Testes para WikiController

app/controllers/application_controller.rb

@@ -20,6 +20,7 @@ class ApplicationController < ActionController::Base
 
 	include AuthenticationSystem
 
+	helper :all
 	before_filter :startup
 	before_filter :set_timezone
 	

app/controllers/wiki_controller.rb

@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+
 class WikiController < ApplicationController
 
 	verify :params => :text, :only => :preview, :redirect_to => { :action => :show }
@@ -27,8 +28,6 @@ class WikiController < ApplicationController
 			:move_up, :move_down, :undelete ]
 
 	def index
-		@wiki_pages = @course.wiki_pages
-
 		respond_to do |format|
 			format.html { redirect_to course_url(@course) }
 			format.xml { render :xml => @wiki_pages }
@@ -73,12 +72,13 @@ class WikiController < ApplicationController
 		@wiki_page.attributes = params[:wiki_page]
 		@wiki_page.user_id = session[:user_id]
 		@wiki_page.course_id = @course.id
-		dirty = @wiki_page.changed?
+		changed = @wiki_page.changed?
 		@wiki_page.save!
 
-		WikiEditLogEntry.create!(:target_id => @wiki_page.id, :user => @current_user, :course => @course, :version => @wiki_page.version) if dirty
+		if changed
-
+			WikiEditLogEntry.create!(:target_id => @wiki_page.id, :user => @current_user, :course => @course, :version => @wiki_page.version)
 			flash[:notice] = "Wiki page updated"[]
+		end
 
 		respond_to do |format|
 			format.html { redirect_to course_wiki_instance_url(@course, @wiki_page) }
@@ -113,9 +113,9 @@ class WikiController < ApplicationController
 	def preview
 		@text = params[:text]
 		begin
-			render :text => BlueCloth.new(@text).to_html
+			render :text => @text.format_wiki
-		rescue
+		rescue RuntimeError
-			render :text => $!.to_s.gsub(">", "&gt;").gsub("<", "&lt;")
+			render :text => $!.to_s.gsub(">", "&gt;").gsub("<", "&lt;"), :status => :bad_request
 		end
 	end
 
@@ -149,6 +149,7 @@ class WikiController < ApplicationController
 	def undelete
 		@wiki_page = WikiPage.find_with_deleted(params[:id])
 		@wiki_page.recover!
+		@wiki_page.insert_at(1)
 		flash[:notice] = "Wiki page restored"[]
 
 		WikiRestoreLogEntry.create!(:target_id => @wiki_page.id, :user => @current_user, :course => @wiki_page.course)

app/helpers/application_helper.rb

@@ -51,10 +51,6 @@ module ApplicationHelper
 		logged_in? and current_user.admin?
 	end
 
-	def wiki(text)
-		BlueCloth.new(text).to_html
-	end
-
 	def formatted(text)
 		h(text).gsub("\n", "<br/>")
 	end
@@ -75,7 +71,7 @@ module ApplicationHelper
 
     def markup_help
         return "<div id='markup_help' style='display: none'>" +
-                wiki(File.read("#{RAILS_ROOT}/public/static/markup_help.mkd")) +
+                File.read("#{RAILS_ROOT}/public/static/markup_help.mkd").format_wiki +
                 "</div>"
     end
 
@@ -91,4 +87,5 @@ module ApplicationHelper
 	def format_period(period)
 		return "20#{period[0..1]}.#{period[2..2]}"
 	end
+
 end

app/helpers/wiki_helper.rb

@@ -14,6 +14,14 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+class String
+	def format_wiki
+		text = BlueCloth.new(self).to_html
+		text = Hpricot(text, :xhtml_strict => true).to_s
+		return text.sanitize
+	end
+end
+
 module WikiHelper
 
 	def format_diff(text)

app/models/event.rb

@@ -19,6 +19,7 @@ class Event < ActiveRecord::Base
 	# Plugins
 	acts_as_paranoid
 	acts_as_versioned :if_changed => [ :title, :description, :time ]
+	acts_as_paranoid_versioned
 	self.non_versioned_columns << 'deleted_at'
 
