RubyGems - erb_safe_ext - Versions diffs - 1.0.4 → 2.0.0 - Mend

erb_safe_ext 1.0.4 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +32 -18
data/erb_safe_ext.gemspec +2 -3
data/lib/erb_safe_ext.rb +11 -11
data/test/erb_safe_test.rb +2 -2
metadata +3 -4
data/lib/erb_safe_ext/sinatra/exception_template.rb +0 -295

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9640d5151b33178ab899dc49ead4fcaa156c873d
-  data.tar.gz: 9526e84f5cb6bc45b697d37304b82f069c5d2003
+  metadata.gz: cbac85e6c4525ea6453f8c540faec4c117a0e9a5
+  data.tar.gz: 091cbfca9bcac393e36d3f7d2fb13f3f173f5635
 SHA512:
-  metadata.gz: ae4dac2679ad428b821d2960d39e4a6fa8e045335ff4c2e8573e2a96b5bf8948f24134a0c6eb2744c2b60d8ed0ce18d852fc50cf1ab3715d085494cd7eff922a
-  data.tar.gz: 0b9d7e9198b49e3c0837e970155bee80ad397c0427c296fef183f1d5d57acd1e671f3ff2cf2d340d6ce852b5578b3848cd5882876a8ff0ec9b07f9055cf8d188
+  metadata.gz: daf0a0c99d16be082a70f8a0830cb4eb1df13b9408a6bef6f6bf07f68084914c772375f1ae5b7989f95bdca0d68ff4bf41c7d7efa9efd76ec474425423645e8c
+  data.tar.gz: 533d66182bef84054e88cb8398721aafb8efa2a4f89d87759b94984f2245ac4848cf697321fe6d2df977f0820eec63361e2d52735c91043850bff5ccfa9ae004

data/README.md CHANGED

@@ -1,6 +1,8 @@
 # erb_safe_ext
-a gem make ERB html safe default.Protect from XSS attack.
+add method to erb. Protect from XSS attack.
+I think change the origin `<%=` method is not always good. maybe add  a `<%~` method is better.
 ## Install
@@ -10,6 +12,33 @@ $ gem install erb_safe_ext
 ## Introduction
+``` erb
+<%~ "<script>alert('safety:)');</script>" %>
+## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
+```
+``` erb
+<%= "<script>alert('danger!');</script>" %>
+## <script>alert('danger!');</script>
+```
+## Test code
+``` ruby
+require 'erb_safe_ext'
+template = ERB.new <<-EOF
+<%~ "<script>alert('safety:)');</script>" %>
+<%= "<script>alert('danger!');</script>" %>
+----finish----
+EOF
+puts template.result
+```
+# readme about version <= 1.0.4
+## Introduction
 ``` erb
 <%= "<script>alert('safety:)');</script>" %>
 ## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
@@ -19,8 +48,6 @@ it will default wrap the dangerous code with `ERB::Util.html_escape(code)`
 works fine with ruby2.0.
-I didn't test this code with other version ruby, you may test yourself.
 the `<%==` is the backup of ERB's original `<%=` function.
 ``` erb
@@ -28,7 +55,6 @@ the `<%==` is the backup of ERB's original `<%=` function.
 ## <script>alert('danger!');</script>
 ```
 ## Test code
 ``` ruby
@@ -45,28 +71,16 @@ puts template.result
 ## About Sinatra
 work fine with sinatra(current version is 1.4.4).
-but you should know that sinatra use [tilt](http://rubygems.org/gems/tilt) to render template.
-and sinatra also got Runtime Dependencies with `tilt >= 1.3.4, ~> 1.3`, that will do something make this gem lose effectiveness when you got `erubis` in your environment.
-So don't do following things:
+but don't do following things:
 1. `require 'erubis'`
 2. add gems that dependent on erubis, such as `better_errors` (you may find out all dependences in file `Gemfile.lock`)
 ### Sinatra exception template
 the original sinatra exception template display ugly with erb_safe_ext, so I rewrite it.
