escape_utils 1.2.2 → 1.3.0

data/ext/escape_utils/houdini_html_e.c

@@ -18,8 +18,8 @@
 static const char HTML_ESCAPE_TABLE[] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
-	0, 0, 1, 0, 0, 0, 2, 3, 0, 0, 0, 0, 0, 0, 0, 4, 
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 6, 0, 
+	0, 0, 1, 0, 0, 0, 2, 3, 0, 0, 0, 0, 0, 0, 0, 0, 
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 5, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -35,24 +35,64 @@ static const char HTML_ESCAPE_TABLE[] = {
 };
 
 static const char *HTML_ESCAPES[] = {
-        "",
-        """,
-        "&",
-        "'",
-        "/",
-        "<",
-        ">"
+	"",
+	""",
+	"&",
+	"'",
+	"<",
+	">"
 };
 
+static const int HTML_ESCAPES_LENGTHS[] = {
+	0,
+	6,
+	5,
+	5,
+	4,
+	4
+};
+
+static int
+is_entity(const uint8_t *src, size_t size)
+{
+	size_t i = 0;
+
+	if (size == 0 || src[0] != '&')
+		return false;
+
+	if (size > 16)
+		size = 16;
+
+	if (size >= 4 && src[1] == '#') {
+		if (_isdigit(src[2])) {
+			for (i = 3; i < size && _isdigit(src[i]); ++i);
+		}
+		else if ((src[2] == 'x' || src[2] == 'X') && _isxdigit(src[3])) {
+			for (i = 4; i < size && _isxdigit(src[i]); ++i);
+		}
+		else return false;
+	}
+	else {
+		for (i = 1; i < size && _isasciialpha(src[i]); ++i);
+		if (i == 1) return false;
+	}
+
+	return i < size && src[i] == ';';
+}
+
 int
-houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
+houdini_escape_html_once(gh_buf *ob, const uint8_t *src, size_t size)
 {
 	size_t  i = 0, org, esc = 0;
 
 	while (i < size) {
 		org = i;
-		while (i < size && (esc = HTML_ESCAPE_TABLE[src[i]]) == 0)
+		while (i < size) {
+			esc = HTML_ESCAPE_TABLE[src[i]];
+			if (unlikely(esc != 0) && !is_entity(src + i, size - i))
+				break;
 			i++;
+		}
 
 		if (i > org) {
 			if (unlikely(org == 0)) {
@@ -69,22 +109,10 @@ houdini_escape_html0(gh_buf *ob, const uint8_t *src, size_t size, int secure)
 		if (unlikely(i >= size))
 			break;
 
-		/* The forward slash is only escaped in secure mode */
-		if (src[i] == '/' && !secure) {
-			gh_buf_putc(ob, '/');
-		} else {
-			gh_buf_puts(ob, HTML_ESCAPES[esc]);
-		}
+		gh_buf_put(ob, HTML_ESCAPES[esc], HTML_ESCAPES_LENGTHS[esc]);
 
 		i++;
 	}
 
 	return 1;
 }
-
-int
-houdini_escape_html(gh_buf *ob, const uint8_t *src, size_t size)
-{
-	return houdini_escape_html0(ob, src, size, 1);
-}
-

data/ext/escape_utils/houdini_uri_e.c

@@ -44,7 +44,7 @@ static const char URI_SAFE[] = {
 
 static int
 escape(gh_buf *ob, const uint8_t *src, size_t size,
-	const char *safe_table, bool escape_plus)
+	const char *safe_table)
 {
 	static const uint8_t hex_chars[] = "0123456789ABCDEF";
 
@@ -73,13 +73,9 @@ escape(gh_buf *ob, const uint8_t *src, size_t size,
 		if (i >= size)
 			break;
 
