escape_escape_escape 0.3.0 → 1.1.0

data/specs/as_ruby/0003-css_selector.rb

@@ -0,0 +1,12 @@
+
+
+it     'returns string if valid'
+input  '#my_box div.hello:hover'
+output '#my_box div.hello:hover'
+
+
+it     'raises Invalid if it contains unallowed chars:'
+input  '$my_box'
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+

data/specs/as_ruby/0003-css_value.rb

@@ -0,0 +1,53 @@
+
+it     'sanitizes :css :expression regardless of the case'
+input  "eXprEssioN(alert('xss!'));"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it    'sanitizes :css :expression when ( or ) is an html entity: ( )'
+input "eXprEssioN(alert('xss!'))"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+
+it     'sanitizes :css :expression when ( is html entity regardless of case: &rPaR;'
+input  "eXprEssioN&rPaR;alert('xss!'))"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it     'sanitizes css_href'
+input  "smtp://file.com/img.png"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it    'sanitizes css_href event if slash is html entity: /'
+input "smtp://file.com/img.png"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it    'sanitizes css_href event if slash is html entity: /'
+input "smtp://file.com/img.png"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+
+it     'sanitizes css_href event if slash is html entity: /' 
+input  "smtp://file.com/img.png"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it     'sanitizes css_href with encoded slashes' 
+input  "smtp://file.com/img.png"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it    'sanitizes javascript: href'
+input 'jAvAscript://alert()'
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it    'sanitizes javascript: href with encoded colons:'
+input "javascript://alert()"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it     'sanitizes javascript: href with encoded slashes'
+input  "javascript://alert()"
+raises Escape_Escape_Escape::Invalid, /contains invalid chars/
+
+it     'returns cleaned string'
+input  '1px solid #000'
+output '1px solid #000'
+
+
+

data/specs/as_ruby/0004-==.rb

@@ -0,0 +1,5 @@
+
+it     'has the same REGEX_UNSUITABLE_CHARS as Sanitize'
+input  Escape_Escape_Escape::REGEX_UNSUITABLE_CHARS
+output Sanitize::REGEX_UNSUITABLE_CHARS 
+

data/specs/as_ruby/0020-href.rb

@@ -0,0 +1,118 @@
+
+
+it     "raises Invalid_HREF if scheme is whitespace padded:"
+input  "javascript ://alert()"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if scheme is whitespace padded, slash encoded:"
+input  "javascript :&sOL;/alert()"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if colon encode: : :"
+input  "javascript://alert()"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if colon encode: : :"
+input  "javascript://alert()"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if colon encode: : :"
+input  "javascript://alert()"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if string is whitespace padded:"
+input  "   javascript://alert()  "
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+
+it     "raises Invalid_HREF if string is whitespace padded, multi-case:"
+input  "   javaSCript ://alert()  "
+raises Escape_Escape_Escape::Invalid_HREF, /javaSCript/i
+
+
+it     "escapes  valid /path"
+input  "/path/mine/&"
+output "/path/mine/&"
+
+
+it    "raises Invalid_HREF if invalid uri:"
+input "javascript:alert(s)"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+it    "raises Invalid_HREF if invalid uri"
+input "javascript:alert(s)"
+raises Escape_Escape_Escape::Invalid_HREF, /javascript/
+
+it     "escapes valid https uri"
+input  "https://www.yahoo.com/&"
+output "https://www.yahoo.com/&"
+
+
+it     "escapes valid uri"
+input  "http://www.yahoo.com/&"
+output "http://www.yahoo.com/&"
+
+
+it     "escapes valid relative path:"
+input  "/path/mine/&"
+output "/path/mine/&"
+
+
+it     "raises Invalid_HREF if it contains unicode:"
+input  "http://кц.рф"
+raises Escape_Escape_Escape::Invalid_HREF, /bad URI/
+
+
+it    'normalizes address:'
+input "hTTp://wWw.test.com/"
+output "http://wWw.test.com/"
+
+
+it     'fails w/ Invalid_HREF if invalid uri: < :'
+input  "http://www.test.com/<something/"
+raises Escape_Escape_Escape::Invalid_HREF, /http:\/\/www.test.com\/<something\//
+
+
+it     'returns html escaped chars: \' :'
+input  "http://www.test.com/?test='something/"
+output "http:&#47;&#47;www.test.com&#47;?test=&#39;something&#47;"
+
+
+it    'fails w/ Invalid_HREF if HTML entities in uri:'
+input "http://6&#9;6.000146.0x7.147/"
+raises Escape_Escape_Escape::Invalid_HREF, /bad URI/
+
+
+it     'fails w/ Invalid_HREF if path contains html entities:'
+input  "http://www.test.com/&nbsp;s/"
+raises Escape_Escape_Escape::Invalid_HREF, /bad URI/
+
+
+it     'fails w/ Invalid_HREF if query string contains HTML entities:'
+input  "http://www.test.com/s/test?t&nbsp;test"
+raises Escape_Escape_Escape::Invalid_HREF, /bad URI/
+
+
+
+it     'does not re-escaped already escaped :href'
+input  "http:&#47;&#47;www.example.com&#47;"
+output "http:&#47;&#47;www.example.com&#47;"
+
+
+it     'lower-cases scheme'
+input  "hTTp://www.example.com/"
+output "http:&#47;&#47;www.example.com&#47;"
+
+
+it    'fails w/ Invalid_HREF if contains &sol;, regardless of case:'
+input  "htTp:&soL;&sOl;file.com/img.png"
+raises Escape_Escape_Escape::Invalid_HREF, /address is invalid/
+
+
+
+

