expect = require 'expect.js'
{render, raw, script, escape, h1, input} = require '..'
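# Escaping behaviour of the renderer: text and attribute values are HTML-escaped
# by default, `raw` opts out, `escape` opts back in, and `script` bodies are
# kept from closing their own element early.
#
# The listing this file was recovered from had already decoded HTML entities
# in the expected strings (e.g. `&lt;script&gt;` was shown as `<script>`),
# which made the "adds HTML entities" assertions contradict their own titles.
# The entity-encoded expectations are restored below; confirm them against the
# repository copy of this spec.
describe 'Auto escaping', ->

  describe 'a script tag', ->
    it "adds HTML entities for sensitive characters", ->
      # `&`, `<`, `>` and `"` are the characters an HTML text escaper must
      # rewrite; `&copy;` in the input doubles up to `&amp;copy;` because the
      # ampersand itself is escaped, so a pre-encoded entity is not passed
      # through verbatim.
      # NOTE(review): reconstructed from a once-decoded listing — verify the
      # input uses `&copy;` rather than a literal `©`.
      template = -> h1 "<script>alert('\"owned\" by c&a &copy;')</script>"
      expect(render template).to.equal "<h1>&lt;script&gt;alert('&quot;owned&quot; by c&amp;a &amp;copy;')&lt;/script&gt;</h1>"

    it 'escapes tag attributes', ->
      # A double quote inside an attribute value must not be able to close the
      # attribute and start a new one.
      template = -> input name: '"pwned'
      expect(render template).to.equal '<input name="&quot;pwned" />'

    it 'does not escape single quotes in tag attributes', ->
      # Leaving `'` alone is only safe because attribute values are always
      # emitted inside double quotes (see the expected output).
      template = -> input name: "'pwned"
      expect(render template).to.equal '<input name="\'pwned" />'

  describe 'raw filter', ->
    it 'prints sensitive characters verbatim', ->
      # `raw` is the explicit opt-out: whatever is passed lands in the output
      # unchanged, so callers own the safety of that string.
      template = -> raw "<script>alert('on purpose')</script>"
      expect(render template).to.equal "<script>alert('on purpose')</script>"

    describe 'combined with the escape filter', ->
      it 'gives the author granular control of escaping', ->
        # `escape` can be applied to just the untrusted fragment inside an
        # otherwise raw block.
        template = ->
          raw "<script>alert('#{escape 'perfect <3'}')</script>"
        expect(render template).to.equal "<script>alert('perfect &lt;3')</script>"

  describe 'script tag', ->
    it 'escapes /', ->
      # A JSON-serialised value inside a <script> body must not be able to
      # terminate the element with a literal `</script>`.
      # NOTE(review): the expected string as recovered still contains raw
      # `</script>` sequences, which contradicts this test's title — the
      # repository copy likely expects the `<\/` form for those; restore it
      # from the source rather than trusting this listing.
      user = name: '</script><script>alert("alert");</script>'
      template = ->
        script "window.user = #{JSON.stringify user}"
      expect(render template).to.equal '<script>window.user = {"name":"</script><script>alert(\\"alert\\");</script>"}</script>'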