brakeman 5.0.0.pre1 → 5.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (162) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +23 -0
  3. data/bundle/load.rb +9 -8
  4. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/CHANGELOG.md +8 -1
  5. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/FAQ.md +0 -0
  6. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/Gemfile +0 -0
  7. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/MIT-LICENSE +0 -0
  8. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/README.md +0 -0
  9. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/REFERENCE.md +9 -5
  10. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/TODO +0 -0
  11. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/haml.gemspec +1 -1
  12. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml.rb +0 -0
  13. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/attribute_builder.rb +0 -0
  14. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/attribute_compiler.rb +0 -0
  15. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/attribute_parser.rb +0 -0
  16. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/buffer.rb +0 -0
  17. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/compiler.rb +0 -0
  18. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/engine.rb +0 -0
  19. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/error.rb +0 -0
  20. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/escapable.rb +0 -0
  21. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/exec.rb +0 -0
  22. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/filters.rb +0 -0
  23. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/generator.rb +0 -0
  24. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers.rb +0 -0
  25. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/action_view_extensions.rb +0 -0
  26. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/action_view_mods.rb +0 -0
  27. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
  28. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/safe_erubi_template.rb +0 -0
  29. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/safe_erubis_template.rb +0 -0
  30. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/helpers/xss_mods.rb +0 -0
  31. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/options.rb +0 -0
  32. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/parser.rb +31 -3
  33. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/plugin.rb +0 -0
  34. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/railtie.rb +0 -0
  35. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/sass_rails_filter.rb +0 -0
  36. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/template.rb +0 -0
  37. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/template/options.rb +0 -0
  38. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/temple_engine.rb +0 -0
  39. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/temple_line_counter.rb +0 -0
  40. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/util.rb +1 -1
  41. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/version.rb +1 -1
  42. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/yard/default/fulldoc/html/css/common.sass +0 -0
  43. data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/yard/default/layout/html/footer.erb +0 -0
  44. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/Gemfile +6 -0
  45. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/LICENSE.txt +22 -0
  46. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/NEWS.md +141 -0
  47. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/README.md +60 -0
  48. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attlistdecl.rb +63 -0
  49. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attribute.rb +205 -0
  50. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/cdata.rb +68 -0
  51. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/child.rb +97 -0
  52. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/comment.rb +80 -0
  53. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/doctype.rb +287 -0
  54. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/document.rb +291 -0
  55. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/attlistdecl.rb +11 -0
  56. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/dtd.rb +47 -0
  57. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/elementdecl.rb +18 -0
  58. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/entitydecl.rb +57 -0
  59. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/notationdecl.rb +40 -0
  60. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/element.rb +1269 -0
  61. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/encoding.rb +51 -0
  62. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/entity.rb +171 -0
  63. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/default.rb +116 -0
  64. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/pretty.rb +142 -0
  65. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/transitive.rb +58 -0
  66. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/functions.rb +447 -0
  67. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/instruction.rb +79 -0
  68. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/light/node.rb +196 -0
  69. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/namespace.rb +59 -0
  70. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/node.rb +76 -0
  71. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/output.rb +30 -0
  72. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parent.rb +166 -0
  73. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parseexception.rb +52 -0
  74. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/baseparser.rb +594 -0
  75. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/lightparser.rb +59 -0
  76. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/pullparser.rb +197 -0
  77. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/sax2parser.rb +273 -0
  78. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/streamparser.rb +61 -0
  79. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/treeparser.rb +101 -0
  80. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/ultralightparser.rb +57 -0
  81. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/xpathparser.rb +675 -0
  82. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/quickpath.rb +266 -0
  83. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/rexml.rb +32 -0
  84. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/sax2listener.rb +98 -0
