RubyGems - erb_safe_ext - Versions diffs - 1.0.4 → 2.0.0 - Mend

erb_safe_ext 1.0.4 → 2.0.0

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +32 -18
data/erb_safe_ext.gemspec +2 -3
data/lib/erb_safe_ext.rb +11 -11
data/test/erb_safe_test.rb +2 -2
metadata +3 -4
data/lib/erb_safe_ext/sinatra/exception_template.rb +0 -295

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9640d5151b33178ab899dc49ead4fcaa156c873d
-  data.tar.gz: 9526e84f5cb6bc45b697d37304b82f069c5d2003
+  metadata.gz: cbac85e6c4525ea6453f8c540faec4c117a0e9a5
+  data.tar.gz: 091cbfca9bcac393e36d3f7d2fb13f3f173f5635
 SHA512:
-  metadata.gz: ae4dac2679ad428b821d2960d39e4a6fa8e045335ff4c2e8573e2a96b5bf8948f24134a0c6eb2744c2b60d8ed0ce18d852fc50cf1ab3715d085494cd7eff922a
-  data.tar.gz: 0b9d7e9198b49e3c0837e970155bee80ad397c0427c296fef183f1d5d57acd1e671f3ff2cf2d340d6ce852b5578b3848cd5882876a8ff0ec9b07f9055cf8d188
+  metadata.gz: daf0a0c99d16be082a70f8a0830cb4eb1df13b9408a6bef6f6bf07f68084914c772375f1ae5b7989f95bdca0d68ff4bf41c7d7efa9efd76ec474425423645e8c
+  data.tar.gz: 533d66182bef84054e88cb8398721aafb8efa2a4f89d87759b94984f2245ac4848cf697321fe6d2df977f0820eec63361e2d52735c91043850bff5ccfa9ae004

data/README.md CHANGED

@@ -1,6 +1,8 @@
 # erb_safe_ext
-a gem make ERB html safe default.Protect from XSS attack.
+add method to erb. Protect from XSS attack.
+I think change the origin `<%=` method is not always good. maybe add  a `<%~` method is better.
 ## Install
@@ -10,6 +12,33 @@ $ gem install erb_safe_ext
 ## Introduction
+``` erb
+<%~ "<script>alert('safety:)');</script>" %>
+## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
+```
+``` erb
+<%= "<script>alert('danger!');</script>" %>
+## <script>alert('danger!');</script>
+```
+## Test code
+``` ruby
+require 'erb_safe_ext'
+template = ERB.new <<-EOF
+<%~ "<script>alert('safety:)');</script>" %>
+<%= "<script>alert('danger!');</script>" %>
+----finish----
+EOF
+puts template.result
+```
+# readme about version <= 1.0.4
+## Introduction
 ``` erb
 <%= "<script>alert('safety:)');</script>" %>
 ## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
@@ -19,8 +48,6 @@ it will default wrap the dangerous code with `ERB::Util.html_escape(code)`
 works fine with ruby2.0.
-I didn't test this code with other version ruby, you may test yourself.
 the `<%==` is the backup of ERB's original `<%=` function.
 ``` erb
@@ -28,7 +55,6 @@ the `<%==` is the backup of ERB's original `<%=` function.
 ## <script>alert('danger!');</script>
 ```
 ## Test code
 ``` ruby
@@ -45,28 +71,16 @@ puts template.result
 ## About Sinatra
 work fine with sinatra(current version is 1.4.4).
-but you should know that sinatra use [tilt](http://rubygems.org/gems/tilt) to render template.
-and sinatra also got Runtime Dependencies with `tilt >= 1.3.4, ~> 1.3`, that will do something make this gem lose effectiveness when you got `erubis` in your environment.
-So don't do following things:
+but don't do following things:
 1. `require 'erubis'`
 2. add gems that dependent on erubis, such as `better_errors` (you may find out all dependences in file `Gemfile.lock`)
 ### Sinatra exception template
 the original sinatra exception template display ugly with erb_safe_ext, so I rewrite it.
 ``` ruby
 require 'sinatra/base'
 require 'erb_safe_ext/sinatra/exception_template'
-```
-yeah.happy coding:)
+```

data/erb_safe_ext.gemspec CHANGED

@@ -5,16 +5,15 @@ require 'sinarey_cache/version'
 Gem::Specification.new do |spec|
   spec.name          = "erb_safe_ext"
-  spec.version       = "1.0.4"
+  spec.version       = "2.0.0"
   spec.authors       = ["Jeffrey"]
   spec.email         = ["jeffrey6052@163.com"]
-  spec.description   = "make ERB default html safe.protect from XSS attack."