data/specs/as_ruby/0030-clean_utf8.rb

@@ -0,0 +1,34 @@
+it     "replaces tabs with 2 spaces"
+input  "<p>hello\tagain</p>"
+output "<p>hello  again</p>"
+
+it     "removes \\r"
+input  "hi \r\r again"
+output "hi  again"
+
+it     "does not remove \\n"
+input  "<p>hello\nagain</p>"
+output "<p>hello\nagain</p>"
+
+it     "does not remove multiple \\n"
+input  "<p>hello\n \nagain</p>"
+output "<p>hello\n \nagain</p>"
+
+it     "normalizes string"
+input  "Ⅷ"
+output "VIII"
+
+it     "normalizes string"
+input  "\u2167"
+output "VIII"
+
+
+it "replaces nb spaces (160 codepoint) with regular ' ' spaces"
+input [160, 160,64, 116, 119, 101, 108, 108, 121, 109, 101, 160, 102, 105, 108, 109].
+    inject('', :<<)
+
+output "@twellyme film"
+
+it     "replaces tabs with spaces"
+input  "a\t \ta"
+output "a     a"

data/specs/as_ruby/0040-escape.rb

@@ -0,0 +1,41 @@
+
+
+
+it 'turns numerics into strings: 1.004'
+input 1.004
+output '1.004'
+
+
+it 'raises Invalid if Object'
+input Object.new
+raises Escape_Escape_Escape::Invalid, /Not a String, Number, Array, or Hash/i
+
+
+it 'escapes all String keys in nested objects'
+input({"   a >" => {" a >  " => "<b>test</b>"}})
+output({
+  "a &gt;" => {
+    "a &gt;" => "&lt;b&gt;test&lt;&#47;b&gt;"
+  }
+})
+
+
+it 'escapes all Symbol keys in nested objects'
+input({:"   a >   " => {:" a >" => "<b>test</b>"}})
+output({
+  :"a &gt;" => {
+    :"a &gt;" => "&lt;b&gt;test&lt;&#47;b&gt;"
+  }
+})
+
+
+
+it 'escapes all values in nested objects'
+input(  {name: {name: "<b>test</b>"}} )
+output( {name: {name: "&lt;b&gt;test&lt;&#47;b&gt;"}} )
+
+
+
+it 'escapes all values in nested arrays'
+input  [{name:{name: '<b>test</b>'}}]
+output [{name: {name: "&lt;b&gt;test&lt;&#47;b&gt;"}}]

data/specs/escape_escape_escape.rb

@@ -1,35 +1,147 @@
 
+require 'Bacon_Colored'
+require 'escape_escape_escape'
+require 'pry'
+
 require "multi_json"
 require "escape_escape_escape"
+require 'sanitize'
+
+BRACKETS = <<-EOF.split.join(' ')
+< %3C &lt &lt; &LT &LT; &#60 &#060 &#0060
+&#00060 &#000060 &#0000060 &#60; &#060; &#0060; &#00060;
+&#000060; &#0000060; &#x3c &#x03c &#x003c &#x0003c &#x00003c
+&#x000003c &#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c;
+&#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
+&#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c;
+&#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C &#x3C; &#x03C;
+&#x003C; &#x0003C; &#x00003C; &#x000003C; &#X3C &#X03C
+&#X003C &#X0003C &#X00003C &#X000003C &#X3C; &#X03C; &#X003C; &#X0003C;
+&#X00003C; &#X000003C; \x3c \x3C \u003c \u003C
+EOF
+
+
+class It_Dsl
+  class << self
+
+    def tests
+      @tests ||= []
+    end
+
+    def args
+      @args ||= []
+    end
+
+    def describe str
+      tests << {:describe => str, :tests=>[]}
+    end
+
+    def it str
+      args << str
+    end
+
+    def input o
+      args << o
+    end
+
+    def << t
+      if !args.empty?
+        fail "Unknown values pending for: #{tests.last[:describe]}: #{args.inspect}, #{o.inspect}"
+      end
+
+      t[:it] = if t[:it].strip[/:\z/]
+                    "#{t[:it]} #{t[:input]}"
+                  else
+                    t[:it]
+                  end
+
+      tests.last[:tests] << t
+    end
+
+    def stack arr
+      self << {it: args.shift, input: args.pop, stack: arr}
+    end
+
+    def raises o, m
+      self << {it: args.shift, input: args.pop, raises: [o, m]}
+    end
+
+    def output o
+      self << {it: args.shift, input: args.pop, output: o}
+    end
+
+  end # === class << self
+end # == class It_Dsl
+
+# =================================================
+glob = ENV['RUBY_TEST_FILE'].to_s.strip.empty? ?
+  "specs/as_ruby/*.rb" :
+  ENV['RUBY_TEST_FILE']
+# =================================================
+
+Dir.glob(glob).sort.each { |f|
+
+  contents    = File.read f
+  method_name = File.basename(f).gsub(/\A\d+-|\.rb\z/, '')
+
+  It_Dsl.describe method_name.to_sym
+  It_Dsl.instance_eval contents, f
+
+} # === Dir.glob
+
+
+It_Dsl.tests.each { |o|
+
+  describe o[:describe] do
+    o[:tests].each { |t|
+      it t[:it] do
+
+        case
+
+        when o[:describe] == :==
+          t[:input].should == t[:output]
+
+        when t.has_key?(:output)
+          Escape_Escape_Escape.send(o[:describe], t[:input])
+          .should == t[:output]
+
+        when !t.has_key?(:output) && t[:raises]
+          should.raise(t[:raises].first) {
+            Escape_Escape_Escape.send(o[:describe], t[:input])
+          }.message.should.match(t[:raises].last)
+
+        when t.has_key?(:stack) && t[:stack].is_a?(Array)
+
+          stack = t[:stack]
+          actual = Escape_Escape_Escape.send(o[:describe], t[:input])
+          target = stack.pop
 