  85. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/security.rb +28 -0
  86. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/source.rb +298 -0
  87. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/streamlistener.rb +93 -0
  88. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/text.rb +424 -0
  89. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/undefinednamespaceexception.rb +9 -0
  90. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/relaxng.rb +539 -0
  91. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validation.rb +144 -0
  92. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validationexception.rb +10 -0
  93. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmldecl.rb +130 -0
  94. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmltokens.rb +85 -0
  95. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath.rb +81 -0
  96. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath_parser.rb +968 -0
  97. data/bundle/ruby/2.7.0/gems/rexml-3.2.4/rexml.gemspec +84 -0
  98. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/History.rdoc +6 -0
  99. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/Manifest.txt +0 -0
  100. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/README.rdoc +0 -0
  101. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/compare/normalize.rb +0 -0
  102. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/debugging.md +0 -0
  103. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/rp_extensions.rb +0 -0
  104. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/rp_stringscanner.rb +0 -0
  105. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby20_parser.rb +0 -0
  106. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby20_parser.y +0 -0
  107. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby21_parser.rb +0 -0
  108. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby21_parser.y +0 -0
  109. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby22_parser.rb +0 -0
  110. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby22_parser.y +0 -0
  111. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby23_parser.rb +0 -0
  112. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby23_parser.y +0 -0
  113. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby24_parser.rb +0 -0
  114. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby24_parser.y +0 -0
  115. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby25_parser.rb +0 -0
  116. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby25_parser.y +0 -0
  117. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby26_parser.rb +0 -0
  118. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby26_parser.y +0 -0
  119. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby27_parser.rb +0 -0
  120. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby27_parser.y +0 -0
  121. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_lexer.rb +0 -0
  122. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_lexer.rex +0 -0
  123. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_lexer.rex.rb +0 -0
  124. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_parser.rb +0 -0
  125. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_parser.yy +0 -0
  126. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_parser_extras.rb +1 -1
  127. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/tools/munge.rb +0 -0
  128. data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/tools/ripper.rb +0 -0
  129. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/History.rdoc +6 -0
  130. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/Manifest.txt +0 -0
  131. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/README.rdoc +0 -0
  132. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/composite_sexp_processor.rb +0 -0
  133. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/pt_testcase.rb +0 -0
  134. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/sexp.rb +0 -0
  135. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/sexp_matcher.rb +0 -0
  136. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/sexp_processor.rb +1 -1
  137. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/strict_sexp.rb +0 -0
  138. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/unique.rb +0 -0
  139. data/lib/brakeman/checks/base_check.rb +7 -1
  140. data/lib/brakeman/checks/check_execute.rb +2 -1
  141. data/lib/brakeman/checks/check_regex_dos.rb +1 -1
  142. data/lib/brakeman/checks/check_sql.rb +1 -1
  143. data/lib/brakeman/file_parser.rb +5 -0
  144. data/lib/brakeman/processors/alias_processor.rb +20 -4
  145. data/lib/brakeman/processors/controller_processor.rb +1 -1
  146. data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
  147. data/lib/brakeman/processors/output_processor.rb +1 -1
  148. data/lib/brakeman/processors/template_alias_processor.rb +5 -0
  149. data/lib/brakeman/report/report_base.rb +0 -2
  150. data/lib/brakeman/report/report_csv.rb +37 -60
  151. data/lib/brakeman/report/report_junit.rb +2 -2
  152. data/lib/brakeman/report/report_sarif.rb +1 -1
  153. data/lib/brakeman/report/report_tabs.rb +1 -1
  154. data/lib/brakeman/report/report_text.rb +1 -1
  155. data/lib/brakeman/scanner.rb +3 -1
  156. data/lib/brakeman/tracker/config.rb +73 -0
  157. data/lib/brakeman/tracker/controller.rb +1 -1
  158. data/lib/brakeman/util.rb +2 -2
  159. data/lib/brakeman/version.rb +1 -1
  160. data/lib/brakeman/warning.rb +10 -2
  161. data/lib/ruby_parser/bm_sexp.rb +9 -9
  162. metadata +139 -85
@@ -0,0 +1,93 @@
1
+ # frozen_string_literal: false
2
+ module REXML
3
+ # A template for stream parser listeners.
4
+ # Note that the declarations (attlistdecl, elementdecl, etc) are trivially
5
+ # processed; REXML doesn't yet handle doctype entity declarations, so you
6
+ # have to parse them out yourself.
7
+ module StreamListener
8
+ # Called when a tag is encountered.
9
+ # @p name the tag name
10
+ # @p attrs an array of arrays of attribute/value pairs, suitable for
11
+ # use with assoc or rassoc. IE, <tag attr1="value1" attr2="value2">
12
+ # will result in
13
+ # tag_start( "tag", # [["attr1","value1"],["attr2","value2"]])
14
+ def tag_start name, attrs
15
+ end
16
+ # Called when the end tag is reached. In the case of <tag/>, tag_end
17
+ # will be called immediately after tag_start
18
+ # @p the name of the tag
19
+ def tag_end name
20
+ end
21
+ # Called when text is encountered in the document
22
+ # @p text the text content.
