herb 0.9.1-aarch64-linux-gnu → 0.9.3-aarch64-linux-gnu

data/lib/herb/engine/compiler.rb

@@ -3,6 +3,8 @@
 module Herb
   class Engine
     class Compiler < ::Herb::Visitor
+      EXPRESSION_TOKEN_TYPES = [:expr, :expr_escaped, :expr_block, :expr_block_escaped].freeze
+
       attr_reader :tokens
 
       def initialize(engine, options = {})
@@ -10,13 +12,13 @@ module Herb
 
         @engine = engine
         @escape = options.fetch(:escape) { options.fetch(:escape_html, false) }
-        @attrfunc = options.fetch(:attrfunc, @escape ? "__herb.attr" : "::Herb::Engine.attr")
-        @jsfunc = options.fetch(:jsfunc, @escape ? "__herb.js" : "::Herb::Engine.js")
-        @cssfunc = options.fetch(:cssfunc, @escape ? "__herb.css" : "::Herb::Engine.css")
         @tokens = [] #: Array[untyped]
         @element_stack = [] #: Array[String]
         @context_stack = [:html_content]
         @trim_next_whitespace = false
+        @last_trim_consumed_newline = false
+        @pending_leading_whitespace = nil
+        @pending_leading_whitespace_insert_index = 0
       end
 
       def generate_output
@@ -28,26 +30,16 @@ module Herb
             @engine.send(:add_text, value)
           when :code
             @engine.send(:add_code, value)
-          when :expr
-            if [:attribute_value, :script_content, :style_content].include?(context)
-              add_context_aware_expression(value, context)
-            else
-              indicator = @escape ? "==" : "="
-              @engine.send(:add_expression, indicator, value)
-            end
-          when :expr_escaped
-            if [:attribute_value, :script_content, :style_content].include?(context)
-              add_context_aware_expression(value, context)
+          when :expr, :expr_escaped
+            indicator = indicator_for(type)
+
+            if context_aware_context?(context)
+              @engine.send(:add_context_aware_expression, indicator, value, context)
             else
-              indicator = @escape ? "=" : "=="
               @engine.send(:add_expression, indicator, value)
             end
-          when :expr_block
-            indicator = @escape ? "==" : "="
-            @engine.send(:add_expression_block, indicator, value)
-          when :expr_block_escaped
-            indicator = @escape ? "=" : "=="
-            @engine.send(:add_expression_block, indicator, value)
+          when :expr_block, :expr_block_escaped
+            @engine.send(:add_expression_block, indicator_for(type), value)
           when :expr_block_end
             @engine.send(:add_expression_block_end, value, escaped: escaped)
           end
@@ -59,43 +51,19 @@ module Herb
       end
 
       def visit_html_element_node(node)
-        tag_name = node.tag_name&.value&.downcase
-
-        @element_stack.push(tag_name) if tag_name
-
-        if tag_name == "script"
-          push_context(:script_content)
-        elsif tag_name == "style"
-          push_context(:style_content)
+        with_element_context(node) do
+          visit(node.open_tag)
+          visit_all(node.body)
+          visit(node.close_tag)
         end
-
-        visit(node.open_tag)
-        visit_all(node.body)
-        visit(node.close_tag)
-
-        pop_context if ["script", "style"].include?(tag_name)
-
-        @element_stack.pop if tag_name
       end
 
       def visit_html_conditional_element_node(node)
-        tag_name = node.tag_name&.value&.downcase
-
-        @element_stack.push(tag_name) if tag_name
-
-        if tag_name == "script"
-          push_context(:script_content)
-        elsif tag_name == "style"
-          push_context(:style_content)
+        with_element_context(node) do
+          visit(node.open_conditional)
+          visit_all(node.body)
+          visit(node.close_conditional)
         end
-
-        visit(node.open_conditional)
-        visit_all(node.body)
-        visit(node.close_conditional)
-
-        pop_context if ["script", "style"].include?(tag_name)
-
-        @element_stack.pop if tag_name
       end
 
       def visit_html_open_tag_node(node)
@@ -283,12 +251,16 @@ module Herb
                      else
                        [:expr_block, code, current_context]
                      end
+          @last_trim_consumed_newline = false
 
           visit_all(node.body)
           visit_erb_block_end_node(node.end_node, escaped: should_escape)
         else
           visit_erb_control_node(node) do
             visit_all(node.body)
+            visit(node.rescue_clause)
+            visit(node.else_clause)
+            visit(node.ensure_clause)
             visit(node.end_node)
           end
         end
@@ -302,10 +274,10 @@ module Herb
         code = node.content.value.strip
 
         if at_line_start?
-          lspace = extract_and_remove_lspace!
-          rspace = " \n"
+          leading_space = extract_and_remove_leading_space!
+          right_space = " \n"
 