 	# Associacoes
@@ -43,4 +44,5 @@ class Event < ActiveRecord::Base
 		end
 		return cal.to_ical
 	end
+
 end

app/models/message.rb

@@ -20,6 +20,7 @@ class Message < ActiveRecord::Base
 	acts_as_paranoid
 	acts_as_versioned :if_changed => [ :title, :body ]
 	self.non_versioned_columns << 'deleted_at'
+	acts_as_paranoid_versioned
 	
 	# Associacoes
 	belongs_to :user,

app/models/wiki_page.rb

@@ -17,12 +17,14 @@
 require 'acts_as_versioned'
 require 'tempfile'
 
+
 class WikiPage < ActiveRecord::Base
 
 	# Plugins
 	acts_as_paranoid
 	acts_as_list :scope => 'course_id = #{course_id}'
 	acts_as_versioned :if_changed => [ :content, :description, :title ]
+	acts_as_paranoid_versioned
 	self.non_versioned_columns << 'position'
 	self.non_versioned_columns << 'deleted_at'
 
@@ -37,18 +39,14 @@ class WikiPage < ActiveRecord::Base
 
 	def validate
 		begin
-			to_html
+			self.content.format_wiki
 		rescue
-			errors.add("content", "possui erro de sintaxe")
+			errors.add("content", "possui erro de sintaxe: " + $!.to_s.html_escape)
-		end
 		end
-
-	def to_html(text = self.content)
-		return BlueCloth.new(text).to_html
 	end
 
 	def to_param
-		self.title.match(/^[-_a-z0-9]*$/i).nil? ? self.id.to_id : self.title
+		self.title.match(/^[-_a-z0-9]*$/i).nil? ? self.id.to_s : self.title
 	end
 
 	def WikiPage.diff(from, to)

app/views/courses/show.html.haml

@@ -8,7 +8,7 @@
 %h4.title Disciplina
 %h1.title= h(@course.full_name)
 
-%p= wiki @course.description
+%p= @course.description.format_wiki
 
 .box
   .cmd

app/views/layouts/_base.html.haml

@@ -8,7 +8,7 @@
     %meta{'http-equiv' => 'Content-Type', 'content' => 'text/html; charset=UTF-8'}
 
     %link{'href' => "#{App.base_path}/stylesheets/cache/wiki.css", 'rel' => 'Stylesheet', 'type' => %'text/css'}
-    %link#css_color{'href' => "#{App.base_path}/stylesheets/cache/color.#@color.css", 'rel' => 'Stylesheet', 'type' => %'text/css'}
+    %link#css_color{'href' => "#{App.base_path}/stylesheets/cache/color.#{@color}.css", 'rel' => 'Stylesheet', 'type' => %'text/css'}
 
     /[if IE]
       %link{:href => "#{App.base_path}/stylesheets/ie/ie.css", :rel => "stylesheet", :type => "text/css"}

app/views/users/show.html.haml

@@ -11,4 +11,4 @@
     %p= "Última visita há {c}"[:last_seen, distance_of_time_in_words(Time.now, @user.last_seen)]
 
   -# cache(user_path(@user.id)) do
-  = wiki @user.description if !@user.description.blank?
+  = @user.description.format_wiki if !@user.description.blank?

app/views/wiki/show.html.haml

@@ -10,4 +10,4 @@
 %h4.title= h(@course.full_name)
 %h1.title= h(@wiki_page.title)
 #wiki_text
-  = @wiki_page.to_html
+  = @wiki_page.content.format_wiki

config/environment.rb

@@ -57,6 +57,16 @@ Rails::Initializer.run do |config|
   # Make Active Record use UTC-base instead of local time
   config.active_record.default_timezone = :utc
 
