gettext_i18n_rails 0.2.14 → 0.2.15

data/Readme.md

@@ -134,11 +134,16 @@ namespace-aware translation
 
 XSS / html_safe
 ===============
-If you trust your translators and all your usages of % on translations:  
-(% on string is atm buggy with always staying html_safe, no matter what was replaced)
+If you trust your translators and all your usages of % on translations:<br/>
     # config/environment.rb
     GettextI18nRails.translations_are_html_safe = true
 
+String % vs html_safe is buggy (can be used for XSS on 1.8 and is always non-safe in 1.9)<br/>
+My recommended fix is: `require 'gettext_i18n_rails/string_interpolate_fix'`
+
+ - safe stays safe (escape added strings)
+ - unsafe stays unsafe (do not escape added strings)
+
 ActiveRecord - error messages
 =============================
 ActiveRecord error messages are translated through Rails::I18n, but
@@ -194,10 +199,6 @@ lib/tasks/gettext.rake:
       end
     end
 
-TODO
-=====
- - fix % on string to respect html_safe: `("<a>%{x}</a>".html_safe % {:x=>'<script>y</script>'})` should escape the `<script>y</script>` part) 
-
 Contributors
 ======
  - [ruby gettext extractor](http://github.com/retoo/ruby_gettext_extractor/tree/master) from [retoo](http://github.com/retoo)
@@ -208,6 +209,6 @@ Contributors
  - [Anh Hai Trinh](http://blog.onideas.ws)
  - [ed0h](http://github.com/ed0h)
 
-[Michael Grosser](http://grosser.it)  
-grosser.michael@gmail.com  
+[Michael Grosser](http://grosser.it)<br/>
+grosser.michael@gmail.com<br/>
 Hereby placed under public domain, do what you want, just do not hold me accountable...

data/VERSION

@@ -1 +1 @@
-0.2.14
+0.2.15

data/gettext_i18n_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{gettext_i18n_rails}
-  s.version = "0.2.14"
+  s.version = "0.2.15"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Michael Grosser"]
-  s.date = %q{2011-01-28}
+  s.date = %q{2011-02-10}
   s.email = %q{grosser.michael@gmail.com}
   s.files = [
     "Rakefile",
@@ -27,11 +27,13 @@ Gem::Specification.new do |s|
     "lib/gettext_i18n_rails/model_attributes_finder.rb",
     "lib/gettext_i18n_rails/railtie.rb",
     "lib/gettext_i18n_rails/ruby_gettext_extractor.rb",
+    "lib/gettext_i18n_rails/string_interpolate_fix.rb",
     "lib/gettext_i18n_rails/tasks.rb",
     "lib/tasks/gettext_rails_i18n.rake",
     "spec/gettext_i18n_rails/action_controller_spec.rb",
     "spec/gettext_i18n_rails/active_record_spec.rb",
     "spec/gettext_i18n_rails/backend_spec.rb",
+    "spec/gettext_i18n_rails/string_interpolate_fix_spec.rb",
     "spec/gettext_i18n_rails_spec.rb",
     "spec/spec_helper.rb"
   ]
@@ -43,6 +45,7 @@ Gem::Specification.new do |s|
     "spec/gettext_i18n_rails/action_controller_spec.rb",
     "spec/gettext_i18n_rails/active_record_spec.rb",
     "spec/gettext_i18n_rails/backend_spec.rb",
+    "spec/gettext_i18n_rails/string_interpolate_fix_spec.rb",
     "spec/gettext_i18n_rails_spec.rb",
     "spec/spec_helper.rb"
   ]

data/lib/gettext_i18n_rails/string_interpolate_fix.rb

@@ -0,0 +1,20 @@
+needed = "".respond_to?(:html_safe) and
+  (
+    "".html_safe % {:x => '<br/>'} == '<br/>' or
+    not ("".html_safe % {:x=>'a'}).html_safe?
+  )
+
+if needed
+  class String
+    alias :interpolate_without_html_safe :%
+
+    def %(*args)
+      if args.first.is_a?(Hash) and html_safe?
+        safe_replacement = Hash[args.first.map{|k,v| [k,ERB::Util.h(v)] }]
+        interpolate_without_html_safe(safe_replacement).html_safe
+      else
+        interpolate_without_html_safe(*args).dup # make sure its not html_safe
+      end
+    end
+  end
+end

data/spec/gettext_i18n_rails/string_interpolate_fix_spec.rb

@@ -0,0 +1,32 @@
+require File.expand_path("../spec_helper", File.dirname(__FILE__))
+require 'gettext_i18n_rails/string_interpolate_fix'
+
+describe "String#%" do
+  it "is not safe if it was not safe" do
+    result = ("<br/>%{x}" % {:x => 'a'})
+    result.should == '<br/>a'
+    result.html_safe?.should == false
+  end
+
+  it "stays safe if it was safe" do
+    result = ("<br/>%{x}".html_safe % {:x => 'a'})
+    result.should == '<br/>a'
+    result.html_safe?.should == true
+  end
+
+  it "escapes unsafe added to safe" do
+    result = ("<br/>%{x}".html_safe % {:x => '<br/>'})
+    result.should == '<br/>&lt;br/&gt;'
+    result.html_safe?.should == true
+  end
+
+  it "does not escape unsafe if it was unsafe" do
+    result = ("<br/>%{x}" % {:x => '<br/>'})
+    result.should == '<br/><br/>'
+    result.html_safe?.should == false
+  end
+
+  it "does not break array replacement" do
+    "%ssd" % ['a'].should == "asd"
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: gettext_i18n_rails
 version: !ruby/object:Gem::Version 
-  hash: 11
+  hash: 9
   prerelease: 
   segments: 
   - 0
   - 2
-  - 14
-  version: 0.2.14
+  - 15
+  version: 0.2.15
 platform: ruby
 authors: 
 - Michael Grosser
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-28 00:00:00 +01:00
+date: 2011-02-10 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -56,11 +56,13 @@ files:
 - lib/gettext_i18n_rails/model_attributes_finder.rb
 - lib/gettext_i18n_rails/railtie.rb
 - lib/gettext_i18n_rails/ruby_gettext_extractor.rb
+- lib/gettext_i18n_rails/string_interpolate_fix.rb
 - lib/gettext_i18n_rails/tasks.rb
 - lib/tasks/gettext_rails_i18n.rake
 - spec/gettext_i18n_rails/action_controller_spec.rb
 - spec/gettext_i18n_rails/active_record_spec.rb
 - spec/gettext_i18n_rails/backend_spec.rb
+- spec/gettext_i18n_rails/string_interpolate_fix_spec.rb
 - spec/gettext_i18n_rails_spec.rb
 - spec/spec_helper.rb
 has_rdoc: true
@@ -101,5 +103,6 @@ test_files:
 - spec/gettext_i18n_rails/action_controller_spec.rb
 - spec/gettext_i18n_rails/active_record_spec.rb
 - spec/gettext_i18n_rails/backend_spec.rb
+- spec/gettext_i18n_rails/string_interpolate_fix_spec.rb
 - spec/gettext_i18n_rails_spec.rb
 - spec/spec_helper.rb