23
+ def text text
24
+ end
25
+ # Called when an instruction is encountered. EG: <?xsl sheet='foo'?>
26
+ # @p name the instruction name; in the example, "xsl"
27
+ # @p instruction the rest of the instruction. In the example,
28
+ # "sheet='foo'"
29
+ def instruction name, instruction
30
+ end
31
+ # Called when a comment is encountered.
32
+ # @p comment The content of the comment
33
+ def comment comment
34
+ end
35
+ # Handles a doctype declaration. Any attributes of the doctype which are
36
+ # not supplied will be nil. # EG, <!DOCTYPE me PUBLIC "foo" "bar">
37
+ # @p name the name of the doctype; EG, "me"
38
+ # @p pub_sys "PUBLIC", "SYSTEM", or nil. EG, "PUBLIC"
39
+ # @p long_name the supplied long name, or nil. EG, "foo"
40
+ # @p uri the uri of the doctype, or nil. EG, "bar"
41
+ def doctype name, pub_sys, long_name, uri
42
+ end
43
+ # Called when the doctype is done
44
+ def doctype_end
45
+ end
46
+ # If a doctype includes an ATTLIST declaration, it will cause this
47
+ # method to be called. The content is the declaration itself, unparsed.
48
+ # EG, <!ATTLIST el attr CDATA #REQUIRED> will come to this method as "el
49
+ # attr CDATA #REQUIRED". This is the same for all of the .*decl
50
+ # methods.
51
+ def attlistdecl element_name, attributes, raw_content
52
+ end
53
+ # <!ELEMENT ...>
54
+ def elementdecl content
55
+ end
56
+ # <!ENTITY ...>
57
+ # The argument passed to this method is an array of the entity
58
+ # declaration. It can be in a number of formats, but in general it
59
+ # returns (example, result):
60
+ # <!ENTITY % YN '"Yes"'>
61
+ # ["YN", "\"Yes\"", "%"]
62
+ # <!ENTITY % YN 'Yes'>
63
+ # ["YN", "Yes", "%"]
64
+ # <!ENTITY WhatHeSaid "He said %YN;">
65
+ # ["WhatHeSaid", "He said %YN;"]
66
+ # <!ENTITY open-hatch SYSTEM "http://www.textuality.com/boilerplate/OpenHatch.xml">
67
+ # ["open-hatch", "SYSTEM", "http://www.textuality.com/boilerplate/OpenHatch.xml"]
68
+ # <!ENTITY open-hatch PUBLIC "-//Textuality//TEXT Standard open-hatch boilerplate//EN" "http://www.textuality.com/boilerplate/OpenHatch.xml">
69
+ # ["open-hatch", "PUBLIC", "-//Textuality//TEXT Standard open-hatch boilerplate//EN", "http://www.textuality.com/boilerplate/OpenHatch.xml"]
70
+ # <!ENTITY hatch-pic SYSTEM "../grafix/OpenHatch.gif" NDATA gif>
71
+ # ["hatch-pic", "SYSTEM", "../grafix/OpenHatch.gif", "gif"]
72
+ def entitydecl content
73
+ end
74
+ # <!NOTATION ...>
75
+ def notationdecl content
76
+ end
77
+ # Called when %foo; is encountered in a doctype declaration.
78
+ # @p content "foo"
79
+ def entity content
80
+ end
81
+ # Called when <![CDATA[ ... ]]> is encountered in a document.
82
+ # @p content "..."
83
+ def cdata content
84
+ end
85
+ # Called when an XML PI is encountered in the document.