-          @tokens << [:expr_block_end, "#{lspace}#{code}#{rspace}", current_context, escaped]
+          @tokens << [:expr_block_end, "#{leading_space}#{code}#{right_space}", current_context, escaped]
           @trim_next_whitespace = true
         else
           @tokens << [:expr_block_end, code, current_context, escaped]
@@ -342,25 +314,23 @@ module Herb
         @context_stack.pop
       end
 
-      def add_context_aware_expression(code, context)
-        closing = code.include?("#") ? "\n))" : "))"
-
-        case context
-        when :attribute_value
-          @engine.send(:with_buffer) {
-            @engine.src << " << #{@attrfunc}((" << code << closing
-          }
-        when :script_content
-          @engine.send(:with_buffer) {
-            @engine.src << " << #{@jsfunc}((" << code << closing
-          }
-        when :style_content
-          @engine.send(:with_buffer) {
-            @engine.src << " << #{@cssfunc}((" << code << closing
-          }
-        else
-          @engine.send(:add_expression_result_escaped, code)
+      #: (untyped node) { () -> untyped } -> untyped
+      def with_element_context(node)
+        tag_name = node.tag_name&.value&.downcase
+
+        @element_stack.push(tag_name) if tag_name
+
+        if tag_name == "script"
+          push_context(:script_content)
+        elsif tag_name == "style"
+          push_context(:style_content)
         end
+
+        yield
+
+        pop_context if ["script", "style"].include?(tag_name)
+
+        @element_stack.pop if tag_name
       end
 
       def process_erb_tag(node, skip_comment_check: false)
@@ -368,11 +338,13 @@ module Herb
 
         if !skip_comment_check && erb_comment?(opening)
           has_left_trim = opening.start_with?("<%-")
+          follows_newline = leading_space_follows_newline?
           remove_trailing_whitespace_from_last_token! if has_left_trim
 
           if at_line_start?
-            extract_and_remove_lspace!
+            leading_space = extract_and_remove_leading_space!
             @trim_next_whitespace = true
+            save_pending_leading_whitespace!(leading_space) if !leading_space.empty? && follows_newline
           end
           return
         end
@@ -391,10 +363,17 @@ module Herb
         return if text.empty?
 
         if @trim_next_whitespace
+          @last_trim_consumed_newline = text.match?(/\A[ \t]*\r?\n/)
           text = text.sub(/\A[ \t]*\r?\n/, "")
           @trim_next_whitespace = false
+
+          restore_pending_leading_whitespace! unless @last_trim_consumed_newline
+        else
+          @last_trim_consumed_newline = false
         end
 
+        @pending_leading_whitespace = nil
+
         return if text.empty?
 
         @tokens << [:text, text, current_context]
@@ -410,10 +389,12 @@ module Herb
 
       def add_expression(code)
         @tokens << [:expr, code, current_context]
+        @last_trim_consumed_newline = false
       end
 
       def add_expression_escaped(code)
         @tokens << [:expr_escaped, code, current_context]
+        @last_trim_consumed_newline = false
       end
 
       def optimize_tokens(tokens)
@@ -497,12 +478,29 @@ module Herb
       end
 
       def process_erb_output(node, opening, code)
+        if @trim_next_whitespace && @pending_leading_whitespace
+          restore_pending_leading_whitespace!
+          @pending_leading_whitespace = nil
+          @trim_next_whitespace = false
+          @last_trim_consumed_newline = false
+        end
+
         has_right_trim = node.tag_closing&.value == "-%>"
         should_escape = should_escape_output?(opening)
         add_expression_with_escaping(code, should_escape)
         @trim_next_whitespace = true if has_right_trim
       end
 
