better_html 1.0.16 → 2.0.0

data/lib/better_html/test_helper/safe_erb/script_interpolation.rb

@@ -1,5 +1,7 @@
-require_relative 'base'
-require 'better_html/test_helper/ruby_node'
+# frozen_string_literal: true
+
+require_relative "base"
+require "better_html/test_helper/ruby_node"
 
 module BetterHtml
   module TestHelper
@@ -7,7 +9,7 @@ module BetterHtml
       class ScriptInterpolation < Base
         def validate
           script_tags.each do |tag, content_node|
-            if content_node.present? && (tag.attributes['type']&.value || "text/javascript") == "text/javascript"
+            if content_node.present? && (tag.attributes["type"]&.value || "text/javascript") == "text/javascript"
               validate_script(content_node)
             end
           end
@@ -24,8 +26,10 @@ module BetterHtml
         def validate_script(node)
           erb_nodes(node).each do |erb_node, indicator_node, code_node|
             next unless indicator_node.present?
+
             indicator = indicator_node.loc.source
-            next if indicator == '#' || indicator == '%'
+            next if indicator == "#" || indicator == "%"
+
             source = code_node.loc.source
 
             ruby_node = begin
@@ -34,6 +38,7 @@ module BetterHtml
               nil
             end
             next unless ruby_node
+
             validate_script_interpolation(erb_node, ruby_node)
           end
         end

data/lib/better_html/test_helper/safe_erb/tag_interpolation.rb

@@ -1,15 +1,14 @@
-require_relative 'base'
-require 'better_html/test_helper/ruby_node'
+# frozen_string_literal: true
+
+require_relative "base"
+require "better_html/test_helper/ruby_node"
 
 module BetterHtml
   module TestHelper
     module SafeErb
       class TagInterpolation < Base
-
-        NO_HTML_TAGS = %w(
-          title textarea script
-          style xmp iframe noembed noframes listing plaintext
-        )
+        NO_HTML_TAGS = ["title", "textarea", "script", "style", "xmp", "iframe", "noembed", "noframes", "listing",
+                        "plaintext",]
 
         def validate
           @parser.nodes_with_type(:tag).each do |tag_node|
@@ -43,7 +42,7 @@ module BetterHtml
             indicator = indicator_node.loc.source
             source = code_node.loc.source
 
-            if indicator == '='
+            if indicator == "="
               ruby_node = begin
                 RubyNode.parse(source)
               rescue ::Parser::SyntaxError
@@ -55,7 +54,7 @@ module BetterHtml
                   handle_missing_safe_wrapper(code_node, ruby_node, attribute.name)
                 end
               end
-            elsif indicator == '=='
+            elsif indicator == "=="
               add_error(
                 "erb interpolation with '<%==' inside html attribute is never safe",
                 location: erb_node.loc
@@ -65,9 +64,10 @@ module BetterHtml
         end
 
         def validate_text_node(text_node)
-          erb_nodes(text_node).each do |erb_node, indicator_node, code_node|
+          erb_nodes(text_node).each do |_erb_node, indicator_node, code_node|
             indicator = indicator_node&.loc&.source
-            next if indicator == '#' || indicator == '%'
+            next if indicator == "#" || indicator == "%"
+
             source = code_node.loc.source
 
             ruby_node = begin
@@ -76,6 +76,7 @@ module BetterHtml
               nil
             end
             next unless ruby_node
+
             no_unsafe_calls(code_node, ruby_node)
             validate_ruby_helper(code_node, ruby_node)
           end
@@ -93,12 +94,13 @@ module BetterHtml
 
         def validate_ruby_helper_hash_entry(parent_node, ruby_node, key_prefix, key_node, value_node)
           return unless [:sym, :str].include?(key_node.type)
-          key = [key_prefix, key_node.children.first.to_s].compact.join('-').dasherize
+
+          key = [key_prefix, key_node.children.first.to_s].compact.join("-").dasherize
           case value_node.type
           when :dstr
             validate_ruby_helper_hash_value(parent_node, ruby_node, key, value_node)
           when :hash
-            if key == 'data'
+            if key == "data"
               value_node.child_nodes.select(&:pair?).each do |pair_node|
                 validate_ruby_helper_hash_entry(parent_node, ruby_node, key, *pair_node.children)
               end
@@ -114,6 +116,7 @@ module BetterHtml
 
