RubyGems - erb_safe_ext - Versions diffs - 1.0 - Mend

erb_safe_ext 1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4b0b6a5f0daa578acddae3d8949d930a82785e59
+  data.tar.gz: 1c853f1d551d56c70c6fc61461e63f85a6dd99d3
+SHA512:
+  metadata.gz: fc649276d7b03e42808a468a92209cb40aa802036f7efddbe19f03c3dc6524c72c644b73ef5c5b901c181b030aaa8ea26598fe01f47a6b2d092f43ca566b4aad
+  data.tar.gz: 1624272061c380efd61ed94b731e210308ce35f84bf6e4bca722c9ec7a72e8f07c18c0286cb590fd35ca43b2d3a7b7c2e172b0a487e4e01dd4a1fe6a5be9f36d

data/README.md ADDED Viewed

@@ -0,0 +1,45 @@
+# erb_safe_ext
+a gem make ERB html safe default.Protect from XSS attack.
+## Install
+```sh
+$ gem install erb_safe_ext
+```
+## Introduction
+``` erb
+<%= "<script>alert('safety:)');</script>" %>
+## => &lt;script&gt;alert(&#x27;safety:)&#x27;);&lt;&#x2F;script&gt;
+```
+it will default wrap the dangerous code with `Rack::Utils.escape_html(code)`
+works fine with ruby2.1.
+I didn't test this code with other version ruby, you may test yourself.
+the `<%==` is the backup of ERB's original `<%=` function.
+``` erb
+<%== "<script>alert('danger!');</script>" %>
+## => <script>alert('danger!');</script>
+```
+Test code
+``` ruby
+require 'erb_safe_ext'
+template = ERB.new <<-EOF
+<%= "<script>alert('safety:)');</script>" %>
+<%#= 'here' -%>
+<%== "<script>alert('danger!');</script>" %>
+----finish----
+EOF
+puts template.result
+```

data/erb_safe_ext.gemspec ADDED Viewed

@@ -0,0 +1,20 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sinarey_cache/version'
+Gem::Specification.new do |spec|
+  spec.name          = "erb_safe_ext"
+  spec.version       = '1.0'
+  spec.authors       = ["Jeffrey"]
+  spec.email         = ["jeffrey6052@163.com"]
+  spec.description   = "make ERB default html safe.protect from XSS attack."
+  spec.summary       = "wrap the dangerous code with Rack::Utils.escape_html()"
+  spec.homepage      = "https://github.com/maymay25/erb_safe_ext"
+  spec.license       = "MIT"
+  spec.files         = ['lib/erb_safe_ext.rb',
+                        'test/erb_safe_test.rb',
+                        'erb_safe_ext.gemspec',
+                        'README.md']
+end