-		if (src[i] == ' ' && escape_plus) {
-			gh_buf_putc(ob, '+');
-		} else {
-			hex_str[1] = hex_chars[(src[i] >> 4) & 0xF];
-			hex_str[2] = hex_chars[src[i] & 0xF];
-			gh_buf_put(ob, hex_str, 3);
-		}
+		hex_str[1] = hex_chars[(src[i] >> 4) & 0xF];
+		hex_str[2] = hex_chars[src[i] & 0xF];
+		gh_buf_put(ob, hex_str, 3);
 
 		i++;
 	}
@@ -90,18 +86,11 @@ escape(gh_buf *ob, const uint8_t *src, size_t size,
 int
 houdini_escape_uri(gh_buf *ob, const uint8_t *src, size_t size)
 {
-	return escape(ob, src, size, URI_SAFE, false);
+	return escape(ob, src, size, URI_SAFE);
 }
 
 int
 houdini_escape_uri_component(gh_buf *ob, const uint8_t *src, size_t size)
 {
-	return escape(ob, src, size, URL_SAFE, false);
-}
-
-int
-houdini_escape_url(gh_buf *ob, const uint8_t *src, size_t size)
-{
-	return escape(ob, src, size, URL_SAFE, true);
+	return escape(ob, src, size, URL_SAFE);
 }
-

data/ext/escape_utils/houdini_uri_u.c

@@ -7,13 +7,13 @@
 #define hex2c(c) ((c | 32) % 39 - 9)
 
 static int
-unescape(gh_buf *ob, const uint8_t *src, size_t size, bool unescape_plus)
+unescape(gh_buf *ob, const uint8_t *src, size_t size)
 {
 	size_t  i = 0, org;
 
 	while (i < size) {
 		org = i;
-		while (i < size && src[i] != '%' && src[i] != '+')
+		while (i < size && src[i] != '%')
 			i++;
 
 		if (likely(i > org)) {
@@ -31,11 +31,7 @@ unescape(gh_buf *ob, const uint8_t *src, size_t size, bool unescape_plus)
 		if (i >= size)
 			break;
 
-		if (src[i++] == '+') {
-			gh_buf_putc(ob, unescape_plus ? ' ' : '+');
-			continue;
-		}
-
+		i++;
 		if (i + 1 < size && _isxdigit(src[i]) && _isxdigit(src[i + 1])) {
 			unsigned char new_char = (hex2c(src[i]) << 4) + hex2c(src[i + 1]);
 			gh_buf_putc(ob, new_char);
@@ -51,18 +47,12 @@ unescape(gh_buf *ob, const uint8_t *src, size_t size, bool unescape_plus)
 int
 houdini_unescape_uri(gh_buf *ob, const uint8_t *src, size_t size)
 {
-	return unescape(ob, src, size, false);
+	return unescape(ob, src, size);
 }
 
 int
 houdini_unescape_uri_component(gh_buf *ob, const uint8_t *src, size_t size)
 {
-	return unescape(ob, src, size, false);
-}
-
-int
-houdini_unescape_url(gh_buf *ob, const uint8_t *src, size_t size)
-{
-	return unescape(ob, src, size, true);
+	return unescape(ob, src, size);
 }
 

data/ext/escape_utils/houdini_xml_e.c

@@ -25,6 +25,20 @@ static const char *LOOKUP_CODES[] = {
 	">"
 };
 
+static const int LOOKUP_CODES_LENGTHS[] = {
+	0,
+	0,
+	0,
+	0,
+	0,
+	1,
+	6,
+	5,
+	6,
+	4,
+	4
+};
+
 static const char CODE_INVALID = 5;
 
 static const char XML_LOOKUP_TABLE[] = {
@@ -129,7 +143,7 @@ houdini_escape_xml(gh_buf *ob, const uint8_t *src, size_t size)
 		if (end >= size)
 			break;
 
