better_html 0.0.3

data/lib/better_html/node_iterator/javascript_erb.rb

@@ -0,0 +1,60 @@
+require 'erubis/engine/eruby'
+require_relative 'token'
+require_relative 'location'
+
+module BetterHtml
+  class NodeIterator
+    class JavascriptErb < ::Erubis::Eruby
+      attr_reader :tokens
+
+      def initialize(document)
+        @document = ""
+        @tokens = []
+        super
+      end
+
+      def add_text(src, text)
+        add_token(:text, text)
+        append(text)
+      end
+
+      def add_stmt(src, code)
+        text = "<%#{code}%>"
+        add_token(:stmt, text, code)
+        append(text)
+      end
+
+      def add_expr_literal(src, code)
+        text = "<%=#{code}%>"
+        add_token(:expr_literal, text, code)
+        append(text)
+      end
+
+      def add_expr_escaped(src, code)
+        text = "<%==#{code}%>"
+        add_token(:expr_escaped, text, code)
+        append(text)
+      end
+
+      private
+
+      def add_token(type, text, code = nil)
+        start = @document.size
+        stop = start + text.size
+        lines = @document.split("\n", -1)
+        line = lines.empty? ? 1 : lines.size
+        column = lines.empty? ? 0 : lines.last.size
+        @tokens << Token.new(
+          type: type,
+          text: text,
+          code: code,
+          location: Location.new(start, stop, line, column)
+        )
+      end
+
+      def append(text)
+        @document << text
+      end
+    end
+  end
+end

data/lib/better_html/node_iterator/location.rb

@@ -0,0 +1,14 @@
+module BetterHtml
+  class NodeIterator
+    class Location
+      attr_accessor :start, :stop, :line, :column
+
+      def initialize(start, stop, line, column)
+        @start = start
+        @stop = stop
+        @line = line
+        @column = column
+      end
+    end
+  end
+end

data/lib/better_html/node_iterator/text.rb

@@ -0,0 +1,8 @@
+require_relative 'content_node'
+
+module BetterHtml
+  class NodeIterator
+    class Text < ContentNode
+    end
+  end
+end

data/lib/better_html/node_iterator/token.rb

@@ -0,0 +1,8 @@
+require 'ostruct'
+
+module BetterHtml
+  class NodeIterator
+    class Token < OpenStruct
+    end
+  end
+end

data/lib/better_html/railtie.rb

@@ -0,0 +1,7 @@
+require 'better_html/better_erb'
+
+class BetterHtml::Railtie < Rails::Railtie
+  initializer "better_html.better_erb.initialization" do
+    BetterHtml::BetterErb.prepend!
+  end
+end

data/lib/better_html/test_helper/ruby_expr.rb

@@ -0,0 +1,89 @@
+require 'ripper'
+require 'pp'
+
+module BetterHtml
+  module TestHelper
+    class RubyExpr
+      attr_reader :calls
+
+      BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+      class ParseError < RuntimeError; end
+
+      class MethodCall
+        attr_accessor :instance, :method, :arguments
+      end
+
+      def initialize(code: nil, tree: nil)
+        if code
+          code = code.gsub(BLOCK_EXPR, '')
+          tree = Ripper.sexp(code)
+          raise ParseError, "cannot parse code" unless tree && tree.last.first.is_a?(Array)
+          @tree = tree.last.first
+        else
+          @tree = tree
+        end
+        @calls = []
+        parse!
+      end
+
+      private
+
+      def parse!
+        parse_expr(@tree)
+      end
+
+      def parse_expr(expr)
+        case expr.first
+        when :var_ref
+          parse_expr(expr[1])
+        when :paren
+          parse_expr(expr[1].first)
+        when :string_literal
+          parse_expr(expr[1])
+        when :string_content
+          expr[1..-1].each do |subexpr|
+            parse_expr(subexpr)
+          end
+        when :string_embexpr
+          expr[1].each do |subexpr|
+            parse_expr(subexpr)
+          end
+        when :assign, :massign
+          parse_expr(expr[2])
+        when :call
+          @calls << obj = MethodCall.new
+          obj.instance = expr[1]
+          obj.method = parse_expr(expr[3])
+          obj
+        when :fcall, :vcall
+          @calls << obj = MethodCall.new
+          obj.method = parse_expr(expr[1])
+          obj
+        when :method_add_arg
+          # foo(bar) -> foo=expr[1], bar=expr[2]
+          obj = parse_expr(expr[1])
+          obj.arguments = parse_expr(expr[2])
+          obj
+        when :command
+          # foo bar -> foo=expr[1], bar=expr[2]
+          @calls << obj = MethodCall.new
+          obj.method = parse_expr(expr[1])
+          obj.arguments = parse_expr(expr[2])
+          obj
+        when :arg_paren
+          parse_expr(expr[1]) unless expr[1].nil?
+        when :if_mod, :unless_mod
+          # foo if bar -> bar=expr[1], foo=expr[2]
+          parse_expr(expr[2])
+        when :ifop
+          # foo ? bar : baz -> foo=expr[1], bar=expr[2], baz=expr[3]
+          parse_expr(expr[2])
+          parse_expr(expr[3])
+        else
+          expr[1]
+        end
+      end
+    end
+  end
+end