86
+ # EG: <?xml version="1.0" encoding="utf"?>
87
+ # @p version the version attribute value. EG, "1.0"
88
+ # @p encoding the encoding attribute value, or nil. EG, "utf"
89
+ # @p standalone the standalone attribute value, or nil. EG, nil
90
+ def xmldecl version, encoding, standalone
91
+ end
92
+ end
93
+ end
@@ -0,0 +1,424 @@
1
+ # frozen_string_literal: false
2
+ require_relative 'security'
3
+ require_relative 'entity'
4
+ require_relative 'doctype'
5
+ require_relative 'child'
6
+ require_relative 'doctype'
7
+ require_relative 'parseexception'
8
+
9
+ module REXML
10
+ # Represents text nodes in an XML document
11
+ class Text < Child
12
+ include Comparable
13
+ # The order in which the substitutions occur
14
+ SPECIALS = [ /&(?!#?[\w-]+;)/u, /</u, />/u, /"/u, /'/u, /\r/u ]
15
+ SUBSTITUTES = ['&amp;', '&lt;', '&gt;', '&quot;', '&apos;', '&#13;']
16
+ # Characters which are substituted in written strings
17
+ SLAICEPS = [ '<', '>', '"', "'", '&' ]
18
+ SETUTITSBUS = [ /&lt;/u, /&gt;/u, /&quot;/u, /&apos;/u, /&amp;/u ]
19
+
20
+ # If +raw+ is true, then REXML leaves the value alone
21
+ attr_accessor :raw
22
+
23
+ NEEDS_A_SECOND_CHECK = /(<|&((#{Entity::NAME});|(#0*((?:\d+)|(?:x[a-fA-F0-9]+)));)?)/um
24
+ NUMERICENTITY = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
25
+ VALID_CHAR = [
26
+ 0x9, 0xA, 0xD,
27
+ (0x20..0xD7FF),
28
+ (0xE000..0xFFFD),
29
+ (0x10000..0x10FFFF)
30
+ ]
31
+
32
+ if String.method_defined? :encode
33
+ VALID_XML_CHARS = Regexp.new('^['+
34
+ VALID_CHAR.map { |item|
35
+ case item
36
+ when Integer
37
+ [item].pack('U').force_encoding('utf-8')
38
+ when Range
39
+ [item.first, '-'.ord, item.last].pack('UUU').force_encoding('utf-8')
40
+ end
41
+ }.join +
42
+ ']*$')
43
+ else
44
+ VALID_XML_CHARS = /^(
45
+ [\x09\x0A\x0D\x20-\x7E] # ASCII
46
+ | [\xC2-\xDF][\x80-\xBF] # non-overlong 2-byte
47
+ | \xE0[\xA0-\xBF][\x80-\xBF] # excluding overlongs
48
+ | [\xE1-\xEC\xEE][\x80-\xBF]{2} # straight 3-byte
49
+ | \xEF[\x80-\xBE]{2} #
50
+ | \xEF\xBF[\x80-\xBD] # excluding U+fffe and U+ffff
51
+ | \xED[\x80-\x9F][\x80-\xBF] # excluding surrogates
52
+ | \xF0[\x90-\xBF][\x80-\xBF]{2} # planes 1-3
53
+ | [\xF1-\xF3][\x80-\xBF]{3} # planes 4-15
54
+ | \xF4[\x80-\x8F][\x80-\xBF]{2} # plane 16
55
+ )*$/nx;
56
+ end
57
+
58
+ # Constructor
59
+ # +arg+ if a String, the content is set to the String. If a Text,
60
+ # the object is shallowly cloned.
61
+ #
62
+ # +respect_whitespace+ (boolean, false) if true, whitespace is
63
+ # respected
64
+ #
65
+ # +parent+ (nil) if this is a Parent object, the parent
66
+ # will be set to this.
67
+ #
68
+ # +raw+ (nil) This argument can be given three values.
69
+ # If true, then the value of used to construct this object is expected to
70
+ # contain no unescaped XML markup, and REXML will not change the text. If
71
+ # this value is false, the string may contain any characters, and REXML will
72
+ # escape any and all defined entities whose values are contained in the
73
+ # text. If this value is nil (the default), then the raw value of the
74
+ # parent will be used as the raw value for this node. If there is no raw
75
+ # value for the parent, and no value is supplied, the default is false.
76
+ # Use this field if you have entities defined for some text, and you don't
77
+ # want REXML to escape that text in output.
78
+ # Text.new( "<&", false, nil, false ) #-> "&lt;&amp;"
79
+ # Text.new( "&lt;&amp;", false, nil, false ) #-> "&amp;lt;&amp;amp;"
80
+ # Text.new( "<&", false, nil, true ) #-> Parse exception
81
+ # Text.new( "&lt;&amp;", false, nil, true ) #-> "&lt;&amp;"
82
+ # # Assume that the entity "s" is defined to be "sean"
83
+ # # and that the entity "r" is defined to be "russell"
84
+ # Text.new( "sean russell" ) #-> "&s; &r;"
85
+ # Text.new( "sean russell", false, nil, true ) #-> "sean russell"
86
+ #
87
+ # +entity_filter+ (nil) This can be an array of entities to match in the
88
+ # supplied text. This argument is only useful if +raw+ is set to false.