+  spec.description   = "add method to erb, protect from XSS attack."
   spec.summary       = "wrap the dangerous code with ERB::Util.html_escape()"
   spec.homepage      = "https://github.com/Jeffrey6052/erb_safe_ext"
   spec.license       = "MIT"
   spec.files         = ['lib/erb_safe_ext.rb',
-                        'lib/erb_safe_ext/sinatra/exception_template.rb',
                         'test/erb_safe_test.rb',
                         'erb_safe_ext.gemspec',
                         'README.md']

data/lib/erb_safe_ext.rb CHANGED

@@ -22,7 +22,7 @@ class ERB
             out.cr
           when :cr
             out.cr
-          when '<%', '<%==', '<%=', '<%#'
+          when '<%', '<%~', '<%=', '<%#'
             scanner.stag = token
             add_put_cmd(out, content) if content.size > 0
             content = ''
@@ -47,9 +47,9 @@ class ERB
               else
                 out.push(content)
               end
-            when '<%=='
-              add_insert_cmd(out, content)
             when '<%='
+              add_insert_cmd(out, content)
+            when '<%~'
               add_insert_escapehtml_cmd(out, content)
             when '<%#'
               # out.push("# #{content_dump(content)}")
@@ -72,7 +72,7 @@ class ERB
     end
     class TrimScanner < Scanner
       def scan_line(line)
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             yield(token)
@@ -80,7 +80,7 @@ class ERB
         end
       end
       def trim_line1(line)
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             if token == "%>\n"
@@ -94,7 +94,7 @@ class ERB
       end
       def trim_line2(line)
         head = nil
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             head = token unless head
@@ -114,7 +114,7 @@ class ERB
         end
       end
       def explicit_trim_line(line)
-        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
+        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%~|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             if @stag.nil? && /[ \t]*<%-/ =~ token
@@ -130,7 +130,7 @@ class ERB
           end
         end
       end
-      ERB_STAG << '<%=='
+      ERB_STAG << '<%~'
       def is_erb_stag?(s)
         ERB_STAG.member?(s)
       end
@@ -138,7 +138,7 @@ class ERB
     Scanner.default_scanner = TrimScanner
     class SimpleScanner < Scanner # :nodoc:
       def scan
-        @src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+        @src.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             yield(token)
@@ -151,7 +151,7 @@ class ERB
       require 'strscan'
       class SimpleScanner2 < Scanner # :nodoc:
         def scan
-          stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
+          stag_reg = /(.*?)(<%%|<%~|<%=|<%#|<%|\z)/m
           etag_reg = /(.*?)(%%>|%>|\z)/m
           scanner = StringScanner.new(@src)
           while ! scanner.eos?
@@ -164,7 +164,7 @@ class ERB
       Scanner.regist_scanner(SimpleScanner2, nil, false)
       class ExplicitScanner < Scanner # :nodoc:
         def scan
-          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
+          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%~|<%=|<%#|<%-|<%|\z)/m
           etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
           scanner = StringScanner.new(@src)
           while ! scanner.eos?

data/test/erb_safe_test.rb CHANGED

@@ -5,8 +5,8 @@ require 'erb_safe_ext'
 template = ERB.new <<-EOF
 <%= "hello, #{'world'}." %>
-<%= "<script>alert('safety:)');</script>" %>
-<%== "<script>alert('danger!');</script>" %>
+<%~ "<script>alert('safety:)');</script>" %>
+<%= "<script>alert('danger!');</script>" %>
 this is the end.
 EOF

metadata CHANGED

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: erb_safe_ext
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 2.0.0
 platform: ruby
 authors:
 - Jeffrey
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-04-22 00:00:00.000000000 Z
+date: 2014-06-30 00:00:00.000000000 Z
 dependencies: []
-description: make ERB default html safe.protect from XSS attack.
+description: add method to erb, protect from XSS attack.
 email:
 - jeffrey6052@163.com
 executables: []
@@ -18,7 +18,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/erb_safe_ext.rb
-- lib/erb_safe_ext/sinatra/exception_template.rb
 - test/erb_safe_test.rb
 - erb_safe_ext.gemspec
 - README.md

data/lib/erb_safe_ext/sinatra/exception_template.rb DELETED

@@ -1,295 +0,0 @@
-#modify sinatra original exception template,fixed to erb_safe_ext.
