Merge pull request #1555 from koic/fix_false_positive_for_rails_output_safety

[Fix #1553] Fix false positives for `Rails/OutputSafety`

Author: koic

changelog/fix_false_positive_for_rails_output_safety.md

@@ -0,0 +1 @@
+* [#1553](https://github.com/rubocop/rubocop-rails/issues/1553): Fix false positives for `Rails/OutputSafety` when using non-interpolated multiline heredoc. ([@koic][])

lib/rubocop/cop/rails/output_safety.rb

@@ -84,7 +84,9 @@ def on_send(node)
         private
 
         def non_interpolated_string?(node)
-          node.receiver&.str_type? && !node.receiver.dstr_type?
+          return false unless (receiver = node.receiver)
+
+          receiver.str_type? || (receiver.dstr_type? && receiver.children.all?(&:str_type?))
         end
 
         def looks_like_rails_html_safe?(node)

spec/rubocop/cop/rails/output_safety_spec.rb

@@ -40,6 +40,42 @@
       RUBY
     end
 
+    it 'does not register an offense for static single line heredoc receiver' do
+      expect_no_offenses(<<~RUBY)
+        <<~HTML.html_safe
+          foo
+        HTML
+      RUBY
+    end
+
+    it 'registers an offense for dynamic single line heredoc receiver' do
+      expect_offense(<<~'RUBY')
+        <<~HTML.html_safe
+                ^^^^^^^^^ Tagging a string as html safe may be a security risk.
+          #{foo}
+        HTML
+      RUBY
+    end
+
+    it 'does not register an offense for static multiline heredoc receiver' do
+      expect_no_offenses(<<~RUBY)
+        <<~HTML.html_safe
+          foo
+          bar
+        HTML
+      RUBY
+    end
+
+    it 'registers an offense for dynamic multiline heredoc receiver' do
+      expect_offense(<<~'RUBY')
+        <<~HTML.html_safe
+                ^^^^^^^^^ Tagging a string as html safe may be a security risk.
+          foo
+          #{bar}
+        HTML
+      RUBY
+    end
+
     it 'registers an offense for variable receiver' do
       expect_offense(<<~RUBY)
         foo.html_safe