RubyGems - escape_utils - Versions diffs - 0.2.3 → 0.2.4 - Mend

escape_utils 0.2.3 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

data/.gitignore +2 -1
data/CHANGELOG.md +4 -0
data/README.md +206 -0
data/benchmark/html_escape.rb +1 -0
data/benchmark/html_unescape.rb +1 -0
data/benchmark/javascript_escape.rb +1 -0
data/benchmark/javascript_unescape.rb +1 -0
data/benchmark/url_escape.rb +1 -0
data/benchmark/url_unescape.rb +1 -0
data/escape_utils.gemspec +0 -3
data/ext/escape_utils/buffer.c +228 -0
data/ext/escape_utils/buffer.h +91 -0
data/ext/escape_utils/escape_utils.c +111 -531
data/ext/escape_utils/houdini.h +15 -0
data/ext/escape_utils/houdini_html.c +214 -0
data/ext/escape_utils/houdini_js.c +148 -0
data/ext/escape_utils/houdini_uri.c +130 -0
data/ext/escape_utils/html_unescape.h +754 -0
data/ext/escape_utils/uri_escape.h +35 -0
data/lib/escape_utils.rb +2 -2
data/lib/escape_utils/html/cgi.rb +0 -2
data/lib/escape_utils/html/erb.rb +0 -2
data/lib/escape_utils/html/haml.rb +0 -2
data/lib/escape_utils/html/rack.rb +0 -2
data/lib/escape_utils/html_safety.rb +0 -2
data/lib/escape_utils/javascript/action_view.rb +0 -2
data/lib/escape_utils/url/cgi.rb +0 -2
data/lib/escape_utils/url/erb.rb +0 -2
data/lib/escape_utils/url/rack.rb +0 -2
data/lib/escape_utils/url/uri.rb +0 -2
data/lib/escape_utils/version.rb +1 -1
data/spec/html/escape_spec.rb +0 -1
data/spec/html/unescape_spec.rb +0 -1
data/spec/html_safety_spec.rb +0 -1
data/spec/javascript/escape_spec.rb +0 -1
data/spec/javascript/unescape_spec.rb +0 -1
data/spec/query/escape_spec.rb +0 -1
data/spec/query/unescape_spec.rb +1 -0
data/spec/spec_helper.rb +0 -1
data/spec/uri/escape_spec.rb +0 -1
data/spec/uri/unescape_spec.rb +1 -0
data/spec/url/escape_spec.rb +0 -1
data/spec/url/unescape_spec.rb +1 -0
metadata +16 -8
data/README.rdoc +0 -146

data/ext/escape_utils/houdini.h ADDED

@@ -0,0 +1,15 @@
+#ifndef __HOUDINI_H__
+#define __HOUDINI_H__
+#include "buffer.h"
+extern void houdini_escape_html(struct buf *ob, const uint8_t *src, size_t size, int secure);
+extern void houdini_unescape_html(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_escape_uri(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_escape_url(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_unescape_uri(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_unescape_url(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_escape_js(struct buf *ob, const uint8_t *src, size_t size);
+extern void houdini_unescape_js(struct buf *ob, const uint8_t *src, size_t size);
+#endif

