brakeman 4.10.0 → 5.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +52 -0
- data/README.md +11 -2
- data/bundle/load.rb +4 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/CHANGELOG.md +16 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/FAQ.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/Gemfile +1 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/MIT-LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/README.md +2 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/REFERENCE.md +29 -7
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/TODO +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/haml.gemspec +2 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_builder.rb +3 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_compiler.rb +42 -31
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/buffer.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/error.rb +0 -0
- data/bundle/ruby/2.7.0/gems/haml-5.2.1/lib/haml/escapable.rb +77 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/exec.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/filters.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/generator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers.rb +7 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubi_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubis_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/xss_mods.rb +6 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/parser.rb +32 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/plugin.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/railtie.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/sass_rails_filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/template/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/temple_engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/temple_line_counter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/util.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/fulldoc/html/css/common.sass +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/layout/html/footer.erb +0 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt +22 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md +178 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/README.md +48 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml.rb +3 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/attlistdecl.rb +63 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/attribute.rb +205 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/cdata.rb +68 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/child.rb +97 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/comment.rb +80 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/doctype.rb +311 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/document.rb +451 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/attlistdecl.rb +11 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/dtd.rb +47 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/elementdecl.rb +18 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/entitydecl.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/notationdecl.rb +40 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/element.rb +2599 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/encoding.rb +51 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/entity.rb +171 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/default.rb +116 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/pretty.rb +142 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/transitive.rb +58 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/functions.rb +447 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/instruction.rb +79 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/light/node.rb +188 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/namespace.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/node.rb +76 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/output.rb +30 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parent.rb +166 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parseexception.rb +52 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +694 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/lightparser.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +197 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +273 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/streamparser.rb +61 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/treeparser.rb +101 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/ultralightparser.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb +689 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/quickpath.rb +266 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/rexml.rb +37 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/sax2listener.rb +98 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/security.rb +28 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/source.rb +298 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/streamlistener.rb +93 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/text.rb +424 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/undefinednamespaceexception.rb +9 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/relaxng.rb +539 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/validation.rb +144 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/validationexception.rb +10 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xmldecl.rb +130 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xmltokens.rb +85 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xpath.rb +81 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb +974 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/History.rdoc +25 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/Manifest.txt +2 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/compare/normalize.rb +2 -2
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/debugging.md +190 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/rp_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/rp_stringscanner.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby20_parser.rb +2550 -2537
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby20_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby21_parser.rb +7148 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby21_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby22_parser.rb +7185 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby22_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby23_parser.rb +2585 -2561
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby23_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby24_parser.rb +2622 -2607
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby24_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby25_parser.rb +2612 -2598
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby25_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby26_parser.rb +2610 -2594
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby26_parser.y +10 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby27_parser.rb +7358 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby27_parser.y +47 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby30_parser.rb +7358 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby30_parser.y +2703 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_lexer.rb +19 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_lexer.rex +1 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_lexer.rex.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_parser.rb +2 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_parser.yy +57 -1
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/lib/ruby_parser_extras.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/tools/munge.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.16.0}/tools/ripper.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/History.rdoc +12 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/pt_testcase.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/sexp_matcher.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/strict_sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.3}/lib/unique.rb +0 -0
- data/lib/brakeman.rb +17 -4
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
- data/lib/brakeman/checks/check_sql.rb +1 -1
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +24 -18
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +26 -3
- data/lib/brakeman/processors/alias_processor.rb +40 -13
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report.rb +8 -0
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +1 -1
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +44 -18
- data/lib/brakeman/tracker.rb +6 -0
- data/lib/brakeman/tracker/config.rb +73 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/util.rb +9 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +143 -84
- data/bundle/ruby/2.7.0/gems/haml-5.1.2/lib/haml/escapable.rb +0 -50
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/debugging.md +0 -57
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby21_parser.rb +0 -7140
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby22_parser.rb +0 -7160
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib/ruby27_parser.rb +0 -7224
