better_html 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ec252f7eed899fcb25b28c2bd6de281b0763163b
+  data.tar.gz: 19f784180d9754171e1c0efa5c129ea30f5f00de
+SHA512:
+  metadata.gz: cfbac115849137341db904e89c6bade3008d95e85a73eda51e4db11aa338384050cb81bb3bf0828528c704dd01469dcd02a071ca8e06e8e0e7138b098ac558ea
+  data.tar.gz: 47181e232f471e71de3699fd9a325268d6deafae7a01ae831221d5dcb952f9ab1deea8a04f6a8147b62a566a820762f3abccad4f555f5cf5d982741a1cb1814c

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2016 Francois Chagnon
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,30 @@
+begin
+  require 'bundler/setup'
+  require "bundler/gem_tasks"
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'BetterHtml'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/lib/better_html.rb

@@ -0,0 +1,53 @@
+require 'active_support/core_ext/hash/keys'
+
+module BetterHtml
+  class Config
+    # regex to validate "foo" in "<foo>"
+    cattr_accessor :partial_tag_name_pattern
+    self.partial_tag_name_pattern = /\A[a-z0-9\-\:]+\z/
+
+    # regex to validate "bar" in "<foo bar=1>"
+    cattr_accessor :partial_attribute_name_pattern
+    self.partial_attribute_name_pattern = /\A[a-zA-Z0-9\-\:]+\z/
+
+    # true if "<foo bar='1'>" is valid syntax
+    cattr_accessor :allow_single_quoted_attributes
+    self.allow_single_quoted_attributes = false
+
+    # true if "<foo bar=1>" is valid syntax
+    cattr_accessor :allow_unquoted_attributes
+    self.allow_unquoted_attributes = false
+
+    # all methods that return "javascript-safe" strings
+    cattr_accessor :javascript_safe_methods
+    self.javascript_safe_methods = ['to_json']
+
+    # name of all html attributes that may contain javascript
+    cattr_accessor :javascript_attribute_names
+    self.javascript_attribute_names = [/\Aon/i]
+
+    cattr_accessor :template_exclusion_filter_block
+
+    def self.template_exclusion_filter(&block)
+      self.template_exclusion_filter_block = block
+    end
+
+    cattr_accessor :lodash_safe_javascript_expression
+    self.lodash_safe_javascript_expression = [/\AJSON\.stringify\(/]
+  end
+
+  def self.config
+    @config ||= Config.new
+    yield @config if block_given?
+    @config
+  end
+end
+
+require 'better_html/version'
+require 'better_html/helpers'
+require 'better_html/errors'
+require 'better_html/html_attributes'
+require 'better_html/node_iterator'
+require 'better_html/tree'
+
+require 'better_html/railtie' if defined?(Rails)

data/lib/better_html/better_erb.rb

@@ -0,0 +1,68 @@
+require 'action_view'
+if ActionView.version < Gem::Version.new("5.1")
+require 'better_html/better_erb/erubis_implementation'
+else
+require 'better_html/better_erb/erubi_implementation'
+end
+require 'better_html/better_erb/validated_output_buffer'
+
+
+class BetterHtml::BetterErb
+  cattr_accessor :content_types
+  if ActionView.version < Gem::Version.new("5.1")
+    self.content_types = {
+      'html.erb' => BetterHtml::BetterErb::ErubisImplementation
+    }
+  else
+    self.content_types = {
+      'html.erb' => BetterHtml::BetterErb::ErubiImplementation
+    }
+  end
+
+  def self.prepend!
+    ActionView::Template::Handlers::ERB.prepend(ConditionalImplementation)
+  end
+
+  private
+
+  module ConditionalImplementation
+
+    def call(template)
+      generate(template)
+    end
+
+    private
+
+    def generate(template)
+      # First, convert to BINARY, so in case the encoding is
+      # wrong, we can still find an encoding tag
+      # (<%# encoding %>) inside the String using a regular
+      # expression
+
+      filename = template.identifier.split("/").last
+      exts = filename.split(".")
+      exts = exts[1..exts.length].join(".")
+      template_source = template.source.dup.force_encoding(Encoding::ASCII_8BIT)
+
+      erb = template_source.gsub(ActionView::Template::Handlers::ERB::ENCODING_TAG, '')
+      encoding = $2
+
+      erb.force_encoding valid_encoding(template.source.dup, encoding)
+
+      # Always make sure we return a String in the default_internal
+      erb.encode!
+
+      excluded_template = !!BetterHtml::Config.template_exclusion_filter_block&.call(template.identifier)
+      klass = BetterHtml::BetterErb.content_types[exts] unless excluded_template
+      klass ||= self.class.erb_implementation
+
+      generator = klass.new(
+        erb,
+        :escape => (self.class.escape_whitelist.include? template.type),
+        :trim => (self.class.erb_trim_mode == "-")
+      )
+      generator.validate! if generator.respond_to?(:validate!)
+      generator.src
+    end
+  end
+end

