angular_xss 0.4.0 → 1.0.0

data/spec/templates/_test_erb.erb

@@ -1,14 +1,23 @@
-<%= "{{unsafe}}" %>
-<%= "{{safe}}".html_safe %>
+<%- unsafe_string = '{{unsafe}}' %>
+<%- safe_string = '{{safe}}'.html_safe %>
+
+<%= unsafe_string %>
+<%= safe_string %>
+
+<%= ''.html_safe + unsafe_string %>
+<%= ''.html_safe + safe_string %>
+
+<%= ''.html_safe << unsafe_string %>
+<%= ''.html_safe << safe_string %>
 
 {{safe}}
 
-<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
+<div foo="{{safe}}" bar="<%= unsafe_string %>">
   {{safe}}
 </div>
 
-<%= content_tag(:span, '{{unsafe}}') %>
-<%= content_tag(:span, '{{safe}}'.html_safe) %>
+<%= content_tag(:span, unsafe_string) %>
+<%= content_tag(:span, safe_string) %>
 
 <%= '{&lcub;unsafe}}' %>
 <%= '{&lbrace;unsafe}}' %>

data/spec/templates/_test_haml.haml

@@ -1,11 +1,46 @@
-= "{{unsafe}}"
-#{'{{unsafe}}'}
-= "{{safe}}".html_safe
+-# HTML attributes and static string interpolation in Haml work in different ways:
+-# 1. Under certain conditions, attributes are precompiled.
+-#    We never have to escape those because they can not contain user input.
+-# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
+-#    them at runtime. Since they can contain user input, XSS logic applies.
+
+-# precompiled (static)
+- if Gem::Version.new(Haml::VERSION) >= Gem::Version.new(6)
+  -# HAML 6 is smart enough to recognize static strings and will not
+  -# escape it - so neither do we
+  #{'{{safe}}'}
+  = "{{safe}}"
+- else
+  #{'{{unsafe}}'}
+  = "{{unsafe}}"
 
 {{safe}}
+%div(foo='{{safe}}')
+%div{:class => '{{safe}}', :id => '{{safe}}'}
+
+-# Compiled at runtime:
+- unsafe_evaluated_variable = '{{unsafe}}'
+- safe_evaluated_variable = '{{safe}}'.html_safe
+
+= unsafe_evaluated_variable
+= safe_evaluated_variable
+
+#{unsafe_evaluated_variable}
+#{safe_evaluated_variable}
+
+= ''.html_safe + unsafe_evaluated_variable
+= ''.html_safe + safe_evaluated_variable
+
+= ''.html_safe << unsafe_evaluated_variable
+= ''.html_safe << safe_evaluated_variable
 
-= content_tag(:span, '{{unsafe}}')
-= content_tag(:span, '{{safe}}'.html_safe)
+= content_tag(:span, unsafe_evaluated_variable)
+= content_tag(:span, safe_evaluated_variable)
+
+%div{:class => unsafe_evaluated_variable, :id => unsafe_evaluated_variable}
+%div(bar="#{unsafe_evaluated_variable}")
+  %div{:foo => safe_evaluated_variable, :bar => unsafe_evaluated_variable}
+  {{safe}}
 
 = '{&lcub;unsafe}}'
 = '{&lbrace;unsafe}}'
@@ -17,21 +52,3 @@
 = '{&#000000123;unsafe}}'
 = '{&#0000000000000123;unsafe}}'
 = '&lcub;&#x7b;unsafe}}'
-
--# HTML attributes in Haml work in different ways:
--# 1. Under certain conditions, attributes are precompiled.
--#    We never have to escape those because they can not contain user input.
--# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
--#    them at runtime. Since they can contain user input, XSS logic applies.
-
--# Precompiled:
-%div(foo='{{safe}}')
-%div{:class => '{{safe}}', :id => '{{safe}}'}
-
--# Compiled at runtime:
-- unsafe = '{{unsafe}}'
-- safe = '{{safe}}'.html_safe
-%div{:class => unsafe, :id => unsafe}
-%div(bar="#{unsafe}")
-  %div{:foo => safe, :bar => unsafe}
-  {{safe}}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: angular_xss
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Henning Koch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-23 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,8 +52,8 @@ files:
 - CHANGELOG.md
 - Gemfile
 - Gemfile.lock
-- Gemfile.rails-3.2
-- Gemfile.rails-3.2.lock
+- Gemfile.rails-3.2.haml-4
+- Gemfile.rails-3.2.haml-4.lock
 - Gemfile.rails-4.2.haml-4
 - Gemfile.rails-4.2.haml-4.lock
 - Gemfile.rails-4.2.haml-5
@@ -64,6 +64,12 @@ files:
 - Gemfile.rails-5.1.haml-5.lock
 - Gemfile.rails-6.1.haml-5
 - Gemfile.rails-6.1.haml-5.lock
+- Gemfile.rails-7.0.haml-5
+- Gemfile.rails-7.0.haml-5.lock
+- Gemfile.rails-7.1.haml-5
+- Gemfile.rails-7.1.haml-5.lock
+- Gemfile.rails-7.1.haml-6
+- Gemfile.rails-7.1.haml-6.lock
 - LICENSE
 - README.md
 - Rakefile
@@ -73,10 +79,13 @@ files:
 - lib/angular_xss/erb.rb
 - lib/angular_xss/escaper.rb
 - lib/angular_xss/haml.rb
+- lib/angular_xss/output_buffer.rb
 - lib/angular_xss/safe_buffer.rb
 - lib/angular_xss/version.rb
 - spec/angular_xss/erb_spec.rb
+- spec/angular_xss/escaper_spec.rb
 - spec/angular_xss/haml_spec.rb
+- spec/angular_xss/output_buffer_spec.rb
 - spec/angular_xss/safe_buffer_spec.rb
 - spec/spec_helper.rb
 - spec/support/engine_preventing_angular_xss.rb
@@ -85,7 +94,8 @@ files:
 homepage: https://github.com/makandra/angular_xss
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -101,14 +111,16 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.5.13
 signing_key: 
 specification_version: 4
 summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in
   unsafe strings.
 test_files:
 - spec/angular_xss/erb_spec.rb
+- spec/angular_xss/escaper_spec.rb
 - spec/angular_xss/haml_spec.rb
+- spec/angular_xss/output_buffer_spec.rb
 - spec/angular_xss/safe_buffer_spec.rb
 - spec/spec_helper.rb
 - spec/support/engine_preventing_angular_xss.rb