Wolfmans Howlings: RSpec testing views for escaped HTML http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html en-us 40 A programmers Blog about Ruby, Rails and a few other issues RSpec testing views for escaped HTML <p>For my social networking site <a href="http://snowdogsr.us">snowdogsr.us</a> I decided to escape all user input that gets displayed. I know people like to trick out their profiles with HTML but I want to avoid the various hacks that it allows.</p> <p>So thinking I had done a good job of using h everywhere I output user input fields, I decided to see if I could actually test this with RSpec view tests.</p> <p>I recently switched to <a href="http://rspec.rubyforge.org">RSpec</a> for my testing needs, its cool :)</p> <p>One thing it does is isolate the various things for testing using built in mocking, and views can be entirely tested standalone without accessing a model or a controller.</p> <p>So how would it do testing for escaped user input I wondered?</p> <p>Very well actually.</p> <p>An example is worth a thousand words, so here is my RSpec for my home page.</p> <p>BTW I found about 4 places where embedded HTML in user input was bleeding through, so it was well worth the effort.</p> <p>So this goes in spec/views/home/home_spec.rb...</p> <div class="typocode"><pre><code class="typocode_ruby "> <span class="ident">it</span> <span class="punct">&quot;</span><span class="string">should escape all user input</span><span class="punct">&quot;</span> <span class="keyword">do</span> <span class="attribute">@place</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Place</span><span class="punct">,</span> <span class="symbol">:name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">place name&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:location</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">place location&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:tag_list</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">place taglist &lt;b&gt;</span><span class="punct">&quot;,</span> <span class="symbol">:rated?</span> <span class="punct">=&gt;</span> <span class="constant">false</span><span class="punct">)</span> <span class="attribute">@event</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Event</span><span class="punct">,</span> <span class="symbol">:name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">event name&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:where</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">event where&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:tag_list</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">event taglist &lt;b&gt;</span><span class="punct">&quot;,</span> <span class="symbol">:date_time</span> <span class="punct">=&gt;</span> <span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">,</span> <span class="symbol">:hosted_by</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Event host&lt;b&gt;</span><span class="punct">')</span> <span class="attribute">@post</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Input</span><span class="punct">,</span> <span class="symbol">:input</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">input body &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:tag_list</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">post taglist &lt;b&gt;</span><span class="punct">&quot;,</span> <span class="symbol">:updated_at</span> <span class="punct">=&gt;</span> <span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">,</span> <span class="symbol">:created_at</span> <span class="punct">=&gt;</span> <span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">,</span> <span class="symbol">:created_by</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">post created by person&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:rated?</span> <span class="punct">=&gt;</span> <span class="constant">false</span><span class="punct">)</span> <span class="attribute">@picture</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Picture</span><span class="punct">,</span> <span class="symbol">:public_filename</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">filename&lt;b&gt;.png</span><span class="punct">&quot;)</span> <span class="attribute">@pictures</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@picture</span><span class="punct">]</span> <span class="attribute">@pet</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Pet</span><span class="punct">,</span> <span class="symbol">:name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">pet name&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:owned_by</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">pet owner &lt;b&gt;</span><span class="punct">&quot;,</span> <span class="symbol">:breed</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">breed &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:description</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">pet description &lt;b&gt;</span><span class="punct">&quot;,</span> <span class="symbol">:neutered</span> <span class="punct">=&gt;</span> <span class="constant">true</span><span class="punct">,</span> <span class="symbol">:gender</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">M&lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:pictures</span> <span class="punct">=&gt;</span> <span class="attribute">@pictures</span><span class="punct">,</span> <span class="symbol">:owned_by?