data/lib/better_html/better_erb/erubi_implementation.rb

@@ -0,0 +1,50 @@
+require 'action_view'
+require_relative 'runtime_checks'
+
+class BetterHtml::BetterErb
+  class ErubiImplementation < ActionView::Template::Handlers::ERB::Erubi
+    include RuntimeChecks
+
+    def add_text(text)
+      return if text.empty?
+
+      if text == "\n"
+        @parser.parse("\n")
+        @newline_pending += 1
+      else
+        src << "@output_buffer.safe_append='"
+        src << "\n" * @newline_pending if @newline_pending > 0
+        src << escape_text(text)
+        src << "'.freeze;"
+
+        @parser.parse(text) do |*args|
+          check_token(*args)
+        end
+
+        @newline_pending = 0
+      end
+    end
+
+    def add_expression(indicator, code)
+      if (indicator == "==") || @escape
+        add_expr_auto_escaped(src, code, false)
+      else
+        add_expr_auto_escaped(src, code, true)
+      end
+    end
+
+    def add_code(code)
+      flush_newline_if_pending(src)
+
+      block_check(src, "<%#{code}%>")
+      @parser.append_placeholder(code)
+      super
+    end
+
+    private
+
+    def escape_text(text)
+      text.gsub(/['\\]/, '\\\\\&')
+    end
+  end
+end

data/lib/better_html/better_erb/erubis_implementation.rb

@@ -0,0 +1,44 @@
+require 'action_view'
+require_relative 'runtime_checks'
+
+class BetterHtml::BetterErb
+  class ErubisImplementation < ActionView::Template::Handlers::Erubis
+    include RuntimeChecks
+
+    def add_text(src, text)
+      return if text.empty?
+
+      if text == "\n"
+        @parser.parse("\n")
+        @newline_pending += 1
+      else
+        src << "@output_buffer.safe_append='"
+        src << "\n" * @newline_pending if @newline_pending > 0
+        src << escape_text(text)
+        src << "'.freeze;"
+
+        @parser.parse(text) do |*args|
+          check_token(*args)
+        end
+
+        @newline_pending = 0
+      end
+    end
+
+    def add_expr_literal(src, code)
+      add_expr_auto_escaped(src, code, true)
+    end
+
+    def add_expr_escaped(src, code)
+      add_expr_auto_escaped(src, code, false)
+    end
+
+    def add_stmt(src, code)
+      flush_newline_if_pending(src)
+
+      block_check(src, "<%#{code}%>")
+      @parser.append_placeholder(code)
+      super
+    end
+  end
+end