File without changes
|
@@ -0,0 +1,77 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Haml
|
4
|
+
# Like Temple::Filters::Escapable, but with support for escaping by
|
5
|
+
# Haml::Herlpers.html_escape and Haml::Herlpers.escape_once.
|
6
|
+
class Escapable < Temple::Filter
|
7
|
+
# Special value of `flag` to ignore html_safe?
|
8
|
+
EscapeSafeBuffer = Struct.new(:value)
|
9
|
+
|
10
|
+
def initialize(*)
|
11
|
+
super
|
12
|
+
@escape = false
|
13
|
+
@escape_safe_buffer = false
|
14
|
+
end
|
15
|
+
|
16
|
+
def on_escape(flag, exp)
|
17
|
+
old_escape, old_escape_safe_buffer = @escape, @escape_safe_buffer
|
18
|
+
@escape_safe_buffer = flag.is_a?(EscapeSafeBuffer)
|
19
|
+
@escape = @escape_safe_buffer ? flag.value : flag
|
20
|
+
compile(exp)
|
21
|
+
ensure
|
22
|
+
@escape, @escape_safe_buffer = old_escape, old_escape_safe_buffer
|
23
|
+
end
|
24
|
+
|
25
|
+
# The same as Haml::AttributeBuilder.build_attributes
|
26
|
+
def on_static(value)
|
27
|
+
[:static,
|
28
|
+
if @escape == :once
|
29
|
+
escape_once(value)
|
30
|
+
elsif @escape
|
31
|
+
escape(value)
|
32
|
+
else
|
33
|
+
value
|
34
|
+
end
|
35
|
+
]
|
36
|
+
end
|
37
|
+
|
38
|
+
# The same as Haml::AttributeBuilder.build_attributes
|
39
|
+
def on_dynamic(value)
|
40
|
+
[:dynamic,
|
41
|
+
if @escape == :once
|
42
|
+
escape_once_code(value)
|
43
|
+
elsif @escape
|
44
|
+
escape_code(value)
|
45
|
+
else
|
46
|
+
"(#{value}).to_s"
|
47
|
+
end
|
48
|
+
]
|
49
|
+
end
|
50
|
+
|
51
|
+
private
|
52
|
+
|
53
|
+
def escape_once(value)
|
54
|
+
if @escape_safe_buffer
|
55
|
+
::Haml::Helpers.escape_once_without_haml_xss(value)
|
56
|
+
else
|
57
|
+
::Haml::Helpers.escape_once(value)
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
def escape(value)
|
62
|
+
if @escape_safe_buffer
|
63
|
+
::Haml::Helpers.html_escape_without_haml_xss(value)
|
64
|
+
else
|
65
|
+
::Haml::Helpers.html_escape(value)
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
def escape_once_code(value)
|
70
|
+
"::Haml::Helpers.escape_once#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
|
71
|
+
end
|
72
|
+
|
73
|
+
def escape_code(value)
|
74
|
+
"::Haml::Helpers.html_escape#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
File without changes
|
File without changes
|
File without changes
|
@@ -607,9 +607,12 @@ MESSAGE
|
|
607
607
|
# @param text [String] The string to sanitize
|
608
608
|
# @return [String] The sanitized string
|
609
609
|
def html_escape(text)
|
610
|
-
|
610
|
+
CGI.escapeHTML(text.to_s)
|
611
611
|
end
|
612
612
|
|
613
|
+
# Always escape text regardless of html_safe?
|
614
|
+
alias_method :html_escape_without_haml_xss, :html_escape
|
615
|
+
|
613
616
|
HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
|
614
617
|
|
615
618
|
# Escapes HTML entities in `text`, but without escaping an ampersand
|
@@ -622,6 +625,9 @@ MESSAGE
|
|
622
625
|
text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
|
623
626
|
end
|
624
627
|
|
628
|
+
# Always escape text once regardless of html_safe?
|
629
|
+
alias_method :escape_once_without_haml_xss, :escape_once
|
630
|
+
|
625
631
|
# Returns whether or not the current template is a Haml template.
|
626
632
|
#
|
627
633
|
# This function, unlike other {Haml::Helpers} functions,
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_extensions.rb
RENAMED
File without changes
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_xss_mods.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubi_template.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubis_template.rb