</span> <span class="punct">=&gt;</span> <span class="constant">false</span><span class="punct">)</span> <span class="attribute">@posts</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@post</span><span class="punct">]</span> <span class="attribute">@events</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@event</span><span class="punct">]</span> <span class="attribute">@places</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@place</span><span class="punct">]</span> <span class="attribute">@top_places</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@place</span><span class="punct">]</span> <span class="attribute">@new_pets</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@pet</span><span class="punct">]</span> <span class="attribute">@comment</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Comment</span><span class="punct">)</span> <span class="attribute">@comment</span><span class="punct">.</span><span class="ident">stub!</span><span class="punct">(</span><span class="symbol">:user</span><span class="punct">).</span><span class="ident">and_return</span><span class="punct">(</span><span class="attribute">@user</span><span class="punct">)</span> <span class="attribute">@comment</span><span class="punct">.</span><span class="ident">stub!</span><span class="punct">(</span><span class="symbol">:created_at</span><span class="punct">).</span><span class="ident">and_return</span><span class="punct">(</span><span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">)</span> <span class="attribute">@comment</span><span class="punct">.</span><span class="ident">stub!</span><span class="punct">(</span><span class="symbol">:comment</span><span class="punct">).</span><span class="ident">and_return</span><span class="punct">('</span><span class="string">comment body &lt;b&gt;</span><span class="punct">')</span> <span class="attribute">@comments</span><span class="punct">=</span> <span class="punct">[</span><span class="attribute">@comment</span><span class="punct">]</span> <span class="attribute">@post</span><span class="punct">.</span><span class="ident">should_receive</span><span class="punct">(</span><span class="symbol">:comments</span><span class="punct">).</span><span class="ident">and_return</span><span class="punct">(</span><span class="attribute">@comments</span><span class="punct">)</span> <span class="attribute">@new_stuff</span><span class="punct">=</span> <span class="punct">[]</span> <span class="attribute">@new_stuff</span> <span class="punct">&lt;&lt;</span> <span class="punct">{</span><span class="symbol">:list</span> <span class="punct">=&gt;</span> <span class="attribute">@posts</span><span class="punct">,</span> <span class="symbol">:title</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Posts</span><span class="punct">',</span> <span class="symbol">:link</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">#</span><span class="punct">'}</span> <span class="attribute">@new_stuff</span> <span class="punct">&lt;&lt;</span> <span class="punct">{</span><span class="symbol">:list</span> <span class="punct">=&gt;</span> <span class="attribute">@events</span><span class="punct">,</span> <span class="symbol">:title</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Events</span><span class="punct">',</span> <span class="symbol">:link</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">#</span><span class="punct">'}</span> <span class="attribute">@new_stuff</span> <span class="punct">&lt;&lt;</span> <span class="punct">{</span><span class="symbol">:list</span> <span class="punct">=&gt;</span> <span class="attribute">@places</span><span class="punct">,</span> <span class="symbol">:title</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Places</span><span class="punct">',</span> <span class="symbol">:link</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">#</span><span class="punct">'}</span> <span class="attribute">@top</span><span class="punct">=</span> <span class="punct">[]</span> <span class="attribute">@top</span> <span class="punct">&lt;&lt;</span> <span class="punct">{</span><span class="symbol">:list</span> <span class="punct">=&gt;</span> <span class="attribute">@top_places</span><span class="punct">,</span> <span class="symbol">:title</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Hot Places</span><span class="punct">',</span> <span class="symbol">:link</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">#</span><span class="punct">'}</span> <span class="ident">assigns</span><span class="punct">[</span><span class="symbol">:new_stuff</span><span class="punct">]</span> <span class="punct">=</span> <span class="attribute">@new_stuff</span> <span class="ident">assigns</span><span class="punct">[</span><span class="symbol">:top</span><span class="punct">]</span> <span class="punct">=</span> <span class="attribute">@top</span> <span class="ident">assigns</span><span class="punct">[</span><span class="symbol">:new_pets</span><span class="punct">]</span> <span class="punct">=</span> <span class="attribute">@new_pets</span> <span class="ident">render</span> <span class="punct">&quot;</span><span class="string">/home/logged_in</span><span class="punct">&quot;</span> <span class="comment">#puts excerpt(response.body, &quot;&lt;b&gt;&quot;)</span> <span class="ident">response</span><span class="punct">.</span><span class="ident">should_not</span> <span class="ident">have_text</span><span class="punct">(/</span><span class="regex">&lt;b&gt;</span><span class="punct">/)</span> <span class="keyword">end</span></code></pre></div> <p>Its quite complex as the home page renders a lot of summaries of the various lists I have.