data/ext/escape_utils/houdini_html.c ADDED

@@ -0,0 +1,214 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include "houdini.h"
+#include "html_unescape.h"
+#define ESCAPE_GROW_FACTOR(x) (((x) * 12) / 10) /* this is very scientific, yes */
+#define UNESCAPE_GROW_FACTOR(x) (x) /* unescaping shouldn't grow our buffer */
+/* Helper _isdigit methods -- do not trust the current locale */
+int _isxdigit(int c)
+{
+	return strchr("0123456789ABCDEFabcdef", c) != NULL;
+}
+int _isdigit(int c)
+{
+	return (c >= '0' && c <= '9');
+}
+/**
+ * According to the OWASP rules:
+ *
+ * & --> &amp;
+ * < --> &lt;
+ * > --> &gt;
+ * " --> &quot;
+ * ' --> &#x27;     &apos; is not recommended
+ * / --> &#x2F;     forward slash is included as it helps end an HTML entity
+ *
+ */
+static const char HTML_ESCAPE_TABLE[] = {
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 1, 0, 0, 0, 2, 3, 0, 0, 0, 0, 0, 0, 0, 4,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 6, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+static const char *HTML_ESCAPES[] = {
+        "",
+        "&quot;",
+        "&amp;",
+        "&#39;",
+        "&#47;",
+        "&lt;",
+        "&gt;"
+};
+void
+houdini_escape_html(struct buf *ob, const uint8_t *src, size_t size, int secure)
+{
+	size_t  i = 0, org, esc;
+	bufgrow(ob, ESCAPE_GROW_FACTOR(size));
+	while (i < size) {
+		org = i;
+		while (i < size && (esc = HTML_ESCAPE_TABLE[src[i]]) == 0)
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i >= size)
+			break;
+		/* The forward slash is only escaped in secure mode */
+		if (src[i] == '/' && !secure) {
+			bufputc(ob, '/');
+		} else {
+			bufputs(ob, HTML_ESCAPES[esc]);
+		}
+		i++;
+	}
+}
+static inline void
+bufput_utf8(struct buf *ob, int c)
+{
+	unsigned char unichar[4];
+	if (c < 0x80) {
+		bufputc(ob, c);
+	}
+	else if (c < 0x800) {
+		unichar[0] = 192 + (c / 64);
+		unichar[1] = 128 + (c % 64);
+		bufput(ob, unichar, 2);
+	}
+	else if (c - 0xd800u < 0x800) {
+		bufputc(ob, '?');
+	}
+	else if (c < 0x10000) {
+		unichar[0] = 224 + (c / 4096);
+		unichar[1] = 128 + (c / 64) % 64;
+		unichar[2] = 128 + (c % 64);
+		bufput(ob, unichar, 3);
+	}
+	else if (c < 0x110000) {
+		unichar[0] = 240 + (c / 262144);
+		unichar[1] = 128 + (c / 4096) % 64;
+		unichar[2] = 128 + (c / 64) % 64;
+		unichar[3] = 128 + (c % 64);
+		bufput(ob, unichar, 4);
+	}
+	else {
+		bufputc(ob, '?');
+	}
+}
+static size_t
+unescape_ent(struct buf *ob, const uint8_t *src, size_t size)
+{
+	size_t i = 0;
+	if (size > 3 && src[0] == '#') {
+		int codepoint = 0;
+		if (_isdigit(src[1])) {
+			for (i = 1; i < size && _isdigit(src[i]); ++i)
+				codepoint = (codepoint * 10) + (src[i] - '0');
+		}
+		else if (src[1] == 'x' || src[1] == 'X') {
+			for (i = 2; i < size && _isxdigit(src[i]); ++i)
+				codepoint = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+		}
+		if (i < size && src[i] == ';') {
+			bufput_utf8(ob, codepoint);
+			return i + 1;
+		}
+	}
+	else {
+		if (size > MAX_WORD_LENGTH)
+			size = MAX_WORD_LENGTH;
+		for (i = MIN_WORD_LENGTH; i < size; ++i) {
+			if (src[i] == ' ')
+				break;
+			if (src[i] == ';') {
+				const struct html_ent *entity = find_entity((char *)src, i);
+				if (entity != NULL) {
+					bufput(ob, entity->utf8, entity->utf8_len);
+					return i + 1;
+				}
+				break;
+			}
+		}
+	}
+	bufputc(ob, '&');
+	return 0;
+}
+void
+houdini_unescape_html(struct buf *ob, const uint8_t *src, size_t size)
+{
+	size_t  i = 0, org;
+	bufgrow(ob, UNESCAPE_GROW_FACTOR(size));
+	while (i < size) {
+		org = i;
+		while (i < size && src[i] != '&')
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i >= size)
+			break;
+		i++;
+		i += unescape_ent(ob, src + i, size - i);
+	}
+}
+#ifdef TEST
+int main()
+{
+	const char TEST_STRING[] = "This &#x2663; is & just &quot;an example&diams;&quot;";
+	struct buf *buffer;
+	buffer = bufnew(128);
+	houdini_unescape_html(buffer, TEST_STRING, strlen(TEST_STRING));
+	printf("Result: %.*s\n", (int)buffer->size, buffer->data);
+	bufrelease(buffer);
+	return 0;
+}
+#endif