         def handle_missing_safe_wrapper(parent_node, ruby_node, attr_name)
           return unless @config.javascript_attribute_name?(attr_name)
+
           method_calls = ruby_node.return_values.select(&:method_call?)
           unsafe_calls = method_calls.select { |node| !@config.javascript_safe_method?(node.method_name) }
           if method_calls.empty?
@@ -140,13 +143,13 @@ module BetterHtml
           ruby_node.return_values.each do |call_node|
             next if call_node.static_return_value?
 
-            if @config.javascript_attribute_name?(attr_name) &&
-                  !@config.javascript_safe_method?(call_node.method_name)
-              add_error(
-                "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'",
-                location: nested_location(parent_node, ruby_node)
-              )
-            end
+            next unless @config.javascript_attribute_name?(attr_name) &&
+              !@config.javascript_safe_method?(call_node.method_name)
+
+            add_error(
+              "erb interpolation in javascript attribute must be wrapped in safe helper such as '(...).to_json'",
+              location: nested_location(parent_node, ruby_node)
+            )
           end
         end
 

data/lib/better_html/test_helper/safe_erb_tester.rb

@@ -1,43 +1,45 @@
-require 'better_html/parser'
-require 'better_html/test_helper/safety_error'
-require 'better_html/test_helper/safe_erb/base'
-require 'better_html/test_helper/safe_erb/no_statements'
-require 'better_html/test_helper/safe_erb/allowed_script_type'
-require 'better_html/test_helper/safe_erb/no_javascript_tag_helper'
-require 'better_html/test_helper/safe_erb/tag_interpolation'
-require 'better_html/test_helper/safe_erb/script_interpolation'
-require 'better_html/tree/tag'
+# frozen_string_literal: true
+
+require "better_html/parser"
+require "better_html/test_helper/safety_error"
+require "better_html/test_helper/safe_erb/base"
+require "better_html/test_helper/safe_erb/no_statements"
+require "better_html/test_helper/safe_erb/allowed_script_type"
+require "better_html/test_helper/safe_erb/no_javascript_tag_helper"
+require "better_html/test_helper/safe_erb/tag_interpolation"
+require "better_html/test_helper/safe_erb/script_interpolation"
+require "better_html/tree/tag"
 
 module BetterHtml
   module TestHelper
     module SafeErbTester
-      SAFETY_TIPS = <<-EOF
------------
+      SAFETY_TIPS = <<~EOF
+        -----------
 
-The javascript snippets listed above do not appear to be escaped properly
-in a javascript context. Here are some tips:
+        The javascript snippets listed above do not appear to be escaped properly
+        in a javascript context. Here are some tips:
 
-Never use html_safe inside a html tag, since it is _never_ safe:
-  <a href="<%= value.html_safe %>">
-                    ^^^^^^^^^^
+        Never use html_safe inside a html tag, since it is _never_ safe:
+          <a href="<%= value.html_safe %>">
+                            ^^^^^^^^^^
 
-Always use .to_json for html attributes which contain javascript, like 'onclick',
-or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
-  <div onclick="<%= value.to_json %>">
-                         ^^^^^^^^
+        Always use .to_json for html attributes which contain javascript, like 'onclick',
+        or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+          <div onclick="<%= value.to_json %>">
+                                 ^^^^^^^^
 
-Always use raw and to_json together within <script> tags:
-  <script type="text/javascript">
-    var yourValue = <%= raw value.to_json %>;
-  </script>             ^^^      ^^^^^^^^
+        Always use raw and to_json together within <script> tags:
+          <script type="text/javascript">
+            var yourValue = <%= raw value.to_json %>;
+          </script>             ^^^      ^^^^^^^^
 