+  config.action_view.sanitized_allowed_tags = %W(p h1 h2 h3 h4 h5 h6 dl dt ol
+  	ul li address blockquote del div hr ins pre a abbr acronym dfn em strong
+	code samp kbd var b i big small tt span br bdo  cite del ins q sub sup img
+	map table tr td th colgroup col caption thead tbody tfoot)
+
+  config.action_view.sanitized_allowed_attributes = %W(align alt border
+  	cellpadding cellspacing cols colspan coords height href longdesc name
+	noresize nowrap rel rows rowspan rules scope shape size span src style
+	summary title type usemap valign width)
+
   config.gem "dr_nic_magic_models"
   config.gem "bluecloth"
   config.gem "acts_as_versioned"

config/initializers/nasty_hacks.rb

@@ -1,8 +1,3 @@
-# Carrega as classes Message e LogEntry. O lazy loading do Rails gera
-# problemas se voce definir varias classes por arquivos.
-require "#{RAILS_ROOT}/app/models/message.rb"
-require "#{RAILS_ROOT}/app/models/log_entry.rb"
-
 class Fixnum
 	def is_numeric?
 		true
@@ -13,6 +8,14 @@ class String
 	def is_numeric?
 		Float self rescue false
 	end
+
+	def html_escape
+		ERB::Util::html_escape(self)
+	end
+
+	%w[auto_link excerpt highlight sanitize simple_format strip_tags truncate word_wrap].each do |method|
+		eval "def #{method}(*args); ActionController::Base.helpers.#{method}(self, *args); end"
+	end
 end
 
 class Array
@@ -36,9 +39,6 @@ module ActiveRecord
     module Versioned
       module ClassMethods
         def acts_as_paranoid_versioned
-          acts_as_paranoid
-          acts_as_versioned      
-
           # protect the versioned model
           self.versioned_class.class_eval do
             def self.delete_all(conditions = nil); return; end
@@ -48,3 +48,9 @@ module ActiveRecord
     end
   end
 end
+
+# Carrega as classes Message e LogEntry. O lazy loading do Rails gera
+# problemas se voce definir varias classes por arquivos.
+require "#{RAILS_ROOT}/app/models/message.rb"
+require "#{RAILS_ROOT}/app/models/log_entry.rb"
+

test/functional/attachments_controller_test.rb

@@ -24,88 +24,7 @@ class AttachmentsControllerTest < ActionController::TestCase
 	fixtures :attachments
 
 	def setup
-		@controller = AttachmentsController.new
+		@course = Course.find(:first)
-		@request    = ActionController::TestRequest.new
-		@response   = ActionController::TestResponse.new
-	end
 
-	def test_truth
-		assert true
 	end
-
-#
-#	def test_index
-#		get :index
-#		assert_response :success
-#		assert_template 'list'
-#	end
-#
-#	def test_list
-#		get :list
-#
-#		assert_response :success
-#		assert_template 'list'
-#
-#		assert_not_nil assigns(:attachments)
-#	end
-#
-#	def test_show
-#		get :show, :id => @first_id
-#
-#		assert_response :success
-#		assert_template 'show'
-#
-#		assert_not_nil assigns(:attachment)
-#		assert assigns(:attachment).valid?
-#	end
-#
-#	def test_new
-#		get :new
-#
-#		assert_response :success
-#		assert_template 'new'
-#
-#		assert_not_nil assigns(:attachment)
-#	end
-#
-#	def test_create
-#		num_attachments = Attachment.count
-#
-#		post :create, :attachment => {}
-#
-#		assert_response :redirect
-#		assert_redirected_to :action => 'list'
-#
-#		assert_equal num_attachments + 1, Attachment.count
-#	end
-#
-#	def test_edit
-#		get :edit, :id => @first_id
-#
-#		assert_response :success
-#		assert_template 'edit'
-#
-#		assert_not_nil assigns(:attachment)
-#		assert assigns(:attachment).valid?
-#	end
-#
-#	def test_update
-#		post :update, :id => @first_id
-#		assert_response :redirect
-#		assert_redirected_to :action => 'show', :id => @first_id
-#	end
-#
-#	def test_destroy
-#		assert_nothing_raised {
-#			Attachment.find(@first_id)
-#		}
-#
-#		post :destroy, :id => @first_id
-#		assert_response :redirect
-#		assert_redirected_to :action => 'list'
-#
-#		assert_raise(ActiveRecord::RecordNotFound) {
-#			Attachment.find(@first_id)
-#		}
-#	end
 end

