activesupport 3.1.0 → 5.0.0

data/lib/active_support/core_ext/string/output_safety.rb

@@ -3,25 +3,21 @@ require 'active_support/core_ext/kernel/singleton_class'
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
-    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
+    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+    JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
 
     # A utility method for escaping HTML tag characters.
     # This method is also aliased as <tt>h</tt>.
     #
     # In your ERB templates, use this method to escape any unsafe content. For example:
-    #   <%=h @person.name %>
+    #   <%= h @person.name %>
     #
-    # ==== Example:
-    #   puts html_escape("is a > 0 & a < 10?")
+    #   puts html_escape('is a > 0 & a < 10?')
     #   # => is a &gt; 0 &amp; a &lt; 10?
     def html_escape(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
-      end
+      unwrapped_html_escape(s).html_safe
     end
 
     # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
@@ -33,30 +29,92 @@ class ERB
     singleton_class.send(:remove_method, :html_escape)
     module_function :html_escape
 
-    # A utility method for escaping HTML entities in JSON strings
-    # using \uXXXX JavaScript escape sequences for string literals:
+    # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
+    # This method is not for public consumption! Seriously!
+    def unwrapped_html_escape(s) # :nodoc:
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
+      end
+    end
+    module_function :unwrapped_html_escape
+
+    # A utility method for escaping HTML without affecting existing escaped entities.
+    #
+    #   html_escape_once('1 < 2 &amp; 3')
+    #   # => "1 &lt; 2 &amp; 3"
+    #
+    #   html_escape_once('&lt;&lt; Accept & Checkout')
+    #   # => "&lt;&lt; Accept &amp; Checkout"
+    def html_escape_once(s)
+      result = ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
+      s.html_safe? ? result.html_safe : result
+    end
+
+    module_function :html_escape_once
+
+    # A utility method for escaping HTML entities in JSON strings. Specifically, the
+    # &, > and < characters are replaced with their equivalent unicode escaped form -
+    # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
+    # escaped as they are treated as newline characters in some JavaScript engines.
+    # These sequences have identical meaning as the original characters inside the
+    # context of a JSON string, so assuming the input is a valid and well-formed
+    # JSON value, the output will have equivalent meaning when parsed:
+    #
+    #   json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
+    #   # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
+    #
+    #   json_escape(json)
+    #   # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
+    #
+    #   JSON.parse(json) == JSON.parse(json_escape(json))
+    #   # => true
+    #
+    # The intended use case for this method is to escape JSON strings before including
+    # them inside a script tag to avoid XSS vulnerability:
+    #
+    #   <script>
+    #     var currentUser = <%= raw json_escape(current_user.to_json) %>;
+    #   </script>
+    #
+    # It is necessary to +raw+ the result of +json_escape+, so that quotation marks
+    # don't get converted to <tt>&quot;</tt> entities. +json_escape+ doesn't
+    # automatically flag the result as HTML safe, since the raw value is unsafe to
+    # use inside HTML attributes.
     #
-    #   json_escape("is a > 0 & a < 10?")
-    #   # => is a \u003E 0 \u0026 a \u003C 10?
+    # If your JSON is being used downstream for insertion into the DOM, be aware of
+    # whether or not it is being inserted via +html()+. Most jQuery plugins do this.
+    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
+    # content returned by your JSON.
     #
-    # Note that after this operation is performed the output is not
-    # valid JSON. In particular double quotes are removed:
+    # If you need to output JSON elsewhere in your HTML, you can just do something
+    # like this, as any unsafe characters (including quotation marks) will be
+    # automatically escaped for you:
     #
-    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
-    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
+    #   <div data-user-info="<%= current_user.to_json %>">...</div>
     #
-    # This method is also aliased as +j+, and available as a helper
-    # in Rails templates:
+    # WARNING: this helper only works with valid JSON. Using this on non-JSON values
+    # will open up serious XSS vulnerabilities. For example, if you replace the
+    # +current_user.to_json+ in the example above with user input instead, the browser
+    # will happily eval() that string as JavaScript.
     #
-    #   <%=j @person.to_json %>
+    # The escaping performed in this method is identical to those performed in the
+    # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
+    # set to true. Because this transformation is idempotent, this helper can be
+    # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
     #
+    # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
+    # is enabled, or if you are unsure where your JSON string originated from, it
+    # is recommended that you always apply this helper (other libraries, such as the
+    # JSON gem, do not provide this kind of protection by default; also some gems
+    # might override +to_json+ to bypass Active Support's encoder).
     def json_escape(s)
-      result = s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
+      result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
       s.html_safe? ? result.html_safe : result
     end
 
-    alias j json_escape
-    module_function :j
     module_function :json_escape
   end
 end
@@ -75,47 +133,84 @@ end
 
 module ActiveSupport #:nodoc:
   class SafeBuffer < String
-    UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
+    UNSAFE_STRING_METHODS = %w(
+      capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
+      slice squeeze strip sub succ swapcase tr tr_s upcase
+    )
 
     alias_method :original_concat, :concat
     private :original_concat
 
+    # Raised when <tt>ActiveSupport::SafeBuffer#safe_concat</tt> is called on unsafe buffers.
     class SafeConcatError < StandardError
       def initialize
-        super "Could not concatenate to the buffer because it is not html safe."
+        super 'Could not concatenate to the buffer because it is not html safe.'
+      end
+    end
+
+    def [](*args)
+      if args.size < 2
+        super
+      else
+        if html_safe?
+          new_safe_buffer = super
+
+          if new_safe_buffer
+            new_safe_buffer.instance_variable_set :@html_safe, true
+          end
+
+          new_safe_buffer
+        else
+          to_str[*args]
+        end
       end
     end
 
     def safe_concat(value)
-      raise SafeConcatError if dirty?
+      raise SafeConcatError unless html_safe?
       original_concat(value)
     end
 