RENAMED
File without changes
|
@@ -8,12 +8,15 @@ module Haml
|
|
8
8
|
# to work with Rails' XSS protection methods.
|
9
9
|
module XssMods
|
10
10
|
def self.included(base)
|
11
|
-
%w[
|
12
|
-
precede succeed capture_haml haml_concat haml_internal_concat haml_indent
|
13
|
-
escape_once].each do |name|
|
11
|
+
%w[find_and_preserve preserve list_of surround
|
12
|
+
precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
|
14
13
|
base.send(:alias_method, "#{name}_without_haml_xss", name)
|
15
14
|
base.send(:alias_method, name, "#{name}_with_haml_xss")
|
16
15
|
end
|
16
|
+
# Those two always have _without_haml_xss
|
17
|
+
%w[html_escape escape_once].each do |name|
|
18
|
+
base.send(:alias_method, name, "#{name}_with_haml_xss")
|
19
|
+
end
|
17
20
|
end
|
18
21
|
|
19
22
|
# Don't escape text that's already safe,
|
File without changes
|
@@ -1,5 +1,6 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require 'ripper'
|
3
4
|
require 'strscan'
|
4
5
|
|
5
6
|
module Haml
|
@@ -90,6 +91,9 @@ module Haml
|
|
90
91
|
ID_KEY = 'id'.freeze
|
91
92
|
CLASS_KEY = 'class'.freeze
|
92
93
|
|
94
|
+
# Used for scanning old attributes, substituting the first '{'
|
95
|
+
METHOD_CALL_PREFIX = 'a('
|
96
|
+
|
93
97
|
def initialize(options)
|
94
98
|
@options = Options.wrap(options)
|
95
99
|
# Record the indent levels of "if" statements to validate the subsequent
|
@@ -307,7 +311,7 @@ module Haml
|
|
307
311
|
return ParseNode.new(:plain, line.index + 1, :text => line.text)
|
308
312
|
end
|
309
313
|
|
310
|
-
escape_html = @options.escape_html if escape_html.nil?
|
314
|
+
escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
|
311
315
|
line.text = unescape_interpolation(line.text, escape_html)
|
312
316
|
script(line, false)
|
313
317
|
end
|
@@ -651,13 +655,18 @@ module Haml
|
|
651
655
|
# @return [String] rest
|
652
656
|
# @return [Integer] last_line
|
653
657
|
def parse_old_attributes(text)
|
654
|
-
text = text.dup
|
655
658
|
last_line = @line.index + 1
|
656
659
|
|
657
660
|
begin
|
658
|
-
|
661
|
+
# Old attributes often look like a valid Hash literal, but it sometimes allow code like
|
662
|
+
# `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
|
663
|
+
#
|
664
|
+
# To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
|
665
|
+
# 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
|
666
|
+
balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
|
667
|
+
attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
|
659
668
|
rescue SyntaxError => e
|
660
|
-
if
|
669
|
+
if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
|
661
670
|
text << "\n#{@next_line.text}"
|
662
671
|
last_line += 1
|
663
672
|
next_line
|
@@ -811,6 +820,25 @@ module Haml
|
|
811
820
|
Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
|
812
821
|
end
|
813
822
|
|
823
|
+
# Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
|
824
|
+
def balance_tokens(buf, start, finish, count: 0)
|
825
|
+
text = ''.dup
|
826
|
+
Ripper.lex(buf).each do |_, token, str|
|
827
|
+
text << str
|
828
|
+
case token
|
829
|
+
when start
|
830
|
+
count += 1
|
831
|
+
when finish
|
832
|
+
count -= 1
|
833
|
+
end
|
834
|
+
|
835
|
+
if count == 0
|
836
|
+
return text, buf.sub(text, '')
|
837
|
+
end
|
838
|
+
end
|
839
|
+
raise SyntaxError.new(Error.message(:unbalanced_brackets))
|
840
|
+
end
|
841
|
+
|
814
842
|
def block_opened?
|
815
843
|
@next_line.tabs > @line.tabs
|
816
844
|
end
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -213,7 +213,7 @@ MSG
|
|
213
213
|
scan.scan(/\w+/)
|
214
214
|
end
|
215
215
|
content = eval("\"#{interpolated}\"")
|
216
|
-
content
|
216
|
+
content = "#{char}#{content}" if char == '@' || char == '$'
|
217
217
|
content = "Haml::Helpers.html_escape((#{content}))" if escape_html
|
218
218
|
|
219
219
|
res << "\#{#{content}}"
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/fulldoc/html/css/common.sass
RENAMED
File without changes
|
File without changes
|
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
|
2
|
+
|
3
|
+
Redistribution and use in source and binary forms, with or without
|
4
|
+
modification, are permitted provided that the following conditions
|
5
|
+
are met:
|
6
|
+
1. Redistributions of source code must retain the above copyright
|
7
|
+
notice, this list of conditions and the following disclaimer.