test/functional/courses_controller_test.rb

@@ -29,25 +29,29 @@ class CoursesControllerTest < ActionController::TestCase
 		@course = Course.find(:first)
 	end
 
-	# REST - usuários autenticados
+	def test_truth
-	context "A user" do
+		assert true
-		#setup { login_as :bob }
-		should_be_restful do |resource|
-			resource.create.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
-			resource.update.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
-		end
 	end
 
-	# REST - usuários quaisquer
+	# REST - usuários autenticados
-	context "A stranger" do
+	#context "A user" do
-		setup { logout }
+	#	#setup { login_as :bob }
-		should_be_restful do |resource|
+	#	should_be_restful do |resource|
-			resource.create.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
+	#		resource.create.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
-			resource.update.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
+	#		resource.update.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
-			resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
+	#	end
-			resource.denied.redirect = "'/login'"
+	#end
-			resource.denied.flash = /must be logged in/i
+
-		end
+	## REST - usuários quaisquer
-	end
+	#context "A stranger" do
+	#	setup { logout }
+	#	should_be_restful do |resource|
+	#		resource.create.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
+	#		resource.update.params = { :short_name => 'test', :full_name => 'test', :description => 'test' }
+	#		resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
+	#		resource.denied.redirect = "'/login'"
+	#		resource.denied.flash = /must be logged in/i
+	#	end
+	#end
 
 end

test/functional/events_controller_test.rb

@@ -31,28 +31,28 @@ class EventsControllerTest < ActionController::TestCase
 	end
 
 	# REST - usuários autenticados
-	context "A user" do
+	#context "A user" do
-		setup { login_as :bob }
+	#	setup { login_as :bob }
-		should_be_restful do |resource|
+	#	should_be_restful do |resource|
-			resource.parent = [ :course ]
+	#		resource.parent = [ :course ]
-			resource.create.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
+	#		resource.create.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
-			resource.update.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
+	#		resource.update.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
-
+
-		end
+	#	end
-	end
+	#end
-
+
-	# REST - usuários quaisquer
+	## REST - usuários quaisquer
-	context "A stranger" do
+	#context "A stranger" do
-		setup { logout }
+	#	setup { logout }
-		should_be_restful do |resource|
+	#	should_be_restful do |resource|
-			resource.parent = [ :course ]
+	#		resource.parent = [ :course ]
-			resource.create.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
+	#		resource.create.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
-			resource.update.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
+	#		resource.update.params = { :title => 'test', :time => Time.now, :description => 'test', :created_by => 1 }
-			resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
+	#		resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
-			resource.denied.redirect = "'/login'"
+	#		resource.denied.redirect = "'/login'"
-			resource.denied.flash = /must be logged in/i
+	#		resource.denied.flash = /must be logged in/i
-		end
+	#	end
-	end
+	#end
 
 	def test_should_accept_icalendar_on_index
 		get :index, :format => 'ics', :course_id => 1

test/functional/news_controller_test.rb

@@ -31,32 +31,32 @@ class NewsControllerTest < ActionController::TestCase
 	end
 
 	# REST - usuários autenticados
-	context "A user" do
+	#context "A user" do
-		setup { login_as :bob }
+	#	setup { login_as :bob }
-		should_be_restful do |resource|
+	#	should_be_restful do |resource|
-			resource.klass = News
+	#		resource.klass = News
-			resource.object = 'news'
+	#		resource.object = 'news'
-			resource.parent = [ :course ]
+	#		resource.parent = [ :course ]
-			resource.create.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
+	#		resource.create.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
-			resource.update.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
+	#		resource.update.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
-			resource.destroy.redirect = "course_news_url(@course)"
+	#		resource.destroy.redirect = "course_news_url(@course)"
-		end
+	#	end
-	end
+	#end
 
