contextual 0.0.1-java

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in contextual.gemspec
+gemspec

data/README.md

@@ -0,0 +1,45 @@
+# Runtime Contextual Autoescaper
+
+A JRuby wrapper for [Mike Samuel's contextual HTML autoescaper](https://github.com/mikesamuel/html-contextual-autoescaper-java). Same one as [used by Google's Closure Templates](http://code.google.com/closure/templates/docs/security.html).
+
+## Example
+
+First, let's define an Erb template:
+
+```erb
+<% def helper(obj); "Hello, #{obj['world']}"; end %>
+
+<div style="color: <%= object['color'] %>">
+<a href="/<%= object['color'] %>?q=<%= object['world'] %>" onclick="alert('<%= helper(object) %>');return false"><%= helper(object) %></a>
+<script>(function () {  // Sleepy developers put sensitive info in comments.
+ var o = <%= object %>,
+ w = "<%= object['world'] %>";
+})();</script>
+</div>
+```
+
+Let's load the template and execute it:
+
+```ruby
+template = Erubis::ContextualEruby.new(template_string)
+
+object = {"world" => "<Cincinnati>", "color" => "blue"}
+puts template.result(binding())
+```
+
+Output:
+
+```html
+<div style="color: blue">
+<a href="/blue?q=%3cCincinnati%3e" onclick="alert('Hello, \x3cCincinnati\x3e');return false">Hello, &lt;Cincinnati&gt;</a>
+<script>(function () {
+ var o = {'world':'\x3cCincinnati\x3e','color':'blue'},
+ w = "\x3cCincinnati\x3e";
+})();</script>
+</div>
+```
+
+The safe parts are treated as literal chunks of HTML/CSS/JS, the query string parameters are auto URI encoded, same data is also auto escaped within the JS block, and the rendered object within the javascript block is automatically converted to JSON! Additionally, extra comments are removed, data is properly HTML escaped, and so forth.
+
+Contextual will also automatically strip variety of injection cases for JS, CSS, and HTML, and give you a [dozen other features](https://github.com/mikesamuel/html-contextual-autoescaper-java/tree/master/src/tests/com/google/autoesc) for free.
+

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+task :default => [:spec]
+task :test => [:spec]
+
+desc "run spec tests"
+RSpec::Core::RakeTask.new('spec') do |t|
+    t.pattern = 'spec/**_spec.rb'
+end
+

data/contextual.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "contextual/version"
+
+Gem::Specification.new do |s|
+  s.name        = "contextual"
+  s.version     = Contextual::VERSION
+  s.authors     = ["Ilya Grigorik"]
+  s.email       = ["ilya@igvita.com"]
+  s.homepage    = "https://github.com/igrigorik/contextual"
+  s.summary     = "Runtime contextual autoescaper"
+  s.description = s.summary
+
+  s.rubyforge_project = "contextual"
+  s.platform = "java"
+
+  s.add_development_dependency "rspec"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/contextual.rb

@@ -0,0 +1,3 @@
+require "contextual/version"
+require "contextual/contextual"
+require "contextual/rails_erubis" if defined? Rails