|
8
|
+
2. Redistributions in binary form must reproduce the above copyright
|
9
|
+
notice, this list of conditions and the following disclaimer in the
|
10
|
+
documentation and/or other materials provided with the distribution.
|
11
|
+
|
12
|
+
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
13
|
+
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
14
|
+
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
15
|
+
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
16
|
+
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
17
|
+
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
18
|
+
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
19
|
+
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
20
|
+
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
21
|
+
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
22
|
+
SUCH DAMAGE.
|
@@ -0,0 +1,178 @@
|
|
1
|
+
# News
|
2
|
+
|
3
|
+
## 3.2.5 - 2021-04-05 {#version-3-2-5}
|
4
|
+
|
5
|
+
### Improvements
|
6
|
+
|
7
|
+
* Add more validations to XPath parser.
|
8
|
+
|
9
|
+
* `require "rexml/docuemnt"` by default.
|
10
|
+
[GitHub#36][Patch by Koichi ITO]
|
11
|
+
|
12
|
+
* Don't add `#dcloe` method to core classes globally.
|
13
|
+
[GitHub#37][Patch by Akira Matsuda]
|
14
|
+
|
15
|
+
* Add more documentations.
|
16
|
+
[Patch by Burdette Lamar]
|
17
|
+
|
18
|
+
* Added `REXML::Elements#parent`.
|
19
|
+
[GitHub#52][Patch by Burdette Lamar]
|
20
|
+
|
21
|
+
### Fixes
|
22
|
+
|
23
|
+
* Fixed a bug that `REXML::DocType#clone` doesn't copy external ID
|
24
|
+
information.
|
25
|
+
|
26
|
+
* Fixed round-trip vulnerability bugs.
|
27
|
+
See also: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
|
28
|
+
[HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]
|
29
|
+
|
30
|
+
### Thanks
|
31
|
+
|
32
|
+
* Koichi ITO
|
33
|
+
|
34
|
+
* Akira Matsuda
|
35
|
+
|
36
|
+
* Burdette Lamar
|
37
|
+
|
38
|
+
* Juho Nurminen
|
39
|
+
|
40
|
+
## 3.2.4 - 2020-01-31 {#version-3-2-4}
|
41
|
+
|
42
|
+
### Improvements
|
43
|
+
|
44
|
+
* Don't use `taint` with Ruby 2.7 or later.
|
45
|
+
[GitHub#21][Patch by Jeremy Evans]
|
46
|
+
|
47
|
+
### Fixes
|
48
|
+
|
49
|
+
* Fixed a `elsif` typo.
|
50
|
+
[GitHub#22][Patch by Nobuyoshi Nakada]
|
51
|
+
|
52
|
+
### Thanks
|
53
|
+
|
54
|
+
* Jeremy Evans
|
55
|
+
|
56
|
+
* Nobuyoshi Nakada
|
57
|
+
|
58
|
+
## 3.2.3 - 2019-10-12 {#version-3-2-3}
|
59
|
+
|
60
|
+
### Fixes
|
61
|
+
|
62
|
+
* Fixed a bug that `REXML::XMLDecl#close` doesn't copy `@writethis`.
|
63
|
+
[GitHub#20][Patch by hirura]
|
64
|
+
|
65
|
+
### Thanks
|
66
|
+
|
67
|
+
* hirura
|
68
|
+
|
69
|
+
## 3.2.2 - 2019-06-03 {#version-3-2-2}
|
70
|
+
|
71
|
+
### Fixes
|
72
|
+
|
73
|
+
* xpath: Fixed a bug for equality and relational expressions.
|
74
|
+
[GitHub#17][Reported by Mirko Budszuhn]
|
75
|
+
|
76
|
+
* xpath: Fixed `boolean()` implementation.
|
77
|
+
|
78
|
+
* xpath: Fixed `local_name()` with nonexistent node.
|
79
|
+
|
80
|
+
* xpath: Fixed `number()` implementation with node set.