</p> <p>First I mock the models that are called, and stub out the calls that are made to them. I force them all to return an embedded <code>&lt;b&gt;</code> which I don't use anyway, and with the new CSS oriented web styles shouldn't be used in HTML anyway.</p> <p>Then I just test that <code>&lt;b&gt;</code> does not appear anywhere. If I have correctly used h to escape all the inputs then it should be rendered as <code>&amp;lt;b&amp;gt;</code> instead.</p> <p>The <code>response.should_not have_text(/&lt;b&gt;/)</code> should do that test.</p> <p>One cool thing is the mocking will tell you if any new inputs (ie calls to model attributes) have been added, or if you have forgotten any. So this should keep you honest in the future if you add new attributes that need escaping.</p> <p>The </p> <pre><code>assigns[:new_stuff] = @new_stuff assigns[:top] = @top assigns[:new_pets] = @new_pets </code></pre> <p>Sets the assigns to the variables that my view uses,simulating what the controller would pass in.</p> <p>The <code>mock_model</code> calls at the top also use a shortcut to define all the attributes that get called, and what they return. You can also explicitly do this...</p> <pre><code>@post.should_receive(:comments).and_return(@comments) </code></pre> <p>If you read the RSpec docs you can see that you can also test for parameters passed in, how many times it is called and various other nice things.</p> <p>I added this snippet taken from the rails helpers to aid in finding any errant HTML that bleads through. (I'm not sure how to call it from the RSpec so I just copied the code into a private method).</p> <div class="typocode"><pre><code class="typocode_ruby "> <span class="ident">private</span> <span class="keyword">def </span><span class="method">excerpt</span><span class="punct">(</span><span class="ident">text</span><span class="punct">,</span> <span class="ident">phrase</span><span class="punct">,</span> <span class="ident">radius</span> <span class="punct">=</span> <span class="number">100</span><span class="punct">,</span> <span class="ident">excerpt_string</span> <span class="punct">=</span> <span class="punct">&quot;</span><span class="string">...</span><span class="punct">&quot;)</span> <span class="keyword">if</span> <span class="ident">text</span><span class="punct">.</span><span class="ident">nil?</span> <span class="punct">||</span> <span class="ident">phrase</span><span class="punct">.</span><span class="ident">nil?</span> <span class="keyword">then</span> <span class="keyword">return</span> <span class="keyword">end</span> <span class="ident">phrase</span> <span class="punct">=</span> <span class="constant">Regexp</span><span class="punct">.</span><span class="ident">escape</span><span class="punct">(</span><span class="ident">phrase</span><span class="punct">)</span> <span class="keyword">if</span> <span class="ident">found_pos</span> <span class="punct">=</span> <span class="ident">text</span><span class="punct">.</span><span class="ident">chars</span> <span class="punct">=~</span> <span class="punct">/</span><span class="regex">(<span class="expr">#{phrase}</span>)</span><span class="punct">/</span><span class="ident">i</span> <span class="ident">start_pos</span> <span class="punct">=</span> <span class="punct">[</span> <span class="ident">found_pos</span> <span class="punct">-</span> <span class="ident">radius</span><span class="punct">,</span> <span class="number">0</span> <span class="punct">].</span><span class="ident">max</span> <span class="ident">end_pos</span> <span class="punct">=</span> <span class="punct">[</span> <span class="ident">found_pos</span> <span class="punct">+</span> <span class="ident">phrase</span><span class="punct">.</span><span class="ident">chars</span><span class="punct">.</span><span class="ident">length</span> <span class="punct">+</span> <span class="ident">radius</span><span class="punct">,</span> <span class="ident">text</span><span class="punct">.</span><span class="ident">chars</span><span class="punct">.</span><span class="ident">length</span> <span class="punct">].</span><span class="ident">min</span> <span class="ident">prefix</span> <span class="punct">=</span> <span class="ident">start_pos</span> <span class="punct">&gt;</span> <span class="number">0</span> <span class="punct">?</span> <span class="ident">excerpt_string</span> <span class="punct">:</span> <span class="punct">&quot;</span><span class="string"></span><span class="punct">&quot;</span> <span class="ident">postfix</span> <span class="punct">=</span> <span class="ident">end_pos</span> <span class="punct">&lt;</span> <span class="ident">text</span><span class="punct">.</span><span class="ident">chars</span><span class="punct">.</span><span class="ident">length</span> <span class="punct">?</span> <span class="ident">excerpt_string</span> <span class="punct">:</span> <span class="punct">&quot;</span><span class="string"></span><span class="punct">&quot;</span> <span class="ident">prefix</span> <span class="punct">+</span> <span class="ident">text</span><span class="punct">.</span><span class="ident">chars</span><span class="punct">[</span><span class="ident">start_pos</span><span class="punct">..</span><span class="ident">end_pos</span><span class="punct">].</span><span class="ident">strip</span> <span class="punct">+</span> <span class="ident">postfix</span> <span class="keyword">else</span> <span class="constant">nil</span> <span class="keyword">end</span> <span class="keyword">end</span></code></pre></div> <p>and you can see the call that shows me where the errant <code>&lt;b&gt;</code> is...