Update specs to match on translations

In Rails 7.13.1 and 7.0.8.1, a XSS vulnerability was closed that updated how translated strings are dealth with. GHSA-9822-6m93-xqf4 This change to specs updates how we verify acceptance (using the translation instead of a regex) and also adds in a helper to conditionally html escape the string based on the Rails version.
thoughtbot · Mar 29, 2024 · f394587 · f394587
1 parent 43b84ec
commit f394587
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 8 deletions.
diff --git a/spec/controllers/passwords_controller_spec.rb b/spec/controllers/passwords_controller_spec.rb
@@ -33,7 +33,7 @@
         }
 
         email = ActionMailer::Base.deliveries.last
-        expect(email.subject).to match(/change your password/i)
+        expect(email.subject).to match(translated_string("passwords.edit.title"))
       end
 
       it "re-renders the page when turbo is enabled" do
@@ -53,7 +53,7 @@
           password: {},
         }
 
-        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(flash.now[:alert]).to match(translated_string("flashes.failure_when_missing_email"))
         expect(response).to render_template(:new)
       end
 
@@ -74,7 +74,7 @@
           },
         }
 
-        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(flash.now[:alert]).to match(translated_string("flashes.failure_when_missing_email"))
         expect(response).to render_template(:new)
       end
 
@@ -164,7 +164,7 @@
         }
 
         expect(response).to render_template(:new)
-        expect(flash.now[:alert]).to match(/double check the URL/i)
+        expect(flash.now[:alert]).to match(translated_string("flashes.failure_when_forbidden"))
       end
     end
 
@@ -178,7 +178,7 @@
         }
 
         expect(response).to render_template(:new)
-        expect(flash.now[:alert]).to match(/double check the URL/i)
+        expect(flash.now[:alert]).to match(translated_string("flashes.failure_when_forbidden"))
       end
     end
 
@@ -278,7 +278,7 @@
           new_password: "",
         )
 
-        expect(flash.now[:alert]).to match(/password can't be blank/i)
+        expect(flash.now[:alert]).to match(translated_string("flashes.failure_after_update"))
         expect(response).to have_http_status(:unprocessable_entity)
         expect(response).to render_template(:edit)
       end

diff --git a/spec/controllers/permissions_controller_spec.rb b/spec/controllers/permissions_controller_spec.rb
@@ -58,7 +58,7 @@ def show
     it "denies access to show and display a flash message" do
       get :show
 
-      expect(flash[:alert]).to match(/^Please sign in to continue/)
+      expect(flash[:alert]).to match(translated_string("flashes.failure_when_not_signed_in"))
     end
   end
 

diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
@@ -41,7 +41,7 @@
         }
 
         expect(response).to render_template(:new)
-        expect(flash[:alert]).to match(/^Bad email or password/)
+        expect(flash[:alert]).to match(translated_string("flashes.failure_after_create"))
       end
     end
 

diff --git a/spec/support/html_escape_helper.rb b/spec/support/html_escape_helper.rb
@@ -0,0 +1,13 @@
+module HTMLEscapeHelper
+  def translated_string(key)
+    if Rails.version >= "7.0"
+      ERB::Util.html_escape_once(I18n.t(key))
+    else
+      I18n.t(key)
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include HTMLEscapeHelper
+end
-Original file line number
+Diff line change
@@ Expand Up / @@ -41,7 +41,7 @@ @@
             }
             expect(response).to render_template(:new)
-            expect(flash[:alert]).to match(/^Bad email or password/)
+            expect(flash[:alert]).to match(translated_string("flashes.failure_after_create"))
           end
         end
@@ Expand Down @@