data/lib/better_html/test_helper/safe_erb_tester.rb

@@ -0,0 +1,202 @@
+require 'better_html/test_helper/ruby_expr'
+require_relative 'safety_tester_base'
+
+module BetterHtml
+  module TestHelper
+    module SafeErbTester
+      include SafetyTesterBase
+
+      SAFETY_TIPS = <<-EOF
+-----------
+
+The javascript snippets listed above do not appear to be escaped properly
+in a javascript context. Here are some tips:
+
+Never use html_safe inside a html tag, since it is _never_ safe:
+  <a href="<%= value.html_safe %>">
+                    ^^^^^^^^^^
+
+Always use .to_json for html attributes which contain javascript, like 'onclick',
+or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+  <div onclick="<%= value.to_json %>">
+                         ^^^^^^^^
+
+Always use raw and to_json together within <script> tags:
+  <script type="text/javascript">
+    var yourValue = <%= raw value.to_json %>;
+  </script>             ^^^      ^^^^^^^^
+
+-----------
+EOF
+
+      def assert_erb_safety(data, **options)
+        tester = Tester.new(data, **options)
+
+        message = ""
+        tester.errors.each do |error|
+          message << format_safety_error(data, error)
+        end
+
+        message << SAFETY_TIPS
+
+        assert_predicate tester.errors, :empty?, message
+      end
+
+      private
+
+      class Tester
+        attr_reader :errors
+
+        VALID_JAVASCRIPT_TAG_TYPES = ['text/javascript', 'text/template', 'text/html']
+
+        def initialize(data, **options)
+          @data = data
+          @errors = Errors.new
+          @options = options.present? ? options.dup : {}
+          @options[:template_language] ||= :html
+          @nodes = BetterHtml::NodeIterator.new(data, @options.slice(:template_language))
+          validate!
+        end
+
+        def add_error(token, message)
+          @errors.add(SafetyTesterBase::SafetyError.new(token, message))
+        end
+
+        def validate!
+          @nodes.each_with_index do |node, index|
+            case node
+            when BetterHtml::NodeIterator::Element
+              validate_element(node)
+
+              if node.name == 'script'
+                next_node = @nodes[index + 1]
+                if next_node.is_a?(BetterHtml::NodeIterator::ContentNode) && !node.closing?
+                  if javascript_tag_type?(node, "text/javascript")
+                    validate_script_tag_content(next_node)
+                  end
+                  validate_no_statements(next_node) unless javascript_tag_type?(node, "text/html")
+                end
+
+                validate_javascript_tag_type(node) unless node.closing?
+              end
+            when BetterHtml::NodeIterator::Text
+              if @nodes.template_language == :javascript
+                validate_script_tag_content(node)
+                validate_no_statements(node)
+              else
+                validate_no_javascript_tag(node)
+              end
+            when BetterHtml::NodeIterator::CData, BetterHtml::NodeIterator::Comment
+              validate_no_statements(node)
+            end
+          end
+        end
+
+        def javascript_tag_type?(element, which)
+          typeattr = element['type']
+          value = typeattr&.unescaped_value || "text/javascript"
+          value == which
+        end
+
+        def validate_javascript_tag_type(element)
+          typeattr = element['type']
+          return if typeattr.nil?
+          if !VALID_JAVASCRIPT_TAG_TYPES.include?(typeattr.unescaped_value)
+            add_error(typeattr.value_parts.first, "#{typeattr.value} is not a valid type, valid types are #{VALID_JAVASCRIPT_TAG_TYPES.join(', ')}")
+          end
+        end
+
+        def validate_element(element)
+          element.attributes.each do |attr_token|
+            attr_token.value_parts.each do |value_token|
+              case value_token.type
+              when :expr_literal
+                validate_tag_expression(element, attr_token.name, value_token)
+              when :expr_escaped
+                add_error(value_token, "erb interpolation with '<%==' inside html attribute is never safe")
+              end
+            end
+          end
+        end
+
+        def validate_tag_expression(node, attr_name, value_token)
+          expr = RubyExpr.new(code: value_token.code)
+
+          if javascript_attribute_name?(attr_name) && expr.calls.empty?
+            add_error(value_token, "erb interpolation in javascript attribute must call '(...).to_json'")
+            return
+          end
+
+          expr.calls.each do |call|
+            if call.method == 'raw'
+              add_error(value_token, "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe")
+            elsif call.method == 'html_safe'
+              add_error(value_token, "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe")
+            elsif javascript_attribute_name?(attr_name) && !javascript_safe_method?(call.method)
+              add_error(value_token, "erb interpolation in javascript attribute must call '(...).to_json'")
+            end
+          end
+        end
+
+        def javascript_attribute_name?(name)
+          BetterHtml.config.javascript_attribute_names.any?{ |other| other === name }
+        end
+
+        def javascript_safe_method?(name)
+          BetterHtml.config.javascript_safe_methods.include?(name)
+        end
+
+        def validate_script_tag_content(node)
+          node.content_parts.each do |token|
+            case token.type
+            when :expr_literal, :expr_escaped
+              expr = RubyExpr.new(code: token.code)
+              if expr.calls.empty?
+                add_error(token, "erb interpolation in javascript tag must call '(...).to_json'")
+              else
+                validate_script_expression(node, token, expr)
+              end
+            end
+          end
+        end
+
+        def validate_script_expression(node, token, expr)
+          expr.calls.each do |call|
+            if call.method == 'raw'
+              arguments_expr = RubyExpr.new(tree: call.arguments)
+              validate_script_expression(node, token, arguments_expr)
+            elsif call.method == 'html_safe'
+              instance_expr = RubyExpr.new(tree: call.instance)
+              validate_script_expression(node, token, instance_expr)
+            elsif !javascript_safe_method?(call.method)
+              add_error(token, "erb interpolation in javascript tag must call '(...).to_json'")
+            end
+          end
+        end
+
+        def validate_no_statements(node)
+          node.content_parts.each do |token|
+            if token.type == :stmt && !(/\A\s*end/m === token.code)
+              add_error(token, "erb statement not allowed here; did you mean '<%=' ?")
+            end
+          end
+        end
+
+        def validate_no_javascript_tag(node)
+          node.content_parts.each do |token|
+            if [:stmt, :expr_literal, :expr_escaped].include?(token.type)
+              expr = begin
+                RubyExpr.new(code: token.code)
+              rescue RubyExpr::ParseError
+                next
+              end
+              if expr.calls.size == 1 && expr.calls.first.method == 'javascript_tag'
+                add_error(token, "'javascript_tag do' syntax is deprecated; use inline <script> instead")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/better_html/test_helper/safe_lodash_tester.rb