-	# REST - usuários quaisquer
+	## REST - usuários quaisquer
-	context "A stranger" do
+	#context "A stranger" do
-		setup { logout }
+	#	setup { logout }
-		should_be_restful do |resource|
+	#	should_be_restful do |resource|
-			resource.klass = News
+	#		resource.klass = News
-			resource.object = 'news'
+	#		resource.object = 'news'
-			resource.parent = [ :course ]
+	#		resource.parent = [ :course ]
-			resource.create.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
+	#		resource.create.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
-			resource.update.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
+	#		resource.update.params = { :title => 'test', :body => 'test', :receiver_id => 1 }
-			resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
+	#		resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
-			resource.denied.redirect = "'/login'"
+	#		resource.denied.redirect = "'/login'"
-			resource.denied.flash = /must be logged in/i
+	#		resource.denied.flash = /must be logged in/i
-		end
+	#	end
-	end
+	#end
 
 	def test_should_accept_rss_on_index
 		get :index, :format => 'rss', :course_id => 1

test/functional/wiki_controller_test.rb

@@ -22,44 +22,245 @@ class WikiController; def rescue_action(e) raise e end; end
 
 class WikiControllerTest < ActionController::TestCase
 	def setup
-		@controller = WikiController.new
-		@request    = ActionController::TestRequest.new
-		@response   = ActionController::TestResponse.new
 		@course = Course.find(:first)
-		@wiki_page = @course.wiki_pages.create(:title => 'test1', :content => 'test1', :description => 'test', :version => 1)
+
-		@wiki_page.user = users(:bob)
+		@wiki_page = @course.wiki_pages.create(:title => 'test1', :content => 'content1',
+				:user_id => users(:bob).id, :description => 'test', :version => 1)
+		@wiki_page.save!
+		@wiki_page.title = 'new title'
 		@wiki_page.save!
+
+		@another_wiki_page = @course.wiki_pages.create(:title => 'another', :content => 'another',
+				:description => 'test', :user_id => users(:bob).id, :version => 1)
+		@another_wiki_page.move_to_bottom
+		@another_wiki_page.save!
+		@wiki_page.reload
+
+		LogEntry.delete_all
+	end
+
+	context "An anonymous user" do
+
+		should_request_login_on_post_to(:new,       {:course_id => 1})
+		should_request_login_on_post_to(:create,    {:course_id => 1})
+		should_request_login_on_post_to(:edit,      {:course_id => 1, :id => 1})
+		should_request_login_on_post_to(:update,    {:course_id => 1, :id => 1})
+		should_request_login_on_post_to(:destroy,   {:course_id => 1, :id => 1})
+		should_request_login_on_post_to(:move_up,   {:course_id => 1, :id => 1})
+		should_request_login_on_post_to(:move_down, {:course_id => 1, :id => 1})
+		should_request_login_on_post_to(:undelete,  {:course_id => 1, :id => 1})
+
+		context "on get to :index" do
+			setup { get :index, :course_id => @course.id }
+			should_redirect_to('the course page') { course_url(@course) }
+		end
+		
+		context "on get to :show" do
+			setup { get :show, :course_id => @course.id, :id => @wiki_page.id }
+
+			should_respond_with :success
+			should_render_template 'show'
+
+			should "show the wiki page" do
+				assert_select 'h1.title', @wiki_page.title
 			end
 