------------
-EOF
+        -----------
+      EOF
 
       def assert_erb_safety(data, **options)
         options = options.present? ? options.dup : {}
         options[:template_language] ||= :html
-        buffer = ::Parser::Source::Buffer.new(options[:filename] || '(buffer)')
+        buffer = ::Parser::Source::Buffer.new(options[:filename] || "(buffer)")
         buffer.source = data
         parser = BetterHtml::Parser.new(buffer, **options)
 
@@ -59,14 +61,14 @@ EOF
 
         messages = errors.map do |error|
           <<~EOL
-          In #{buffer.name}:#{error.location.line}
-          #{error.message}
-          #{error.location.line_source_with_underline}\n
+            In #{buffer.name}:#{error.location.line}
+            #{error.message}
+            #{error.location.line_source_with_underline}\n
           EOL
         end
         messages << SAFETY_TIPS
 
-        assert_predicate errors, :empty?, messages.join
+        assert_predicate(errors, :empty?, messages.join)
       end
     end
   end

data/lib/better_html/test_helper/safe_lodash_tester.rb

@@ -1,35 +1,37 @@
-require 'better_html/test_helper/safety_error'
-require 'better_html/ast/iterator'
-require 'better_html/tree/tag'
-require 'better_html/parser'
+# frozen_string_literal: true
+
+require "better_html/test_helper/safety_error"
+require "better_html/ast/iterator"
+require "better_html/tree/tag"
+require "better_html/parser"
 
 module BetterHtml
   module TestHelper
     module SafeLodashTester
-      SAFETY_TIPS = <<-EOF
------------
+      SAFETY_TIPS = <<~EOF
+        -----------
 
-The javascript snippets listed above do not appear to be escaped properly
-in their context. Here are some tips:
+        The javascript snippets listed above do not appear to be escaped properly
+        in their context. Here are some tips:
 
-Always use lodash's escape syntax inside a html tag:
-  <a href="[%= value %]">
-           ^^^^
+        Always use lodash's escape syntax inside a html tag:
+          <a href="[%= value %]">
+                   ^^^^
 
-Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
-or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
-  <div onclick="[%= JSON.stringify(value) %]">
-                    ^^^^^^^^^^^^^^
+        Always use JSON.stringify() for html attributes which contain javascript, like 'onclick',
+        or twine attributes like 'data-define', 'data-context', 'data-eval', 'data-bind', etc:
+          <div onclick="[%= JSON.stringify(value) %]">
+                            ^^^^^^^^^^^^^^
 
-Never use <script> tags inside lodash template.
-  <script type="text/javascript">
-  ^^^^^^^
+        Never use <script> tags inside lodash template.
+          <script type="text/javascript">
+          ^^^^^^^
 
------------
-EOF
+        -----------
+      EOF
 
       def assert_lodash_safety(data, **options)
-        buffer = ::Parser::Source::Buffer.new(options[:filename] || '(buffer)')
+        buffer = ::Parser::Source::Buffer.new(options[:filename] || "(buffer)")
         buffer.source = data
         tester = Tester.new(buffer, **options)
 
@@ -44,11 +46,9 @@ EOF
 
         message << SAFETY_TIPS
 
-        assert_predicate tester.errors, :empty?, message
+        assert_predicate(tester.errors, :empty?, message)
       end
 
-      private
-
       class Tester
         attr_reader :errors
 
@@ -70,12 +70,12 @@ EOF
             validate_tag_attributes(tag)
             validate_no_statements(tag_node)
 
-            if tag.name == 'script' && !tag.closing?
-              add_error(
-                "No script tags allowed nested in lodash templates",
-                location: tag_node.loc
-              )
-            end
+            next unless tag.name == "script" && !tag.closing?
+
+            add_error(
+              "No script tags allowed nested in lodash templates",
+              location: tag_node.loc
+            )
           end
 