data/ext/escape_utils/houdini_js.c ADDED

@@ -0,0 +1,148 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include "houdini.h"
+#define ESCAPE_GROW_FACTOR(x) (((x) * 12) / 10)
+#define UNESCAPE_GROW_FACTOR(x) (x)
+void
+houdini_unescape_js(struct buf *ob, const uint8_t *src, size_t size)
+{
+	size_t  i = 0, org, ch;
+	bufgrow(ob, UNESCAPE_GROW_FACTOR(size));
+	while (i < size) {
+		org = i;
+		while (i < size && src[i] != '\\')
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i == size)
+			break;
+		if (++i == size) {
+			bufputc(ob, '\\');
+			break;
+		}
+		ch = src[i];
+		switch (ch) {
+		case 'n':
+			ch = '\n';
+			/* pass through */
+		case '\\':
+		case '\'':
+		case '\"':
+		case '/':
+			bufputc(ob, ch);
+			i++;
+			break;
+		default:
+			bufputc(ob, '\\');
+			break;
+		}
+	}
+}
+static const char JS_ESCAPE[] = {
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+void
+houdini_escape_js(struct buf *ob, const uint8_t *src, size_t size)
+{
+	size_t  i = 0, org, ch;
+	bufgrow(ob, ESCAPE_GROW_FACTOR(size));
+	while (i < size) {
+		org = i;
+		while (i < size && JS_ESCAPE[src[i]] == 0)
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i >= size)
+			break;
+		ch = src[i];
+		switch (ch) {
+		case '/':
+			/*
+			 * Escape only if preceded by a lt
+			 */
+			if (i && src[i - 1] == '<')
+				bufputc(ob, '\\');
+			bufputc(ob, ch);
+			break;
+		case '\r':
+			/*
+			 * Escape as \n, and skip the next \n if it's there
+			 */
+			if (i + 1 < size && src[i + 1] == '\n') i++;
+		case '\n':
+			/*
+			 * Escape actually as '\','n', not as '\', '\n'
+			 */
+			ch = 'n';
+		default:
+			/*
+			 * Normal escaping
+			 */
+			bufputc(ob, '\\');
+			bufputc(ob, ch);
+			break;
+		}
+		i++;
+	}
+}
+//#define TEST
+#ifdef TEST
+int main()
+{
+	const char TEST_STRING[] = "http% this \200 is a test";
+	struct buf *buffer;
+	buffer = bufnew(128);
+	houdini_escape_uri(buffer, TEST_STRING, strlen(TEST_STRING));
+	printf("Result: %.*s\n", (int)buffer->size, buffer->data);
+	bufrelease(buffer);
+	return 0;
+}
+#endif

data/ext/escape_utils/houdini_uri.c ADDED

@@ -0,0 +1,130 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include "houdini.h"
+#include "uri_escape.h"
+#define ESCAPE_GROW_FACTOR(x) (((x) * 12) / 10)
+#define UNESCAPE_GROW_FACTOR(x) (x)
+extern int _isxdigit(int c);
+static void
+escape(struct buf *ob, const uint8_t *src, size_t size, int is_url)
+{
+	static const char hex_chars[] = "0123456789ABCDEF";
+	const char *safe_table = is_url ? URL_SAFE : URI_SAFE;
+	size_t  i = 0, org;
+	char hex_str[3];
+	bufgrow(ob, ESCAPE_GROW_FACTOR(size));
+	hex_str[0] = '%';
+	while (i < size) {
+		org = i;
+		while (i < size && safe_table[src[i]] != 0)
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i >= size)
+			break;
+		if (src[i] == ' ' && is_url) {
+			bufputc(ob, '+');
+		} else {
+			hex_str[1] = hex_chars[(src[i] >> 4) & 0xF];
+			hex_str[2] = hex_chars[src[i] & 0xF];
+			bufput(ob, hex_str, 3);
+		}
+		i++;
+	}
+}
+#define hex2c(c) ((c | 32) % 39 - 9)
+static void
+unescape(struct buf *ob, const uint8_t *src, size_t size, int is_url)
+{
+	size_t  i = 0, org;
+	bufgrow(ob, UNESCAPE_GROW_FACTOR(size));
+	while (i < size) {
+		org = i;
+		while (i < size && src[i] != '%')
+			i++;
+		if (i > org)
+			bufput(ob, src + org, i - org);
+		/* escaping */
+		if (i >= size)
+			break;
+		i++;
+		if (i + 1 < size && _isxdigit(src[i]) && _isxdigit(src[i + 1])) {
+			unsigned char new_char = (hex2c(src[i]) << 4) + hex2c(src[i + 1]);
+			bufputc(ob, new_char);
+			i += 2;
+		} else {
+			bufputc(ob, '%');
+		}
+	}
+	if (is_url) {
+		char *find = (char *)bufcstr(ob);
+		while ((find = strchr(find, '+')) != NULL)
+			*find = ' ';
+	}
+}
+void
+houdini_escape_uri(struct buf *ob, const uint8_t *src, size_t size)
+{
+	return escape(ob, src, size, 0);
+}
+void
+houdini_escape_url(struct buf *ob, const uint8_t *src, size_t size)
+{
+	return escape(ob, src, size, 1);
+}
+void
+houdini_unescape_uri(struct buf *ob, const uint8_t *src, size_t size)
+{
+	return unescape(ob, src, size, 0);
+}
+void
+houdini_unescape_url(struct buf *ob, const uint8_t *src, size_t size)
+{
+	return unescape(ob, src, size, 1);
+}
+//#define TEST
+#ifdef TEST
+int main()
+{
+	const char TEST_STRING[] = "http% this \200 is a test";
+	struct buf *buffer;
+	buffer = bufnew(128);
+	houdini_escape_uri(buffer, TEST_STRING, strlen(TEST_STRING));
+	printf("Result: %.*s\n", (int)buffer->size, buffer->data);
+	bufrelease(buffer);
+	return 0;
+}
+#endif