erb_safe_ext 1.0 → 1.0.1
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/erb_safe_ext.gemspec +20 -20
- data/lib/erb_safe_ext.rb +190 -190
- metadata +6 -6
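--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bbe369982d016cef9f8a980d1f727714e0c6218
+data.tar.gz: 0d289e416f94930154528c83498f7d6121be984c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b78bdf731aea95181a12eaa27200b58718ffad9e5a081705fa51dc22001b0c4fe2b52ee0a70152703a90c09ee8d2104fdb3bbc7036b196437baed53aa1b3c337
+data.tar.gz: 133870f896dc7ae33daf71229e93c26d8136377c7b81c86773064462d2799bc4a5cdf74f2d58b4fa350594d3b6e678a5a68e3cb2ba2314ae81c181e29f95c1d4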
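--- a/data/README.md
+++ b/data/README.md
@@ -15,7 +15,7 @@ $ gem install erb_safe_ext
 ## => <script>alert('safety:)');</script>
 ```
 
-it will default wrap the dangerous code with `
+it will default wrap the dangerous code with `ERB::Util.html_escape(code)`
 
 works fine with ruby2.1.
 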
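--- a/data/erb_safe_ext.gemspec
+++ b/data/erb_safe_ext.gemspec
@@ -1,20 +1,20 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'sinarey_cache/version'
-
-Gem::Specification.new do |spec|
-spec.name = "erb_safe_ext"
-spec.version =
-spec.authors = ["Jeffrey"]
-spec.email = ["jeffrey6052@163.com"]
-spec.description = "make ERB default html safe.protect from XSS attack."
-spec.summary = "wrap the dangerous code with
-spec.homepage = "
-spec.license = "MIT"
-
-spec.files = ['lib/erb_safe_ext.rb',
-'test/erb_safe_test.rb',
-'erb_safe_ext.gemspec',
-'README.md']
-end
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sinarey_cache/version'
+
+Gem::Specification.new do |spec|
+spec.name = "erb_safe_ext"
+spec.version = "1.0.1"
+spec.authors = ["Jeffrey"]
+spec.email = ["jeffrey6052@163.com"]
+spec.description = "make ERB default html safe.protect from XSS attack."
+spec.summary = "wrap the dangerous code with ERB::Util.html_escape()"
+spec.homepage = ""
+spec.license = "MIT"
+
+spec.files = ['lib/erb_safe_ext.rb',
+'test/erb_safe_test.rb',
+'erb_safe_ext.gemspec',
+'README.md']
+end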
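Review bot: `require 'sinarey_cache/version'` on new line 4 belongs to a different gem — nothing in this spec uses it, the version is hard-coded as `"1.0.1"` on line 8, and `gem build` evaluates the gemspec so it fails with LoadError on any machine where that unrelated gem is not installed. Either give this gem its own version file and require that, or delete lines 2–4 outright since the `$LOAD_PATH` manipulation only exists to serve the require. `spec.homepage = ""` on line 13 should also point at the project's repository so consumers of the gem can locate the source behind a security-relevant monkey-patch.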
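--- a/data/lib/erb_safe_ext.rb
+++ b/data/lib/erb_safe_ext.rb
@@ -1,190 +1,190 @@
-require 'erb'
-require 'rack'
-
-class ERB
-class Compiler
-def compile(s)
-enc = s.encoding
-raise ArgumentError, "#{enc} is not ASCII compatible" if enc.dummy?
-s = s.dup.force_encoding("ASCII-8BIT") # don't use constant Enoding::ASCII_8BIT for miniruby
-enc = detect_magic_comment(s) || enc
-out = Buffer.new(self, enc)
-content = ''
-scanner = make_scanner(s)
-scanner.scan do |token|
-next if token.nil?
-next if token == ''
-if scanner.stag.nil?
-case token
-when PercentLine
-add_put_cmd(out, content) if content.size > 0
-content = ''
-out.push(token.to_s)
-out.cr
-when :cr
-out.cr
-when '<%', '<%==', '<%=', '<%#'
-scanner.stag = token
-add_put_cmd(out, content) if content.size > 0
-content = ''
-when "\n"
-content << "\n"
-add_put_cmd(out, content)
-content = ''
-when '<%%'
-content << '<%'
-else
-content << token
-end
-else
-case token
-when '%>'
-case scanner.stag
-when '<%'
-if content[-1] == ?\n
-content.chop!
-out.push(content)
-out.cr
-else
-out.push(content)
-end
-when '<%=='
-add_insert_cmd(out, content)
-when '<%='
-add_insert_escapehtml_cmd(out, content)
-when '<%#'
-# out.push("# #{content_dump(content)}")
-end
-scanner.stag = nil
-content = ''
-when '%%>'
-content << '%>'
-else
-content << token
-end
-end
-end
-add_put_cmd(out, content) if content.size > 0
-out.close
-return out.script, enc
-end
-def add_insert_escapehtml_cmd(out, content)
-out.push("#{@insert_cmd}((
-end
-class TrimScanner < Scanner
-def scan_line(line)
-line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
-tokens.each do |token|
-next if token.empty?
-yield(token)
-end
-end
-end
-def trim_line1(line)
-line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
-tokens.each do |token|
-next if token.empty?
-if token == "%>\n"
-yield('%>')
-yield(:cr)
-else
-yield(token)
-end
-end
-end
-end
-def trim_line2(line)
-head = nil
-line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
-tokens.each do |token|
-next if token.empty?
-head = token unless head
-if token == "%>\n"
-yield('%>')
-if is_erb_stag?(head)
-yield(:cr)
-else
-yield("\n")
-end
-head = nil
-else
-yield(token)
-head = nil if token == "\n"
-end
-end
-end
-end
-def explicit_trim_line(line)
-line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
-tokens.each do |token|
-next if token.empty?
-if @stag.nil? && /[ \t]*<%-/ =~ token
-yield('<%')
-elsif @stag && token == "-%>\n"
-yield('%>')
-yield(:cr)
-elsif @stag && token == '-%>'
-yield('%>')
-else
-yield(token)
-end
-end
-end
-end
-ERB_STAG << '<%=='
-def is_erb_stag?(s)
-ERB_STAG.member?(s)
-end
-end
-Scanner.default_scanner = TrimScanner
-class SimpleScanner < Scanner # :nodoc:
-def scan
-@src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
-tokens.each do |token|
-next if token.empty?
-yield(token)
-end
-end
-end
-end
-Scanner.regist_scanner(SimpleScanner, nil, false)
-begin
-require 'strscan'
-class SimpleScanner2 < Scanner # :nodoc:
-def scan
-stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
-etag_reg = /(.*?)(%%>|%>|\z)/m
-scanner = StringScanner.new(@src)
-while ! scanner.eos?
-scanner.scan(@stag ? etag_reg : stag_reg)
-yield(scanner[1])
-yield(scanner[2])
-end
-end
-end
-Scanner.regist_scanner(SimpleScanner2, nil, false)
-class ExplicitScanner < Scanner # :nodoc:
-def scan
-stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
-etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
-scanner = StringScanner.new(@src)
-while ! scanner.eos?
-scanner.scan(@stag ? etag_reg : stag_reg)
-yield(scanner[1])
-elem = scanner[2]
-if /[ \t]*<%-/ =~ elem
-yield('<%')
-elsif elem == '-%>'
-yield('%>')
-yield(:cr) if scanner.scan(/(\n|\z)/)
-else
-yield(elem)
-end
-end
-end
-end
-Scanner.regist_scanner(ExplicitScanner, '-', false)
-rescue LoadError
-end
-end
-end
+require 'erb'
+require 'rack'
+
+class ERB
+class Compiler
+def compile(s)
+enc = s.encoding
+raise ArgumentError, "#{enc} is not ASCII compatible" if enc.dummy?
+s = s.dup.force_encoding("ASCII-8BIT") # don't use constant Enoding::ASCII_8BIT for miniruby
+enc = detect_magic_comment(s) || enc
+out = Buffer.new(self, enc)
+content = ''
+scanner = make_scanner(s)
+scanner.scan do |token|
+next if token.nil?
+next if token == ''
+if scanner.stag.nil?
+case token
+when PercentLine
+add_put_cmd(out, content) if content.size > 0
+content = ''
+out.push(token.to_s)
+out.cr
+when :cr
+out.cr
+when '<%', '<%==', '<%=', '<%#'
+scanner.stag = token
+add_put_cmd(out, content) if content.size > 0
+content = ''
+when "\n"
+content << "\n"
+add_put_cmd(out, content)
+content = ''
+when '<%%'
+content << '<%'
+else
+content << token
+end
+else
+case token
+when '%>'
+case scanner.stag
+when '<%'
+if content[-1] == ?\n
+content.chop!
+out.push(content)
+out.cr
+else
+out.push(content)
+end
+when '<%=='
+add_insert_cmd(out, content)
+when '<%='
+add_insert_escapehtml_cmd(out, content)
+when '<%#'
+# out.push("# #{content_dump(content)}")
+end
+scanner.stag = nil
+content = ''
+when '%%>'
+content << '%>'
+else
+content << token
+end
+end
+end
+add_put_cmd(out, content) if content.size > 0
+out.close
+return out.script, enc
+end
+def add_insert_escapehtml_cmd(out, content)
+out.push("#{@insert_cmd}(ERB::Util.html_escape(#{content}))")
+end
+class TrimScanner < Scanner
+def scan_line(line)
+line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+tokens.each do |token|
+next if token.empty?
+yield(token)
+end
+end
+end
+def trim_line1(line)
+line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+tokens.each do |token|
+next if token.empty?
+if token == "%>\n"
+yield('%>')
+yield(:cr)
+else
+yield(token)
+end
+end
+end
+end
+def trim_line2(line)
+head = nil
+line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+tokens.each do |token|
+next if token.empty?
+head = token unless head
+if token == "%>\n"
+yield('%>')
+if is_erb_stag?(head)
+yield(:cr)
+else
+yield("\n")
+end
+head = nil
+else
+yield(token)
+head = nil if token == "\n"
+end
+end
+end
+end
+def explicit_trim_line(line)
+line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
+tokens.each do |token|
+next if token.empty?
+if @stag.nil? && /[ \t]*<%-/ =~ token
+yield('<%')
+elsif @stag && token == "-%>\n"
+yield('%>')
+yield(:cr)
+elsif @stag && token == '-%>'
+yield('%>')
+else
+yield(token)
+end
+end
+end
+end
+ERB_STAG << '<%=='
+def is_erb_stag?(s)
+ERB_STAG.member?(s)
+end
+end
+Scanner.default_scanner = TrimScanner
+class SimpleScanner < Scanner # :nodoc:
+def scan
+@src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+tokens.each do |token|
+next if token.empty?
+yield(token)
+end
+end
+end
+end
+Scanner.regist_scanner(SimpleScanner, nil, false)
+begin
+require 'strscan'
+class SimpleScanner2 < Scanner # :nodoc:
+def scan
+stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
+etag_reg = /(.*?)(%%>|%>|\z)/m
+scanner = StringScanner.new(@src)
+while ! scanner.eos?
+scanner.scan(@stag ? etag_reg : stag_reg)
+yield(scanner[1])
+yield(scanner[2])
+end
+end
+end
+Scanner.regist_scanner(SimpleScanner2, nil, false)
+class ExplicitScanner < Scanner # :nodoc:
+def scan
+stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
+etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
+scanner = StringScanner.new(@src)
+while ! scanner.eos?
+scanner.scan(@stag ? etag_reg : stag_reg)
+yield(scanner[1])
+elem = scanner[2]
+if /[ \t]*<%-/ =~ elem
+yield('<%')
+elsif elem == '-%>'
+yield('%>')
+yield(:cr) if scanner.scan(/(\n|\z)/)
+else
+yield(elem)
+end
+end
+end
+end
+Scanner.regist_scanner(ExplicitScanner, '-', false)
+rescue LoadError
+end
+end
+end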
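Review bot: `require 'rack'` on new line 2 is never referenced anywhere in this file, yet the gem's metadata declares `dependencies: []`, so loading erb_safe_ext raises LoadError on any host where rack is not already installed; delete the line, or add `spec.add_dependency 'rack'` if something outside this file genuinely needs it. The escaping on line 72 is the right default for HTML text and quoted attribute values, but `ERB::Util.html_escape` does not make a value safe inside a `<script>` block or a URL-bearing attribute, and the gem description ("make ERB default html safe") should carry that caveat so users know those contexts still need their own encoding. The rest of the hunk is a verbatim copy of Ruby 2.1's `ERB::Compiler#compile` and scanner classes with `<%==` added, which silently pins the gem to that stdlib layout and also mutates the stdlib constant via `ERB_STAG << '<%=='` at load time; a guard such as `warn "erb_safe_ext: written against ruby 2.1's ERB::Compiler" unless RUBY_VERSION.start_with?("2.1")` near the top would make the coupling visible. Apart from line 72 the old and new sides read identically, so the other 189 changed lines are presumably line-ending or whitespace noise rather than code changes.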
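--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: erb_safe_ext
 version: !ruby/object:Gem::Version
-version:
+version: 1.0.1
 platform: ruby
 authors:
 - Jeffrey
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-
+date: 2014-02-28 00:00:00.000000000 Z
 dependencies: []
 description: make ERB default html safe.protect from XSS attack.
 email:
@@ -21,7 +21,7 @@ files:
 - test/erb_safe_test.rb
 - erb_safe_ext.gemspec
 - README.md
-homepage:
+homepage: ''
 licenses:
 - MIT
 metadata: {}
@@ -31,12 +31,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
@@ -44,5 +44,5 @@ rubyforge_project:
 rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
-summary: wrap the dangerous code with
+summary: wrap the dangerous code with ERB::Util.html_escape()
 test_files: []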