           @parser.nodes_with_type(:cdata, :comment).each do |node|
@@ -86,6 +86,7 @@ EOF
         def lodash_nodes(node)
           Enumerator.new do |yielder|
             next if node.nil?
+
             node.descendants(:lodash).each do |lodash_node|
               indicator_node, code_node = *lodash_node
               yielder.yield(lodash_node, indicator_node, code_node)
@@ -95,12 +96,12 @@ EOF
 
         def validate_tag_attributes(tag)
           tag.attributes.each do |attribute|
-            lodash_nodes(attribute.value_node).each do |lodash_node, indicator_node, code_node|
+            lodash_nodes(attribute.value_node).each do |lodash_node, indicator_node, _code_node|
               next if indicator_node.nil?
 
-              if indicator_node.loc.source == '='
+              if indicator_node.loc.source == "="
                 validate_tag_expression(attribute, lodash_node)
-              elsif indicator_node.loc.source == '!'
+              elsif indicator_node.loc.source == "!"
                 add_error(
                   "lodash interpolation with '[%!' inside html attribute is never safe",
                   location: lodash_node.loc
@@ -116,14 +117,14 @@ EOF
           if @config.javascript_attribute_name?(attribute.name) && !@config.lodash_safe_javascript_expression?(source)
             add_error(
               "lodash interpolation in javascript attribute "\
-              "`#{attribute.name}` must call `JSON.stringify(#{source})`",
+                "`#{attribute.name}` must call `JSON.stringify(#{source})`",
               location: lodash_node.loc
             )
           end
         end
 
         def validate_no_statements(node)
-          lodash_nodes(node).each do |lodash_node, indicator_node, code_node|
+          lodash_nodes(node).each do |lodash_node, indicator_node, _code_node|
             add_no_statement_error(lodash_node.loc) if indicator_node.nil?
           end
         end

data/lib/better_html/test_helper/safety_error.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module BetterHtml
   module TestHelper
     class SafetyError < InterpolatorError

data/lib/better_html/tokenizer/base_erb.rb

@@ -1,7 +1,9 @@
-require 'erubi'
-require_relative 'token'
-require_relative 'location'
-require 'parser/source/buffer'
+# frozen_string_literal: true
+
+require "erubi"
+require_relative "token"
+require_relative "location"
+require "parser/source/buffer"
 
 module BetterHtml
   module Tokenizer
@@ -14,7 +16,9 @@ module BetterHtml
       attr_reader :current_position
 
       def initialize(buffer)
-        raise ArgumentError, 'first argument must be Parser::Source::Buffer' unless buffer.is_a?(::Parser::Source::Buffer)
+        raise ArgumentError,
+          "first argument must be Parser::Source::Buffer" unless buffer.is_a?(::Parser::Source::Buffer)
+
         @buffer = buffer
         @tokens = []
         @current_position = 0
@@ -28,13 +32,13 @@ module BetterHtml
       end
 
       def add_code(code)
-        if code[0] == '%'
-          add_erb_tokens(nil, '%', code[1..-1], nil)
+        if code[0] == "%"
+          add_erb_tokens(nil, "%", code[1..-1], nil)
           append("<%#{code}%>")
         else
           _, ltrim_or_comment, code, rtrim = *STMT_TRIM_MATCHER.match(code)
-          ltrim = ltrim_or_comment if ltrim_or_comment == '-'
-          indicator = ltrim_or_comment if ltrim_or_comment == '#'
+          ltrim = ltrim_or_comment if ltrim_or_comment == "-"
+          indicator = ltrim_or_comment if ltrim_or_comment == "#"
           add_erb_tokens(ltrim, indicator, code, rtrim)
           append("<%#{ltrim}#{indicator}#{code}#{rtrim}%>")
         end
@@ -66,7 +70,7 @@ module BetterHtml
         pos += code.length
 
         if rtrim
-          token = add_token(:trim, pos, pos + rtrim.length)
+          add_token(:trim, pos, pos + rtrim.length)
           pos += rtrim.length
         end
 