-		gh_buf_puts(ob, LOOKUP_CODES[code]);
+		gh_buf_put(ob, LOOKUP_CODES[code], LOOKUP_CODES_LENGTHS[code]);
 	}
 
 	return 1;

data/lib/escape_utils/html/cgi.rb

@@ -1,11 +1,13 @@
-class CGI
-  extend ::EscapeUtils::HtmlSafety
-
-  class << self
-    alias escapeHTML _escape_html
+module EscapeUtils
+  module CGIHtmlSafety
+    def escapeHTML(html)
+      ::EscapeUtils::HtmlSafety.escape_once(html) { |s| super(s) }
+    end
 
-    def unescapeHTML(s)
-      EscapeUtils.unescape_html(s.to_s)
+    def unescapeHTML(html)
+      super(html.to_s)
     end
   end
-end
+end
+
+CGI.singleton_class.prepend(EscapeUtils::CGIHtmlSafety)

data/lib/escape_utils/html/erb.rb

@@ -1,10 +1 @@
-class ERB
-  module Util
-    include ::EscapeUtils::HtmlSafety
-
-    alias html_escape _escape_html
-    alias h html_escape
-    module_function :h
-    module_function :html_escape
-  end
-end
+require 'escape_utils/html/cgi' # ERB delegates to EscapeUtils.escapeHTML

data/lib/escape_utils/html/haml.rb

@@ -1,7 +1 @@
-module Haml
-  module Helpers
-    include ::EscapeUtils::HtmlSafety
-
-    alias html_escape _escape_html
-  end
-end
+require 'escape_utils/html/cgi' # HAML delegates to EscapeUtils.escapeHTML

data/lib/escape_utils/html/rack.rb

@@ -1,8 +1,8 @@
 module Rack
   module Utils
-    include ::EscapeUtils::HtmlSafety
-
-    alias escape_html _escape_html
+    def escape_html(html)
+      ::EscapeUtils::HtmlSafety.escape_once(html) { |s| CGI.escapeHTML(s) }
+    end
     module_function :escape_html
   end
 end

data/lib/escape_utils/html_safety.rb

@@ -1,6 +1,15 @@
 module EscapeUtils
   module HtmlSafety
     if "".respond_to? :html_safe?
+      def self.escape_once(s)
+        s = s.to_s
+        if s.html_safe?
+          s.html_safe
+        else
+          yield(s).html_safe
+        end
+      end
+
       def _escape_html(s)
         if s.html_safe?
           s.to_s.html_safe
@@ -9,6 +18,10 @@ module EscapeUtils
         end
       end
     else
+      def self.escape_once(s)
+        yield s.to_s
+      end
+
       def _escape_html(s)
         EscapeUtils.escape_html(s.to_s)
       end

data/lib/escape_utils/url/cgi.rb

@@ -1,8 +0,0 @@
-class CGI
-  def self.escape(s)
-    EscapeUtils.escape_url(s.to_s)
-  end
-  def self.unescape(s)
-    EscapeUtils.unescape_url(s.to_s)
-  end
-end

data/lib/escape_utils/url/erb.rb

@@ -1,7 +1,7 @@
 class ERB
   module Util
     def url_encode(s)
-      EscapeUtils.escape_url(s.to_s)
+      EscapeUtils.escape_uri(s.to_s)
     end
     alias u url_encode
     module_function :u

data/lib/escape_utils/url/uri.rb

@@ -1,8 +1,12 @@
-module URI
-  def self.escape(s, unsafe=nil)
-    EscapeUtils.escape_uri(s.to_s)
+require 'uri'
+
+if URI.respond_to?(:escape) # Was removed in Ruby 3.0. Let's not bring it back
+  module URI
+    def self.escape(s, unsafe=nil)
+      EscapeUtils.escape_uri(s.to_s)
+    end
+    def self.unescape(s)
+      EscapeUtils.unescape_uri(s.to_s)
+    end
   end
-  def self.unescape(s)
-    EscapeUtils.unescape_uri(s.to_s)
-  end
-end
+end