 ``` ruby
 require 'sinatra/base'
 require 'erb_safe_ext/sinatra/exception_template'
-```
-yeah.happy coding:)
+```

data/erb_safe_ext.gemspec CHANGED

@@ -5,16 +5,15 @@ require 'sinarey_cache/version'
 Gem::Specification.new do |spec|
   spec.name          = "erb_safe_ext"
-  spec.version       = "1.0.4"
+  spec.version       = "2.0.0"
   spec.authors       = ["Jeffrey"]
   spec.email         = ["jeffrey6052@163.com"]
-  spec.description   = "make ERB default html safe.protect from XSS attack."
+  spec.description   = "add method to erb, protect from XSS attack."
   spec.summary       = "wrap the dangerous code with ERB::Util.html_escape()"
   spec.homepage      = "https://github.com/Jeffrey6052/erb_safe_ext"
   spec.license       = "MIT"
   spec.files         = ['lib/erb_safe_ext.rb',
-                        'lib/erb_safe_ext/sinatra/exception_template.rb',
                         'test/erb_safe_test.rb',
                         'erb_safe_ext.gemspec',
                         'README.md']

data/lib/erb_safe_ext.rb CHANGED

@@ -22,7 +22,7 @@ class ERB
             out.cr
           when :cr
             out.cr
-          when '<%', '<%==', '<%=', '<%#'
+          when '<%', '<%~', '<%=', '<%#'
             scanner.stag = token
             add_put_cmd(out, content) if content.size > 0
             content = ''
@@ -47,9 +47,9 @@ class ERB
               else
                 out.push(content)
               end
-            when '<%=='
-              add_insert_cmd(out, content)
             when '<%='
+              add_insert_cmd(out, content)
+            when '<%~'
               add_insert_escapehtml_cmd(out, content)
             when '<%#'
               # out.push("# #{content_dump(content)}")
@@ -72,7 +72,7 @@ class ERB
     end
     class TrimScanner < Scanner
       def scan_line(line)
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             yield(token)
@@ -80,7 +80,7 @@ class ERB
         end
       end
       def trim_line1(line)
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             if token == "%>\n"
@@ -94,7 +94,7 @@ class ERB
       end
       def trim_line2(line)
         head = nil
-        line.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
+        line.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>\n|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             head = token unless head
@@ -114,7 +114,7 @@ class ERB
         end
       end
       def explicit_trim_line(line)
-        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%==|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
+        line.scan(/(.*?)(^[ \t]*<%\-|<%\-|<%%|%%>|<%~|<%=|<%#|<%|-%>\n|-%>|%>|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             if @stag.nil? && /[ \t]*<%-/ =~ token
@@ -130,7 +130,7 @@ class ERB
           end
         end
       end
-      ERB_STAG << '<%=='
+      ERB_STAG << '<%~'
       def is_erb_stag?(s)
         ERB_STAG.member?(s)
       end
@@ -138,7 +138,7 @@ class ERB
     Scanner.default_scanner = TrimScanner
     class SimpleScanner < Scanner # :nodoc:
       def scan
-        @src.scan(/(.*?)(<%%|%%>|<%==|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
+        @src.scan(/(.*?)(<%%|%%>|<%~|<%=|<%#|<%|%>|\n|\z)/m) do |tokens|
           tokens.each do |token|
             next if token.empty?
             yield(token)
@@ -151,7 +151,7 @@ class ERB
       require 'strscan'
       class SimpleScanner2 < Scanner # :nodoc:
         def scan
-          stag_reg = /(.*?)(<%%|<%==|<%=|<%#|<%|\z)/m
+          stag_reg = /(.*?)(<%%|<%~|<%=|<%#|<%|\z)/m
           etag_reg = /(.*?)(%%>|%>|\z)/m
           scanner = StringScanner.new(@src)
           while ! scanner.eos?
