Add tainting tests

test/integration/drop_test.rb

@@ -48,6 +48,10 @@ class ProductDrop < Liquid::Drop
     ContextDrop.new
   end
 
+  def user_input
+    "foo".taint
+  end
+
   protected
     def callmenot
       "protected"
@@ -108,6 +112,30 @@ class DropsTest < Minitest::Test
     assert_equal '  ', tpl.render!('product' => ProductDrop.new)
   end
 
+  def test_rendering_raises_on_tainted_attr
+    Liquid::Template.taint_mode = :error
+    tpl = Liquid::Template.parse('{{ product.user_input }}')
+    assert_raises TaintedError do
+      tpl.render!('product' => ProductDrop.new)
+    end
+    Liquid::Template.taint_mode = :lax
+  end
+
+  def test_rendering_warns_on_tainted_attr
+    Liquid::Template.taint_mode = :warn
+    tpl = Liquid::Template.parse('{{ product.user_input }}')
+    tpl.render!('product' => ProductDrop.new)
+    assert_match /tainted/, tpl.warnings.first
+    Liquid::Template.taint_mode = :lax
+  end
+
+  def test_rendering_doesnt_raise_on_escaped_tainted_attr
+    Liquid::Template.taint_mode = :error
+    tpl = Liquid::Template.parse('{{ product.user_input | escape }}')
+    tpl.render!('product' => ProductDrop.new)
+    Liquid::Template.taint_mode = :lax
+  end
+
   def test_drop_does_only_respond_to_whitelisted_methods
     assert_equal "", Liquid::Template.parse("{{ product.inspect }}").render!('product' => ProductDrop.new)
     assert_equal "", Liquid::Template.parse("{{ product.pretty_inspect }}").render!('product' => ProductDrop.new)