-module Sinatra
-  class ShowExceptions < Rack::ShowExceptions
-    defined?(TEMPLATE) and remove_const(:TEMPLATE)
-TEMPLATE = <<-HTML # :nodoc:
-<!DOCTYPE html>
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
-  <title><%= exception.class %> at <%= path %></title>
-  <script type="text/javascript">
-  //<!--
-  function toggle(id) {
-    var pre  = document.getElementById("pre-" + id);
-    var post = document.getElementById("post-" + id);
-    var context = document.getElementById("context-" + id);
-    if (pre.style.display == 'block') {
-      pre.style.display = 'none';
-      post.style.display = 'none';
-      context.style.background = "none";
-    } else {
-      pre.style.display = 'block';
-      post.style.display = 'block';
-      context.style.background = "#fffed9";
-    }
-  }
-  function toggleBacktrace(){
-    var bt = document.getElementById("backtrace");
-    var toggler = document.getElementById("expando");
-    if (bt.className == 'condensed') {
-      bt.className = 'expanded';
-      toggler.innerHTML = "(condense)";
-    } else {
-      bt.className = 'condensed';
-      toggler.innerHTML = "(expand)";
-    }
-  }
-  //-->
-  </script>
-<style type="text/css" media="screen">
-  *                   {margin: 0; padding: 0; border: 0; outline: 0;}
-  div.clear           {clear: both;}
-  body                {background: #EEEEEE; margin: 0; padding: 0;
-                       font-family: 'Lucida Grande', 'Lucida Sans Unicode',
-                       'Garuda';}
-  code                {font-family: 'Lucida Console', monospace;
-                       font-size: 12px;}
-  li                  {height: 18px;}
-  ul                  {list-style: none; margin: 0; padding: 0;}
-  ol:hover            {cursor: pointer;}
-  ol li               {white-space: pre;}
-  #explanation        {font-size: 12px; color: #666666;
-                       margin: 20px 0 0 100px;}
-/* WRAP */
-  #wrap               {width: 1000px; background: #FFFFFF; margin: 0 auto;
-                       padding: 30px 50px 20px 50px;
-                       border-left: 1px solid #DDDDDD;
-                       border-right: 1px solid #DDDDDD;}
-/* HEADER */
-  #header             {margin: 0 auto 25px auto;}
-  #header img         {float: left;}
-  #header #summary    {float: left; margin: 12px 0 0 20px; width:660px;
-                       font-family: 'Lucida Grande', 'Lucida Sans Unicode';}
-  h1                  {margin: 0; font-size: 36px; color: #981919;}
-  h2                  {margin: 0; font-size: 22px; color: #333333;}
-  #header ul          {margin: 0; font-size: 12px; color: #666666;}
-  #header ul li strong{color: #444444;}
-  #header ul li       {display: inline; padding: 0 10px;}
-  #header ul li.first {padding-left: 0;}
-  #header ul li.last  {border: 0; padding-right: 0;}
-/* BODY */
-  #backtrace,
-  #get,
-  #post,
-  #cookies,
-  #rack               {width: 980px; margin: 0 auto 10px auto;}
-  p#nav               {float: right; font-size: 14px;}
-/* BACKTRACE */
-  a#expando           {float: left; padding-left: 5px; color: #666666;
-                      font-size: 14px; text-decoration: none; cursor: pointer;}
-  a#expando:hover     {text-decoration: underline;}
-  h3                  {float: left; width: 100px; margin-bottom: 10px;
-                       color: #981919; font-size: 14px; font-weight: bold;}
-  #nav a              {color: #666666; text-decoration: none; padding: 0 5px;}
-  #backtrace li.frame-info {background: #f7f7f7; padding-left: 10px;
-                           font-size: 12px; color: #333333;}
-  #backtrace ul       {list-style-position: outside; border: 1px solid #E9E9E9;
-                       border-bottom: 0;}
-  #backtrace ol       {width: 920px; margin-left: 50px;
-                       font: 10px 'Lucida Console', monospace; color: #666666;}
-  #backtrace ol li    {border: 0; border-left: 1px solid #E9E9E9;
-                       padding: 2px 0;}
-  #backtrace ol code  {font-size: 10px; color: #555555; padding-left: 5px;}
-  #backtrace-ul li    {border-bottom: 1px solid #E9E9E9; height: auto;
-                       padding: 3px 0;}
-  #backtrace-ul .code {padding: 6px 0 4px 0;}
-  #backtrace.condensed .system,
-  #backtrace.condensed .framework {display:none;}
-/* REQUEST DATA */
-  p.no-data           {padding-top: 2px; font-size: 12px; color: #666666;}
-  table.req           {width: 980px; text-align: left; font-size: 12px;
-                       color: #666666; padding: 0; border-spacing: 0;
-                       border: 1px solid #EEEEEE; border-bottom: 0;
-                       border-left: 0;
-                       clear:both}
-  table.req tr th     {padding: 2px 10px; font-weight: bold;
-                       background: #F7F7F7; border-bottom: 1px solid #EEEEEE;
-                       border-left: 1px solid #EEEEEE;}
-  table.req tr td     {padding: 2px 20px 2px 10px;
-                       border-bottom: 1px solid #EEEEEE;
-                       border-left: 1px solid #EEEEEE;}
-/* HIDE PRE/POST CODE AT START */