-    def initialize(*)
-      @dirty = false
+    def initialize(str = '')
+      @html_safe = true
       super
     end
 
     def initialize_copy(other)
       super
-      @dirty = other.dirty?
+      @html_safe = other.html_safe?
+    end
+
+    def clone_empty
+      self[0, 0]
     end
 
     def concat(value)
-      if dirty? || value.html_safe?
-        super(value)
-      else
-        super(ERB::Util.h(value))
-      end
+      super(html_escape_interpolated_argument(value))
     end
     alias << concat
 
+    def prepend(value)
+      super(html_escape_interpolated_argument(value))
+    end
+
     def +(other)
       dup.concat(other)
     end
 
+    def %(args)
+      case args
+      when Hash
+        escaped_args = Hash[args.map { |k,arg| [k, html_escape_interpolated_argument(arg)] }]
+      else
+        escaped_args = Array(args).map { |arg| html_escape_interpolated_argument(arg) }
+      end
+
+      self.class.new(super(escaped_args))
+    end
+
     def html_safe?
-      !dirty?
+      defined?(@html_safe) && @html_safe
     end
 
     def to_s
@@ -127,36 +222,38 @@ module ActiveSupport #:nodoc:
     end
 
     def encode_with(coder)
-      coder.represent_scalar nil, to_str
+      coder.represent_object nil, to_str
     end
 
-    def to_yaml(*args)
-      return super() if defined?(YAML::ENGINE) && !YAML::ENGINE.syck?
-      to_str.to_yaml(*args)
-    end
-
-    for unsafe_method in UNSAFE_STRING_METHODS
-      class_eval <<-EOT, __FILE__, __LINE__
-        def #{unsafe_method}(*args)
-          super.to_str
-        end
+    UNSAFE_STRING_METHODS.each do |unsafe_method|
+      if unsafe_method.respond_to?(unsafe_method)
+        class_eval <<-EOT, __FILE__, __LINE__ + 1
+          def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
+            to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
+          end                                       # end
 
-        def #{unsafe_method}!(*args)
-          @dirty = true
-          super
-        end
-      EOT
+          def #{unsafe_method}!(*args)              # def capitalize!(*args)
+            @html_safe = false                      #   @html_safe = false
+            super                                   #   super
+          end                                       # end
+        EOT
+      end
     end
 
-    protected
+    private
 
-    def dirty?
-      @dirty
+    def html_escape_interpolated_argument(arg)
+      (!html_safe? || arg.html_safe?) ? arg : CGI.escapeHTML(arg.to_s)
     end
   end
 end
 
 class String
+  # Marks a string as trusted safe. It will be inserted into HTML with no
+  # additional escaping performed. It is your responsibility to ensure that the
+  # string contains no malicious content. This method is equivalent to the
+  # `raw` helper in views. It is recommended that you use `sanitize` instead of
+  # this method. It should never be called on user input.
   def html_safe
     ActiveSupport::SafeBuffer.new(self)
   end

data/lib/active_support/core_ext/string/strip.rb

@@ -1,5 +1,3 @@
-require 'active_support/core_ext/object/try'
-
 class String
   # Strips indentation in heredocs.
   #
@@ -17,10 +15,9 @@ class String
   #
   # the user would see the usage message aligned against the left margin.
   #
-  # Technically, it looks for the least indented line in the whole string, and removes
-  # that amount of leading whitespace.
+  # Technically, it looks for the least indented non-empty line
+  # in the whole string, and removes that amount of leading whitespace.
   def strip_heredoc
-    indent = scan(/^[ \t]*(?=\S)/).min.try(:size) || 0
-    gsub(/^[ \t]{#{indent}}/, '')
+    gsub(/^#{scan(/^[ \t]*(?=\S)/).min}/, ''.freeze)
   end
 end

data/lib/active_support/core_ext/string/zones.rb

@@ -0,0 +1,14 @@
+require 'active_support/core_ext/string/conversions'
+require 'active_support/core_ext/time/zones'
+
+class String
+  # Converts String to a TimeWithZone in the current zone if Time.zone or Time.zone_default
+  # is set, otherwise converts String to a Time via String#to_time
+  def in_time_zone(zone = ::Time.zone)
+    if zone
+      ::Time.find_zone!(zone).parse(self)
+    else
+      to_time
+    end
+  end
+end

data/lib/active_support/core_ext/string.rb

@@ -4,11 +4,10 @@ require 'active_support/core_ext/string/multibyte'
 require 'active_support/core_ext/string/starts_ends_with'
 require 'active_support/core_ext/string/inflections'
 require 'active_support/core_ext/string/access'
-require 'active_support/core_ext/string/xchar'
 require 'active_support/core_ext/string/behavior'
-require 'active_support/core_ext/string/interpolation'
 require 'active_support/core_ext/string/output_safety'
 require 'active_support/core_ext/string/exclude'
-require 'active_support/core_ext/string/encoding'
 require 'active_support/core_ext/string/strip'
 require 'active_support/core_ext/string/inquiry'
+require 'active_support/core_ext/string/indent'
+require 'active_support/core_ext/string/zones'

data/lib/active_support/core_ext/struct.rb

@@ -0,0 +1,3 @@
+require 'active_support/deprecation'
+
+ActiveSupport::Deprecation.warn("This file is deprecated and will be removed in Rails 5.1 with no replacement.")