@@ -164,7 +164,7 @@ class ERB
       Scanner.regist_scanner(SimpleScanner2, nil, false)
       class ExplicitScanner < Scanner # :nodoc:
         def scan
-          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%==|<%=|<%#|<%-|<%|\z)/m
+          stag_reg = /(.*?)(^[ \t]*<%-|<%%|<%~|<%=|<%#|<%-|<%|\z)/m
           etag_reg = /(.*?)(%%>|-%>|%>|\z)/m
           scanner = StringScanner.new(@src)
           while ! scanner.eos?

data/test/erb_safe_test.rb CHANGED

@@ -5,8 +5,8 @@ require 'erb_safe_ext'
 template = ERB.new <<-EOF
 <%= "hello, #{'world'}." %>
-<%= "<script>alert('safety:)');</script>" %>
-<%== "<script>alert('danger!');</script>" %>
+<%~ "<script>alert('safety:)');</script>" %>
+<%= "<script>alert('danger!');</script>" %>
 this is the end.
 EOF

metadata CHANGED

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: erb_safe_ext
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 2.0.0
 platform: ruby
 authors:
 - Jeffrey
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-04-22 00:00:00.000000000 Z
+date: 2014-06-30 00:00:00.000000000 Z
 dependencies: []
-description: make ERB default html safe.protect from XSS attack.
+description: add method to erb, protect from XSS attack.
 email:
 - jeffrey6052@163.com
 executables: []
@@ -18,7 +18,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/erb_safe_ext.rb
-- lib/erb_safe_ext/sinatra/exception_template.rb
 - test/erb_safe_test.rb
 - erb_safe_ext.gemspec
 - README.md

data/lib/erb_safe_ext/sinatra/exception_template.rb DELETED

@@ -1,295 +0,0 @@
-#modify sinatra original exception template,fixed to erb_safe_ext.
-module Sinatra
-  class ShowExceptions < Rack::ShowExceptions
-    defined?(TEMPLATE) and remove_const(:TEMPLATE)
-TEMPLATE = <<-HTML # :nodoc:
-<!DOCTYPE html>
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
-  <title><%= exception.class %> at <%= path %></title>
-  <script type="text/javascript">
-  //<!--
-  function toggle(id) {
-    var pre  = document.getElementById("pre-" + id);
-    var post = document.getElementById("post-" + id);
-    var context = document.getElementById("context-" + id);
-    if (pre.style.display == 'block') {
-      pre.style.display = 'none';
-      post.style.display = 'none';
-      context.style.background = "none";
-    } else {
-      pre.style.display = 'block';
-      post.style.display = 'block';
-      context.style.background = "#fffed9";
-    }
-  }
-  function toggleBacktrace(){
-    var bt = document.getElementById("backtrace");
-    var toggler = document.getElementById("expando");
-    if (bt.className == 'condensed') {
-      bt.className = 'expanded';
-      toggler.innerHTML = "(condense)";
-    } else {
-      bt.className = 'condensed';
-      toggler.innerHTML = "(expand)";
-    }
-  }
-  //-->
-  </script>
-<style type="text/css" media="screen">
-  *                   {margin: 0; padding: 0; border: 0; outline: 0;}
-  div.clear           {clear: both;}
-  body                {background: #EEEEEE; margin: 0; padding: 0;
-                       font-family: 'Lucida Grande', 'Lucida Sans Unicode',
-                       'Garuda';}
-  code                {font-family: 'Lucida Console', monospace;
-                       font-size: 12px;}
-  li                  {height: 18px;}
-  ul                  {list-style: none; margin: 0; padding: 0;}
-  ol:hover            {cursor: pointer;}
-  ol li               {white-space: pre;}
-  #explanation        {font-size: 12px; color: #666666;
-                       margin: 20px 0 0 100px;}
-/* WRAP */
-  #wrap               {width: 1000px; background: #FFFFFF; margin: 0 auto;
-                       padding: 30px 50px 20px 50px;
-                       border-left: 1px solid #DDDDDD;
-                       border-right: 1px solid #DDDDDD;}
-/* HEADER */
-  #header             {margin: 0 auto 25px auto;}
-  #header img         {float: left;}
-  #header #summary    {float: left; margin: 12px 0 0 20px; width:660px;
