a>ta"); } @Test public void rejectJavaScript_AnchorHref() { final String href = "javascript:window.close();"; exception.expect(RuntimeException.class); exception.expectMessage("javascript unsafe in href: " + href); new SafeHtmlBuilder().openAnchor().setAttribute("href", href); } @Test public void rejectJavaScript_ImgSrc() { final String href = "javascript:window.close();"; exception.expect(RuntimeException.class); exception.expectMessage("javascript unsafe in href: " + href); new SafeHtmlBuilder().openElement("img").setAttribute("src", href); } @Test public void rejectJavaScript_FormAction() { final String href = "javascript:window.close();"; exception.expect(RuntimeException.class); exception.expectMessage("javascript unsafe in href: " + href); new SafeHtmlBuilder().openElement("form").setAttribute("action", href); } private static String escape(char c) { return new SafeHtmlBuilder().append(c).asString(); } private static String escape(String c) { return new SafeHtmlBuilder().append(c).asString(); } }