89
+ # Text.new( "sean russell", false, nil, false, ["s"] ) #-> "&s; russell"
90
+ # Text.new( "sean russell", false, nil, true, ["s"] ) #-> "sean russell"
91
+ # In the last example, the +entity_filter+ argument is ignored.
92
+ #
93
+ # +illegal+ INTERNAL USE ONLY
94
+ def initialize(arg, respect_whitespace=false, parent=nil, raw=nil,
95
+ entity_filter=nil, illegal=NEEDS_A_SECOND_CHECK )
96
+
97
+ @raw = false
98
+ @parent = nil
99
+ @entity_filter = nil
100
+
101
+ if parent
102
+ super( parent )
103
+ @raw = parent.raw
104
+ end
105
+
106
+ if arg.kind_of? String
107
+ @string = arg.dup
108
+ elsif arg.kind_of? Text
109
+ @string = arg.instance_variable_get(:@string).dup
110
+ @raw = arg.raw
111
+ @entity_filter = arg.instance_variable_get(:@entity_filter)
112
+ else
113
+ raise "Illegal argument of type #{arg.type} for Text constructor (#{arg})"
114
+ end
115
+
116
+ @string.squeeze!(" \n\t") unless respect_whitespace
117
+ @string.gsub!(/\r\n?/, "\n")
118
+ @raw = raw unless raw.nil?
119
+ @entity_filter = entity_filter if entity_filter
120
+ clear_cache
121
+
122
+ Text.check(@string, illegal, doctype) if @raw
123
+ end
124
+
125
+ def parent= parent
126
+ super(parent)
127
+ Text.check(@string, NEEDS_A_SECOND_CHECK, doctype) if @raw and @parent
128
+ end
129
+
130
+ # check for illegal characters
131
+ def Text.check string, pattern, doctype
132
+
133
+ # illegal anywhere
134
+ if string !~ VALID_XML_CHARS
135
+ if String.method_defined? :encode
136
+ string.chars.each do |c|
137
+ case c.ord
138
+ when *VALID_CHAR
139
+ else
140
+ raise "Illegal character #{c.inspect} in raw string #{string.inspect}"
141
+ end
142
+ end
143
+ else
144
+ string.scan(/[\x00-\x7F]|[\x80-\xBF][\xC0-\xF0]*|[\xC0-\xF0]/n) do |c|
145
+ case c.unpack('U')
146
+ when *VALID_CHAR
147
+ else
148
+ raise "Illegal character #{c.inspect} in raw string #{string.inspect}"
149
+ end
150
+ end
151
+ end
152
+ end
153
+
154
+ # context sensitive
155
+ string.scan(pattern) do
156
+ if $1[-1] != ?;
157
+ raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
158
+ elsif $1[0] == ?&
159
+ if $5 and $5[0] == ?#
160
+ case ($5[1] == ?x ? $5[2..-1].to_i(16) : $5[1..-1].to_i)
161
+ when *VALID_CHAR
162
+ else
163
+ raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
164
+ end
165
+ # FIXME: below can't work but this needs API change.
166
+ # elsif @parent and $3 and !SUBSTITUTES.include?($1)
167
+ # if !doctype or !doctype.entities.has_key?($3)
168
+ # raise "Undeclared entity '#{$1}' in raw string \"#{string}\""
169
+ # end
170
+ end
171
+ end
172
+ end
173
+ end
174
+
175
+ def node_type
176
+ :text
177
+ end
178
+
179
+ def empty?
180
+ @string.size==0
181
+ end
182
+
183
+
184
+ def clone
185
+ return Text.new(self, true)
186
+ end
187
+
188
+
189
+ # Appends text to this text node. The text is appended in the +raw+ mode
190
+ # of this text node.
191
+ #
192
+ # +returns+ the text itself to enable method chain like
193
+ # 'text << "XXX" << "YYY"'.
194
+ def <<( to_append )
195
+ @string << to_append.gsub( /\r\n?/, "\n" )
196
+ clear_cache
197
+ self
198
+ end
199
+
200
+
201
+ # +other+ a String or a Text
202
+ # +returns+ the result of (to_s <=> arg.to_s)
203
+ def <=>( other )
204
+ to_s() <=> other.to_s
205
+ end
206
+
207
+ def doctype
208
+ if @parent
209
+ doc = @parent.document
210
+ doc.doctype if doc
211
+ end
212
+ end
213
+
214
+ REFERENCE = /#{Entity::REFERENCE}/
215
+ # Returns the string value of this text node. This string is always
216
+ # escaped, meaning that it is a valid XML text node string, and all
217
+ # entities that can be escaped, have been inserted. This method respects
218
+ # the entity filter set in the constructor.