data/lib/better_html/better_erb/runtime_checks.rb

@@ -0,0 +1,161 @@
+require 'html_tokenizer'
+require 'action_view'
+
+class BetterHtml::BetterErb
+  module RuntimeChecks
+    def initialize(*)
+      @parser = HtmlTokenizer::Parser.new
+      super
+    end
+
+    def validate!
+      check_parser_errors
+
+      unless @parser.context == :none
+        raise BetterHtml::HtmlError, 'Detected an open tag at the end of this document.'
+      end
+    end
+
+    private
+
+    def class_name
+      "BetterHtml::BetterErb::ValidatedOutputBuffer"
+    end
+
+    def wrap_method
+      "#{class_name}.wrap"
+    end
+
+    def add_expr_auto_escaped(src, code, auto_escape)
+      flush_newline_if_pending(src)
+
+      src << "#{wrap_method}(@output_buffer, (#{parser_context.inspect}), '#{escape_text(code)}'.freeze, #{auto_escape})"
+      method_name = "safe_#{@parser.context}_append"
+      if code =~ self.class::BLOCK_EXPR
+        block_check(src, "<%=#{code}%>")
+        src << ".#{method_name}= " << code
+      else
+        src << ".#{method_name}=(" << code << ");"
+      end
+      @parser.append_placeholder("<%=#{code}%>")
+    end
+
+    def parser_context
+      if [:quoted_value, :unquoted_value, :space_after_attribute].include?(@parser.context)
+        {
+          tag_name: @parser.tag_name,
+          attribute_name: @parser.attribute_name,
+          attribute_value: @parser.attribute_value,
+          attribute_quoted: @parser.attribute_quoted?,
+          quote_character: @parser.quote_character,
+        }
+      elsif [:attribute_name, :after_attribute_name, :after_equal].include?(@parser.context)
+        {
+          tag_name: @parser.tag_name,
+          attribute_name: @parser.attribute_name,
+        }
+      elsif [:tag, :tag_name, :tag_end].include?(@parser.context)
+        {
+          tag_name: @parser.tag_name,
+        }
+      elsif @parser.context == :rawtext
+        {
+          tag_name: @parser.tag_name,
+          rawtext_text: @parser.rawtext_text,
+        }
+      elsif @parser.context == :comment
+        {
+          comment_text: @parser.comment_text,
+        }
+      elsif [:none, :solidus_or_tag_name].include?(@parser.context)
+        {}
+      else
+        raise RuntimeError, "Tried to interpolate into unknown location #{@parser.context}."
+      end
+    end
+
+    def block_check(src, code)
+      unless @parser.context == :none || @parser.context == :rawtext
+        s = "Ruby statement not allowed.\n"
+        s << "In '#{@parser.context}' on line #{@parser.line_number} column #{@parser.column_number}:\n"
+        prefix = extract_line(@parser.line_number)
+        code = code.lines.first
+        s << "#{prefix}#{code}\n"
+        s << "#{' ' * prefix.size}#{'^' * code.size}"
+        raise BetterHtml::DontInterpolateHere, s
+      end
+    end
+
+    def check_parser_errors
+      errors = @parser.errors
+      return if errors.empty?
+
+      s = "#{errors.size} error(s) found in HTML document.\n"
+      errors.each do |error|
+        s = "#{error.message}\n"
+        s << "On line #{error.line} column #{error.column}:\n"
+        line = extract_line(error.line)
+        s << "#{line}\n"
+        s << "#{' ' * (error.column)}#{'^' * (line.size - error.column)}"
+      end
+
+      raise BetterHtml::HtmlError, s
+    end
+
+    def check_token(type, *args)
+      check_tag_name(type, *args) if type == :tag_name
+      check_attribute_name(type, *args) if type == :attribute_name
+      check_quoted_value(type, *args) if type == :attribute_quoted_value_start
+      check_unquoted_value(type, *args) if type == :attribute_unquoted_value
+    end
+
+    def check_tag_name(type, start, stop, line, column)
+      text = @parser.extract(start, stop)
+      return if text.upcase == "!DOCTYPE"
+      return if BetterHtml.config.partial_tag_name_pattern === text
+
+      s = "Invalid tag name #{text.inspect} does not match "\
+        "regular expression #{BetterHtml.config.partial_tag_name_pattern.inspect}\n"
+      s << build_location(line, column, text.size)
+      raise BetterHtml::HtmlError, s
+    end
+
+    def check_attribute_name(type, start, stop, line, column)
+      text = @parser.extract(start, stop)
+      return if BetterHtml.config.partial_attribute_name_pattern === text
+
+      s = "Invalid attribute name #{text.inspect} does not match "\
+        "regular expression #{BetterHtml.config.partial_attribute_name_pattern.inspect}\n"
+      s << build_location(line, column, text.size)
+      raise BetterHtml::HtmlError, s
+    end
+
+    def check_quoted_value(type, start, stop, line, column)
+      return if BetterHtml.config.allow_single_quoted_attributes
+      text = @parser.extract(start, stop)
+      return if text == '"'
+
+      s = "Single-quoted attributes are not allowed\n"
+      s << build_location(line, column, text.size)
+      raise BetterHtml::HtmlError, s
+    end
+
+    def check_unquoted_value(type, start, stop, line, column)
+      return if BetterHtml.config.allow_unquoted_attributes
+      s = "Unquoted attribute values are not allowed\n"
+      s << build_location(line, column, stop-start)
+      raise BetterHtml::HtmlError, s
+    end
+
+    def build_location(line, column, length)
+      s = "On line #{line} column #{column}:\n"
+      s << "#{extract_line(line)}\n"
+      s << "#{' ' * column}#{'^' * length}"
+    end
+
+    def extract_line(line)
+      line = @parser.document.lines[line-1]
+      line.nil? ? "" : line.gsub(/\n$/, '')
+    end
+  end
+end