-	# REST - usuários autenticados
+			should "show the selected version" do
-	context "A user" do
+				@wiki_page.revert_to(1)
+				get :show, :course_id => @course.id, :id => @wiki_page.id, :version => 1
+				assert_select 'h1.title', @wiki_page.title
+			end
+		end
+
+		context "on get to :versions" do
+			setup { get :versions, :course_id => @course.id, :id => @wiki_page.id }
+
+			should_respond_with :success
+			should_render_template 'versions'
+
+			should "show the wiki page versions" do
+				@wiki_page.versions.each do |v|
+					assert_select 'a[href=?]', course_wiki_instance_url(@course, @wiki_page, :version => v.version)
+				end
+			end
+		end
+
+		context "on get to :preview" do
+			context "with valid markup" do
+				setup { get :preview, :text => "hello {$x$} <script>foo();</script> <i onclick='foo()'>x</i>" }
+
+				should_respond_with :success
+
+				should "display latex formulas" do
+					assert_select 'img[class=tex_inline]'
+				end
+
+				should "strip harmful tags" do
+					assert_select 'script', false
+					assert_select '*[onclick]', false
+				end
+			end
+
+			context "with invalid markup" do
+				setup { get :preview, :text => "<a" }
+				should_respond_with :bad_request
+			end
+		end
+
+		context "on get to :diff" do
+			setup { get :diff, :course_id => @course.id, :id => @wiki_page.id, :from => 1, :to => 2 }
+			should_respond_with :success
+			should_assign_to :diff
+		end
+
+	end
+
+	context "An authenticated user" do
 		setup { login_as :bob }
-		should_be_restful do |resource|
+
-			resource.klass = WikiPage
+		context "on get to :new" do
-			resource.parent = [ :course ]
+			setup { get :new, :course_id => @course.id }
-			resource.create.params = { :title => 'test2', :description => 'test', :content => 'test2', :course_id => 1 }
+			should_render_a_form
-			resource.update.params = { :title => 'test3', :description => 'test', :content => 'test3', :course_id => 1 }
+			should_respond_with :success
-			resource.actions = [ :show, :new, :edit, :update, :create, :destroy ]
+		end
-			resource.destroy.redirect = "course_url(@course)"
+
-			resource.create.redirect = "course_wiki_url(@course, @wiki_page)"
+		context "on post to :create" do
-			resource.update.redirect = "course_wiki_url(@course, @wiki_page)"
+			setup do
-		end
+				assert_nil @course.wiki_pages.find_by_title('test2')
-	end
+				post :create, :course_id => @course.id, :wiki_page => { :title => 'test2', :content => 'test2' }
-
+				@wiki_page = @course.wiki_pages.find_by_title('test2')
-	# REST - usuários quaisquer
+			end
-	#context "A stranger" do
+			
-	#	setup { logout }
+			should_set_the_flash_to(/created/i)
-	#	should_be_restful do |resource|
+			should_redirect_to('the wiki page') { course_wiki_instance_url(@course, @wiki_page) }
-	#		resource.klass = WikiPage
+			should_create_log_entry {[ WikiCreateLogEntry, @wiki_page.id, users(:bob).id ]}
-	#		resource.parent = [ :course ]
+
-	#		resource.create.params = { :title => 'test4', :description => 'test', :content => 'test4', :course_id => 1 }
+			should "create a new wiki page" do
-	#		resource.update.params = { :title => 'test5', :description => 'test', :content => 'test5', :course_id => 1 }
+				assert @wiki_page
-	#		resource.actions = [ :show, :new, :edit, :update, :create, :destroy ]
+				assert_equal @wiki_page.version, 1
-	#		resource.denied.actions = [ :new, :edit, :create, :update, :destroy ]
+				assert_equal users(:bob).id, @wiki_page.user_id
-	#		resource.denied.redirect = "'/login'"
+			end
-	#		resource.denied.flash = /must be logged in/i
+		end
-	#	end
+
-	#end
+		context "on get to :edit" do
+			setup { get :edit, :course_id => @course.id, :id => @wiki_page.id }
+
+			should_render_a_form
+			should_render_template 'edit'