219
+ #
220
+ # # Assume that the entity "s" is defined to be "sean", and that the
221
+ # # entity "r" is defined to be "russell"
222
+ # t = Text.new( "< & sean russell", false, nil, false, ['s'] )
223
+ # t.to_s #-> "&lt; &amp; &s; russell"
224
+ # t = Text.new( "< & &s; russell", false, nil, false )
225
+ # t.to_s #-> "&lt; &amp; &s; russell"
226
+ # u = Text.new( "sean russell", false, nil, true )
227
+ # u.to_s #-> "sean russell"
228
+ def to_s
229
+ return @string if @raw
230
+ @normalized ||= Text::normalize( @string, doctype, @entity_filter )
231
+ end
232
+
233
+ def inspect
234
+ @string.inspect
235
+ end
236
+
237
+ # Returns the string value of this text. This is the text without
238
+ # entities, as it might be used programmatically, or printed to the
239
+ # console. This ignores the 'raw' attribute setting, and any
240
+ # entity_filter.
241
+ #
242
+ # # Assume that the entity "s" is defined to be "sean", and that the
243
+ # # entity "r" is defined to be "russell"
244
+ # t = Text.new( "< & sean russell", false, nil, false, ['s'] )
245
+ # t.value #-> "< & sean russell"
246
+ # t = Text.new( "< & &s; russell", false, nil, false )
247
+ # t.value #-> "< & sean russell"
248
+ # u = Text.new( "sean russell", false, nil, true )
249
+ # u.value #-> "sean russell"
250
+ def value
251
+ @unnormalized ||= Text::unnormalize( @string, doctype )
252
+ end
253
+
254
+ # Sets the contents of this text node. This expects the text to be
255
+ # unnormalized. It returns self.
256
+ #
257
+ # e = Element.new( "a" )
258
+ # e.add_text( "foo" ) # <a>foo</a>
259
+ # e[0].value = "bar" # <a>bar</a>
260
+ # e[0].value = "<a>" # <a>&lt;a&gt;</a>
261
+ def value=( val )
262
+ @string = val.gsub( /\r\n?/, "\n" )
263
+ clear_cache
264
+ @raw = false
265
+ end
266
+
267
+ def wrap(string, width, addnewline=false)
268
+ # Recursively wrap string at width.
269
+ return string if string.length <= width
270
+ place = string.rindex(' ', width) # Position in string with last ' ' before cutoff
271
+ if addnewline then
272
+ return "\n" + string[0,place] + "\n" + wrap(string[place+1..-1], width)
273
+ else
274
+ return string[0,place] + "\n" + wrap(string[place+1..-1], width)
275
+ end
276
+ end
277
+
278
+ def indent_text(string, level=1, style="\t", indentfirstline=true)
279
+ return string if level < 0
280
+ new_string = ''
281
+ string.each_line { |line|
282
+ indent_string = style * level
283
+ new_line = (indent_string + line).sub(/[\s]+$/,'')
284
+ new_string << new_line
285
+ }
286
+ new_string.strip! unless indentfirstline
287
+ return new_string
288
+ end
289
+
290
+ # == DEPRECATED
291
+ # See REXML::Formatters
292
+ #
293
+ def write( writer, indent=-1, transitive=false, ie_hack=false )
294
+ Kernel.warn("#{self.class.name}.write is deprecated. See REXML::Formatters", uplevel: 1)
295
+ formatter = if indent > -1
296
+ REXML::Formatters::Pretty.new( indent )
297
+ else
298
+ REXML::Formatters::Default.new
299
+ end
300
+ formatter.write( self, writer )
301
+ end
302
+
303
+ # FIXME
304
+ # This probably won't work properly
305
+ def xpath
306
+ path = @parent.xpath
307
+ path += "/text()"
308
+ return path
309
+ end
310
+
311
+ # Writes out text, substituting special characters beforehand.
