brakeman 4.9.0 → 5.0.0
- checksums.yaml +4 -4
- data/CHANGES.md +44 -0
- data/README.md +1 -1
- data/bundle/load.rb +4 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/CHANGELOG.md +16 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/FAQ.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/Gemfile +1 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/MIT-LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/README.md +2 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/REFERENCE.md +29 -7
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/TODO +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/haml.gemspec +2 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_builder.rb +3 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_compiler.rb +42 -31
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/buffer.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/error.rb +0 -0
- data/bundle/ruby/2.7.0/gems/haml-5.2.1/lib/haml/escapable.rb +77 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/exec.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/filters.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/generator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers.rb +7 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubi_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubis_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/xss_mods.rb +6 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/parser.rb +32 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/plugin.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/railtie.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/sass_rails_filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/template/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/temple_engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/temple_line_counter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/util.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/fulldoc/html/css/common.sass +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/layout/html/footer.erb +0 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/Gemfile +6 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/LICENSE.txt +22 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/NEWS.md +141 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/README.md +60 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attlistdecl.rb +63 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attribute.rb +205 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/cdata.rb +68 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/child.rb +97 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/comment.rb +80 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/doctype.rb +287 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/document.rb +291 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/attlistdecl.rb +11 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/dtd.rb +47 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/elementdecl.rb +18 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/entitydecl.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/notationdecl.rb +40 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/element.rb +1269 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/encoding.rb +51 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/entity.rb +171 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/default.rb +116 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/pretty.rb +142 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/transitive.rb +58 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/functions.rb +447 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/instruction.rb +79 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/light/node.rb +196 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/namespace.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/node.rb +76 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/output.rb +30 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parent.rb +166 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parseexception.rb +52 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/baseparser.rb +594 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/lightparser.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/pullparser.rb +197 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/sax2parser.rb +273 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/streamparser.rb +61 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/treeparser.rb +101 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/ultralightparser.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/xpathparser.rb +675 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/quickpath.rb +266 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/rexml.rb +32 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/sax2listener.rb +98 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/security.rb +28 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/source.rb +298 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/streamlistener.rb +93 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/text.rb +424 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/undefinednamespaceexception.rb +9 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/relaxng.rb +539 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validation.rb +144 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validationexception.rb +10 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmldecl.rb +130 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmltokens.rb +85 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath.rb +81 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath_parser.rb +968 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/rexml.gemspec +84 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/History.rdoc +41 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/Manifest.txt +2 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/compare/normalize.rb +43 -3
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/debugging.md +57 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/rp_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/rp_stringscanner.rb +0 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby20_parser.rb +7062 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby20_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby21_parser.rb +2603 -2576
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby21_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby22_parser.rb +7160 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby22_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby23_parser.rb +7175 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby23_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby24_parser.rb +7204 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby24_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby23_parser.rb → ruby_parser-3.15.1/lib/ruby25_parser.rb} +2867 -2826
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby25_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby25_parser.rb → ruby_parser-3.15.1/lib/ruby26_parser.rb} +2432 -2383
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby26_parser.y +91 -58
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby24_parser.rb → ruby_parser-3.15.1/lib/ruby27_parser.rb} +2432 -2383
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby27_parser.y +2657 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_lexer.rb +72 -40
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_lexer.rex +5 -6
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_lexer.rex.rb +6 -8
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_parser.rb +2 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_parser.yy +93 -58
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/lib/ruby_parser_extras.rb +49 -16
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/tools/munge.rb +9 -4
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.15.1}/tools/ripper.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/History.rdoc +12 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/pt_testcase.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/sexp_matcher.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/strict_sexp.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.0 → sexp_processor-4.15.2}/lib/unique.rb +0 -0
- data/lib/brakeman.rb +10 -0
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/base_check.rb +7 -1
- data/lib/brakeman/checks/check_execute.rb +2 -1
- data/lib/brakeman/checks/check_model_attributes.rb +1 -1
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +2 -2
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +24 -18
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +2 -3
- data/lib/brakeman/processors/alias_processor.rb +20 -4
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/haml_template_processor.rb +8 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +1 -1
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report.rb +15 -0
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +114 -0
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +1 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +44 -18
- data/lib/brakeman/tracker.rb +6 -0
- data/lib/brakeman/tracker/config.rb +76 -1
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/util.rb +9 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +143 -82
- data/bundle/ruby/2.7.0/gems/haml-5.1.2/lib/haml/escapable.rb +0 -50
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/debugging.md +0 -18
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby20_parser.rb +0 -7042
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby22_parser.rb +0 -7146
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby26_parser.rb +0 -7195
File without changes
|
File without changes
|
File without changes
|
@@ -607,9 +607,12 @@ MESSAGE
|
|
607
607
|
# @param text [String] The string to sanitize
|
608
608
|
# @return [String] The sanitized string
|
609
609
|
def html_escape(text)
|
610
|
-
|
610
|
+
CGI.escapeHTML(text.to_s)
|
611
611
|
end
|
612
612
|
|
613
|
+
# Always escape text regardless of html_safe?
|
614
|
+
alias_method :html_escape_without_haml_xss, :html_escape
|
615
|
+
|
613
616
|
HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
|
614
617
|
|
615
618
|
# Escapes HTML entities in `text`, but without escaping an ampersand
|
@@ -622,6 +625,9 @@ MESSAGE
|
|
622
625
|
text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
|
623
626
|
end
|
624
627
|
|
628
|
+
# Always escape text once regardless of html_safe?
|
629
|
+
alias_method :escape_once_without_haml_xss, :escape_once
|
630
|
+
|
625
631
|
# Returns whether or not the current template is a Haml template.
|
626
632
|
#
|
627
633
|
# This function, unlike other {Haml::Helpers} functions,
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_extensions.rb
RENAMED
File without changes
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/action_view_xss_mods.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubi_template.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/safe_erubis_template.rb
RENAMED
File without changes
|
@@ -8,12 +8,15 @@ module Haml
|
|
8
8
|
# to work with Rails' XSS protection methods.
|
9
9
|
module XssMods
|
10
10
|
def self.included(base)
|
11
|
-
%w[
|
12
|
-
precede succeed capture_haml haml_concat haml_internal_concat haml_indent
|
13
|
-
escape_once].each do |name|
|
11
|
+
%w[find_and_preserve preserve list_of surround
|
12
|
+
precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
|
14
13
|
base.send(:alias_method, "#{name}_without_haml_xss", name)
|
15
14
|
base.send(:alias_method, name, "#{name}_with_haml_xss")
|
16
15
|
end
|
16
|
+
# Those two always have _without_haml_xss
|
17
|
+
%w[html_escape escape_once].each do |name|
|
18
|
+
base.send(:alias_method, name, "#{name}_with_haml_xss")
|
19
|
+
end
|
17
20
|
end
|
18
21
|
|
19
22
|
# Don't escape text that's already safe,
|
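Review bot: The comment `# Those two always have _without_haml_xss` on new line 16 does not say where those aliases come from, and since this loop no longer creates them, including XssMods before Haml::Helpers has defined `html_escape_without_haml_xss`/`escape_once_without_haml_xss` would presumably leave the `_with_haml_xss` wrappers pointing at a missing method. I'd state the dependency explicitly: `# html_escape and escape_once already carry their _without_haml_xss aliases in Haml::Helpers, so only the _with_haml_xss side is installed here.` The first loop still re-aliases `#{name}_without_haml_xss` on every `included` call, so those names are not protected against a second inclusion the way the two below now are; if that matters, a `return if base.method_defined?(:precede_without_haml_xss)` guard at the top of the hook would make both loops idempotent. The `included` hook is entirely within the hunk; the `_with_haml_xss` methods it refers to are outside it.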
File without changes
|
@@ -1,5 +1,6 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require 'ripper'
|
3
4
|
require 'strscan'
|
4
5
|
|
5
6
|
module Haml
|
@@ -90,6 +91,9 @@ module Haml
|
|
90
91
|
ID_KEY = 'id'.freeze
|
91
92
|
CLASS_KEY = 'class'.freeze
|
92
93
|
|
94
|
+
# Used for scanning old attributes, substituting the first '{'
|
95
|
+
METHOD_CALL_PREFIX = 'a('
|
96
|
+
|
93
97
|
def initialize(options)
|
94
98
|
@options = Options.wrap(options)
|
95
99
|
# Record the indent levels of "if" statements to validate the subsequent
|
@@ -307,7 +311,7 @@ module Haml
|
|
307
311
|
return ParseNode.new(:plain, line.index + 1, :text => line.text)
|
308
312
|
end
|
309
313
|
|
310
|
-
escape_html = @options.escape_html if escape_html.nil?
|
314
|
+
escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
|
311
315
|
line.text = unescape_interpolation(line.text, escape_html)
|
312
316
|
script(line, false)
|
313
317
|
end
|
@@ -651,13 +655,18 @@ module Haml
|
|
651
655
|
# @return [String] rest
|
652
656
|
# @return [Integer] last_line
|
653
657
|
def parse_old_attributes(text)
|
654
|
-
text = text.dup
|
655
658
|
last_line = @line.index + 1
|
656
659
|
|
657
660
|
begin
|
658
|
-
|
661
|
+
# Old attributes often look like a valid Hash literal, but it sometimes allow code like
|
662
|
+
# `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
|
663
|
+
#
|
664
|
+
# To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
|
665
|
+
# 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
|
666
|
+
balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
|
667
|
+
attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
|
659
668
|
rescue SyntaxError => e
|
660
|
-
if
|
669
|
+
if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
|
661
670
|
text << "\n#{@next_line.text}"
|
662
671
|
last_line += 1
|
663
672
|
next_line
|
@@ -811,6 +820,25 @@ module Haml
|
|
811
820
|
Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
|
812
821
|
end
|
813
822
|
|
823
|
+
# Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
|
824
|
+
def balance_tokens(buf, start, finish, count: 0)
|
825
|
+
text = ''.dup
|
826
|
+
Ripper.lex(buf).each do |_, token, str|
|
827
|
+
text << str
|
828
|
+
case token
|
829
|
+
when start
|
830
|
+
count += 1
|
831
|
+
when finish
|
832
|
+
count -= 1
|
833
|
+
end
|
834
|
+
|
835
|
+
if count == 0
|
836
|
+
return text, buf.sub(text, '')
|
837
|
+
end
|
838
|
+
end
|
839
|
+
raise SyntaxError.new(Error.message(:unbalanced_brackets))
|
840
|
+
end
|
841
|
+
|
814
842
|
def block_opened?
|
815
843
|
@next_line.tabs > @line.tabs
|
816
844
|
end
|
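Review bot: `text = text.dup` is removed from `parse_old_attributes` (old line 654) while the `rescue SyntaxError` branch still runs `text << "\n#{@next_line.text}"` on line 670, so the retry path now appends to the caller's string in place rather than to a private copy; if the caller keeps using that string (the call site is outside the hunk) this is a visible side effect, and either restoring `text = text.dup` or writing `text = "#{text}\n#{@next_line.text}"` keeps the argument intact. In the new `balance_tokens`, the `count: 0` default makes the method return after the very first token unless that token is `start`, because `count == 0` is tested after each token; the only caller passes `count: 1`, so I'd document that or drop the default, e.g. `# count: number of extra finish tokens to consume beyond those opened here (1 when the opening bracket was already eaten)`. The `@options.mime_type != 'text/plain'` condition on new line 314 switches default HTML escaping off for plain-text templates, which downstream tooling that models Haml escaping (Brakeman's HAML template processor, also touched in this diff) needs to mirror, and a short comment on that line stating why text/plain is exempt would help. `parse_old_attributes` continues past the fourth hunk, and `block_opened?` is unchanged context.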
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -213,7 +213,7 @@ MSG
|
|
213
213
|
scan.scan(/\w+/)
|
214
214
|
end
|
215
215
|
content = eval("\"#{interpolated}\"")
|
216
|
-
content
|
216
|
+
content = "#{char}#{content}" if char == '@' || char == '$'
|
217
217
|
content = "Haml::Helpers.html_escape((#{content}))" if escape_html
|
218
218
|
|
219
219
|
res << "\#{#{content}}"
|
data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/yard/default/fulldoc/html/css/common.sass
RENAMED
File without changes
|
File without changes
|
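--- /dev/null
+++ b/data/bundle/ruby/2.7.0/gems/rexml-3.2.4/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.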
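--- /dev/null
+++ b/data/bundle/ruby/2.7.0/gems/rexml-3.2.4/NEWS.md
@@ -0,0 +1,141 @@
+# News
+
+## 3.2.4 - 2020-01-31 {#version-3-2-4}
+
+### Improvements
+
+* Don't use `taint` with Ruby 2.7 or later.
+[GitHub#21][Patch by Jeremy Evans]
+
+### Fixes
+
+* Fixed a `elsif` typo.
+[GitHub#22][Patch by Nobuyoshi Nakada]
+
+### Thanks
+
+* Jeremy Evans
+
+* Nobuyoshi Nakada
+
+## 3.2.3 - 2019-10-12 {#version-3-2-3}
+
+### Fixes
+
+* Fixed a bug that `REXML::XMLDecl#close` doesn't copy `@writethis`.
+[GitHub#20][Patch by hirura]
+
+### Thanks
+
+* hirura
+
+## 3.2.2 - 2019-06-03 {#version-3-2-2}
+
+### Fixes
+
+* xpath: Fixed a bug for equality and relational expressions.
+[GitHub#17][Reported by Mirko Budszuhn]
+
+* xpath: Fixed `boolean()` implementation.
+
+* xpath: Fixed `local_name()` with nonexistent node.
+
+* xpath: Fixed `number()` implementation with node set.
+[GitHub#18][Reported by Mirko Budszuhn]
+
+### Thanks
+
+* Mirko Budszuhn
+
+## 3.2.1 - 2019-05-04 {#version-3-2-1}
+
+### Improvements
+
+* Improved error message.
+[GitHub#12][Patch by FUJI Goro]
+
+* Improved error message.
+[GitHub#16][Patch by ujihisa]
+
+* Improved documentation markup.
+[GitHub#14][Patch by Alyssa Ross]
+
+### Fixes
+
+* Fixed a bug that `nil` variable value raises an unexpected exception.
+[GitHub#13][Patch by Alyssa Ross]
+
+### Thanks
+
+* FUJI Goro
+
+* Alyssa Ross
+
+* ujihisa
+
+## 3.2.0 - 2019-01-01 {#version-3-2-0}
+
+### Fixes
+
+* Fixed a bug that no namespace attribute isn't matched with prefix.
+
+[ruby-list:50731][Reported by Yasuhiro KIMURA]
+
+* Fixed a bug that the default namespace is applied to attribute names.
+
+NOTE: It's a backward incompatible change. If your program has any
+problem with this change, please report it. We may revert this fix.
+
+* `REXML::Attribute#prefix` returns `""` for no namespace attribute.
+
+* `REXML::Attribute#namespace` returns `""` for no namespace attribute.
+
+### Thanks
+
+* Yasuhiro KIMURA
+
+## 3.1.9 - 2018-12-20 {#version-3-1-9}
+
+### Improvements
+
+* Improved backward compatibility.
+
+Restored `REXML::Parsers::BaseParser::UNQME_STR` because it's used
+by kramdown.
+
+## 3.1.8 - 2018-12-20 {#version-3-1-8}
+
+### Improvements
+
+* Added support for customizing quote character in prologue.
+[GitHub#8][Bug #9367][Reported by Takashi Oguma]
+
+* You can use `"` as quote character by specifying `:quote` to
+`REXML::Document#context[:prologue_quote]`.
+
+* You can use `'` as quote character by specifying `:apostrophe`
+to `REXML::Document#context[:prologue_quote]`.
+
+* Added processing instruction target check. The target must not nil.
+[GitHub#7][Reported by Ariel Zelivansky]
+
+* Added name check for element and attribute.
+[GitHub#7][Reported by Ariel Zelivansky]
+
+* Stopped to use `Exception`.
+[GitHub#9][Patch by Jean Boussier]
+
+### Fixes
+
+* Fixed a bug that `REXML::Text#clone` escapes value twice.
+[ruby-dev:50626][Bug #15058][Reported by Ryosuke Nanba]
+
+### Thanks
+
+* Takashi Oguma
+
+* Ariel Zelivansky
+
+* Jean Boussier
+
+* Ryosuke Nanba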
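--- /dev/null
+++ b/data/bundle/ruby/2.7.0/gems/rexml-3.2.4/README.md
@@ -0,0 +1,60 @@
+# REXML
+
+REXML was inspired by the Electric XML library for Java, which features an easy-to-use API, small size, and speed. Hopefully, REXML, designed with the same philosophy, has these same features. I've tried to keep the API as intuitive as possible, and have followed the Ruby methodology for method naming and code flow, rather than mirroring the Java API.
+
+REXML supports both tree and stream document parsing. Stream parsing is faster (about 1.5 times as fast). However, with stream parsing, you don't get access to features such as XPath.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rexml'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install rexml
+
+## Usage
+
+We'll start with parsing an XML document
+
+```ruby
+require "rexml/document"
+file = File.new( "mydoc.xml" )
+doc = REXML::Document.new file
+```
+
+Line 3 creates a new document and parses the supplied file. You can also do the following
+
+```ruby
+require "rexml/document"
+include REXML # so that we don't have to prefix everything with REXML::...
+string = <<EOF
+<mydoc>
+<someelement attribute="nanoo">Text, text, text</someelement>
+</mydoc>
+EOF
+doc = Document.new string
+```
+
+So parsing a string is just as easy as parsing a file.
+
+## Development
+
+After checking out the repo, run `rake test` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ruby/rexml.
+
+## License
+
+The gem is available as open source under the terms of the [BSD-2-Clause](LICENSE.txt).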
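--- /dev/null
+++ b/data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attlistdecl.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: false
+#vim:ts=2 sw=2 noexpandtab:
+require_relative 'child'
+require_relative 'source'
+
+module REXML
+# This class needs:
+# * Documentation
+# * Work! Not all types of attlists are intelligently parsed, so we just
+# spew back out what we get in. This works, but it would be better if
+# we formatted the output ourselves.
+#
+# AttlistDecls provide *just* enough support to allow namespace
+# declarations. If you need some sort of generalized support, or have an
+# interesting idea about how to map the hideous, terrible design of DTD
+# AttlistDecls onto an intuitive Ruby interface, let me know. I'm desperate
+# for anything to make DTDs more palateable.
+class AttlistDecl < Child
+include Enumerable
+
+# What is this? Got me.
+attr_reader :element_name
+
+# Create an AttlistDecl, pulling the information from a Source. Notice
+# that this isn't very convenient; to create an AttlistDecl, you basically
+# have to format it yourself, and then have the initializer parse it.
+# Sorry, but for the foreseeable future, DTD support in REXML is pretty
+# weak on convenience. Have I mentioned how much I hate DTDs?
+def initialize(source)
+super()
+if (source.kind_of? Array)
+@element_name, @pairs, @contents = *source
+end
+end
+
+# Access the attlist attribute/value pairs.
+# value = attlist_decl[ attribute_name ]
+def [](key)
+@pairs[key]
+end
+
+# Whether an attlist declaration includes the given attribute definition
+# if attlist_decl.include? "xmlns:foobar"
+def include?(key)
+@pairs.keys.include? key
+end
+
+# Iterate over the key/value pairs:
+# attlist_decl.each { |attribute_name, attribute_value| ... }
+def each(&block)
+@pairs.each(&block)
+end
+
+# Write out exactly what we got in.
+def write out, indent=-1
+out << @contents
+end
+
+def node_type
+:attlistdecl
+end
+end
+end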