erector 0.9.0.pre1 → 0.9.0

data/spec/rails2/rails_app/vendor/plugins/rails_xss/MIT-LICENSE

@@ -1,20 +0,0 @@
-Copyright (c) 2009 Koziarski Software Ltd.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/spec/rails2/rails_app/vendor/plugins/rails_xss/README.markdown

@@ -1,90 +0,0 @@
-RailsXss
-========
-
-This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape.  This is consistent with the behaviour in Rails 3.0.
-
-Strings now have a notion of "html safe",  which is false by default.  Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first.
-
-All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified.  If you have your own helpers which return strings you *know* are safe,  you will need to explicitly tell rails that they're safe.  For an example, take the following helper.
-
-
-    def some_helper
-      (1..5).map do |i|
-        "<li>#{i}</li>"
-      end.join("\n")
-    end
-
-With this plugin installed, the html will be escaped.  So you will need to do one of the following:
-
-1) Use the raw helper in your template.  raw will ensure that your string is copied verbatim into the response body.
-
-    <%= raw some_helper %>
-
-2) Mark the string as safe in the helper itself:
-
-    def some_helper
-      (1..5).map do |i|
-        "<li>#{i}</li>"
-      end.join("\n").html_safe
-    end
-
-3) Use the safe_helper meta programming method:
-
-    module ApplicationHelper
-      def some_helper
-        #...
-      end
-      safe_helper :some_helper
-    end
-
-Example
--------
-
-BEFORE:
-
-    <%= params[:own_me] %>        => XSS attack
-    <%=h params[:own_me] %>       => No XSS
-    <%= @blog_post.content %>     => Displays the HTML
-
-AFTER:
-
-    <%= params[:own_me] %>        => No XSS
-    <%=h params[:own_me] %>       => No XSS (same result)
-    <%= @blog_post.content %>     => *escapes* the HTML
-    <%= raw @blog_post.content %> => Displays the HTML
-
-
-Gotchas
----
-
-#### textilize and simple_format do *not* return safe strings
-
-Both these methods support arbitrary HTML and are *not* safe to embed directly in your document.  You'll need to do something like:
-
-    <%= sanitize(textilize(@blog_post.content_textile)) %>
-
-#### Safe strings aren't magic.
-
-Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+.  All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like
-
-    value = something_safe
-    value.gsub!(/a/, params[:own_me])
-
-Don't do that.
-
-#### String interpolation won't be safe, even when it 'should' be
-
-    value = "#{something_safe}#{something_else_safe}"
-    value.html_safe? # => false
-
-This is intended functionality and can't be fixed.
-
-Getting Started
-===============
-
-1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable.
-2. Install erubis (gem install erubis)
-3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git)
-4. Report anything that breaks.
-
-Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution.

data/spec/rails2/rails_app/vendor/plugins/rails_xss/Rakefile

@@ -1,23 +0,0 @@
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
-
-desc 'Default: run unit tests.'
-task :default => :test
-
-desc 'Test the rails_xss plugin.'
-Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = true
-end
-
-desc 'Generate documentation for the rails_xss plugin.'
-Rake::RDocTask.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'RailsXss'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README')
-  rdoc.rdoc_files.include('lib/**/*.rb')
-end

data/spec/rails2/rails_app/vendor/plugins/rails_xss/init.rb

@@ -1,7 +0,0 @@
-unless $gems_rake_task
-  if Rails.version <= "2.3.7"
-    $stderr.puts "rails_xss requires Rails 2.3.8 or later. Please upgrade to enable automatic HTML safety."
-  else
-    require 'rails_xss'
-  end
-end

data/spec/rails2/rails_app/vendor/plugins/rails_xss/lib/rails_xss.rb

@@ -1,3 +0,0 @@
-require 'rails_xss/erubis'
-require 'rails_xss/action_view'
-require 'rails_xss/string_ext'

data/spec/rails2/rails_app/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb

