angular_xss 0.2.0 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: cca3cff1d32777a0e9ae8857bc136981cb61c359
4
- data.tar.gz: 520d0d7d7122a4d630fca1d5a09d1f98f9ca1ef3
3
+ metadata.gz: bd5001cfe150eb1c470f46cdabc75fa7c93c6eda
4
+ data.tar.gz: d3fa3b7a9ea77d3f47bb4ff3adec608427f8bb83
5
5
  SHA512:
6
- metadata.gz: caf93d6ac6230f240914ba3bbed906c688435d7b4acd5ec925a55f5b13476c8b1fd4c1c9cf8b3641315ec8c3845cdff2b7c78c30f7ff7247d4f4b4f760b18601
7
- data.tar.gz: 20b38f1cb2a45f52fb4083ada04e33c2c926ba62989e8f0651645e02ecd0da1df7d484e0eaaedc111ae18f866b1c179e43e9f2b9f5642181461b32ce89319268
6
+ metadata.gz: 770c23bad28c0c1f9e46495e292e3bce47741e423fdece2735c980c74c0ac9b202766e614153270179d8027424a0054267299b33bd7b6b0619a5d3ca1b737376
7
+ data.tar.gz: 84e8ab293070e44d74242692147e15e0b505c1c5bdd7ca1856893115160fba93fd04c650fe026589e3f583b170b7f12a0633c709522af70754ebafbdc0ec61b3
@@ -3,3 +3,4 @@
3
3
  require 'angular_xss/escaper'
4
4
  require 'angular_xss/erb'
5
5
  require 'angular_xss/haml'
6
+ require 'angular_xss/action_view'
@@ -0,0 +1,13 @@
1
+ ActionView::Template.class_eval do
2
+
3
+ protected
4
+
5
+ def compile_with_angular_xss(*args, &block)
6
+ AngularXss.disable do
7
+ compile_without_angular_xss(*args, &block)
8
+ end
9
+ end
10
+
11
+ alias_method_chain :compile, :angular_xss
12
+
13
+ end
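Review bot: `alias_method_chain :compile, :angular_xss` is deprecated in Rails 5.0 and removed in 5.1, so this hook stops loading on newer ActionView; on Ruby 2.0+ the same wrapping is better expressed with `Module#prepend`, which also avoids the `compile_without_angular_xss` alias colliding with any other gem that wraps `compile`. The wrapper further relies on `AngularXss.disable` re-enabling escaping when `compile_without_angular_xss` raises — if that helper does not restore the previous state in an `ensure` (not visible in this diff), a template syntax error during compilation would leave interpolation escaping switched off for later renders, which defeats the protection the gem presumably provides. The `class_eval` runs at require time, so the unconditional `require 'angular_xss/action_view'` added in lib/angular_xss.rb raises NameError if that file is loaded before `ActionView::Template` is defined; a `defined?(ActionView::Template)` guard or a Railtie initializer would make the load order explicit. The file also has no comment saying why compile is wrapped at all; something like `# Compile with interpolation escaping disabled so that {{...}} literals in the template source are left untouched (TODO confirm: escaping must be re-enabled even when compile raises).` would record the intent.
```ruby
module AngularXss
  # Wraps ActionView::Template#compile so the template source is compiled with
  # interpolation escaping disabled.
  # TODO confirm: AngularXss.disable must restore the previous state in an
  # ensure block, otherwise a failed compile leaves escaping off.
  module ActionViewTemplatePatch
    protected

    def compile(*args, &block)
      AngularXss.disable { super(*args, &block) }
    end
  end
end

ActionView::Template.prepend(AngularXss::ActionViewTemplatePatch) if defined?(ActionView::Template)
```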
@@ -1,3 +1,3 @@
1
1
  module AngularXss
2
- VERSION = '0.2.0'
2
+ VERSION = '0.2.1'
3
3
  end
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ../..
3
3
  specs:
4
- angular_xss (0.2.0)
4
+ angular_xss (0.2.1)
5
5
  activesupport
6
6
  haml (>= 3.1.5)
7
7
 
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ../..
3
3
  specs:
4
- angular_xss (0.2.0)
4
+ angular_xss (0.2.1)
5
5
  activesupport
6
6
  haml (>= 3.1.5)
7
7
 
@@ -4,13 +4,6 @@
4
4
 
5
5
  {{safe}}
6
6
 
7
- %div{:foo => '{{safe}}'.html_safe, :bar => '{{unsafe}}'}
8
- {{safe}}
9
-
10
- -# We can't support Angular interpolations in class and id attributes.
11
- -# This is a limitation of Haml.
12
- %div{:class => '{{unsafe_id}}', :id => '{{unsafe_id}}'}
13
-
14
7
  = '{{unsafe}}'
15
8
  = '{{unsafe}}'
16
9
  = '{{unsafe}}'
@@ -21,3 +14,19 @@
21
14
  = '{{unsafe}}'
22
15
  = '{{unsafe}}'
23
16
  = '{{unsafe}}'
17
+
18
+ -# HTML attributes in Haml work in different ways:
19
+ -# 1. Under certain conditions, attributes are precompiled.
20
+ -# We never have to escape those because they can not contain user input.
21
+ -# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
22
+ -# them at runtime. Since they can contain user input, XSS logic applies.
23
+
24
+ -# Precompiled:
25
+ %div(foo='{{safe}}')
26
+ %div{:class => '{{safe}}', :id => '{{safe}}'}
27
+
28
+ -# Compiled at runtime:
29
+ %div{:class => '{{unsafe}}', :id => '{{unsafe}}', :foo => rand}
30
+ %div(bar="#{'{{unsafe}}'}")
31
+ %div{:foo => '{{safe}}'.html_safe, :bar => '{{unsafe}}'}
32
+ {{safe}}
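Review bot: The "Precompiled" versus "Compiled at runtime" split on the new-side lines 24–31 of this fixture depends on Haml's internal decision about which attribute hashes it can evaluate statically, which is not a public contract and has shifted between Haml versions; if a later Haml evaluates `%div{:class => '{{safe}}', :id => '{{safe}}'}` at runtime, the expected output in the matching spec would change without any change in this gem, and the comment that precompiled attributes "can not contain user input" would then be describing a case that no longer exists. A comment stating the Haml range the fixture was checked against, e.g. `-# Verified against haml >= 3.1.5 (the floor in Gemfile.lock); re-check this split when upgrading Haml.`, would make that dependency visible. The `:foo => rand` on line 29 appears to exist only to force runtime attribute evaluation; naming that inline, `-# rand forces Haml to evaluate this attribute hash at runtime`, would stop a later cleanup from removing it and silently moving the line into the precompiled case.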
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: angular_xss
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Henning Koch
@@ -52,6 +52,7 @@ files:
52
52
  - Rakefile
53
53
  - angular_xss.gemspec
54
54
  - lib/angular_xss.rb
55
+ - lib/angular_xss/action_view.rb
55
56
  - lib/angular_xss/erb.rb
56
57
  - lib/angular_xss/escaper.rb
57
58
  - lib/angular_xss/haml.rb