</p> <pre><code>puts excerpt(response.body, "&lt;b&gt;") </code></pre> <p>I also have some setup code that handles the login and log out mocking, but I'll leave that for the end user to sort out ;)</p> <p>So I think this will make sure that now and in the future this particular view will not bleed user input HTML.</p> <p>Once I did the complex one above the rest of the views were much easier and quicker to implement. Here is an example of a really simple one...</p> <div class="typocode"><pre><code class="typocode_ruby "> <span class="ident">it</span> <span class="punct">&quot;</span><span class="string">should escape all user input</span><span class="punct">&quot;</span> <span class="keyword">do</span> <span class="attribute">@person</span><span class="punct">=</span> <span class="ident">mock_model</span><span class="punct">(</span><span class="constant">Person</span><span class="punct">,</span> <span class="symbol">:name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">person name &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:first_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">person first name &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:last_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">person last name &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:alias</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">person alias &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:show_gender</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Male</span><span class="punct">',</span> <span class="symbol">:about_me</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">about &lt;b&gt;</span><span class="punct">',</span> <span class="symbol">:updated_at</span> <span class="punct">=&gt;</span> <span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">,</span> <span class="symbol">:created_at</span> <span class="punct">=&gt;</span> <span class="constant">DateTime</span><span class="punct">.</span><span class="ident">now</span><span class="punct">,</span> <span class="symbol">:pets</span> <span class="punct">=&gt;</span> <span class="punct">[])</span> <span class="ident">assigns</span><span class="punct">[</span><span class="symbol">:person</span><span class="punct">]</span> <span class="punct">=</span> <span class="attribute">@person</span> <span class="ident">render</span> <span class="punct">&quot;</span><span class="string">/people/show</span><span class="punct">&quot;</span> <span class="ident">response</span><span class="punct">.</span><span class="ident">should_not</span> <span class="ident">have_text</span><span class="punct">(/</span><span class="regex">&lt;b&gt;</span><span class="punct">/)</span> <span class="keyword">end</span></code></pre></div> <p>Couldn't be much simpler, but I found one place where I was not escaping the HTML!</p> <p><a href="http://technorati.com/tag/rspec" rel="tag"></a> <a href="http://technorati.com/tag/view+testing" rel="tag"></a></p> Fri, 06 Jul 2007 18:22:00 -0700 urn:uuid:750e90a2-3017-4858-971a-be0121ae78b6 Jim Morris http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html RSpec Rails rails rspec escapinghtml http://blog.wolfman.com/articles/trackback/331 "RSpec testing views for escaped HTML" by Henrik N <p>Thanks for the idea – implemented something similar.</p> <p>You can probably do something like this to get around re-implementing excerpt:</p> <pre><code>puts "Unescaped user data here: " + response.template.excerpt(response.body, "&lt;b&gt;") </code></pre> Mon, 14 Jan 2008 07:59:41 -0800 urn:uuid:e66c718c-316a-40f3-9d8c-3fe521fc9214 http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html#comment-194 "RSpec testing views for escaped HTML" by Tony <p>So this still requires a setup and a spec for <em>every view</em>. Could get quite complicated for heavier pages, as the home example demonstrates.</p> <p>Would be nice if HAML just escaped everything on its own in the first place.</p> Wed, 01 Aug 2007 11:33:53 -0700 urn:uuid:eeada837-564a-4d10-b10f-a0a683fb1314 http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html#comment-125 "RSpec testing views for escaped HTML" by wolfmanjm <p>Thats a good suggestion. The reason it is in one behavior is there is only one render call, and I try to test the render as it would be called in real life with lots of input.</p> <p>However for the purpose of this specific test, you are right it would be easier to track down the problem if I tested each object separately and called the render three times instead of once.</p> <p>However it wasn't really hard to track down the problems when the <code>puts excerpt...</code> was enabled as it showed exactly where the error was.</p> Wed, 18 Jul 2007 21:52:25 -0700 urn:uuid:86a95538-0abe-4c49-81e8-b01aeea827e9 http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html#comment-105 "RSpec testing views for escaped HTML" by zubari <p>You might find it useful to break down that rather large specification into separate blocks for each of the models you use so that it is easier for you to identify problems if they do occur. In its current state, if you DID forget to escape the html, it wouldn't be obvious where the problem was occurring. A possible strategy would be to mock the models in a "before" block, and then add the stubbing afterwards in separate behaviours.</p> Wed, 18 Jul 2007 20:45:59 -0700 urn:uuid:8316d905-ddc9-4aa9-a5e4-8945d47d1ef1 http://blog.wolfman.com/articles/2007/07/06/rspec-testing-views-for-escaped-html#comment-104