data/lib/better_html/better_erb/validated_output_buffer.rb

@@ -0,0 +1,166 @@
+module BetterHtml
+  class BetterErb
+    class ValidatedOutputBuffer
+      def self.wrap(output, context, code, auto_escape)
+        Context.new(output, context, code, auto_escape)
+      end
+
+      class Context
+        def initialize(output, context, code, auto_escape)
+          @output = output
+          @context = context
+          @code = code
+          @auto_escape = auto_escape
+        end
+
+        def safe_quoted_value_append=(value)
+          return if value.nil?
+          value = properly_escaped(value)
+
+          if value.include?(@context[:quote_character])
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a quoted attribute value. The value cannot contain the character #{@context[:quote_character]}."
+          end
+
+          @output.safe_append= value
+        end
+
+        def safe_unquoted_value_append=(value)
+          raise DontInterpolateHere, "Do not interpolate without quotes around this "\
+            "attribute value. Instead of "\
+            "<#{@context[:tag_name]} #{@context[:attribute_name]}=#{@context[:attribute_value]}<%=#{@code}%>> "\
+            "try <#{@context[:tag_name]} #{@context[:attribute_name]}=\"#{@context[:attribute_value]}<%=#{@code}%>\">."
+        end
+
+        def safe_space_after_attribute_append=(value)
+          raise DontInterpolateHere, "Add a space after this attribute value. Instead of "\
+            "<#{@context[:tag_name]} #{@context[:attribute_name]}=\"#{@context[:attribute_value]}\"<%=#{@code}%>> "\
+            "try <#{@context[:tag_name]} #{@context[:attribute_name]}=\"#{@context[:attribute_value]}\" <%=#{@code}%>>."
+        end
+
+        def safe_attribute_name_append=(value)
+          return if value.nil?
+          value = value.to_s
+
+          unless value =~ /\A[a-z0-9\-]*\z/
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a attribute name around '#{@context[:attribute_name]}<%=#{@code}%>'."
+          end
+
+          @output.safe_append= value
+        end
+
+        def safe_after_attribute_name_append=(value)
+          return if value.nil?
+
+          unless value.is_a?(BetterHtml::HtmlAttributes)
+            raise DontInterpolateHere, "Do not interpolate #{value.class} in a tag. "\
+              "Instead of <#{@context[:tag_name]} <%=#{@code}%>> please "\
+              "try <#{@context[:tag_name]} <%= html_attributes(attr: value) %>>."
+          end
+
+          @output.safe_append= value.to_s
+        end
+
+        def safe_after_equal_append=(value)
+          raise DontInterpolateHere, "Do not interpolate without quotes after "\
+            "attribute around '#{@context[:attribute_name]}=<%=#{@code}%>'."
+        end
+
+        def safe_tag_append=(value)
+          return if value.nil?
+
+          unless value.is_a?(BetterHtml::HtmlAttributes)
+            raise DontInterpolateHere, "Do not interpolate #{value.class} in a tag. "\
+              "Instead of <#{@context[:tag_name]} <%=#{@code}%>> please "\
+              "try <#{@context[:tag_name]} <%= html_attributes(attr: value) %>>."
+          end
+
+          @output.safe_append= value.to_s
+        end
+
+        def safe_tag_name_append=(value)
+          return if value.nil?
+          value = value.to_s
+
+          unless value =~ /\A[a-z0-9\:\-]*\z/
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a tag name around: <#{@context[:tag_name]}<%=#{@code}%>>."
+          end
+
+          @output.safe_append= value
+        end
+
+        def safe_rawtext_append=(value)
+          return if value.nil?
+
+          value = properly_escaped(value)
+
+          if @context[:tag_name].downcase == 'script' &&
+              (value =~ /<script/i || value =~ /<\/script/i)
+            # https://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a script tag around: <#{@context[:tag_name]}>#{@context[:rawtext_text]}<%=#{@code}%>. "\
+              "A script tag cannot contain <script or </script anywhere inside of it."
+          elsif value =~ /<#{Regexp.escape(@context[:tag_name].downcase)}/i ||
+              value =~ /<\/#{Regexp.escape(@context[:tag_name].downcase)}/i
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a #{@context[:tag_name].downcase} tag around: <#{@context[:tag_name]}>#{@context[:rawtext_text]}<%=#{@code}%>."
+          end
+
+          @output.safe_append= value
+        end
+
+        def safe_comment_append=(value)
+          return if value.nil?
+          value = properly_escaped(value)
+
+          # in a <!-- ...here --> we disallow -->
+          if value =~ /-->/
+            raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation "\
+              "into a html comment around: <!--#{@context[:comment_text]}<%=#{@code}%>."
+          end
+
+          @output.safe_append= value
+        end
+
+        def safe_none_append=(value)
+          return if value.nil?
+          @output.safe_append= properly_escaped(value)
+        end
+
+        private
+
+        def properly_escaped(value)
+          if value.is_a?(ValidatedOutputBuffer)
+            # in html context, never escape a ValidatedOutputBuffer
+            value.to_s
+          else
+            # in html context, follow auto_escape rule
+            if @auto_escape
+              auto_escape_html_safe_value(value.to_s)
+            else
+              value.to_s
+            end
+          end
+        end
+
+        def auto_escape_html_safe_value(arg)
+          arg.html_safe? ? arg : CGI.escapeHTML(arg).html_safe
+        end
+      end
+
+      def html_safe?
+        true
+      end
+
+      def html_safe
+        self.class.new(@output)
+      end
+
+      def to_s
+        @output.html_safe
+      end
+    end
+  end
+end