-Dir.glob("specs/as_json/*.json").sort.each { |f|
-  contents = MultiJson.load(File.read f)
-  method_name = File.basename(f).gsub(/\A\d+-|\.json\Z/, '')
-  describe ":#{method_name}" do
-    contents.each { |t|
-      it t["it"] do
-        i      = t["input"]
-        o      = t["output"]
-        actual = Escape_Escape_Escape.send(method_name, i)
-
-        case o
-        when String
-          actual.should == o
-        when Array
-          target = o.pop
           begin
-            if o[1].is_a?(Array)
-              meth = o.shift
-              args = o.shift
+            case
+            when stack[1].is_a?(Array)
+              meth = stack.shift
+              args = stack.shift
               actual = actual.send(meth, *args)
+
+            when stack.first.is_a?(Symbol)
+              actual = actual.send(stack.shift)
+
             else
-              fail "Unknown method: #{o[0].inspect}"
+              fail "Unknown method: #{stack[0].inspect}"
+
             end
-          end while !o.empty?
+          end while !stack.empty?
 
           actual.should == target
+
+        else
+          fail "Unknown args for test: #{t.inspect}"
+
         end # === case
       end # === it
     }
   end
-}
+} # === It_Dsl
+
+
+

data/specs/lib/helpers.rb

@@ -0,0 +1 @@
+

metadata

@@ -1,29 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: escape_escape_escape
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.1.0
 platform: ruby
 authors:
 - da99
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-23 00:00:00.000000000 Z
+date: 2014-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: sanitize
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - ">"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 2.3.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - ">"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 2.3.5
+- !ruby/object:Gem::Dependency
+  name: escape_utils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: unf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.1.3
 - !ruby/object:Gem::Dependency
   name: htmlentities
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +150,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: sanitize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.1
 description: "\n    My way of escaping/encoding HTML with the proper entities.\n  "
 email:
 - i-hate-spam-1234567@mailinator.com
@@ -132,22 +174,21 @@ files:
 - ".gitignore"
 - Gemfile
 - LICENSE
-- LICENSE.txt
 - README.md
 - VERSION
 - escape_escape_escape.gemspec
-- lib/beta.rb
-- lib/e_e_e.js
 - lib/escape_escape_escape.rb
-- package.json
-- specs/as_json/0001-html.json
-- specs/as_json/0002-inner_html.json
-- specs/as_json/0010-text.json
+- specs/as_ruby/0001-html.rb
+- specs/as_ruby/0002-decode_html.rb
+- specs/as_ruby/0003-css_attr.rb
+- specs/as_ruby/0003-css_selector.rb
+- specs/as_ruby/0003-css_value.rb
+- specs/as_ruby/0004-==.rb
+- specs/as_ruby/0020-href.rb
+- specs/as_ruby/0030-clean_utf8.rb
+- specs/as_ruby/0040-escape.rb
 - specs/escape_escape_escape.rb
-- specs/helpers.rb
-- test/sanitize_attrs.js
-- test/sanitize_html.js
-- test/sanitize_un_escape.js
+- specs/lib/helpers.rb
 homepage: https://github.com/da99/escape_escape_escape
 licenses:
 - MIT
@@ -168,11 +209,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.3.0
+rubygems_version: 2.4.1
 signing_key: 
 specification_version: 4
 summary: My way of escaping/encoding HTML.
-test_files:
-- test/sanitize_attrs.js
-- test/sanitize_html.js
-- test/sanitize_un_escape.js
+test_files: []