data/lib/contextual/contextual.rb

@@ -0,0 +1,95 @@
+require "java"
+require "ext/guava"
+require "ext/autoesc"
+
+java_import com.google.autoesc.HTMLEscapingWriter
+
+require "rubygems"
+require "erubis"
+
+module Erubis
+  module ContextualEscapeEnhancer
+
+    def self.desc   # :nodoc:
+      "switch '<%= %>' to escaped and '<%== %>' to unescaped"
+    end
+
+    def add_expr(src, code, indicator)
+      case indicator
+      when '='
+        @escape ? add_expr_literal(src, code) : add_expr_escaped(src, code)
+      when '=='
+        @escape ? add_expr_escaped(src, code) : add_expr_literal(src, code)
+      when '==='
+        add_expr_debug(src, code)
+      end
+    end
+
+    def add_text(src, text)
+      if !text.empty?
+        src << " #{@bufvar}.writeSafe '" << text.to_s.gsub("'", "\\\\'") << "';"
+      end
+    end
+
+    def add_stmt(src, code)
+      src << code
+      src << ';' unless code[-1] == ?\n
+    end
+
+    def add_expr_literal(src, code)
+      src << " #{@bufvar}.writeSafe(" << code << ').to_s;'
+    end
+
+    def add_expr_escaped(src, code)
+      src << " #{@bufvar}.write(" << code << ').to_s;'
+    end
+  end
+
+  class ContextualBuffer
+    def initialize
+      @writer = java.io.StringWriter.new
+      @buf = HTMLEscapingWriter.new(@writer)
+    end
+
+    def writeSafe(code)
+      @buf.writeSafe(code)
+    end
+    alias :writeSafe= :writeSafe
+    alias :append= :writeSafe
+    alias :concat :writeSafe
+    alias :<< :writeSafe
+
+    def write(code)
+      @buf.write(code)
+    end
+    alias :write= :write
+    alias :safe_append= :write
+    alias :safe_concat :write
+
+    def to_s
+      @writer.to_s
+    end
+
+    def close
+      @writer.close
+    end
+
+    def presence
+      @writer.to_s.html_safe
+    end
+  end
+
+  class ContextualEruby < Eruby
+    include ContextualEscapeEnhancer
+
+    def add_preamble(src)
+      src << "#{@bufvar} = Erubis::ContextualBuffer.new; "
+    end
+
+    def add_postamble(src)
+      src << "\n" unless src[-1] == ?\n
+      src << "#{@bufvar}.close\n"
+      src << "#{@bufvar}.to_s\n"
+    end
+  end
+end

data/lib/contextual/rails_erubis.rb

@@ -0,0 +1,94 @@
+module ActionView
+  class Template
+    module Handlers
+
+      # class Erubis < ::Erubis::Eruby
+      #   def add_preamble(src)
+      #     src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
+      #   end
+      #
+      #   def add_text(src, text)
+      #     return if text.empty?
+      #     p [:add_text, :safe_concat, text]
+      #     src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+      #   end
+      #
+      #   BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+      #
+      #   def add_expr_literal(src, code)
+      #     if code =~ BLOCK_EXPR
+      #       p [:add_expr_literal, :block_append=, code]
+      #
+      #       src << '@output_buffer.append= ' << code
+      #     else
+      #       p [:add_expr_literal, :append=, code]
+      #
+      #       src << '@output_buffer.append= (' << code << ');'
+      #     end
+      #   end
+      #
+      #   def add_expr_escaped(src, code)
+      #     if code =~ BLOCK_EXPR
+      #       p [:add_expr_escaped, :safe_append=, code]
+      #
+      #       src << "@output_buffer.safe_append= " << code
+      #     else
+      #       p [:add_expr_escaped, :safe_concat, code]
+      #       src << "@output_buffer.safe_concat((" << code << ").to_s);"
+      #     end
+      #   end
+      #
+      #   def add_postamble(src)
+      #     src << '@output_buffer.to_s'
+      #   end
+      # end
+
+      class SafeErubis < ::Erubis::Eruby
+        BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+        def add_preamble(src)
+          src << "@output_buffer = output_buffer || Erubis::ContextualBuffer.new; "
+        end
+
+        def add_text(src, text)
+          if !text.empty?
+            src << "@output_buffer.concat('" << text.to_s.gsub("'", "\\\\'") << "');"
+          end
+        end
+
+        def add_expr_literal(src, code)
+          if code =~ BLOCK_EXPR
+            src << '@output_buffer.append= ' << code
+          else
+            src << <<-SRC
+              val = (#{code.to_s});
+              if (val.html_safe?);
+                @output_buffer.append=(val);
+              else;
+                @output_buffer.safe_append=(val);
+              end;
+            SRC
+          end
+        end
+
+        def add_expr_escaped(src, code)
+          if code =~ BLOCK_EXPR
+            src << "@output_buffer.append= " << code
+          else
+            src << "@output_buffer.append(" << code << ");"
+          end
+        end
+
+        def add_postamble(src)
+          src << "@output_buffer.close \n"
+          # src << "p [:CONTEXTUAL,@output_buffer, @output_buffer.to_s, @output_buffer.to_s.html_safe.html_safe?]\n"
+          src << "@output_buffer.to_s.html_safe"
+        end
+      end
+
+      ERB.erb_implementation = SafeErubis
+      ActionView::OutputBuffer = ::Erubis::ContextualBuffer
+
+    end
+  end
+end