data/lib/escape_utils/version.rb

@@ -1,3 +1,3 @@
 module EscapeUtils
-  VERSION = "1.2.2"
+  VERSION = "1.3.0"
 end

data/lib/escape_utils.rb

@@ -1,22 +1,74 @@
+require 'cgi'
 require 'escape_utils/escape_utils'
 require 'escape_utils/version' unless defined? EscapeUtils::VERSION
 
 module EscapeUtils
   extend self
 
-  # turn on/off the escaping of the '/' character during HTML escaping
-  # Escaping '/' is recommended by the OWASP - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
-  # This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010)
-  def self.html_secure
-    @html_secure
+  def html_secure
+    warn "EscapeUtils.html_secure is deprecated"
+    false
+  end
+
+  def html_secure=(val)
+    warn "EscapeUtils.html_secure is deprecated"
   end
-  self.html_secure = true
 
   # Default String class to return from HTML escaping
-  def self.html_safe_string_class
-    @html_safe_string_class
+  attr_reader :html_safe_string_class
+
+  def html_safe_string_class=(klass)
+    unless String >= klass
+      raise ArgumentError, "EscapeUtils.html_safe_string_class must inherit from ::String"
+    end
+    @html_safe_string_class = klass
   end
+
   self.html_safe_string_class = String
 
   autoload :HtmlSafety, 'escape_utils/html_safety'
-end
+
+  def self.escape_html_once_as_html_safe(html)
+    escaped = escape_html_once(html)
+    if String == @html_safe_string_class
+      escaped
+    else
+      escaped = @html_safe_string_class.new(escaped)
+      escaped.instance_variable_set(:@html_safe, true)
+      escaped
+    end
+  end
+
+  def self.escape_html(html, secure = false)
+    warn "EscapeUtils.escape_html is deprecated. Use GCI.escapeHTML instead, it's faster"
+    CGI.escapeHTML(html)
+  end
+
+  def self.escape_html_as_html_safe(html)
+    warn "EscapeUtils.escape_html_as_html_safe is deprecated. Use GCI.escapeHTML(str).html_safe instead, it's faster"
+
+    escaped = CGI.escapeHTML(html)
+    if String == @html_safe_string_class
+      escaped
+    else
+      escaped = @html_safe_string_class.new(escaped)
+      escaped.instance_variable_set(:@html_safe, true)
+      escaped
+    end
+  end
+
+  def self.unescape_html(html)
+    warn "EscapeUtils.unescape_html is deprecated. Use GCI.unescapeHTML instead, performance is similar"
+    CGI.unescapeHTML(html)
+  end
+
+  def self.escape_url(string)
+    warn "EscapeUtils.escape_url is deprecated. Use CGI.escape instead, performance is similar"
+    CGI.escape(string)
+  end
+
+  def self.unescape_url(string)
+    warn "EscapeUtils.unescape_url is deprecated. Use CGI.unescape instead, performance is similar"
+    CGI.unescape(string)
+  end
+end

data/test/helper.rb

@@ -1,11 +1,24 @@
 # Basic test environment.
 
-# blah fuck this
-require 'rubygems' if !defined?(Gem)
-require 'bundler/setup'
+module HideOwnWarnings
+  def warn(message)
+    unless message.include?("EscapeUtils")
+      super
+    end
+  end
+end
+Warning.prepend(HideOwnWarnings)
 
+require 'bundler/setup'
 require 'escape_utils'
 
+require 'active_support'
+require 'active_support/json'
+require "active_support/core_ext/string/output_safety"
+
+require 'action_view'
+require 'action_view/helpers'
+
 # bring in minitest
 require 'minitest/autorun'
 

data/test/html/escape_test.rb

@@ -1,9 +1,18 @@
 require File.expand_path("../../helper", __FILE__)
 