-                       font-family: 'Lucida Grande', 'Lucida Sans Unicode';}
-  h1                  {margin: 0; font-size: 36px; color: #981919;}
-  h2                  {margin: 0; font-size: 22px; color: #333333;}
-  #header ul          {margin: 0; font-size: 12px; color: #666666;}
-  #header ul li strong{color: #444444;}
-  #header ul li       {display: inline; padding: 0 10px;}
-  #header ul li.first {padding-left: 0;}
-  #header ul li.last  {border: 0; padding-right: 0;}
-/* BODY */
-  #backtrace,
-  #get,
-  #post,
-  #cookies,
-  #rack               {width: 980px; margin: 0 auto 10px auto;}
-  p#nav               {float: right; font-size: 14px;}
-/* BACKTRACE */
-  a#expando           {float: left; padding-left: 5px; color: #666666;
-                      font-size: 14px; text-decoration: none; cursor: pointer;}
-  a#expando:hover     {text-decoration: underline;}
-  h3                  {float: left; width: 100px; margin-bottom: 10px;
-                       color: #981919; font-size: 14px; font-weight: bold;}
-  #nav a              {color: #666666; text-decoration: none; padding: 0 5px;}
-  #backtrace li.frame-info {background: #f7f7f7; padding-left: 10px;
-                           font-size: 12px; color: #333333;}
-  #backtrace ul       {list-style-position: outside; border: 1px solid #E9E9E9;
-                       border-bottom: 0;}
-  #backtrace ol       {width: 920px; margin-left: 50px;
-                       font: 10px 'Lucida Console', monospace; color: #666666;}
-  #backtrace ol li    {border: 0; border-left: 1px solid #E9E9E9;
-                       padding: 2px 0;}
-  #backtrace ol code  {font-size: 10px; color: #555555; padding-left: 5px;}
-  #backtrace-ul li    {border-bottom: 1px solid #E9E9E9; height: auto;
-                       padding: 3px 0;}
-  #backtrace-ul .code {padding: 6px 0 4px 0;}
-  #backtrace.condensed .system,
-  #backtrace.condensed .framework {display:none;}
-/* REQUEST DATA */
-  p.no-data           {padding-top: 2px; font-size: 12px; color: #666666;}
-  table.req           {width: 980px; text-align: left; font-size: 12px;
-                       color: #666666; padding: 0; border-spacing: 0;
-                       border: 1px solid #EEEEEE; border-bottom: 0;
-                       border-left: 0;
-                       clear:both}
-  table.req tr th     {padding: 2px 10px; font-weight: bold;
-                       background: #F7F7F7; border-bottom: 1px solid #EEEEEE;
-                       border-left: 1px solid #EEEEEE;}
-  table.req tr td     {padding: 2px 20px 2px 10px;
-                       border-bottom: 1px solid #EEEEEE;
-                       border-left: 1px solid #EEEEEE;}
-/* HIDE PRE/POST CODE AT START */
-  .pre-context,
-  .post-context       {display: none;}
-  table td.code       {width:750px}
-  table td.code div   {width:750px;overflow:hidden}
-</style>
-</head>
-<body>
-  <div id="wrap">
-    <div id="header">
-      <img src="<%== env['SCRIPT_NAME'] %>/__sinatra__/500.png" alt="application error" height="161" width="313" />
-      <div id="summary">
-        <h1><strong><%= exception.class %></strong> at <strong><%= path %>
-          </strong></h1>
-        <h2><%= exception.message %></h2>
-        <ul>
-          <li class="first"><strong>file:</strong> <code>
-            <%= frames.first.filename.split("/").last %></code></li>
-          <li><strong>location:</strong> <code><%= frames.first.function %>
-            </code></li>
-          <li class="last"><strong>line:
-            </strong> <%= frames.first.lineno %></li>
-        </ul>
-      </div>
-      <div class="clear"></div>
-    </div>
-    <div id="backtrace" class='condensed'>
-      <h3>BACKTRACE</h3>
-      <p><a href="#" id="expando"
-            onclick="toggleBacktrace(); return false">(expand)</a></p>
-      <p id="nav"><strong>JUMP TO:</strong>
-         <a href="#get-info">GET</a>
-         <a href="#post-info">POST</a>