@@ -1,87 +0,0 @@
-module ActionView
-  class Base
-    def self.xss_safe?
-      true
-    end
-
-    module WithSafeOutputBuffer
-      # Rails version of with_output_buffer uses '' as the default buf
-      def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc:
-        super buf
-      end
-    end
-
-    include WithSafeOutputBuffer
-  end
-
-  module Helpers
-    module TextHelper
-      def concat(string, unused_binding = nil)
-        if unused_binding
-          ActiveSupport::Deprecation.warn("The binding argument of #concat is no longer needed.  Please remove it from your views and helpers.", caller)
-        end
-
-        output_buffer.concat(string)
-      end
-
-      def simple_format_with_escaping(text, html_options = {})
-        simple_format_without_escaping(ERB::Util.h(text), html_options)
-      end
-      alias_method_chain :simple_format, :escaping
-    end
-
-    module TagHelper
-      private
-        def content_tag_string_with_escaping(name, content, options, escape = true)
-          content_tag_string_without_escaping(name, ERB::Util.h(content), options, escape)
-        end
-        alias_method_chain :content_tag_string, :escaping
-    end
-
-    module UrlHelper
-      def link_to(*args, &block)
-        if block_given?
-          options      = args.first || {}
-          html_options = args.second
-          concat(link_to(capture(&block), options, html_options))
-        else
-          name         = args.first
-          options      = args.second || {}
-          html_options = args.third
-
-          url = url_for(options)
-
-          if html_options
-            html_options = html_options.stringify_keys
-            href = html_options['href']
-            convert_options_to_javascript!(html_options, url)
-            tag_options = tag_options(html_options)
-          else
-            tag_options = nil
-          end
-
-          href_attr = "href=\"#{url}\"" unless href
-          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
-        end
-      end
-    end
-  end
-end
-
-module RailsXss
-  module SafeHelpers
-    def safe_helper(*names)
-      names.each do |helper_method_name|
-        aliased_target, punctuation = helper_method_name.to_s.sub(/([?!=])$/, ''), $1
-        module_eval <<-END
-          def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
-            raw(#{aliased_target}_without_xss_safety#{punctuation}(*args, &block))
-          end
-        END
-        alias_method_chain helper_method_name, :xss_safety
-      end
-    end
-  end
-end
-
-Module.class_eval { include RailsXss::SafeHelpers }

data/spec/rails2/rails_app/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb

@@ -1,33 +0,0 @@
-require 'erubis/helpers/rails_helper'
-
-module RailsXss
-  class Erubis < ::Erubis::Eruby
-    def add_preamble(src)
-      src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
-    end
-
-    def add_text(src, text)
-      return if text.empty?
-      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-    end
-
-    def add_expr_literal(src, code)
-      if code =~ /\s*raw\s+(.*)/
-        src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
-      else
-        src << '@output_buffer << ((' << code << ').to_s);'
-      end
-    end
-
-    def add_expr_escaped(src, code)
-      src << '@output_buffer << ' << escaped_expr(code) << ';'
-    end
-
-    def add_postamble(src)
-      src << '@output_buffer.to_s'
-    end
-  end
-end
-
-Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis
-Erubis::Helpers::RailsHelper.show_src = false

data/spec/rails2/rails_app/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb

@@ -1,52 +0,0 @@
-require 'active_support/deprecation'
-
-ActiveSupport::SafeBuffer.class_eval do
-  def concat(value)
-    if value.html_safe?
-      super(value)
-    else
-      super(ERB::Util.h(value))
-    end
-  end
-  alias << concat
-end
-
-class String
-  def html_safe?
-    defined?(@_rails_html_safe)
-  end
-
-  def html_safe!
-    ActiveSupport::Deprecation.warn("Use html_safe with your strings instead of html_safe! See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for the full story.", caller)
-    @_rails_html_safe = true
-    self
-  end
-
-  def add_with_safety(other)
-    result = add_without_safety(other)
-    if html_safe? && also_html_safe?(other)
-      result.html_safe!
-    else
-      result
-    end
-  end
-  alias_method :add_without_safety, :+
-  alias_method :+, :add_with_safety
-
-  def concat_with_safety(other_or_fixnum)
-    result = concat_without_safety(other_or_fixnum)
-    unless html_safe? && also_html_safe?(other_or_fixnum)
-      remove_instance_variable(:@_rails_html_safe) if defined?(@_rails_html_safe)
-    end
-    result
-  end
-
-  alias_method_chain :concat, :safety
-  undef_method :<<
-  alias_method :<<, :concat_with_safety
-
-  private
-    def also_html_safe?(other)
-      other.respond_to?(:html_safe?) && other.html_safe?
-    end
-end

data/spec/rails2/rails_app/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake

@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :rails_xss do
-#   # Task goes here
-# end

data/spec/rails2/rails_app/vendor/plugins/rails_xss/test/active_record_helper_test.rb