-class MyCustomHtmlSafeString < String
-end
-
 class HtmlEscapeTest < Minitest::Test
+  MyCustomHtmlSafeString = Class.new(String)
+
+  def setup
+    @_previous_safe = EscapeUtils.html_secure
+    @_previous_class = EscapeUtils.html_safe_string_class
+  end
+
+  def teardown
+    EscapeUtils.html_secure = @_previous_safe
+    EscapeUtils.html_safe_string_class = @_previous_class
+  end
+
   def test_escape_source_encoding_is_maintained
     source = 'foobar'
     str = EscapeUtils.escape_html_as_html_safe(source)
@@ -29,38 +38,53 @@ class HtmlEscapeTest < Minitest::Test
   end
 
   def test_escape_basic_html_with_secure
-    assert_equal "&lt;some_tag&#47;&gt;", EscapeUtils.escape_html("<some_tag/>")
+    assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>")
 
-    secure_before = EscapeUtils.html_secure
     EscapeUtils.html_secure = true
-    assert_equal "&lt;some_tag&#47;&gt;", EscapeUtils.escape_html("<some_tag/>")
-    EscapeUtils.html_secure = secure_before
+    assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>")
   end
 
   def test_escape_basic_html_without_secure
     assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>", false)
 
-    secure_before = EscapeUtils.html_secure
     EscapeUtils.html_secure = false
     assert_equal "&lt;some_tag/&gt;", EscapeUtils.escape_html("<some_tag/>")
-    EscapeUtils.html_secure = secure_before
   end
 
   def test_escape_double_quotes
-    assert_equal "&lt;some_tag some_attr=&quot;some value&quot;&#47;&gt;", EscapeUtils.escape_html("<some_tag some_attr=\"some value\"/>")
+    assert_equal "&lt;some_tag some_attr=&quot;some value&quot;/&gt;", EscapeUtils.escape_html("<some_tag some_attr=\"some value\"/>")
   end
 
   def test_escape_single_quotes
-    assert_equal "&lt;some_tag some_attr=&#39;some value&#39;&#47;&gt;", EscapeUtils.escape_html("<some_tag some_attr='some value'/>")
+    assert_equal "&lt;some_tag some_attr=&#39;some value&#39;/&gt;", EscapeUtils.escape_html("<some_tag some_attr='some value'/>")
   end
 
   def test_escape_ampersand
-    assert_equal "&lt;b&gt;Bourbon &amp; Branch&lt;&#47;b&gt;", EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
-  end
-
-  def test_returns_original_if_not_escaped
-    str = 'foobar'
-    assert_equal str.object_id, EscapeUtils.escape_html(str).object_id
+    assert_equal "&lt;b&gt;Bourbon &amp; Branch&lt;/b&gt;", EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
+  end
+
+  def test_escape_html_once
+    {
+      '&<' => '&amp;&lt;',
+      '&amp;&lt;&x;' => '&amp;&lt;&x;',
+      '&amp' => '&amp;amp',
+      '&!;' => '&amp;!;',
+      '&#0;' => '&#0;',
+      '&#10;' => '&#10;',
+      '&#10' => '&amp;#10',
+      '&#10000000000;' => '&#10000000000;',
+      '&#x0;' => '&#x0;',
+      '&#xf0;' => '&#xf0;',
+      '&#xf0' => '&amp;#xf0',
+      '&#x;' => '&amp;#x;',
+      '&#xfoo;' => '&amp;#xfoo;',
+      '&#;' => '&amp;#;',
+      '&#foo;' => '&amp;#foo;',
+      'foo&amp;bar' => 'foo&amp;bar',
+    }.each do |(input, output)|
+      assert_equal output, EscapeUtils.escape_html_once(input)
+      assert_equal output, EscapeUtils.escape_html_once_as_html_safe(input)
+    end
   end
 
   def test_html_safe_escape_default_works
@@ -69,27 +93,21 @@ class HtmlEscapeTest < Minitest::Test
   end
 