@@ -0,0 +1,121 @@
+require_relative 'safety_tester_base'
+
+module BetterHtml
+  module TestHelper
+    module SafeLodashTester
+      include SafetyTesterBase
+
+      SAFETY_TIPS = <<-EOF
+-----------
+
+The javascript snippets listed above do not appear to be escaped properly
+in their context. Here are some tips:
+
+Always use lodash's escape syntax inside a html tag:
+  <a href="[%= value %]">
+           ^^^^
+
+Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
+or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+  <div onclick="[%= JSON.stringify(value) %]">
+                    ^^^^^^^^^^^^^^
+
+Never use <script> tags inside lodash template.
+  <script type="text/javascript">
+  ^^^^^^^
+
+-----------
+EOF
+
+      def assert_lodash_safety(data)
+        tester = Tester.new(data)
+
+        message = ""
+        tester.errors.each do |error|
+          message << format_safety_error(data, error)
+        end
+
+        message << SAFETY_TIPS
+
+        assert_predicate tester.errors, :empty?, message
+      end
+
+      private
+
+      class Tester
+        attr_reader :errors
+
+        def initialize(data)
+          @data = data
+          @errors = Errors.new
+          @nodes = BetterHtml::NodeIterator.new(data, template_language: :lodash)
+          validate!
+        end
+
+        def add_error(token, message)
+          @errors.add(SafetyTesterBase::SafetyError.new(token, message))
+        end
+
+        def validate!
+          @nodes.each_with_index do |node, index|
+            case node
+            when BetterHtml::NodeIterator::Element
+              validate_element(node)
+
+              if node.name == 'script' && !node.closing?
+                add_error(node.name_parts.first,
+                  "No script tags allowed nested in lodash templates")
+              end
+            when BetterHtml::NodeIterator::CData, BetterHtml::NodeIterator::Comment
+              validate_no_statements(node)
+            end
+          end
+        end
+
+        def validate_element(element)
+          element.attributes.each do |attribute|
+            attribute.name_parts.each do |token|
+              add_no_statement_error(attribute, token) if token.type == :stmt
+            end
+
+            attribute.value_parts.each do |token|
+              case token.type
+              when :stmt
+                add_no_statement_error(attribute, token)
+              when :expr_literal
+                validate_tag_expression(element, attribute.name, token)
+              when :expr_escaped
+                add_error(token, "lodash interpolation with '[%!' inside html attribute is never safe")
+              end
+            end
+          end
+        end
+
+        def validate_tag_expression(node, attr_name, value_token)
+          if javascript_attribute_name?(attr_name) && !lodash_safe_javascript_expression?(value_token.code.strip)
+            add_error(value_token, "lodash interpolation in javascript attribute "\
+              "`#{attr_name}` must call `JSON.stringify(#{value_token.code.strip})`")
+          end
+        end
+
+        def javascript_attribute_name?(name)
+          BetterHtml.config.javascript_attribute_names.any?{ |other| other === name }
+        end
+
+        def lodash_safe_javascript_expression?(code)
+          BetterHtml.config.lodash_safe_javascript_expression.any?{ |other| other === code }
+        end
+
+        def validate_no_statements(node)
+          node.content_parts.each do |token|
+            add_no_statement_error(node, token) if token.type == :stmt
+          end
+        end
+
+        def add_no_statement_error(node, token)
+          add_error(token, "javascript statement not allowed here; did you mean '[%=' ?")
+        end
+      end
+    end
+  end
+end