escape_utils 0.2.4 → 0.3.0

data/ext/escape_utils/houdini_js_u.c

@@ -0,0 +1,60 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "houdini.h"
+
+int
+houdini_unescape_js(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	size_t  i = 0, org, ch;
+
+	while (i < size) {
+		org = i;
+		while (i < size && src[i] != '\\')
+			i++;
+
+		if (likely(i > org)) {
+			if (unlikely(org == 0)) {
+				if (i >= size)
+					return 0;
+
+				gh_buf_grow(ob, HOUDINI_UNESCAPED_SIZE(size));
+			}
+
+			gh_buf_put(ob, src + org, i - org);
+		}
+
+		/* escaping */
+		if (i == size)
+			break;
+
+		if (++i == size) {
+			gh_buf_putc(ob, '\\');
+			break;
+		}
+
+		ch = src[i];
+
+		switch (ch) {
+		case 'n':
+			ch = '\n';
+			/* pass through */
+
+		case '\\':
+		case '\'':
+		case '\"':
+		case '/':
+			gh_buf_putc(ob, ch);
+			i++;
+			break;
+
+		default:
+			gh_buf_putc(ob, '\\');
+			break;
+		}
+	}
+
+	return 1;
+}
+

data/ext/escape_utils/{uri_escape.h → houdini_uri_e.c}

@@ -1,3 +1,9 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "houdini.h"
+
 static const char URL_SAFE[] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -14,7 +20,8 @@ static const char URL_SAFE[] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, };
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
 
 static const char URI_SAFE[] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -32,4 +39,63 @@ static const char URI_SAFE[] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, };
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static int
+escape(gh_buf *ob, const uint8_t *src, size_t size, int is_url)
+{
+	static const uint8_t hex_chars[] = "0123456789ABCDEF";
+	const char *safe_table = is_url ? URL_SAFE : URI_SAFE;
+
+	size_t  i = 0, org;
+	uint8_t hex_str[3];
+
+	hex_str[0] = '%';
+
+	while (i < size) {
+		org = i;
+		while (i < size && safe_table[src[i]] != 0)
+			i++;
+
+		if (likely(i > org)) {
+			if (unlikely(org == 0)) {
+				if (i >= size)
+					return 0;
+
+				gh_buf_grow(ob, HOUDINI_ESCAPED_SIZE(size));
+			}
+
+			gh_buf_put(ob, src + org, i - org);
+		}
+
+		/* escaping */
+		if (i >= size)
+			break;
+
+		if (src[i] == ' ' && is_url) {
+			gh_buf_putc(ob, '+');
+		} else {
+			hex_str[1] = hex_chars[(src[i] >> 4) & 0xF];
+			hex_str[2] = hex_chars[src[i] & 0xF];
+			gh_buf_put(ob, hex_str, 3);
+		}
+
+		i++;
+	}
+
+	return 1;
+}
+
+int
+houdini_escape_uri(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	return escape(ob, src, size, 0);
+}
+
+int
+houdini_escape_url(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	return escape(ob, src, size, 1);
+}
+

data/ext/escape_utils/houdini_uri_u.c

@@ -0,0 +1,65 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "houdini.h"
+
+#define hex2c(c) ((c | 32) % 39 - 9)
+
+static int
+unescape(gh_buf *ob, const uint8_t *src, size_t size, int is_url)
+{
+	size_t  i = 0, org;
+
+	while (i < size) {
+		org = i;
+		while (i < size && src[i] != '%')
+			i++;
+
+		if (likely(i > org)) {
+			if (unlikely(org == 0)) {
+				if (i >= size && !is_url)
+					return 0;
+
+				gh_buf_grow(ob, HOUDINI_UNESCAPED_SIZE(size));
+			}
+
+			gh_buf_put(ob, src + org, i - org);
+		}
+
+		/* escaping */
+		if (i >= size)
+			break;
+
+		i++;
+
+		if (i + 1 < size && _isxdigit(src[i]) && _isxdigit(src[i + 1])) {
+			unsigned char new_char = (hex2c(src[i]) << 4) + hex2c(src[i + 1]);
+			gh_buf_putc(ob, new_char);
+			i += 2;
+		} else {
+			gh_buf_putc(ob, '%');
+		}
+	}
+
+	if (is_url) {
+		char *find = (char *)gh_buf_cstr(ob);
+		while ((find = strchr(find, '+')) != NULL)
+			*find = ' ';
+	}
+
+	return 1;
+}
+
+int
+houdini_unescape_uri(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	return unescape(ob, src, size, 0);
+}
+
+int
+houdini_unescape_url(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	return unescape(ob, src, size, 1);
+}
+

