[Fix rubocop#4836] Make Rails/OutputSafety aware of safe navigation…

… operator The cop would not register an offense when `#html_safe` and `#safe_concat` were sent using the safe navigation operator. This change fixes that.
donjar · Oct 5, 2017 · 2677293 · 2677293
1 parent 4cb097e
commit 2677293
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@
 * [#4823](https://github.com/bbatsov/rubocop/issues/4823): Make `Lint/UnusedMethodArgument` and `Lint/UnusedBlockArgument` aware of overriding assignments. ([@akhramov][])
 * [#4830](https://github.com/bbatsov/rubocop/issues/4830): Prevent `Lint/BooleanSymbol` from truncating symbol's value in the message when offense is located in the new syntax hash. ([@akhramov][])
 * [#4747](https://github.com/bbatsov/rubocop/issues/4747): Fix `Rails/HasManyOrHasOneDependent` cop incorrectly flags `with_options` blocks. ([@koic][])
+* [#4836](https://github.com/bbatsov/rubocop/issues/4836): Make `Rails/OutputSafety` aware of safe navigation operator. ([@drenmi][])
 
 ### Changes
 

diff --git a/lib/rubocop/cop/rails/output_safety.rb b/lib/rubocop/cop/rails/output_safety.rb
@@ -78,6 +78,7 @@ def on_send(node)
 
           add_offense(node, location: :selector)
         end
+        alias on_csend on_send
 
         private
 

diff --git a/spec/rubocop/cop/rails/output_safety_spec.rb b/spec/rubocop/cop/rails/output_safety_spec.rb
@@ -10,12 +10,22 @@
             ^^^^^^^^^^^ Tagging a string as html safe may be a security risk.
       RUBY
     end
+
     it 'registers an offense when wrapped inside `#safe_join`' do
       expect_offense(<<-RUBY.strip_indent)
         safe_join([i18n_text.safe_concat(i18n_text)])
                              ^^^^^^^^^^^ Tagging a string as html safe may be a security risk.
       RUBY
     end
+
+    context 'when using safe navigation operator', :ruby23 do
+      it 'registers an offense' do
+        expect_offense(<<-RUBY.strip_indent)
+          foo&.safe_concat('bar')
+               ^^^^^^^^^^^ Tagging a string as html safe may be a security risk.
+        RUBY
+      end
+    end
   end
 
   context 'when using `#html_safe`' do
@@ -56,6 +66,15 @@
                                  ^^^^^^^^^ Tagging a string as html safe may be a security risk.
       RUBY
     end
+
+    context 'when using safe navigation operator', :ruby23 do
+      it 'registers an offense for variable receiver and no argument' do
+        expect_offense(<<-RUBY.strip_indent)
+          foo&.html_safe
+               ^^^^^^^^^ Tagging a string as html safe may be a security risk.
+        RUBY
+      end
+    end
   end
 
   context 'when using `#raw`' do
-Original file line number
+Diff line change
@@ Expand Up / @@ -78,6 +78,7 @@ def on_send(node) @@
               add_offense(node, location: :selector)
             end
+            alias on_csend on_send
             private
@@ Expand Down @@