data/lib/erb_safe_ext.rb ADDED Viewed

@@ -0,0 +1,190 @@
+require 'erb'
+require 'rack'
+class ERB
+  class Compiler
+    def compile(s)
+      enc = s.encoding
+      raise ArgumentError, "#{enc} is not ASCII compatible" if enc.dummy?
+      s = s.dup.force_encoding("ASCII-8BIT") # don't use constant Enoding::ASCII_8BIT for miniruby
+      enc = detect_magic_comment(s) || enc
+      out = Buffer.new(self, enc)
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+        next if token.nil?
+        next if token == ''
+        if scanner.stag.nil?
+          case token
+          when PercentLine
+            add_put_cmd(out, content) if content.size > 0
+            content = ''
+            out.push(token.to_s)
+            out.cr
+          when :cr
+            out.cr
+          when '<%', '<%==', '<%=', '<%#'
+            scanner.stag = token
+            add_put_cmd(out, content) if content.size > 0
+            content = ''
+          when "\n"
+            content << "\n"
+            add_put_cmd(out, content)
+            content = ''
+          when '<%%'
+            content << '<%'
+          else
+            content << token
+          end
+        else
+          case token
+          when '%>'
+            case scanner.stag
+            when '<%'
+              if content[-1] == ?\n
+                content.chop!
+                out.push(content)
+                out.cr
+              else
+                out.push(content)
+              end
+            when '<%=='
+              add_insert_cmd(out, content)
+            when '<%='
+              add_insert_escapehtml_cmd(out, content)
+            when '<%#'
+              # out.push("# #{content_dump(content)}")
+            end
+            scanner.stag = nil
+            content = ''
+          when '%%>'
+            content << '%>'
+          else
+            content << token
+          end
+        end
+      end
+      add_put_cmd(out, content) if content.size > 0
+      out.close
+      return out.script, enc
+    end
+    def add_insert_escapehtml_cmd(out, content)
+      out.push("#{@insert_cmd}(('#{Rack::Utils.escape_html(eval(content))}').to_s)")
+    end
+    class TrimScanner < Scanner
+      def scan_line(line)
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            yield(token)
+          end
+        end
+      end
+      def trim_line1(line)
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            if token == "%>\n"
+              yield('%>')
+              yield(:cr)
+            else
+              yield(token)
+            end
+          end
+        end
+      end
+      def trim_line2(line)
+        head = nil
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            head = token unless head
+            if token == "%>\n"
+              yield('%>')
+              if is_erb_stag?(head)
+                yield(:cr)
+              else
+                yield("\n")
+              end
+              head = nil
+            else
+              yield(token)
+              head = nil if token == "\n"
+            end
+          end
+        end
+      end
+      def explicit_trim_line(line)
+        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            if @stag.nil? && /[ \t]*<%-/ =~ token
+              yield('<%')
+            elsif @stag && token == "-%>\n"
+              yield('%>')
+              yield(:cr)
+            elsif @stag && token == '-%>'
+              yield('%>')
+            else
+              yield(token)
+            end
+          end
+        end
+      end
+      ERB_STAG << '<%=='
+      def is_erb_stag?(s)
+        ERB_STAG.member?(s)
+      end
+    end
+    Scanner.default_scanner = TrimScanner
+    class SimpleScanner < Scanner # :nodoc:
+      def scan
+        @src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            yield(token)
+          end
+        end
+      end
+    end
+    Scanner.regist_scanner(SimpleScanner, nil, false)
+    begin
+      require 'strscan'
+      class SimpleScanner2 < Scanner # :nodoc:
+        def scan
+          stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
+          etag_reg = /(.*?)(%%>|%>|\z)/m
+          scanner = StringScanner.new(@src)
+          while ! scanner.eos?
+            scanner.scan(@stag ? etag_reg : stag_reg)
+            yield(scanner[1])
+            yield(scanner[2])
+          end
+        end
+      end
+      Scanner.regist_scanner(SimpleScanner2, nil, false)
+      class ExplicitScanner < Scanner # :nodoc:
+        def scan
+          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
+          etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
+          scanner = StringScanner.new(@src)
+          while ! scanner.eos?
+            scanner.scan(@stag ? etag_reg : stag_reg)
+            yield(scanner[1])
+            elem = scanner[2]
+            if /[ \t]*<%-/ =~ elem
+              yield('<%')
+            elsif elem == '-%>'
+              yield('%>')
+              yield(:cr) if scanner.scan(/(\n|\z)/)
+            else
+              yield(elem)
+            end
+          end
+        end
+      end
+      Scanner.regist_scanner(ExplicitScanner, '-', false)
+    rescue LoadError
+    end
+  end
+end

data/test/erb_safe_test.rb ADDED Viewed

@@ -0,0 +1,14 @@
+$:.unshift File.expand_path("../lib", __dir__)
+require 'erb_safe_ext'
+template = ERB.new <<-EOF
+<%= "hello, #{'world'}." %>
+<%= "<script>alert('safety:)');</script>" %>
+<%== "<script>alert('danger!');</script>" %>
+this is the end.
+EOF
+puts template.result

metadata ADDED Viewed

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: erb_safe_ext
+version: !ruby/object:Gem::Version
+  version: '1.0'
+platform: ruby
+authors:
+- Jeffrey
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-02-27 00:00:00.000000000 Z
+dependencies: []
+description: make ERB default html safe.protect from XSS attack.
+email:
+- jeffrey6052@163.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/erb_safe_ext.rb
+- test/erb_safe_test.rb
+- erb_safe_ext.gemspec
+- README.md
+homepage: https://github.com/maymay25/erb_safe_ext
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.14
+signing_key:
+specification_version: 4
+summary: wrap the dangerous code with Rack::Utils.escape_html()
+test_files: []