This repository was archived by the owner on Apr 1, 2024. It is now read-only.
UnsafeInterfacesTest.hack
/*
* Copyright (c) 2004-present, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*
*/
use namespace Facebook\XHP\Core as x;
use type Facebook\XHP\HTML\{body, div, html};
use function Facebook\FBExpect\expect;
// Please see MIGRATING.md for information on how these should be used in
// practice; please don't create/use classes as unsafe as these examples.
/**
 * Test fixture: an UnsafeRenderable that returns the string it was constructed
 * with, unchanged, as its HTML.
 *
 * Nothing in this class escapes or inspects $htmlString, and that is what
 * makes it unsafe: markup inside the string reaches the rendered output as
 * markup (testUnsafeRenderable in this file pins that). It exists only to
 * exercise the interface and is not a pattern to copy.
 */
/* HHAST_IGNORE_ERROR[FinalOrAbstractClass]: Intentionally non-final for test purpose */
class ExampleUnsafeRenderable implements Facebook\XHP\UnsafeRenderable {
  // Raw HTML supplied by the caller; stored and returned as-is.
  public string $htmlString;

  public function __construct(string $htmlString) {
    $this->htmlString = $htmlString;
  }

  /** Returns the stored string verbatim; no escaping is applied here. */
  public async function toHTMLStringAsync(): Awaitable<string> {
    return $this->htmlString;
  }
}
/**
 * Test fixture: ExampleUnsafeRenderable plus the AlwaysValidChild marker.
 *
 * The body is empty; the only difference from the parent is the extra
 * interface. In this file that difference is what lets an instance sit
 * directly under <html> (testAlwaysValidChild), where the parent class is
 * rejected with InvalidChildrenException (testInvalidChild). The fixture
 * therefore skips both output escaping and child validation.
 */
/* HHAST_IGNORE_ERROR[FinalOrAbstractClass]: Intentionally non-final for test purpose */
class ExampleVeryUnsafeRenderable
  extends ExampleUnsafeRenderable
  implements Facebook\XHP\AlwaysValidChild, Facebook\XHP\UnsafeRenderable {
}
/**
 * Test fixture: an UnsafeAttributeValue_DEPRECATED whose toHTMLString() returns
 * the constructor argument unchanged.
 *
 * testUnsafeAttribute in this file shows the consequence: the value is written
 * into the attribute without the escaping a plain string would get, so the
 * caller alone is responsible for what ends up between the quotes.
 */
final class ExampleUnsafeAttribute
  extends Facebook\XHP\UnsafeAttributeValue_DEPRECATED {
  // Attribute text supplied by the caller; stored and returned as-is.
  public string $htmlString;

  public function __construct(string $htmlString) {
    $this->htmlString = $htmlString;
  }

  /** Returns the stored string verbatim; no escaping is applied here. */
  <<__Override>>
  public function toHTMLString(): string {
    return $this->htmlString;
  }
}
/**
 * Pins how XHP renders the "unsafe" escape hatches, using the fixture classes
 * defined in this file: raw child output (UnsafeRenderable), exemption from
 * child validation (AlwaysValidChild) and raw attribute output
 * (UnsafeAttributeValue_DEPRECATED).
 */
final class UnsafeInterfacesTest extends Facebook\HackTest\HackTest {
  /**
   * An UnsafeRenderable child is emitted without escaping: the <script> tag in
   * the input appears as a tag in the output.
   */
  public async function testUnsafeRenderable(): Awaitable<void> {
    $renderable = new ExampleUnsafeRenderable('<script>lollerskates</script>');
    $element = <div>{$renderable}</div>;
    $rendered = await $element->toStringAsync();
    expect($rendered)->toEqual(
      '<div><script>lollerskates</script></div>',
    );
  }

  /**
   * UnsafeRenderable alone does not exempt a child from validation: placing
   * one directly under <html> throws InvalidChildrenException.
   */
  public async function testInvalidChild(): Awaitable<void> {
    expect(async () ==> {
      $renderable = new ExampleUnsafeRenderable('foo');
      $element = <html>{$renderable}<body /></html>;
      await $element->toStringAsync(); // validation runs here and throws
    })->toThrow(Facebook\XHP\InvalidChildrenException::class);
  }

  /**
   * Adding AlwaysValidChild lets the same raw child render under <html>,
   * where testInvalidChild shows the plain UnsafeRenderable is rejected.
   */
  public async function testAlwaysValidChild(): Awaitable<void> {
    $renderable = new ExampleVeryUnsafeRenderable('foo');
    $element = <html>{$renderable}<body /></html>;
    $rendered = await $element->toStringAsync();
    expect($rendered)->toEqual(
      '<html>foo<body></body></html>',
    );
  }

  /**
   * Contrasts a plain string attribute with one wrapped in an
   * UnsafeAttributeValue_DEPRECATED subclass.
   */
  public async function testUnsafeAttribute(): Awaitable<void> {
    // A plain string attribute is HTML-escaped on render: each & comes out
    // as &amp;.
    $plain = 'foo && bar';
    $element = <div onclick={$plain} />;
    $rendered = await $element->toStringAsync();
    expect($rendered)->toEqual(
      '<div onclick="foo &amp;&amp; bar"></div>',
    );

    // Wrapped in an UnsafeAttributeValue_DEPRECATED subclass and set through
    // forceAttribute_DEPRECATED, the same text is written out as-is: the &
    // characters are not escaped.
    $unescaped = new ExampleUnsafeAttribute('foo && bar');
    $element = <div />;
    $element->forceAttribute_DEPRECATED('onclick', $unescaped);
    $rendered = await $element->toStringAsync();
    expect($rendered)->toEqual(
      '<div onclick="foo && bar"></div>',
    );
  }
}