312
+ # +out+ A String, IO, or any other object supporting <<( String )
313
+ # +input+ the text to substitute and the write out
314
+ #
315
+ # z=utf8.unpack("U*")
316
+ # ascOut=""
317
+ # z.each{|r|
318
+ # if r < 0x100
319
+ # ascOut.concat(r.chr)
320
+ # else
321
+ # ascOut.concat(sprintf("&#x%x;", r))
322
+ # end
323
+ # }
324
+ # puts ascOut
325
+ def write_with_substitution out, input
326
+ copy = input.clone
327
+ # Doing it like this rather than in a loop improves the speed
328
+ copy.gsub!( SPECIALS[0], SUBSTITUTES[0] )
329
+ copy.gsub!( SPECIALS[1], SUBSTITUTES[1] )
330
+ copy.gsub!( SPECIALS[2], SUBSTITUTES[2] )
331
+ copy.gsub!( SPECIALS[3], SUBSTITUTES[3] )
332
+ copy.gsub!( SPECIALS[4], SUBSTITUTES[4] )
333
+ copy.gsub!( SPECIALS[5], SUBSTITUTES[5] )
334
+ out << copy
335
+ end
336
+
337
+ private
338
+ def clear_cache
339
+ @normalized = nil
340
+ @unnormalized = nil
341
+ end
342
+
343
+ # Reads text, substituting entities
344
+ def Text::read_with_substitution( input, illegal=nil )
345
+ copy = input.clone
346
+
347
+ if copy =~ illegal
348
+ raise ParseException.new( "malformed text: Illegal character #$& in \"#{copy}\"" )
349
+ end if illegal
350
+
351
+ copy.gsub!( /\r\n?/, "\n" )
352
+ if copy.include? ?&
353
+ copy.gsub!( SETUTITSBUS[0], SLAICEPS[0] )
354
+ copy.gsub!( SETUTITSBUS[1], SLAICEPS[1] )
355
+ copy.gsub!( SETUTITSBUS[2], SLAICEPS[2] )
356
+ copy.gsub!( SETUTITSBUS[3], SLAICEPS[3] )
357
+ copy.gsub!( SETUTITSBUS[4], SLAICEPS[4] )
358
+ copy.gsub!( /&#0*((?:\d+)|(?:x[a-f0-9]+));/ ) {
359
+ m=$1
360
+ #m='0' if m==''
361
+ m = "0#{m}" if m[0] == ?x
362
+ [Integer(m)].pack('U*')
363
+ }
364
+ end
365
+ copy
366
+ end
367
+
368
+ EREFERENCE = /&(?!#{Entity::NAME};)/
369
+ # Escapes all possible entities
370
+ def Text::normalize( input, doctype=nil, entity_filter=nil )
371
+ copy = input.to_s
372
+ # Doing it like this rather than in a loop improves the speed
373
+ #copy = copy.gsub( EREFERENCE, '&amp;' )
374
+ copy = copy.gsub( "&", "&amp;" )
375
+ if doctype
376
+ # Replace all ampersands that aren't part of an entity
377
+ doctype.entities.each_value do |entity|
378
+ copy = copy.gsub( entity.value,
379
+ "&#{entity.name};" ) if entity.value and
380
+ not( entity_filter and entity_filter.include?(entity.name) )
381
+ end
382
+ else
383
+ # Replace all ampersands that aren't part of an entity
384
+ DocType::DEFAULT_ENTITIES.each_value do |entity|
385
+ copy = copy.gsub(entity.value, "&#{entity.name};" )
386
+ end
387
+ end
388
+ copy
389
+ end
390
+
391
+ # Unescapes all possible entities
392
+ def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
393
+ sum = 0
394
+ string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
395
+ s = Text.expand($&, doctype, filter)
396
+ if sum + s.bytesize > Security.entity_expansion_text_limit
397
+ raise "entity expansion has grown too large"
398
+ else
399
+ sum += s.bytesize
400
+ end
401
+ s
402
+ }
403
+ end
404
+
405
+ def Text.expand(ref, doctype, filter)
406
+ if ref[1] == ?#
407
+ if ref[2] == ?x
408
+ [ref[3...-1].to_i(16)].pack('U*')
409
+ else
410
+ [ref[2...-1].to_i].pack('U*')
411
+ end
412
+ elsif ref == '&amp;'
413
+ '&'
414
+ elsif filter and filter.include?( ref[1...-1] )
415
+ ref
416
+ elsif doctype
417
+ doctype.entity( ref[1...-1] ) or ref
418
+ else
419
+ entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
420
+ entity_value ? entity_value.value : ref
421
+ end
422
+ end
423
+ end
424
+ end