escape_utils 0.2.3 → 0.2.4
- data/.gitignore +2 -1
- data/CHANGELOG.md +4 -0
- data/README.md +206 -0
- data/benchmark/html_escape.rb +1 -0
- data/benchmark/html_unescape.rb +1 -0
- data/benchmark/javascript_escape.rb +1 -0
- data/benchmark/javascript_unescape.rb +1 -0
- data/benchmark/url_escape.rb +1 -0
- data/benchmark/url_unescape.rb +1 -0
- data/escape_utils.gemspec +0 -3
- data/ext/escape_utils/buffer.c +228 -0
- data/ext/escape_utils/buffer.h +91 -0
- data/ext/escape_utils/escape_utils.c +111 -531
- data/ext/escape_utils/houdini.h +15 -0
- data/ext/escape_utils/houdini_html.c +214 -0
- data/ext/escape_utils/houdini_js.c +148 -0
- data/ext/escape_utils/houdini_uri.c +130 -0
- data/ext/escape_utils/html_unescape.h +754 -0
- data/ext/escape_utils/uri_escape.h +35 -0
- data/lib/escape_utils.rb +2 -2
- data/lib/escape_utils/html/cgi.rb +0 -2
- data/lib/escape_utils/html/erb.rb +0 -2
- data/lib/escape_utils/html/haml.rb +0 -2
- data/lib/escape_utils/html/rack.rb +0 -2
- data/lib/escape_utils/html_safety.rb +0 -2
- data/lib/escape_utils/javascript/action_view.rb +0 -2
- data/lib/escape_utils/url/cgi.rb +0 -2
- data/lib/escape_utils/url/erb.rb +0 -2
- data/lib/escape_utils/url/rack.rb +0 -2
- data/lib/escape_utils/url/uri.rb +0 -2
- data/lib/escape_utils/version.rb +1 -1
- data/spec/html/escape_spec.rb +0 -1
- data/spec/html/unescape_spec.rb +0 -1
- data/spec/html_safety_spec.rb +0 -1
- data/spec/javascript/escape_spec.rb +0 -1
- data/spec/javascript/unescape_spec.rb +0 -1
- data/spec/query/escape_spec.rb +0 -1
- data/spec/query/unescape_spec.rb +1 -0
- data/spec/spec_helper.rb +0 -1
- data/spec/uri/escape_spec.rb +0 -1
- data/spec/uri/unescape_spec.rb +1 -0
- data/spec/url/escape_spec.rb +0 -1
- data/spec/url/unescape_spec.rb +1 -0
- metadata +16 -8
- data/README.rdoc +0 -146
@@ -0,0 +1,35 @@
|
|
1
|
+
static const char URL_SAFE[] = {
|
2
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
3
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
4
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0,
|
5
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
|
6
|
+
0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
7
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1,
|
8
|
+
0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
9
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0,
|
10
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
11
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
12
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
13
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
14
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
15
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
16
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
17
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, };
|
18
|
+
|
19
|
+
static const char URI_SAFE[] = {
|
20
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
21
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
22
|
+
0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
23
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1,
|
24
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
25
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1,
|
26
|
+
0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
27
|
+
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0,
|
28
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
29
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
30
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
31
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
32
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
33
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
34
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
35
|
+
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, };
|
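--- a/data/lib/escape_utils.rb
+++ b/data/lib/escape_utils.rb
@@ -1,9 +1,9 @@
-# encoding: utf-8
 require 'escape_utils/escape_utils'
 require 'escape_utils/version' unless defined? EscapeUtils::VERSION
 
-EscapeUtils.send(:extend, EscapeUtils)
 module EscapeUtils
+extend self
+
 # turn on/off the escaping of the '/' character during HTML escaping
 # Escaping '/' is recommended by the OWASP - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
 # This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010)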
data/lib/escape_utils/url/cgi.rb
CHANGED
data/lib/escape_utils/url/erb.rb
CHANGED
data/lib/escape_utils/url/uri.rb
CHANGED
data/lib/escape_utils/version.rb
CHANGED
data/spec/html/escape_spec.rb
CHANGED
data/spec/html/unescape_spec.rb
CHANGED
data/spec/html_safety_spec.rb
CHANGED
data/spec/query/escape_spec.rb
CHANGED
data/spec/query/unescape_spec.rb
CHANGED
data/spec/spec_helper.rb
CHANGED
data/spec/uri/escape_spec.rb
CHANGED
data/spec/uri/unescape_spec.rb
CHANGED
data/spec/url/escape_spec.rb
CHANGED
data/spec/url/unescape_spec.rb
CHANGED
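--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: escape_utils
 version: !ruby/object:Gem::Version
-hash:
+hash: 31
 prerelease:
 segments:
 - 0
 - 2
--
-version: 0.2.
+- 4
+version: 0.2.4
 platform: ruby
 authors:
 - Brian Lopez
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-
+date: 2011-09-07 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -126,15 +126,15 @@ executables: []
 
 extensions:
 - ext/escape_utils/extconf.rb
-extra_rdoc_files:
-
+extra_rdoc_files: []
+
 files:
 - .gitignore
 - .rspec
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE
-- README.
+- README.md
 - Rakefile
 - benchmark/html_escape.rb
 - benchmark/html_unescape.rb
@@ -143,8 +143,16 @@ files:
 - benchmark/url_escape.rb
 - benchmark/url_unescape.rb
 - escape_utils.gemspec
+- ext/escape_utils/buffer.c
+- ext/escape_utils/buffer.h
 - ext/escape_utils/escape_utils.c
 - ext/escape_utils/extconf.rb
+- ext/escape_utils/houdini.h
+- ext/escape_utils/houdini_html.c
+- ext/escape_utils/houdini_js.c
+- ext/escape_utils/houdini_uri.c
+- ext/escape_utils/html_unescape.h
+- ext/escape_utils/uri_escape.h
 - lib/escape_utils.rb
 - lib/escape_utils/html/cgi.rb
 - lib/escape_utils/html/erb.rb
@@ -201,7 +209,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project:
-rubygems_version: 1.6.
+rubygems_version: 1.6.2
 signing_key:
 specification_version: 3
 summary: Faster string escaping routines for your web apps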
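--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,146 +0,0 @@
-= escape_utils
-
-Being as though we're all html escaping everything these days, why not make it faster?
-
-For character encoding in 1.9, we'll return strings in whatever Encoding.default_internal is set to or utf-8 otherwise.
-
-It has monkey-patches for Rack::Utils, CGI, URI, ERB::Util and Haml and ActionView so you can drop this in and have your app start escaping fast as balls in no time
-
-It supports HTML, URL, URI and Javascript escaping/unescaping.
-
-== Installing
-
-gem install escape_utils
-
-== Usage
-
-=== HTML
-
-==== Escaping
-
-html = `curl -s http://maps.google.com`
-escaped_html = EscapeUtils.escape_html(html)
-
-==== Unescaping
-
-html = `curl -s http://maps.google.com`
-escaped_html = EscapeUtils.escape_html(html)
-html = EscapeUtils.unescape_html(escaped_html)
-
-==== Monkey Patches
-
-require 'escape_utils/html/rack' # to patch Rack::Utils
-require 'escape_utils/html/erb' # to patch ERB::Util
-require 'escape_utils/html/cgi' # to patch CGI
-require 'escape_utils/html/haml' # to patch Haml::Helpers
-
-=== URL
-
-Use (un)escape_uri to get RFC-compliant escaping (like PHP rawurlencode).
-
-Use (un)escape_url to get CGI escaping (where space is +).
-
-==== Escaping
-
-url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
-escaped_url = EscapeUtils.escape_url(url)
-
-==== Unescaping
-
-url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mcEA~!!#*YH*>@!U"
-escaped_url = EscapeUtils.escape_url(url)
-EscapeUtils.unescape_url(escaped_url) == url # => true
-
-=== Javascript
-
-==== Escaping
-
-javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
-escaped_javascript = EscapeUtils.escape_javascript(javascript)
-
-==== Unescaping
-
-javascript = `curl -s http://code.jquery.com/jquery-1.4.2.js`
-escaped_javascript = EscapeUtils.escape_javascript(javascript)
-EscapeUtils.unescape_javascript(escaped_javascript) == javascript # => true
-
-==== Monkey Patches
-
-require 'escape_utils/javascript/action_view' # to patch ActionView::Helpers::JavaScriptHelper
-
-== Benchmarks
-
-In my testing, escaping html is around 10-30x faster than the pure ruby implementations in wide use today.
-While unescaping html is around 40-100x faster than CGI.unescapeHTML which is also pure ruby.
-Escaping Javascript is around 16-30x faster.
-
-This output is from my laptop using the benchmark scripts in the benchmarks folder.
-
-=== HTML
-
-==== Escaping
-
-Rack::Utils.escape_html
-9.650000 0.090000 9.740000 ( 9.750756)
-Haml::Helpers.html_escape
-9.310000 0.110000 9.420000 ( 9.417317)
-ERB::Util.html_escape
-5.330000 0.390000 5.720000 ( 5.748394)
-CGI.escapeHTML
-5.370000 0.380000 5.750000 ( 5.791344)
-FasterHTMLEscape.html_escape
-0.520000 0.010000 0.530000 ( 0.539485)
-fast_xs_extra#fast_xs_html
-0.310000 0.030000 0.340000 ( 0.336734)
-EscapeUtils.escape_html
-0.200000 0.050000 0.250000 ( 0.258839)
-
-==== Unescaping
-
-CGI.unescapeHTML
-16.520000 0.080000 16.600000 ( 16.853888)
-EscapeUtils.unescape_html
-0.120000 0.040000 0.160000 ( 0.162696)
-
-=== Javascript
-
-==== Escaping
-
-ActionView::Helpers::JavaScriptHelper#escape_javascript
-3.810000 0.100000 3.910000 ( 3.925557)
-EscapeUtils.escape_javascript
-0.200000 0.040000 0.240000 ( 0.236692)
-
-==== Unescaping
-
-I didn't look that hard, but I'm not aware of another ruby library that does Javascript unescaping to benchmark against. Anyone know of any?
-
-=== URL
-
-==== Escaping
-
-ERB::Util.url_encode
-0.520000 0.010000 0.530000 ( 0.529277)
-Rack::Utils.escape
-0.460000 0.010000 0.470000 ( 0.466962)
-CGI.escape
-0.440000 0.000000 0.440000 ( 0.443017)
-URLEscape#escape
-0.040000 0.000000 0.040000 ( 0.045661)
-fast_xs_extra#fast_xs_url
-0.010000 0.000000 0.010000 ( 0.015429)
-EscapeUtils.escape_url
-0.010000 0.000000 0.010000 ( 0.010843)
-
-==== Unescaping
-
-Rack::Utils.unescape
-0.250000 0.010000 0.260000 ( 0.257558)
-CGI.unescape
-0.250000 0.000000 0.250000 ( 0.257837)
-URLEscape#unescape
-0.040000 0.000000 0.040000 ( 0.031548)
-fast_xs_extra#fast_uxs_cgi
-0.010000 0.000000 0.010000 ( 0.006062)
-EscapeUtils.unescape_url
-0.000000 0.000000 0.000000 ( 0.005679)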