   def test_returns_custom_string_class
-    klass_before = EscapeUtils.html_safe_string_class
     EscapeUtils.html_safe_string_class = MyCustomHtmlSafeString
 
     str = EscapeUtils.escape_html_as_html_safe('foobar')
     assert_equal 'foobar', str
     assert_equal MyCustomHtmlSafeString, str.class
     assert_equal true, str.instance_variable_get(:@html_safe)
-  ensure
-    EscapeUtils.html_safe_string_class = klass_before
   end
 
   def test_returns_custom_string_class_when_string_requires_escaping
-    klass_before = EscapeUtils.html_safe_string_class
     EscapeUtils.html_safe_string_class = MyCustomHtmlSafeString
 
     str = EscapeUtils.escape_html_as_html_safe("<script>")
     assert_equal "&lt;script&gt;", str
     assert_equal MyCustomHtmlSafeString, str.class
     assert_equal true, str.instance_variable_get(:@html_safe)
-  ensure
-    EscapeUtils.html_safe_string_class = klass_before
   end
 
   def test_html_safe_string_class_descends_string
@@ -105,22 +123,6 @@ class HtmlEscapeTest < Minitest::Test
     end
   end
 
-  def test_utf8_or_ascii_input_only
-    str = "<b>Bourbon & Branch</b>"
-
-    str.force_encoding 'ISO-8859-1'
-    assert_raises Encoding::CompatibilityError do
-      EscapeUtils.escape_html(str)
-    end
-
-    str.force_encoding 'UTF-8'
-    begin
-      EscapeUtils.escape_html(str)
-    rescue Encoding::CompatibilityError => e
-      assert_nil e, "#{e.class.name} raised, expected not to"
-    end
-  end
-
   def test_return_value_is_tagged_as_utf8
     str = "<b>Bourbon & Branch</b>".encode('utf-8')
     assert_equal Encoding.find('UTF-8'), EscapeUtils.escape_html(str).encoding

data/test/html/unescape_test.rb

@@ -23,22 +23,6 @@ class HtmlUnescapeTest < Minitest::Test
     assert_equal "&lt", EscapeUtils.unescape_html("&lt")
   end
 
-  def test_input_must_be_utf8_or_ascii
-    escaped = EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
-
-    escaped.force_encoding 'ISO-8859-1'
-    assert_raises Encoding::CompatibilityError do
-      EscapeUtils.unescape_html(escaped)
-    end
-
-    escaped.force_encoding 'UTF-8'
-    begin
-      EscapeUtils.unescape_html(escaped)
-    rescue Encoding::CompatibilityError => e
-      assert_nil e, "#{e.class.name} raised, expected not to"
-    end
-  end
-
   def test_return_value_is_tagged_as_utf8
     escaped = EscapeUtils.escape_html("<b>Bourbon & Branch</b>")
     assert_equal Encoding.find('UTF-8'), EscapeUtils.unescape_html(escaped).encoding

data/test/html_safety_test.rb

@@ -1,37 +1,11 @@
 require File.expand_path("../helper", __FILE__)
 
-class Object
-  def html_safe?
-    false
-  end
-end
-
-class TestSafeBuffer < String
-  def html_safe?
-    true
-  end
-
-  def html_safe
-    self
-  end
-
-  def to_s
-    self
-  end
-end
-
-class String
-  def html_safe
-    TestSafeBuffer.new(self)
-  end
-end
-
 class HtmlEscapeTest < Minitest::Test
   include EscapeUtils::HtmlSafety
 
   def test_marks_escaped_strings_safe
     escaped = _escape_html("<strong>unsafe</strong>")
-    assert_equal "&lt;strong&gt;unsafe&lt;&#47;strong&gt;", escaped
+    assert_equal "&lt;strong&gt;unsafe&lt;/strong&gt;", escaped
     assert escaped.html_safe?
   end