data/ext/escape_utils/houdini_xml_e.c

@@ -0,0 +1,136 @@
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "houdini.h"
+
+/**
+ * & --> &amp;
+ * < --> &lt;
+ * > --> &gt;
+ * " --> &quot;
+ * ' --> &apos;
+ */
+static const char *LOOKUP_CODES[] = {
+	"", /* reserved: use literal single character */
+	"", /* unused */
+	"", /* reserved: 2 character UTF-8 */
+	"", /* reserved: 3 character UTF-8 */
+	"", /* reserved: 4 character UTF-8 */
+	"?", /* invalid UTF-8 character */
+	"&quot;",
+	"&amp;",
+	"&apos;",
+	"&lt;",
+	"&gt;"
+};
+
+static const char CODE_INVALID = 5;
+
+static const char XML_LOOKUP_TABLE[] = {
+	/* ASCII: 0xxxxxxx */
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 0, 0, 5, 5, 0, 5, 5,
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+	0, 0, 6, 0, 0, 0, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 0,10, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+	/* Invalid UTF-8 char start: 10xxxxxx */
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+	5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
+
+	/* Multibyte UTF-8 */
+
+	/* 2 bytes: 110xxxxx */
+	2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+	2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+
+	/* 3 bytes: 1110xxxx */
+	3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+
+	/* 4 bytes: 11110xxx */
+	4, 4, 4, 4, 4, 4, 4, 4,
+
+	/* Invalid UTF-8: 11111xxx */
+	5, 5, 5, 5, 5, 5, 5, 5,
+};
+
+int
+houdini_escape_xml(gh_buf *ob, const uint8_t *src, size_t size)
+{
+	size_t i = 0;
+	unsigned char code = 0;
+
+	gh_buf_grow(ob, HOUDINI_ESCAPED_SIZE(size));
+
+	while (i < size) {
+		size_t start, end;
+
+		start = end = i;
+
+		while (i < size) {
+			unsigned int byte;
+
+			byte = src[i++];
+			code = XML_LOOKUP_TABLE[byte];
+
+			if (!code) {
+				/* single character used literally */
+			} else if (code >= CODE_INVALID) {
+				break; /* insert lookup code string */
+			} else if (code > size - end) {
+				code = CODE_INVALID; /* truncated UTF-8 character */
+				break;
+			} else {
+				unsigned int chr = byte & (0xff >> code);
+
+				while (--code) {
+					byte = src[i++];
+					if ((byte & 0xc0) != 0x80) {
+						code = CODE_INVALID;
+						break;
+					}
+					chr = (chr << 6) + (byte & 0x3f);
+				}
+
+				switch (i - end) {
+					case 2:
+						if (chr < 0x80)
+							code = CODE_INVALID;
+						break;
+					case 3:
+						if (chr < 0x800 ||
+						    (chr > 0xd7ff && chr < 0xe000) ||
+							chr > 0xfffd)
+							code = CODE_INVALID;
+						break;
+					case 4:
+						if (chr < 0x10000 || chr > 0x10ffff)
+							code = CODE_INVALID;
+						break;
+					default:
+						break;
+				}
+				if (code == CODE_INVALID)
+					break;
+			}
+			end = i;
+		}
+
+		if (end > start)
+			gh_buf_put(ob, src + start, end - start);
+
+		/* escaping */
+		if (end >= size)
+			break;
+
+		gh_buf_puts(ob, LOOKUP_CODES[code]);
+	}
+
+	return 1;
+}

data/lib/escape_utils/version.rb

@@ -1,3 +1,3 @@
 module EscapeUtils
-  VERSION = "0.2.4"
+  VERSION = "0.3.0"
 end

data/lib/escape_utils/xml/builder.rb

@@ -0,0 +1,8 @@
+module Builder
+  class XmlBase < BlankSlate
+    private
+    def _escape(text)
+      EscapeUtils.escape_xml(text.to_s)
+    end
+  end
+end

data/test/helper.rb

@@ -0,0 +1,14 @@
+# Basic test environment.
+
+# blah fuck this
+require 'rubygems' if !defined?(Gem)
+require 'bundler/setup'
+
+require 'escape_utils'
+
+# bring in minitest
+require 'minitest/autorun'
+
+# put lib and test dirs directly on load path
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+$LOAD_PATH.unshift File.expand_path('..', __FILE__)