|
81
|
+
[GitHub#18][Reported by Mirko Budszuhn]
|
82
|
+
|
83
|
+
### Thanks
|
84
|
+
|
85
|
+
* Mirko Budszuhn
|
86
|
+
|
87
|
+
## 3.2.1 - 2019-05-04 {#version-3-2-1}
|
88
|
+
|
89
|
+
### Improvements
|
90
|
+
|
91
|
+
* Improved error message.
|
92
|
+
[GitHub#12][Patch by FUJI Goro]
|
93
|
+
|
94
|
+
* Improved error message.
|
95
|
+
[GitHub#16][Patch by ujihisa]
|
96
|
+
|
97
|
+
* Improved documentation markup.
|
98
|
+
[GitHub#14][Patch by Alyssa Ross]
|
99
|
+
|
100
|
+
### Fixes
|
101
|
+
|
102
|
+
* Fixed a bug that `nil` variable value raises an unexpected exception.
|
103
|
+
[GitHub#13][Patch by Alyssa Ross]
|
104
|
+
|
105
|
+
### Thanks
|
106
|
+
|
107
|
+
* FUJI Goro
|
108
|
+
|
109
|
+
* Alyssa Ross
|
110
|
+
|
111
|
+
* ujihisa
|
112
|
+
|
113
|
+
## 3.2.0 - 2019-01-01 {#version-3-2-0}
|
114
|
+
|
115
|
+
### Fixes
|
116
|
+
|
117
|
+
* Fixed a bug that no namespace attribute isn't matched with prefix.
|
118
|
+
|
119
|
+
[ruby-list:50731][Reported by Yasuhiro KIMURA]
|
120
|
+
|
121
|
+
* Fixed a bug that the default namespace is applied to attribute names.
|
122
|
+
|
123
|
+
NOTE: It's a backward incompatible change. If your program has any
|
124
|
+
problem with this change, please report it. We may revert this fix.
|
125
|
+
|
126
|
+
* `REXML::Attribute#prefix` returns `""` for no namespace attribute.
|
127
|
+
|
128
|
+
* `REXML::Attribute#namespace` returns `""` for no namespace attribute.
|
129
|
+
|
130
|
+
### Thanks
|
131
|
+
|
132
|
+
* Yasuhiro KIMURA
|
133
|
+
|
134
|
+
## 3.1.9 - 2018-12-20 {#version-3-1-9}
|
135
|
+
|
136
|
+
### Improvements
|
137
|
+
|
138
|
+
* Improved backward compatibility.
|
139
|
+
|
140
|
+
Restored `REXML::Parsers::BaseParser::UNQME_STR` because it's used
|
141
|
+
by kramdown.
|
142
|
+
|
143
|
+
## 3.1.8 - 2018-12-20 {#version-3-1-8}
|
144
|
+
|
145
|
+
### Improvements
|
146
|
+
|
147
|
+
* Added support for customizing quote character in prologue.
|
148
|
+
[GitHub#8][Bug #9367][Reported by Takashi Oguma]
|
149
|
+
|
150
|
+
* You can use `"` as quote character by specifying `:quote` to
|
151
|
+
`REXML::Document#context[:prologue_quote]`.
|
152
|
+
|
153
|
+
* You can use `'` as quote character by specifying `:apostrophe`
|
154
|
+
to `REXML::Document#context[:prologue_quote]`.
|
155
|
+
|
156
|
+
* Added processing instruction target check. The target must not nil.
|
157
|
+
[GitHub#7][Reported by Ariel Zelivansky]
|
158
|
+
|
159
|
+
* Added name check for element and attribute.
|
160
|
+
[GitHub#7][Reported by Ariel Zelivansky]
|
161
|
+
|
162
|
+
* Stopped to use `Exception`.
|
163
|
+
[GitHub#9][Patch by Jean Boussier]
|
164
|
+
|
165
|
+
### Fixes
|
166
|
+
|
167
|
+
* Fixed a bug that `REXML::Text#clone` escapes value twice.
|
168
|
+
[ruby-dev:50626][Bug #15058][Reported by Ryosuke Nanba]
|
169
|
+
|
170
|
+
### Thanks
|
171
|
+
|
172
|
+
* Takashi Oguma
|
173
|
+
|
174
|
+
* Ariel Zelivansky
|
175
|
+
|
176
|
+
* Jean Boussier
|
177
|
+
|
178
|
+
* Ryosuke Nanba
|