data/lib/better_html/tokenizer/html_erb.rb

@@ -1,5 +1,6 @@
-require 'html_tokenizer'
-require_relative 'base_erb'
+# frozen_string_literal: true
+
+require_relative "base_erb"
 
 module BetterHtml
   module Tokenizer

data/lib/better_html/tokenizer/html_lodash.rb

@@ -1,7 +1,8 @@
-require 'active_support'
-require 'html_tokenizer'
-require_relative 'token'
-require_relative 'location'
+# frozen_string_literal: true
+
+require "active_support"
+require_relative "token"
+require_relative "location"
 
 module BetterHtml
   module Tokenizer
@@ -10,9 +11,9 @@ module BetterHtml
       attr_reader :parser
 
       cattr_accessor :lodash_escape, :lodash_evaluate, :lodash_interpolate
-      self.lodash_escape = %r{(?:\[\%)=(.+?)(?:\%\])}m
-      self.lodash_evaluate = %r{(?:\[\%)(.+?)(?:\%\])}m
-      self.lodash_interpolate = %r{(?:\[\%)!(.+?)(?:\%\])}m
+      self.lodash_escape = /(?:\[\%)=(.+?)(?:\%\])/m
+      self.lodash_evaluate = /(?:\[\%)(.+?)(?:\%\])/m
+      self.lodash_interpolate = /(?:\[\%)!(.+?)(?:\%\])/m
 
       def initialize(buffer)
         @buffer = buffer
@@ -27,25 +28,32 @@ module BetterHtml
       def scan!
         while @scanner.rest?
           scanned = @scanner.scan_until(scan_pattern)
+
           if scanned.present?
             captures = scan_pattern.match(scanned).captures
-            if pre_match = captures[0]
-              add_text(pre_match) if pre_match.present?
+
+            if (pre_match = captures[0])
+              add_text(pre_match) if pre_match.present? # rubocop:disable Metrics/BlockNesting
             end
+
             match = captures[1]
-            if code = lodash_escape.match(match)
+
+            if (code = lodash_escape.match(match))
               add_lodash_tokens("=", code.captures[0])
-            elsif code = lodash_interpolate.match(match)
+            elsif (code = lodash_interpolate.match(match))
               add_lodash_tokens("!", code.captures[0])
-            elsif code = lodash_evaluate.match(match)
+            elsif (code = lodash_evaluate.match(match))
               add_lodash_tokens(nil, code.captures[0])
             else
-              raise RuntimeError, 'unexpected match'
+              raise "unexpected match"
             end
+
             @parser.append_placeholder(match)
           else
             text = @buffer.source[(@scanner.pos)..(@buffer.source.size)]
+
             add_text(text) unless text.blank?
+
             break
           end
         end
@@ -56,7 +64,7 @@ module BetterHtml
           patterns = [
             lodash_escape,
             lodash_interpolate,
-            lodash_evaluate
+            lodash_evaluate,
           ].map(&:source).join("|")
           Regexp.new("(?<pre_patch>.*?)(?<match>" + patterns + ")", Regexp::MULTILINE)
         end

data/lib/better_html/tokenizer/javascript_erb.rb

@@ -1,4 +1,6 @@
-require_relative 'base_erb'
+# frozen_string_literal: true
+
+require_relative "base_erb"
 
 module BetterHtml
   module Tokenizer

data/lib/better_html/tokenizer/location.rb

@@ -1,13 +1,24 @@
-require 'parser/source/buffer'
-require 'parser/source/range'
+# frozen_string_literal: true
+
+require "parser/source/buffer"
+require "parser/source/range"
 