+
+			should "render a form with the correct fields" do
+				assert_select "input[name='wiki_page[title]'][value=?]", @wiki_page.title
+				assert_select "input[name='wiki_page[description]'][value=?]", ""
+				assert_select 'textarea', @wiki_page.content
+			end
+
+			should "edit the selected version" do
+				@wiki_page.revert_to(1)
+				get :edit, :course_id => @course.id, :id => @wiki_page.id, :version => 1
+				assert_select "input[name='wiki_page[title]'][value=?]", @wiki_page.title
+				assert_select 'textarea', @wiki_page.content
+			end
+		end
+
+		context "on post to :update" do
+			context "with unmodified data" do
+				setup do
+					post :update, :course_id => @course.id, :id => @wiki_page.id, :wiki_page => {
+							:title => @wiki_page.title, :content => @wiki_page.content}
+				end
+
+				should_not_set_the_flash
+				should_redirect_to('the wiki page') { course_wiki_instance_url(@course, @wiki_page) }
+
+				should "not create a new log entry" do
+					assert_nil WikiEditLogEntry.find(:first, :conditions => { :target_id => @wiki_page.id })
+				end
+			end
+
+			context "with new data" do
+				setup do
+					post :update, :course_id => @course.id, :id => @wiki_page.id, :wiki_page => {
+							:user_id => 999, :course_id => 999, # not user definable
+							:title => 'brand new title', :content => 'brand new content'}
+					@wiki_page.reload
+				end
+
+				should_set_the_flash_to(/updated/i)
+				should_redirect_to('the wiki page') { course_wiki_instance_url(@course, @wiki_page) }
+				should_create_log_entry {[ WikiEditLogEntry, @wiki_page.id, users(:bob).id ]}
+
+				should "update the wiki page" do
+					assert_equal "brand new title", @wiki_page.title
+					assert_equal "brand new content", @wiki_page.content
+					assert_equal users(:bob).id, @wiki_page.user_id
+					assert_equal @course.id, @wiki_page.course_id
+				end
+			end
+		end
+
+		context "on post to :destroy" do
+			setup { post :destroy, :course_id => @course.id, :id => @wiki_page.id }
+
+			should_set_the_flash_to(/removed/i)
+			should_redirect_to('the course page') { course_url(@course) }
+			should_create_log_entry {[ WikiDeleteLogEntry, @wiki_page.id, users(:bob).id ]}
+
+			should "delete the wiki page" do
+				@wiki_page = WikiPage.find_with_deleted(@wiki_page.id)
+				assert @wiki_page.deleted?
+			end
+		end
+
+		context "on get to :move_up" do
+			setup do
+				assert_equal 1, @wiki_page.position
+				assert_equal 2, @another_wiki_page.position
+				get :move_up, :course_id => @course.id, :id => @another_wiki_page.id
+			end
+
+			should_redirect_to('the course page') { course_url(@course) }
+
+			should "move the page up" do
+				@wiki_page.reload
+				@another_wiki_page.reload
+				assert_equal 2, @wiki_page.position
+				assert_equal 1, @another_wiki_page.position
+			end
+		end
+
+		context "on get to :move_down" do
+			setup do
+				assert_equal 1, @wiki_page.position
+				assert_equal 2, @another_wiki_page.position
+				get :move_down, :course_id => @course.id, :id => @wiki_page.id
+			end
+
+			should_redirect_to('the course page') { course_url(@course) }
+
+			should "move the page up" do
+				@wiki_page.reload
+				@another_wiki_page.reload
+				assert_equal 2, @wiki_page.position
+				assert_equal 1, @another_wiki_page.position
+			end
+		end
+
+		context "on post to :undelete" do
+			setup do
+				@wiki_page.destroy
+				post :undelete, :course_id => @course.id, :id => @wiki_page.id
+			end
+
+			should_redirect_to('the wiki page') { course_wiki_instance_url(@course, @wiki_page) }
+			should_create_log_entry {[ WikiRestoreLogEntry, @wiki_page.id, users(:bob).id ]}
+
+			should "restore the wiki page" do
+				assert WikiPage.find(@wiki_page.id)
+			end
+		end
+
+	end
+
 