@@ -1,74 +0,0 @@
-require 'test_helper'
-
-class ActiveRecordHelperTest < ActionView::TestCase
-  silence_warnings do
-    Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on)
-    Post.class_eval do
-      alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast)
-      alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast)
-      alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast)
-    end
-  end
-
-  def setup_post
-    @post = Post.new
-    def @post.errors
-      Class.new {
-        def on(field)
-          case field.to_s
-          when "author_name"
-            "can't be empty"
-          when "body"
-            true
-          else
-            false
-          end
-        end
-        def empty?() false end
-        def count() 1 end
-        def full_messages() [ "Author name can't be empty" ] end
-      }.new
-    end
-
-    def @post.new_record?() true end
-    def @post.to_param() nil end
-
-    def @post.column_for_attribute(attr_name)
-      Post.content_columns.select { |column| column.name == attr_name }.first
-    end
-
-    silence_warnings do
-      def Post.content_columns() [ Column.new(:string, "title", "Title"), Column.new(:text, "body", "Body") ] end
-    end
-
-    @post.title       = "Hello World"
-    @post.author_name = ""
-    @post.body        = "Back to the hill and over it again!"
-    @post.secret = 1
-    @post.written_on  = Date.new(2004, 6, 15)
-  end
-
-  def setup
-    setup_post
-
-    @response = ActionController::TestResponse.new
-
-    @controller = Object.new
-    def @controller.url_for(options)
-      options = options.symbolize_keys
-
-      [options[:action], options[:id].to_param].compact.join('/')
-    end
-  end
-
-  def test_text_field_with_errors_is_safe
-    assert text_field("post", "author_name").html_safe?
-  end
-
-  def test_text_field_with_errors
-    assert_dom_equal(
-      %(<div class="fieldWithErrors"><input id="post_author_name" name="post[author_name]" size="30" type="text" value="" /></div>),
-      text_field("post", "author_name")
-    )
-  end
-end

data/spec/rails2/rails_app/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb

@@ -1,49 +0,0 @@
-require 'test_helper'
-
-class AssetTagHelperTest < ActionView::TestCase
-  def setup
-    @controller = Class.new do
-      attr_accessor :request
-      def url_for(*args) "http://www.example.com" end
-    end.new
-  end
-
-  def test_auto_discovery_link_tag
-    assert_dom_equal(%(<link href="http://www.example.com" rel="Not so alternate" title="ATOM" type="application/atom+xml" />),
-                     auto_discovery_link_tag(:atom, {}, {:rel => "Not so alternate"}))
-  end
-
-  def test_javascript_include_tag_with_blank_asset_id
-    ENV["RAILS_ASSET_ID"] = ""
-    assert_dom_equal(%(<script src="/javascripts/test.js" type="text/javascript"></script>\n<script src="/javascripts/prototype.js" type="text/javascript"></script>\n<script src="/javascripts/effects.js" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js" type="text/javascript"></script>\n<script src="/javascripts/controls.js" type="text/javascript"></script>\n<script src="/javascripts/application.js" type="text/javascript"></script>),
-                     javascript_include_tag("test", :defaults))
-  end
-
-  def test_javascript_include_tag_with_given_asset_id
-    ENV["RAILS_ASSET_ID"] = "1"
-    assert_dom_equal(%(<script src="/javascripts/prototype.js?1" type="text/javascript"></script>\n<script src="/javascripts/effects.js?1" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js?1" type="text/javascript"></script>\n<script src="/javascripts/controls.js?1" type="text/javascript"></script>\n<script src="/javascripts/application.js?1" type="text/javascript"></script>),
-                     javascript_include_tag(:defaults))
-    ENV["RAILS_ASSET_ID"] = ""
-  end
-
-  def test_javascript_include_tag_is_html_safe
-    assert javascript_include_tag(:defaults).html_safe?
-    assert javascript_include_tag("prototype").html_safe?
-  end
-
-  def test_stylesheet_link_tag
-    assert_dom_equal(%(<link href="http://www.example.com/styles/style.css" media="screen" rel="stylesheet" type="text/css" />),
-                     stylesheet_link_tag("http://www.example.com/styles/style"))
-  end
-
-  def test_stylesheet_link_tag_is_html_safe
-    assert stylesheet_link_tag('dir/file').html_safe?
-    assert stylesheet_link_tag('dir/other/file', 'dir/file2').html_safe?
-    assert stylesheet_tag('dir/file', {}).html_safe?
-  end
-
-  def test_image_tag
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
-                     image_tag("mouse.png", :mouseover => image_path("mouse_over.png")))
-  end
-end