 module BetterHtml
   module Tokenizer
     class Location < ::Parser::Source::Range
       def initialize(buffer, begin_pos, end_pos)
-        raise ArgumentError, 'first argument must be Parser::Source::Buffer' unless buffer.is_a?(::Parser::Source::Buffer)
-        raise ArgumentError, "begin_pos location #{begin_pos} is out of range for document of size #{buffer.source.size}" if begin_pos > buffer.source.size
-        raise ArgumentError, "end_pos location #{end_pos} is out of range for document of size #{buffer.source.size}" if (end_pos - 1) > buffer.source.size
+        raise ArgumentError,
+          "first argument must be Parser::Source::Buffer" unless buffer.is_a?(::Parser::Source::Buffer)
+
+        if begin_pos > buffer.source.size
+          raise ArgumentError,
+            "begin_pos location #{begin_pos} is out of range for document of size #{buffer.source.size}"
+        end
+
+        if (end_pos - 1) > buffer.source.size
+          raise ArgumentError,
+            "end_pos location #{end_pos} is out of range for document of size #{buffer.source.size}"
+        end
 
         super(buffer, begin_pos, end_pos)
       end
@@ -29,7 +40,7 @@ module BetterHtml
         spaces = source_line.scan(/\A\s*/).first
         column_without_spaces = [column - spaces.length, 0].max
         underscore_length = [[end_pos - begin_pos, source_line.length - column_without_spaces].min, 1].max
-        "#{source_line.gsub(/\A\s*/, '')}\n#{' ' * column_without_spaces}#{'^' * underscore_length}"
+        "#{source_line.gsub(/\A\s*/, "")}\n#{" " * column_without_spaces}#{"^" * underscore_length}"
       end
 
       def with(begin_pos: @begin_pos, end_pos: @end_pos)

data/lib/better_html/tokenizer/token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module BetterHtml
   module Tokenizer
     class Token

data/lib/better_html/tokenizer/token_array.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module BetterHtml
   module Tokenizer
     class TokenArray
@@ -8,26 +10,24 @@ module BetterHtml
       end
 
       def shift
-        raise RuntimeError, 'no tokens left to shift' if empty?
+        raise "no tokens left to shift" if empty?
+
         item = @list[@current]
         @current += 1
         item
       end
 
       def pop
-        raise RuntimeError, 'no tokens left to pop' if empty?
+        raise "no tokens left to pop" if empty?
+
         item = @list[@last - 1]
         @last -= 1
         item
       end
 
       def trim(type)
-        while current&.type == type
-          shift
-        end
-        while last&.type == type
-          pop
-        end
+        shift while current&.type == type
+        pop while last&.type == type
       end
 
       def empty?

data/lib/better_html/tree/attribute.rb

@@ -1,19 +1,23 @@
-require 'ast'
+# frozen_string_literal: true
+
+require "ast"
 
 module BetterHtml
   module Tree
     class Attribute
       attr_reader :node, :name_node, :equal_node, :value_node
 
+      class << self
+        def from_node(node)
+          new(node)
+        end
+      end
+
       def initialize(node)
         @node = node
         @name_node, @equal_node, @value_node = *node if @node.type == :attribute
       end
 
-      def self.from_node(node)
-        new(node)
-      end
-
       def erb?
         @node.type == :erb
       end
@@ -27,7 +31,7 @@ module BetterHtml
       end
 
       def value
-        parts = value_node.to_a.reject{ |node| node.is_a?(::AST::Node) && node.type == :quote }
+        parts = value_node.to_a.reject { |node| node.is_a?(::AST::Node) && node.type == :quote }
         parts.map { |s| s.is_a?(::AST::Node) ? s.loc.source : CGI.unescapeHTML(s) }.join
       end
     end

data/lib/better_html/tree/attributes_list.rb

@@ -1,14 +1,18 @@
-require 'better_html/tree/attribute'
+# frozen_string_literal: true
+
+require "better_html/tree/attribute"
 
 module BetterHtml
   module Tree
     class AttributesList
-      def initialize(list)
-        @list = list || []
+      class << self
+        def from_nodes(nodes)
+          new(nodes&.map { |node| Tree::Attribute.from_node(node) })
+        end
       end
 
-      def self.from_nodes(nodes)
-        new(nodes&.map { |node| Tree::Attribute.from_node(node) })
+      def initialize(list)
+        @list = list || []
       end
 
       def [](name)