erb_safe_ext 1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4b0b6a5f0daa578acddae3d8949d930a82785e59
+  data.tar.gz: 1c853f1d551d56c70c6fc61461e63f85a6dd99d3
+SHA512:
+  metadata.gz: fc649276d7b03e42808a468a92209cb40aa802036f7efddbe19f03c3dc6524c72c644b73ef5c5b901c181b030aaa8ea26598fe01f47a6b2d092f43ca566b4aad
+  data.tar.gz: 1624272061c380efd61ed94b731e210308ce35f84bf6e4bca722c9ec7a72e8f07c18c0286cb590fd35ca43b2d3a7b7c2e172b0a487e4e01dd4a1fe6a5be9f36d

data/README.md

@@ -0,0 +1,45 @@
+# erb_safe_ext
+
+a gem make ERB html safe default.Protect from XSS attack.
+
+## Install
+
+```sh
+$ gem install erb_safe_ext
+```
+
+## Introduction
+
+``` erb
+<%= "<script>alert('safety:)');</script>" %>
+## => &lt;script&gt;alert(&#x27;safety:)&#x27;);&lt;&#x2F;script&gt;
+```
+
+it will default wrap the dangerous code with `Rack::Utils.escape_html(code)`
+
+works fine with ruby2.1.
+
+I didn't test this code with other version ruby, you may test yourself.
+
+the `<%==` is the backup of ERB's original `<%=` function. 
+
+``` erb
+<%== "<script>alert('danger!');</script>" %>
+## => <script>alert('danger!');</script>
+```
+
+
+Test code
+
+``` ruby
+require 'erb_safe_ext'
+template = ERB.new <<-EOF
+<%= "<script>alert('safety:)');</script>" %>
+<%#= 'here' -%>
+<%== "<script>alert('danger!');</script>" %>
+----finish----
+EOF
+puts template.result
+```
+
+

data/erb_safe_ext.gemspec

@@ -0,0 +1,20 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sinarey_cache/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "erb_safe_ext"
+  spec.version       = '1.0'
+  spec.authors       = ["Jeffrey"]
+  spec.email         = ["jeffrey6052@163.com"]
+  spec.description   = "make ERB default html safe.protect from XSS attack."
+  spec.summary       = "wrap the dangerous code with Rack::Utils.escape_html()"
+  spec.homepage      = "https://github.com/maymay25/erb_safe_ext"
+  spec.license       = "MIT"
+
+  spec.files         = ['lib/erb_safe_ext.rb',
+                        'test/erb_safe_test.rb',
+                        'erb_safe_ext.gemspec',
+                        'README.md']
+end