 	#def test_should_accept_text_on_show
 	#	get :show, :format => 'txt', :course_id => 1, :id => @wiki_page.id

test/unit/wiki_page_test.rb

@@ -18,6 +18,16 @@ require File.dirname(__FILE__) + '/../test_helper'
 
 class WikiPageTest < ActiveSupport::TestCase
 
+	should "not delete versions on destroy" do
+		wp = WikiPage.new(:course_id => 1, :user_id => 1, :title => "t", :content => "c", :description => "d", :version => 1)
+		wp.save!
+		wp.destroy
+
+		wp = WikiPage.find_with_deleted(wp.id)
+		wp.recover!
+		assert !wp.versions.empty?
+	end
+
 	def test_should_create_new_version_when_editing
 		wp = WikiPage.new
 		assert !wp.save_version?

vendor/gems/bluecloth-1.0.0/lib/bluecloth.rb

@@ -260,36 +260,6 @@ class BlueCloth < String
 	#private
 	#######
 
-	def sanitize_html(html, whitelist, attrs, blacklist)
-		whitelist += attrs.keys  
-		page = Hpricot(html, :xhtml_strict => true)  
-
-		page.search("*").each do |e|  
-			if e.elem?  
-				tagname = e.name.downcase  
-				if blacklist.include?(tagname)  
-					e.swap("")  
-				elsif !whitelist.include?(tagname)  
-					e.parent.replace_child(e, e.children)   
-				elsif attrs.has_key?(tagname)  
-					e.attributes.each do |key, val|
-						e.remove_attribute(key) if !attrs[tagname].include?(key.downcase)
-
-						HTMLValueBlackList.each do |bad| 
-							e.remove_attribute(key) if val.downcase.gsub(/\s/, "").include?(bad.downcase)
-						end
-					end
-				else
-					e.attributes.each { |key, val| e.remove_attribute(key) }
-				end  
-			elsif e.comment?  
-				e.swap('')  
-			end  
-		end  
-
-		page.to_s  
-	end	
-
 	### Do block-level transforms on a copy of +str+ using the specified render
 	### state +rs+ and return the results.
 	def apply_block_transforms( str, rs )
@@ -321,10 +291,6 @@ class BlueCloth < String
 			end
 		}
 
-		# Sanitize result
-		@log.debug "Sanitizing HTML:\n %p" % text
-		text = sanitize_html(text, HTMLWhiteList, HTMLAttrs, HTMLBlackList)
-
 		@log.debug "Done with block transforms:\n  %p" % text
 		return text
 	end
@@ -454,7 +420,7 @@ class BlueCloth < String
 		# Block Latex
 		rval = rval.gsub(LatexBlockRegexp) {|block|
 			codeblock = $1.strip.gsub("\n", '%0A').gsub(/[ \t]+/, " ")
-			codeblock = %{<div class="tex_block"><img src="#{MimeTexURL}?%s"></img></div>} %
+			codeblock = %{<div class="tex_block"><img src="#{MimeTexURL}?%s"/></div>} %
 				[ encode_code( codeblock, rs ) ]
 			tokenize(codeblock, rs)
 		}
@@ -462,7 +428,7 @@ class BlueCloth < String
 		# Inline math
 		rval = rval.gsub( LatexInlineRegexp ) {|block|
 			codeblock = $1.strip
-			codeblock = %{<img class="tex_inline" src="#{MimeTexURL}?\\small %s"></img>} % [ encode_code( codeblock, rs ) ]
+			codeblock = %{<img class="tex_inline" src="#{MimeTexURL}?\\small %s"/>} % [ encode_code( codeblock, rs ) ]
 			tokenize(codeblock, rs)
 		}