data/test/html/escape_test.rb

@@ -0,0 +1,61 @@
+require File.expand_path("../../helper", __FILE__)
+
+class HtmlEscapeTest < MiniTest::Unit::TestCase
+  def test_escape_basic_html_with_secure
+    assert_equal "&lt;some_tag&#47;&gt;", EscapeUtils.escape_html("<some_tag/>")
+
+    secure_before = EscapeUtils.html_secure
+    EscapeUtils.html_secure = true
+    assert_equal "&lt;some_tag&#47;&gt;", EscapeUtils.escape_html("<some_tag/>")
+    EscapeUtils.html_secure = secure_before
+  end
+
+  def test_escape_basic_html_without_secure
+    assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>", false)
+
+    secure_before = EscapeUtils.html_secure
+    EscapeUtils.html_secure = false
+    assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>")
+    EscapeUtils.html_secure = secure_before
+  end
+
+  def test_escape_double_quotes
+    assert_equal "&lt;some_tag some_attr=&quot;some value&quot;&#47;&gt;", EscapeUtils.escape_html("<some_tag some_attr=\"some value\"/>")
+  end
+
+  def test_escape_single_quotes
+    assert_equal "&lt;some_tag some_attr=&#39;some value&#39;&#47;&gt;", EscapeUtils.escape_html("<some_tag some_attr='some value'/>")
+  end
+
+  def test_escape_ampersand
+    assert_equal "&lt;b&gt;Bourbon &amp; Branch&lt;&#47;b&gt;", EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
+  end
+
+  def test_returns_original_if_not_escaped
+    str = 'foobar'
+    assert_equal str.object_id, EscapeUtils.escape_html(str).object_id
+  end
+
+  if RUBY_VERSION =~ /^1.9/
+    def test_utf8_or_ascii_input_only
+      str = "<b>Bourbon & Branch</b>"
+
+      str.force_encoding 'ISO-8859-1'
+      assert_raises Encoding::CompatibilityError do
+        EscapeUtils.escape_html(str)
+      end
+
+      str.force_encoding 'UTF-8'
+      begin
+        EscapeUtils.escape_html(str)
+      rescue Encoding::CompatibilityError => e
+        assert_nil e, "#{e.class.name} raised, expected not to"
+      end
+    end
+
+    def test_return_value_is_tagged_as_utf8
+      str = "<b>Bourbon & Branch</b>".encode('utf-8')
+      assert_equal Encoding.find('UTF-8'), EscapeUtils.escape_html(str).encoding
+    end
+  end
+end

data/test/html/unescape_test.rb

@@ -0,0 +1,48 @@
+# encoding: utf-8
+require File.expand_path("../../helper", __FILE__)
+
+class HtmlUnescapeTest < MiniTest::Unit::TestCase
+  def test_basic_html
+    assert_equal "<some_tag/>", EscapeUtils.unescape_html("&lt;some_tag&#47;&gt;")
+  end
+
+  def test_double_quotes
+    assert_equal "<some_tag some_attr=\"some value\"/>", EscapeUtils.unescape_html("&lt;some_tag some_attr=&quot;some value&quot;&#47;&gt;")
+  end
+
+  def test_single_quotes
+    assert_equal "<some_tag some_attr='some value'/>", EscapeUtils.unescape_html("&lt;some_tag some_attr=&#39;some value&#39;&#47;&gt;")
+  end
+
+  def test_amperstand
+    assert_equal "<b>Bourbon & Branch</b>", EscapeUtils.unescape_html("&lt;b&gt;Bourbon &amp; Branch&lt;&#47;b&gt;")
+  end
+
+  def test_passes_through_incompletely_escaped_tags
+    assert_equal "&", EscapeUtils.unescape_html("&")
+    assert_equal "&lt", EscapeUtils.unescape_html("&lt")
+  end
+
+  if RUBY_VERSION =~ /^1.9/
+    def test_input_must_be_utf8_or_ascii
+      escaped = EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
+
+      escaped.force_encoding 'ISO-8859-1'
+      assert_raises Encoding::CompatibilityError do
+        EscapeUtils.unescape_html(escaped)
+      end
+
+      escaped.force_encoding 'UTF-8'
+      begin
+        EscapeUtils.unescape_html(escaped)
+      rescue Encoding::CompatibilityError => e
+        assert_nil e, "#{e.class.name} raised, expected not to"
+      end
+    end
+
+    def test_return_value_is_tagged_as_utf8
+      escaped = EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
+      assert_equal Encoding.find('UTF-8'), EscapeUtils.unescape_html(escaped).encoding
+    end
+  end
+end