data/lib/erb_safe_ext.rb

@@ -0,0 +1,190 @@
+require 'erb'
+require 'rack'
+
+class ERB
+  class Compiler
+    def compile(s)
+      enc = s.encoding
+      raise ArgumentError, "#{enc} is not ASCII compatible" if enc.dummy?
+      s = s.dup.force_encoding("ASCII-8BIT") # don't use constant Enoding::ASCII_8BIT for miniruby
+      enc = detect_magic_comment(s) || enc
+      out = Buffer.new(self, enc)
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+        next if token.nil?
+        next if token == ''
+        if scanner.stag.nil?
+          case token
+          when PercentLine
+            add_put_cmd(out, content) if content.size > 0
+            content = ''
+            out.push(token.to_s)
+            out.cr
+          when :cr
+            out.cr
+          when '<%', '<%==', '<%=', '<%#'
+            scanner.stag = token
+            add_put_cmd(out, content) if content.size > 0
+            content = ''
+          when "\n"
+            content << "\n"
+            add_put_cmd(out, content)
+            content = ''
+          when '<%%'
+            content << '<%'
+          else
+            content << token
+          end
+        else
+          case token
+          when '%>'
+            case scanner.stag
+            when '<%'
+              if content[-1] == ?\n
+                content.chop!
+                out.push(content)
+                out.cr
+              else
+                out.push(content)
+              end
+            when '<%=='
+              add_insert_cmd(out, content)
+            when '<%='
+              add_insert_escapehtml_cmd(out, content)
+            when '<%#'
+              # out.push("# #{content_dump(content)}")
+            end
+            scanner.stag = nil
+            content = ''
+          when '%%>'
+            content << '%>'
+          else
+            content << token
+          end
+        end
+      end
+      add_put_cmd(out, content) if content.size > 0
+      out.close
+      return out.script, enc
+    end
+    def add_insert_escapehtml_cmd(out, content)
+      out.push("#{@insert_cmd}(('#{Rack::Utils.escape_html(eval(content))}').to_s)")
+    end
+    class TrimScanner < Scanner
+      def scan_line(line)
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            yield(token)
+          end
+        end
+      end
+      def trim_line1(line)
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            if token == "%>\n"
+              yield('%>')
+              yield(:cr)
+            else
+              yield(token)
+            end
+          end
+        end
+      end
+      def trim_line2(line)
+        head = nil
+        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            head = token unless head
+            if token == "%>\n"
+              yield('%>')
+              if is_erb_stag?(head)
+                yield(:cr)
+              else
+                yield("\n")
+              end
+              head = nil
+            else
+              yield(token)
+              head = nil if token == "\n"
+            end
+          end
+        end
+      end
+      def explicit_trim_line(line)
+        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            if @stag.nil? && /[ \t]*<%-/ =~ token
+              yield('<%')
+            elsif @stag && token == "-%>\n"
+              yield('%>')
+              yield(:cr)
+            elsif @stag && token == '-%>'
+              yield('%>')
+            else
+              yield(token)
+            end
+          end
+        end
+      end
+      ERB_STAG << '<%=='
+      def is_erb_stag?(s)
+        ERB_STAG.member?(s)
+      end
+    end
+    Scanner.default_scanner = TrimScanner
+    class SimpleScanner < Scanner # :nodoc:
+      def scan
+        @src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+          tokens.each do |token|
+            next if token.empty?
+            yield(token)
+          end
+        end
+      end
+    end
+    Scanner.regist_scanner(SimpleScanner, nil, false)
+    begin
+      require 'strscan'
+      class SimpleScanner2 < Scanner # :nodoc:
+        def scan
+          stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
+          etag_reg = /(.*?)(%%>|%>|\z)/m
+          scanner = StringScanner.new(@src)
+          while ! scanner.eos?
+            scanner.scan(@stag ? etag_reg : stag_reg)
+            yield(scanner[1])
+            yield(scanner[2])
+          end
+        end
+      end
+      Scanner.regist_scanner(SimpleScanner2, nil, false)
+      class ExplicitScanner < Scanner # :nodoc:
+        def scan
+          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
+          etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
+          scanner = StringScanner.new(@src)
+          while ! scanner.eos?
+            scanner.scan(@stag ? etag_reg : stag_reg)
+            yield(scanner[1])
+            elem = scanner[2]
+            if /[ \t]*<%-/ =~ elem
+              yield('<%')
+            elsif elem == '-%>'
+              yield('%>')
+              yield(:cr) if scanner.scan(/(\n|\z)/)
+            else
+              yield(elem)
+            end
+          end
+        end
+      end
+      Scanner.regist_scanner(ExplicitScanner, '-', false)
+    rescue LoadError
+    end
+  end
+end

data/test/erb_safe_test.rb

@@ -0,0 +1,14 @@
+
+$:.unshift File.expand_path("../lib", __dir__)
+
+require 'erb_safe_ext'
+
+template = ERB.new <<-EOF
+<%= "hello, #{'world'}." %>
+<%= "<script>alert('safety:)');</script>" %>
+<%== "<script>alert('danger!');</script>" %>
+this is the end.
+EOF
+puts template.result
+
+

metadata

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: erb_safe_ext
+version: !ruby/object:Gem::Version
+  version: '1.0'
+platform: ruby
+authors:
+- Jeffrey
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-02-27 00:00:00.000000000 Z
+dependencies: []
+description: make ERB default html safe.protect from XSS attack.
+email:
+- jeffrey6052@163.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/erb_safe_ext.rb
+- test/erb_safe_test.rb
+- erb_safe_ext.gemspec
+- README.md
+homepage: https://github.com/maymay25/erb_safe_ext
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: wrap the dangerous code with Rack::Utils.escape_html()
+test_files: []