-  .pre-context,
-  .post-context       {display: none;}
-  table td.code       {width:750px}
-  table td.code div   {width:750px;overflow:hidden}
-</style>
-</head>
-<body>
-  <div id="wrap">
-    <div id="header">
-      <img src="<%== env['SCRIPT_NAME'] %>/__sinatra__/500.png" alt="application error" height="161" width="313" />
-      <div id="summary">
-        <h1><strong><%= exception.class %></strong> at <strong><%= path %>
-          </strong></h1>
-        <h2><%= exception.message %></h2>
-        <ul>
-          <li class="first"><strong>file:</strong> <code>
-            <%= frames.first.filename.split("/").last %></code></li>
-          <li><strong>location:</strong> <code><%= frames.first.function %>
-            </code></li>
-          <li class="last"><strong>line:
-            </strong> <%= frames.first.lineno %></li>
-        </ul>
-      </div>
-      <div class="clear"></div>
-    </div>
-    <div id="backtrace" class='condensed'>
-      <h3>BACKTRACE</h3>
-      <p><a href="#" id="expando"
-            onclick="toggleBacktrace(); return false">(expand)</a></p>
-      <p id="nav"><strong>JUMP TO:</strong>
-         <a href="#get-info">GET</a>
-         <a href="#post-info">POST</a>
-         <a href="#cookie-info">COOKIES</a>
-         <a href="#env-info">ENV</a>
-      </p>
-      <div class="clear"></div>
-      <ul id="backtrace-ul">
-      <% id = 1 %>
-      <% frames.each do |frame| %>
-          <% if frame.context_line && frame.context_line != "#" %>
-            <li class="frame-info <%== frame_class(frame) %>">
-              <code><%= frame.filename %></code> in
-                <code><strong><%= frame.function %></strong></code>
-            </li>
-            <li class="code <%== frame_class(frame) %>">
-              <% if frame.pre_context %>
-              <ol start="<%= frame.pre_context_lineno + 1 %>"
-                  class="pre-context" id="pre-<%== id %>"
-                  onclick="toggle(<%== id %>);">
-                <% frame.pre_context.each do |line| %>
-                <li class="pre-context-line"><code><%= line %></code></li>
-                <% end %>
-              </ol>
-              <% end %>
-              <ol start="<%== frame.lineno %>" class="context" id="<%== id %>"
-                  onclick="toggle(<%== id %>);">
-                <li class="context-line" id="context-<%== id %>"><code><%= frame.context_line %></code></li>
-              </ol>
-              <% if frame.post_context %>
-              <ol start="<%= frame.lineno + 1 %>" class="post-context"
-                  id="post-<%== id %>" onclick="toggle(<%== id %>);">
-                <% frame.post_context.each do |line| %>
-                <li class="post-context-line"><code><%= line %></code></li>
-                <% end %>
-              </ol>
-              <% end %>
-              <div class="clear"></div>
-            </li>
-          <% end %>
-        <% id += 1 %>
-      <% end %>
-      </ul>
-    </div> <!-- /BACKTRACE -->
-    <div id="get">
-      <h3 id="get-info">GET</h3>
-      <% if req.GET and not req.GET.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-           <% req.GET.sort_by { |k, v| k.to_s }.each { |key, val| %>
-          <tr>
-            <td><%= key %></td>
-            <td class="code"><div><%= val.inspect %></div></td>
-          </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No GET data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /GET -->
-    <div id="post">
-      <h3 id="post-info">POST</h3>
-      <% if req.POST and not req.POST.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-          <% req.POST.sort_by { |k, v| k.to_s }.each { |key, val| %>
-          <tr>
-            <td><%= key %></td>
-            <td class="code"><div><%= val.inspect %></div></td>
-          </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No POST data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /POST -->
-    <div id="cookies">
-      <h3 id="cookie-info">COOKIES</h3>
-      <% unless req.cookies.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-          <% req.cookies.each { |key, val| %>
-            <tr>
-              <td><%= key %></td>
-              <td class="code"><div><%= val.inspect %></div></td>
-            </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No cookie data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /COOKIES -->
-    <div id="rack">
-      <h3 id="env-info">Rack ENV</h3>
-      <table class="req">
-        <tr>
-          <th>Variable</th>
-          <th>Value</th>
-        </tr>
-         <% env.sort_by { |k, v| k.to_s }.each { |key, val| %>
-         <tr>
-           <td><%= key %></td>
-           <td class="code"><div><%= val %></div></td>
-         </tr>
-         <% } %>
-      </table>
-      <div class="clear"></div>
-    </div> <!-- /RACK ENV -->
-    <p id="explanation">You're seeing this error because you have
-enabled the <code>show_exceptions</code> setting.</p>
-  </div> <!-- /WRAP -->
-  </body>
-</html>
-HTML
-  end
-end