-         <a href="#cookie-info">COOKIES</a>
-         <a href="#env-info">ENV</a>
-      </p>
-      <div class="clear"></div>
-      <ul id="backtrace-ul">
-      <% id = 1 %>
-      <% frames.each do |frame| %>
-          <% if frame.context_line && frame.context_line != "#" %>
-            <li class="frame-info <%== frame_class(frame) %>">
-              <code><%= frame.filename %></code> in
-                <code><strong><%= frame.function %></strong></code>
-            </li>
-            <li class="code <%== frame_class(frame) %>">
-              <% if frame.pre_context %>
-              <ol start="<%= frame.pre_context_lineno + 1 %>"
-                  class="pre-context" id="pre-<%== id %>"
-                  onclick="toggle(<%== id %>);">
-                <% frame.pre_context.each do |line| %>
-                <li class="pre-context-line"><code><%= line %></code></li>
-                <% end %>
-              </ol>
-              <% end %>
-              <ol start="<%== frame.lineno %>" class="context" id="<%== id %>"
-                  onclick="toggle(<%== id %>);">
-                <li class="context-line" id="context-<%== id %>"><code><%= frame.context_line %></code></li>
-              </ol>
-              <% if frame.post_context %>
-              <ol start="<%= frame.lineno + 1 %>" class="post-context"
-                  id="post-<%== id %>" onclick="toggle(<%== id %>);">
-                <% frame.post_context.each do |line| %>
-                <li class="post-context-line"><code><%= line %></code></li>
-                <% end %>
-              </ol>
-              <% end %>
-              <div class="clear"></div>
-            </li>
-          <% end %>
-        <% id += 1 %>
-      <% end %>
-      </ul>
-    </div> <!-- /BACKTRACE -->
-    <div id="get">
-      <h3 id="get-info">GET</h3>
-      <% if req.GET and not req.GET.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-           <% req.GET.sort_by { |k, v| k.to_s }.each { |key, val| %>
-          <tr>
-            <td><%= key %></td>
-            <td class="code"><div><%= val.inspect %></div></td>
-          </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No GET data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /GET -->
-    <div id="post">
-      <h3 id="post-info">POST</h3>
-      <% if req.POST and not req.POST.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-          <% req.POST.sort_by { |k, v| k.to_s }.each { |key, val| %>
-          <tr>
-            <td><%= key %></td>
-            <td class="code"><div><%= val.inspect %></div></td>
-          </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No POST data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /POST -->
-    <div id="cookies">
-      <h3 id="cookie-info">COOKIES</h3>
-      <% unless req.cookies.empty? %>
-        <table class="req">
-          <tr>
-            <th>Variable</th>
-            <th>Value</th>
-          </tr>
-          <% req.cookies.each { |key, val| %>
-            <tr>
-              <td><%= key %></td>
-              <td class="code"><div><%= val.inspect %></div></td>
-            </tr>
-          <% } %>
-        </table>
-      <% else %>
-        <p class="no-data">No cookie data.</p>
-      <% end %>
-      <div class="clear"></div>
-    </div> <!-- /COOKIES -->
-    <div id="rack">
-      <h3 id="env-info">Rack ENV</h3>
-      <table class="req">
-        <tr>
-          <th>Variable</th>
-          <th>Value</th>
-        </tr>
-         <% env.sort_by { |k, v| k.to_s }.each { |key, val| %>
-         <tr>
-           <td><%= key %></td>
-           <td class="code"><div><%= val %></div></td>
-         </tr>
-         <% } %>
-      </table>
-      <div class="clear"></div>
-    </div> <!-- /RACK ENV -->
-    <p id="explanation">You're seeing this error because you have
-enabled the <code>show_exceptions</code> setting.</p>
-  </div> <!-- /WRAP -->
-  </body>
-</html>
-HTML
-  end
-end