contextual 0.0.1-java → 0.0.2-java
- data/README.md +3 -0
- data/contextual.gemspec +3 -0
- data/lib/contextual.rb +2 -1
- data/lib/contextual/contextual.rb +1 -1
- data/lib/contextual/rails.rb +10 -0
- data/lib/contextual/safe_erubis.rb +44 -0
- data/lib/contextual/version.rb +1 -1
- data/spec/contextual_spec.rb +9 -0
- data/spec/rails_spec.rb +21 -0
- data/spec/safe_erubis_spec.rb +19 -0
- metadata +72 -50
- data/lib/contextual/rails_erubis.rb +0 -94
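--- a/data/README.md
+++ b/data/README.md
@@ -43,3 +43,6 @@ The safe parts are treated as literal chunks of HTML/CSS/JS, the query string pa
 
 Contextual will also automatically strip variety of injection cases for JS, CSS, and HTML, and give you a [dozen other features](https://github.com/mikesamuel/html-contextual-autoescaper-java/tree/master/src/tests/com/google/autoesc) for free.
 
+### License
+
+(MIT License) - Copyright (c) 2012 Ilya Grigorik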
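--- a/data/contextual.gemspec
+++ b/data/contextual.gemspec
@@ -16,6 +16,9 @@ Gem::Specification.new do |s|
 
 s.add_development_dependency "rspec"
 
+# Only required to test rails integration
+s.add_development_dependency 'rails'
+
 s.files = `git ls-files`.split("\n")
 s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
 s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }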
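Review bot: `s.add_development_dependency 'rails'` on added line 20 carries no version constraint, while the integration this gem ships (setting `ActionView::Template::Handlers::ERB.erb_implementation` and reassigning `ActionView::OutputBuffer` in the load hook elsewhere in this diff) leans on ActionView internals that differ between Rails series; constraining the development dependency to the series the hook was written against keeps the spec suite from quietly running against a different Rails later. The quoting also diverges from the existing `s.add_development_dependency "rspec"` two lines above; `s.add_development_dependency "rails"` would match. If `erubis` is not declared as a runtime dependency elsewhere in the gemspec (not visible in this hunk), it should be, since `Contextual::SafeErubis` subclasses `::Erubis::Eruby`.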
data/lib/contextual.rb
CHANGED
@@ -0,0 +1,10 @@
|
|
1
|
+
require 'contextual/safe_erubis'
|
2
|
+
|
3
|
+
ActiveSupport.on_load(:action_view) do
|
4
|
+
ActionView::Template::Handlers::SafeErubis = Contextual::SafeErubis
|
5
|
+
ActionView::Template::Handlers::ERB.erb_implementation = Contextual::SafeErubis
|
6
|
+
|
7
|
+
# Make sure ActionView::OutputBuffer is loaded before we override it
|
8
|
+
require 'action_view/buffers'
|
9
|
+
ActionView::OutputBuffer = ::Erubis::ContextualBuffer
|
10
|
+
end
|
@@ -0,0 +1,44 @@
|
|
1
|
+
module Contextual
|
2
|
+
class SafeErubis < ::Erubis::Eruby
|
3
|
+
BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
|
4
|
+
|
5
|
+
def add_preamble(src)
|
6
|
+
src << "@output_buffer = output_buffer || Erubis::ContextualBuffer.new; "
|
7
|
+
end
|
8
|
+
|
9
|
+
def add_text(src, text)
|
10
|
+
if !text.empty?
|
11
|
+
src << "@output_buffer.concat('" << text.to_s.gsub("'", "\\\\'") << "');"
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
def add_expr_literal(src, code)
|
16
|
+
if code =~ BLOCK_EXPR
|
17
|
+
src << '@output_buffer.append= ' << code
|
18
|
+
else
|
19
|
+
src << <<-SRC
|
20
|
+
val = (#{code.to_s});
|
21
|
+
if (val.html_safe?);
|
22
|
+
@output_buffer.append=(val);
|
23
|
+
else;
|
24
|
+
@output_buffer.safe_append=(val);
|
25
|
+
end;
|
26
|
+
SRC
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def add_expr_escaped(src, code)
|
31
|
+
if code =~ BLOCK_EXPR
|
32
|
+
src << "@output_buffer.append= " << code
|
33
|
+
else
|
34
|
+
src << "@output_buffer.append(" << code << ");"
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
def add_postamble(src)
|
39
|
+
src << "@output_buffer.close \n"
|
40
|
+
# src << "p [:CONTEXTUAL,@output_buffer, @output_buffer.to_s, @output_buffer.to_s.html_safe.html_safe?]\n"
|
41
|
+
src << "@output_buffer.to_s.html_safe"
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
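Review bot: `add_text` in the SafeErubis hunk escapes only single quotes when it wraps literal template text in a single-quoted Ruby string (`text.to_s.gsub("'", "\\\\'")`), so a backslash in the template passes through unescaped; text ending in `\` becomes `'...\');` in the generated source, where `\'` is read as an escaped quote and the string literal swallows the closing quote, leaving a broken or silently re-shaped compiled template. Erubis already provides the converter helper that the removed file used for exactly this case, `src << "@output_buffer.concat('" << escape_text(text) << "');"`, which escapes both `'` and `\`. Template text is author-controlled rather than request data, so this is a correctness problem in the compiled template rather than an injection path, but an autoescaping handler should not itself emit malformed Ruby. The preceding hunk in this section reassigns `ActionView::OutputBuffer` after deliberately loading it, which swaps the buffer for every ActionView handler rather than only `SafeErubis` and triggers Ruby's already-initialized-constant warning; a comment at that assignment stating the global effect is warranted.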
data/lib/contextual/version.rb
CHANGED
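--- a/data/spec/contextual_spec.rb
+++ b/data/spec/contextual_spec.rb
@@ -67,4 +67,13 @@ describe Contextual do
 res.should == exp
 end
 
+it "should render fixnums" do
+template = Erubis::ContextualEruby.new <<-TEMPLATE
+Number: <%= 42 %>
+TEMPLATE
+
+result = template.result(binding)
+
+result.should =~ /Number: 42/
+end
 end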
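Review bot: `result.should =~ /Number: 42/` in the new example is an unanchored substring match, so it also accepts output such as `Number: 420` or any escaped variant that still contains that substring; an exact comparison, `result.strip.should == "Number: 42"`, pins the rendering of a non-String expression, which is what this example exists to cover. The sibling spec added in this diff checks the same thing with `/Number:\s*42/`; the two should agree on one form.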
data/spec/rails_spec.rb
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
require 'rails'
|
2
|
+
|
3
|
+
require 'contextual'
|
4
|
+
|
5
|
+
# make sure railtie is loaded in case some other
|
6
|
+
# test task required contextual before rails was loaded
|
7
|
+
require 'contextual/rails'
|
8
|
+
|
9
|
+
# Force the load hooks to be run for action_view
|
10
|
+
require 'action_view'
|
11
|
+
require 'action_view/base'
|
12
|
+
|
13
|
+
describe "Contextual load hooks" do
|
14
|
+
it "should add SafeErubis as template handler" do
|
15
|
+
ActionView::Template::Handlers::SafeErubis.should == Contextual::SafeErubis
|
16
|
+
end
|
17
|
+
|
18
|
+
it "should be able to load action_view/buffers alright" do
|
19
|
+
require 'action_view/buffers'
|
20
|
+
end
|
21
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
require 'contextual/safe_erubis'
|
2
|
+
|
3
|
+
describe Contextual do
|
4
|
+
it 'should allow fixnums' do
|
5
|
+
template = Contextual::SafeErubis.new <<-TEMPLATE
|
6
|
+
Number: <%= 42 %>
|
7
|
+
TEMPLATE
|
8
|
+
|
9
|
+
result = template.result(binding)
|
10
|
+
|
11
|
+
result.should =~ /Number:\s*42/
|
12
|
+
end
|
13
|
+
|
14
|
+
private
|
15
|
+
|
16
|
+
def output_buffer
|
17
|
+
::Erubis::ContextualBuffer.new
|
18
|
+
end
|
19
|
+
end
|
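Review bot: The second example in the rails_spec.rb hunk, `it "should be able to load action_view/buffers alright"`, contains only a `require` and no assertion, so it passes whenever the file loads and does not check what the load hook actually did. The hook changes two more things than the first example verifies, and both can be asserted here: `ActionView::Template::Handlers::ERB.erb_implementation.should == Contextual::SafeErubis` and `ActionView::OutputBuffer.should == ::Erubis::ContextualBuffer`. The second hunk in this section (the `Contextual::SafeErubis` spec) likewise covers only a Fixnum expression; one example with a plain string and one with an `html_safe` string would pin the two branches `add_expr_literal` generates, which is the behaviour that matters for escaping.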
metadata
CHANGED
@@ -1,71 +1,93 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: contextual
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.1
|
3
|
+
version: !ruby/object:Gem::Version
|
5
4
|
prerelease:
|
5
|
+
version: 0.0.2
|
6
6
|
platform: java
|
7
|
-
authors:
|
8
|
-
- Ilya Grigorik
|
7
|
+
authors:
|
8
|
+
- Ilya Grigorik
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
12
|
+
|
13
|
+
date: 2012-05-24 00:00:00 Z
|
14
|
+
dependencies:
|
15
|
+
- !ruby/object:Gem::Dependency
|
16
|
+
name: rspec
|
17
|
+
prerelease: false
|
18
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
19
|
+
none: false
|
20
|
+
requirements:
|
21
|
+
- - ">="
|
22
|
+
- !ruby/object:Gem::Version
|
23
|
+
version: "0"
|
24
|
+
type: :development
|
25
|
+
version_requirements: *id001
|
26
|
+
- !ruby/object:Gem::Dependency
|
27
|
+
name: rails
|
28
|
+
prerelease: false
|
29
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
30
|
+
none: false
|
31
|
+
requirements:
|
32
|
+
- - ">="
|
33
|
+
- !ruby/object:Gem::Version
|
34
|
+
version: "0"
|
35
|
+
type: :development
|
36
|
+
version_requirements: *id002
|
25
37
|
description: Runtime contextual autoescaper
|
26
|
-
email:
|
27
|
-
- ilya@igvita.com
|
38
|
+
email:
|
39
|
+
- ilya@igvita.com
|
28
40
|
executables: []
|
41
|
+
|
29
42
|
extensions: []
|
43
|
+
|
30
44
|
extra_rdoc_files: []
|
31
|
-
|
32
|
-
|
33
|
-
- .
|
34
|
-
-
|
35
|
-
-
|
36
|
-
-
|
37
|
-
-
|
38
|
-
-
|
39
|
-
- lib/contextual
|
40
|
-
- lib/contextual/
|
41
|
-
- lib/contextual/
|
42
|
-
- lib/
|
43
|
-
- lib/
|
44
|
-
-
|
45
|
+
|
46
|
+
files:
|
47
|
+
- .gitignore
|
48
|
+
- .rspec
|
49
|
+
- Gemfile
|
50
|
+
- README.md
|
51
|
+
- Rakefile
|
52
|
+
- contextual.gemspec
|
53
|
+
- lib/contextual.rb
|
54
|
+
- lib/contextual/contextual.rb
|
55
|
+
- lib/contextual/rails.rb
|
56
|
+
- lib/contextual/safe_erubis.rb
|
57
|
+
- lib/contextual/version.rb
|
58
|
+
- lib/ext/autoesc.jar
|
59
|
+
- lib/ext/guava.jar
|
60
|
+
- spec/contextual_spec.rb
|
61
|
+
- spec/rails_spec.rb
|
62
|
+
- spec/safe_erubis_spec.rb
|
45
63
|
homepage: https://github.com/igrigorik/contextual
|
46
64
|
licenses: []
|
65
|
+
|
47
66
|
post_install_message:
|
48
67
|
rdoc_options: []
|
49
|
-
|
50
|
-
|
51
|
-
|
68
|
+
|
69
|
+
require_paths:
|
70
|
+
- lib
|
71
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
52
72
|
none: false
|
53
|
-
requirements:
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
required_rubygems_version: !ruby/object:Gem::Requirement
|
73
|
+
requirements:
|
74
|
+
- - ">="
|
75
|
+
- !ruby/object:Gem::Version
|
76
|
+
version: "0"
|
77
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
58
78
|
none: false
|
59
|
-
requirements:
|
60
|
-
|
61
|
-
|
62
|
-
|
79
|
+
requirements:
|
80
|
+
- - ">="
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: "0"
|
63
83
|
requirements: []
|
84
|
+
|
64
85
|
rubyforge_project: contextual
|
65
|
-
rubygems_version: 1.8.
|
86
|
+
rubygems_version: 1.8.15
|
66
87
|
signing_key:
|
67
88
|
specification_version: 3
|
68
89
|
summary: Runtime contextual autoescaper
|
69
|
-
test_files:
|
70
|
-
- spec/contextual_spec.rb
|
71
|
-
|
90
|
+
test_files:
|
91
|
+
- spec/contextual_spec.rb
|
92
|
+
- spec/rails_spec.rb
|
93
|
+
- spec/safe_erubis_spec.rb
|
@@ -1,94 +0,0 @@
|
|
1
|
-
module ActionView
|
2
|
-
class Template
|
3
|
-
module Handlers
|
4
|
-
|
5
|
-
# class Erubis < ::Erubis::Eruby
|
6
|
-
# def add_preamble(src)
|
7
|
-
# src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
|
8
|
-
# end
|
9
|
-
#
|
10
|
-
# def add_text(src, text)
|
11
|
-
# return if text.empty?
|
12
|
-
# p [:add_text, :safe_concat, text]
|
13
|
-
# src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
|
14
|
-
# end
|
15
|
-
#
|
16
|
-
# BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
|
17
|
-
#
|
18
|
-
# def add_expr_literal(src, code)
|
19
|
-
# if code =~ BLOCK_EXPR
|
20
|
-
# p [:add_expr_literal, :block_append=, code]
|
21
|
-
#
|
22
|
-
# src << '@output_buffer.append= ' << code
|
23
|
-
# else
|
24
|
-
# p [:add_expr_literal, :append=, code]
|
25
|
-
#
|
26
|
-
# src << '@output_buffer.append= (' << code << ');'
|
27
|
-
# end
|
28
|
-
# end
|
29
|
-
#
|
30
|
-
# def add_expr_escaped(src, code)
|
31
|
-
# if code =~ BLOCK_EXPR
|
32
|
-
# p [:add_expr_escaped, :safe_append=, code]
|
33
|
-
#
|
34
|
-
# src << "@output_buffer.safe_append= " << code
|
35
|
-
# else
|
36
|
-
# p [:add_expr_escaped, :safe_concat, code]
|
37
|
-
# src << "@output_buffer.safe_concat((" << code << ").to_s);"
|
38
|
-
# end
|
39
|
-
# end
|
40
|
-
#
|
41
|
-
# def add_postamble(src)
|
42
|
-
# src << '@output_buffer.to_s'
|
43
|
-
# end
|
44
|
-
# end
|
45
|
-
|
46
|
-
class SafeErubis < ::Erubis::Eruby
|
47
|
-
BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
|
48
|
-
|
49
|
-
def add_preamble(src)
|
50
|
-
src << "@output_buffer = output_buffer || Erubis::ContextualBuffer.new; "
|
51
|
-
end
|
52
|
-
|
53
|
-
def add_text(src, text)
|
54
|
-
if !text.empty?
|
55
|
-
src << "@output_buffer.concat('" << text.to_s.gsub("'", "\\\\'") << "');"
|
56
|
-
end
|
57
|
-
end
|
58
|
-
|
59
|
-
def add_expr_literal(src, code)
|
60
|
-
if code =~ BLOCK_EXPR
|
61
|
-
src << '@output_buffer.append= ' << code
|
62
|
-
else
|
63
|
-
src << <<-SRC
|
64
|
-
val = (#{code.to_s});
|
65
|
-
if (val.html_safe?);
|
66
|
-
@output_buffer.append=(val);
|
67
|
-
else;
|
68
|
-
@output_buffer.safe_append=(val);
|
69
|
-
end;
|
70
|
-
SRC
|
71
|
-
end
|
72
|
-
end
|
73
|
-
|
74
|
-
def add_expr_escaped(src, code)
|
75
|
-
if code =~ BLOCK_EXPR
|
76
|
-
src << "@output_buffer.append= " << code
|
77
|
-
else
|
78
|
-
src << "@output_buffer.append(" << code << ");"
|
79
|
-
end
|
80
|
-
end
|
81
|
-
|
82
|
-
def add_postamble(src)
|
83
|
-
src << "@output_buffer.close \n"
|
84
|
-
# src << "p [:CONTEXTUAL,@output_buffer, @output_buffer.to_s, @output_buffer.to_s.html_safe.html_safe?]\n"
|
85
|
-
src << "@output_buffer.to_s.html_safe"
|
86
|
-
end
|
87
|
-
end
|
88
|
-
|
89
|
-
ERB.erb_implementation = SafeErubis
|
90
|
-
ActionView::OutputBuffer = ::Erubis::ContextualBuffer
|
91
|
-
|
92
|
-
end
|
93
|
-
end
|
94
|
-
end
|