data/lib/contextual/version.rb

@@ -0,0 +1,3 @@
+module Contextual
+  VERSION = "0.0.1"
+end

data/spec/contextual_spec.rb

@@ -0,0 +1,70 @@
+require "contextual"
+
+TEMPLATE = <<-eos
+<% def helper(obj); "Hello, \#{obj['world']}"; end %>
+
+<div style="color: <%= object['color'] %>">
+<a href="/<%= object['color'] %>?q=<%= object['world'] %>" onclick="alert('<%= helper(object) %>');return false"><%= helper(object) %></a>
+<script>(function () {  // Sleepy developers put sensitive info in comments.
+ var o = <%= object %>,
+ w = "<%= object['world'] %>";
+})();</script>
+</div>
+eos
+
+EXPECTED = <<-eos
+
+<div style="color: blue">
+<a href="/blue?q=%3cCincinnati%3e" onclick="alert('Hello, \\x3cCincinnati\\x3e');return false">Hello, &lt;Cincinnati&gt;</a>
+<script>(function () {
+ var o = {'world':'\\x3cCincinnati\\x3e','color':'blue'},
+ w = "\\x3cCincinnati\\x3e";
+})();</script>
+</div>
+eos
+
+describe Contextual do
+
+  it "should escape unsafe content" do
+    t = Erubis::ContextualEruby.new(" \
+      <% elements.each do |e| %> \
+        <%= e %> \
+      <% end %> \
+    ")
+
+    elements = ['<script>', '&bar', 'style="test"']
+    res = t.result(binding())
+
+    res.should match('&lt;script&gt;')
+    res.should match('&amp;bar')
+    res.should match('style=&#34;test&#34;')
+  end
+
+  it "should preserve safe content" do
+    t = Erubis::ContextualEruby.new("<ul><%= '<script>' %></ul>")
+    t.result.should match('<ul>&lt;script&gt;</ul>')
+  end
+
+  it "should allow explicit safe content" do
+    t = Erubis::ContextualEruby.new("<ul><%== '<script>' %></ul>")
+    t.result.should match('<ul><script></ul>')
+  end
+
+  it "should skip comments" do
+    t = Erubis::ContextualEruby.new("<%# some comment %>")
+    t.result.should be_empty
+  end
+
+  it "should render contextual template" do
+    object = {"world" => "<Cincinnati>", "color" => "blue"}
+    template = Erubis::ContextualEruby.new(TEMPLATE)
+    res = template.result(binding())
+
+    # don't worry about trailing whitespace
+    res = res.split("\n").map {|r| r.strip}
+    exp = EXPECTED.split("\n").map {|r| r.strip}
+
+    res.should == exp
+  end
+
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification
+name: contextual
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: java
+authors:
+- Ilya Grigorik
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2152973440 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2152973440
+description: Runtime contextual autoescaper
+email:
+- ilya@igvita.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- README.md
+- Rakefile
+- contextual.gemspec
+- lib/contextual.rb
+- lib/contextual/contextual.rb
+- lib/contextual/rails_erubis.rb
+- lib/contextual/version.rb
+- lib/ext/autoesc.jar
+- lib/ext/guava.jar
+- spec/contextual_spec.rb
+homepage: https://github.com/igrigorik/contextual
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: contextual
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Runtime contextual autoescaper
+test_files:
+- spec/contextual_spec.rb
+has_rdoc: