escape_utils 0.1.8 → 0.1.9

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.1.9 (October 15th, 2010)
+* add a flag as an optional 2nd parameter to EscapeUtils.escape_html to disable/enable the escaping of the '/' character. Defaults to the new flag EscapeUtils.html_secure
+
 ## 0.1.8 (September 29th, 2010)
 * fix URI escaping one last time ;)
 

data/README.rdoc

@@ -8,6 +8,8 @@ For character encoding in 1.9, we'll return strings in whatever Encoding.default
 
 It has monkey-patches for Rack::Utils, CGI, ERB::Util and Haml and ActionView so you can drop this in and have your app start escaping fast as balls in no time
 
+It supports HTML, URL, URI and Javascript escaping/unescaping.
+
 == Installing
 
   gem install escape_utils
@@ -34,6 +36,19 @@ It has monkey-patches for Rack::Utils, CGI, ERB::Util and Haml and ActionView so
   require 'escape_utils/html/cgi' # to patch CGI
   require 'escape_utils/html/haml' # to patch Haml::Helpers
 
+=== URL
+
+==== Escaping
+
+  url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
+  escaped_url = EscapeUtils.url_escape(url)
+
+==== Unescaping
+
+  url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
+  escaped_url = EscapeUtils.url_escape(url)
+  EscapeUtils.url_unescape(escaped_url) == url # => true
+
 === Javascript
 
 ==== Escaping
@@ -41,6 +56,12 @@ It has monkey-patches for Rack::Utils, CGI, ERB::Util and Haml and ActionView so
   javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
   escaped_javascript = EscapeUtils.escape_javascript(javascript)
 
+==== Unescaping
+
+  javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
+  escaped_javascript = EscapeUtils.escape_javascript(javascript)
+  EscapeUtils.unescape_javascript(escaped_javascript) == javascript # => true
+
 ==== Monkey Patches
 
   require 'escape_utils/javascript/action_view' # to patch ActionView::Helpers::JavaScriptHelper

data/VERSION

@@ -1 +1 @@
-0.1.8
+0.1.9

data/escape_utils.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{escape_utils}
-  s.version = "0.1.8"
+  s.version = "0.1.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Brian Lopez"]
-  s.date = %q{2010-09-29}
+  s.date = %q{2010-10-15}
   s.email = %q{seniorlopez@gmail.com}
   s.extensions = ["ext/extconf.rb"]
   s.extra_rdoc_files = [

data/ext/escape_utils.c

@@ -4,47 +4,43 @@
 static rb_encoding *utf8Encoding;
 #endif
 
+static VALUE mEscapeUtils;
+static ID rb_html_secure;
+
 #define IS_HEX(c) (c >= 48 || c <= 57) && (c >= 65 || c <= 70) && (c >= 97 || c <= 102)
 #define NOT_HEX(c) (c < 48 || c > 57) && (c < 65 || c > 90) && (c < 97 || c > 122)
 #define UNHEX(c) (c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : c - 'a' + 10)
 #define URI_SAFE(c) (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c== 45 || c == 46 || c == 95 || c == 126
 //                  ALPHA / DIGIT / "-" / "." / "_" / "~"
 
-static size_t escape_html(unsigned char *out, const unsigned char *in, size_t in_len) {
+static size_t escape_html(unsigned char *out, const unsigned char *in, size_t in_len, unsigned short int secure) {
   size_t total = 0;
   unsigned char curChar;
 
   total = in_len;
   while (in_len) {
     curChar = *in++;
-    switch (curChar) {
-    case '<':
+
+    if (curChar == '<') {
       *out++ = '&'; *out++ = 'l'; *out++ = 't'; *out++ = ';';
       total += 3;
-      break;
-    case '>':
+    } else if (curChar == '>') {
       *out++ = '&'; *out++ = 'g'; *out++ = 't'; *out++ = ';';
       total += 3;
-      break;
-    case '&':
+    } else if (curChar == '&') {
       *out++ = '&'; *out++ = 'a'; *out++ = 'm'; *out++ = 'p'; *out++ = ';';
       total += 4;
-      break;
-    case '\'':
+    } else if (curChar == '\'') {
       *out++ = '&'; *out++ = '#'; *out++ = '3'; *out++ = '9'; *out++ = ';';
       total += 4;
-      break;
-    case '\"':
+    } else if (curChar == '\"') {
       *out++ = '&'; *out++ = 'q'; *out++ = 'u'; *out++ = 'o'; *out++ = 't'; *out++ = ';';
       total += 5;
-      break;
-    case '/':
+    } else if (secure && curChar == '/') {
       *out++ = '&'; *out++ = '#'; *out++ = '4'; *out++ = '7'; *out++ = ';';
       total += 4;
-      break;
-    default:
+    } else {
       *out++ = curChar;
-      break;
     }
     in_len--;
   }
@@ -282,7 +278,19 @@ static size_t unescape_uri(unsigned char *out, const unsigned char *in, size_t i
   return total;
 }
 
-static VALUE rb_escape_html(VALUE self, VALUE str) {
+static VALUE rb_escape_html(int argc, VALUE * argv, VALUE self) {
+  VALUE str, rb_secure = rb_funcall(mEscapeUtils, rb_html_secure, 0);
+  unsigned short secure = 1;
+  if (rb_secure == Qfalse) {
+    secure = 0;
+  }
+
+  if (rb_scan_args(argc, argv, "11", &str, &rb_secure) == 2) {
+    if (rb_secure == Qfalse) {
+      secure = 0;
+    }
+  }
+
   Check_Type(str, T_STRING);
 
   VALUE rb_output_buf;
@@ -298,7 +306,7 @@ static VALUE rb_escape_html(VALUE self, VALUE str) {
   unsigned char *outBuf = (unsigned char *)malloc(sizeof(unsigned char *)*(len*5));
 
   // perform our escape, returning the new string's length
-  new_len = escape_html(outBuf, inBuf, len);
+  new_len = escape_html(outBuf, inBuf, len, secure);
 
   // create our new ruby string
   rb_output_buf = rb_str_new((char *)outBuf, new_len);
@@ -572,26 +580,28 @@ static VALUE rb_unescape_uri(VALUE self, VALUE str) {
 
 /* Ruby Extension initializer */
 void Init_escape_utils_ext() {
-  VALUE mEscape = rb_define_module("EscapeUtils");
-  rb_define_method(mEscape,           "escape_html",          rb_escape_html,   1);
-  rb_define_module_function(mEscape,  "escape_html",          rb_escape_html,   1);
-  rb_define_method(mEscape,           "unescape_html",        rb_unescape_html, 1);
-  rb_define_module_function(mEscape,  "unescape_html",        rb_unescape_html, 1);
-  rb_define_method(mEscape,           "escape_javascript",    rb_escape_javascript, 1);
-  rb_define_module_function(mEscape,  "escape_javascript",    rb_escape_javascript, 1);
-  rb_define_method(mEscape,           "unescape_javascript",  rb_unescape_javascript, 1);
-  rb_define_module_function(mEscape,  "unescape_javascript",  rb_unescape_javascript, 1);
-  rb_define_method(mEscape,           "escape_url",           rb_escape_url, 1);
-  rb_define_module_function(mEscape,  "escape_url",           rb_escape_url, 1);
-  rb_define_method(mEscape,           "unescape_url",         rb_unescape_url, 1);
-  rb_define_module_function(mEscape,  "unescape_url",         rb_unescape_url, 1);
-  rb_define_method(mEscape,           "escape_uri",           rb_escape_uri, 1);
-  rb_define_module_function(mEscape,  "escape_uri",           rb_escape_uri, 1);
-  rb_define_method(mEscape,           "unescape_uri",         rb_unescape_uri, 1);
-  rb_define_module_function(mEscape,  "unescape_uri",         rb_unescape_uri, 1);
+  mEscapeUtils = rb_define_module("EscapeUtils");
+  rb_define_method(mEscapeUtils,           "escape_html",          rb_escape_html,   -1);
+  rb_define_module_function(mEscapeUtils,  "escape_html",          rb_escape_html,   -1);
+  rb_define_method(mEscapeUtils,           "unescape_html",        rb_unescape_html, 1);
+  rb_define_module_function(mEscapeUtils,  "unescape_html",        rb_unescape_html, 1);
+  rb_define_method(mEscapeUtils,           "escape_javascript",    rb_escape_javascript, 1);
+  rb_define_module_function(mEscapeUtils,  "escape_javascript",    rb_escape_javascript, 1);
+  rb_define_method(mEscapeUtils,           "unescape_javascript",  rb_unescape_javascript, 1);
+  rb_define_module_function(mEscapeUtils,  "unescape_javascript",  rb_unescape_javascript, 1);
+  rb_define_method(mEscapeUtils,           "escape_url",           rb_escape_url, 1);
+  rb_define_module_function(mEscapeUtils,  "escape_url",           rb_escape_url, 1);
+  rb_define_method(mEscapeUtils,           "unescape_url",         rb_unescape_url, 1);
+  rb_define_module_function(mEscapeUtils,  "unescape_url",         rb_unescape_url, 1);
+  rb_define_method(mEscapeUtils,           "escape_uri",           rb_escape_uri, 1);
+  rb_define_module_function(mEscapeUtils,  "escape_uri",           rb_escape_uri, 1);
+  rb_define_method(mEscapeUtils,           "unescape_uri",         rb_unescape_uri, 1);
+  rb_define_module_function(mEscapeUtils,  "unescape_uri",         rb_unescape_uri, 1);
 
 #ifdef HAVE_RUBY_ENCODING_H
   utf8Encoding = rb_utf8_encoding();
 #endif
+
+  rb_html_secure = rb_intern("html_secure");
 }
 

data/lib/escape_utils.rb

@@ -4,7 +4,19 @@ require 'escape_utils_ext'
 
 EscapeUtils.send(:extend, EscapeUtils)
 module EscapeUtils
-  VERSION = "0.1.8"
+  VERSION = "0.1.9"
+
+  # turn on/off the escaping of the '/' character during HTML escaping
+  # Escaping '/' is recommended by the OWASP - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+  # This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010)
+  @@html_secure = true
+
+  def self.html_secure
+    @@html_secure
+  end
+  def self.html_secure=(val)
+    @@html_secure = val
+  end
 
   autoload :HtmlSafety, 'escape_utils/html_safety'
 end

data/lib/escape_utils/html_safety.rb

@@ -7,12 +7,12 @@ module EscapeUtils
         if s.html_safe?
           s.to_s.html_safe
         else
-          EscapeUtils.escape_html(s.to_s).html_safe
+          EscapeUtils.escape_html(s.to_s, EscapeUtils.html_secure).html_safe
         end
       end
     else
       def _escape_html(s)
-        EscapeUtils.escape_html(s.to_s)
+        EscapeUtils.escape_html(s.to_s, EscapeUtils.html_secure)
       end
     end
   end

data/spec/html/escape_spec.rb

@@ -6,10 +6,20 @@ describe EscapeUtils, "escape_html" do
     EscapeUtils.should respond_to(:escape_html)
   end
 
-  it "should escape a basic html tag" do
+  it "should escape a basic html tag, also escaping the '/' character if the secure parameter is true" do
     EscapeUtils.escape_html("<some_tag/>").should eql("&lt;some_tag&#47;&gt;")
   end
 
+  it "should escape a basic html tag, not escaping the '/' character if the secure parameter is false" do
+    EscapeUtils.escape_html("<some_tag/>", false).should eql("&lt;some_tag/&gt;")
+  end
+
+  it "should escape a basic html tag, not escaping the '/' character if EscapeUtils.html_secure is false" do
+    EscapeUtils.html_secure = false
+    EscapeUtils.escape_html("<some_tag/>").should eql("&lt;some_tag/&gt;")
+    EscapeUtils.html_secure = true
+  end
+
   it "should escape double-quotes" do
     EscapeUtils.escape_html("<some_tag some_attr=\"some value\"/>").should eql("&lt;some_tag some_attr=&quot;some value&quot;&#47;&gt;")
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: escape_utils
 version: !ruby/object:Gem::Version 
-  hash: 11
+  hash: 9
   prerelease: false
   segments: 
   - 0
   - 1
-  - 8
-  version: 0.1.8
+  - 9
+  version: 0.1.9
 platform: ruby
 authors: 
 - Brian Lopez
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-29 00:00:00 -07:00
+date: 2010-10-15 00:00:00 -07:00
 default_executable: 
 dependencies: []