+      def indicator_for(type)
+        escaped = [:expr_escaped, :expr_block_escaped].include?(type)
+
+        escaped ^ @escape ? "==" : "="
+      end
+
+      def context_aware_context?(context)
+        [:attribute_value, :script_content, :style_content].include?(context)
+      end
+
       def should_escape_output?(opening)
         is_double_equals = opening == "<%=="
         is_double_equals ? !@escape : @escape
@@ -517,78 +515,119 @@ module Herb
       end
 
       def at_line_start?
-        @tokens.empty? ||
-          @tokens.last[0] != :text ||
-          @tokens.last[1].empty? ||
-          @tokens.last[1].end_with?("\n") ||
-          (@tokens.last[1] =~ /\A[ \t]+\z/ && preceding_token_ends_with_newline?) ||
-          @tokens.last[1] =~ /\n[ \t]+\z/
+        return true if @tokens.empty?
+
+        last_type = @tokens.last[0]
+        last_value = @tokens.last[1]
+
+        if last_type == :text
+          last_value.empty? || last_value.end_with?("\n") || (last_value =~ /\A[ \t]+\z/ && preceding_token_ends_with_newline?) || last_value =~ /\n[ \t]+\z/
+        elsif EXPRESSION_TOKEN_TYPES.include?(last_type)
+          @last_trim_consumed_newline
+        else
+          last_value.end_with?("\n")
+        end
       end
 
       def preceding_token_ends_with_newline?
         return true unless @tokens.length >= 2
 
         preceding = @tokens[-2]
-        return false if [:expr, :expr_escaped, :expr_block, :expr_block_escaped, :expr_block_end].include?(preceding[0])
+        return @last_trim_consumed_newline if EXPRESSION_TOKEN_TYPES.include?(preceding[0])
+        return preceding[1].end_with?("\n") if preceding[0] == :expr_block_end
         return true unless preceding[0] == :text
 
         preceding[1].end_with?("\n")
       end
 
-      def extract_lspace
-        return "" unless @tokens.last && @tokens.last[0] == :text
+      def last_text_token
+        return unless @tokens.last && @tokens.last[0] == :text
 
-        text = @tokens.last[1]
+        @tokens.last
+      end
+
+      def extract_leading_space
+        token = last_text_token
+        return "" unless token
+
+        text = token[1]
 
         return Regexp.last_match(1) if text =~ /\n([ \t]+)\z/ || text =~ /\A([ \t]+)\z/
 
         ""
       end
 
-      def extract_and_remove_lspace!
-        lspace = extract_lspace
-        return lspace if lspace.empty?
+      def leading_space_follows_newline?
+        token = last_text_token
+        return false unless token
+
+        token[1].match?(/\n[ \t]+\z/)
+      end
+
+      def extract_and_remove_leading_space!
+        leading_space = extract_leading_space
+        return leading_space if leading_space.empty?
 
         text = @tokens.last[1]
+
         if text =~ /\n[ \t]+\z/
           text.sub!(/[ \t]+\z/, "")
         elsif text =~ /\A[ \t]+\z/
           text.replace("")
         end
+
         @tokens.last[1] = text
 
-        lspace
+        leading_space
       end
 
       def apply_trim(node, code)
         has_left_trim = node.tag_opening.value.start_with?("<%-")
-        node.tag_closing&.value
 
-        remove_trailing_whitespace_from_last_token! if has_left_trim
+        follows_newline = leading_space_follows_newline?
+        removed_whitespace = has_left_trim ? remove_trailing_whitespace_from_last_token! : ""
 
         if at_line_start?
-          lspace = extract_and_remove_lspace!
-          rspace = Herb::Engine.heredoc?(code) ? "\n" : " \n"
+          leading_space = extract_and_remove_leading_space!
+          effective_leading_space = leading_space.empty? ? removed_whitespace : leading_space
+          right_space = Herb::Engine.heredoc?(code) ? "\n" : " \n"
 
-          @tokens << [:code, "#{lspace}#{code}#{rspace}", current_context]
+          @pending_leading_whitespace_insert_index = @tokens.length
+          @pending_leading_whitespace = effective_leading_space if !effective_leading_space.empty? && follows_newline
+          @tokens << [:code, "#{effective_leading_space}#{code}#{right_space}", current_context]
           @trim_next_whitespace = true
         else
           @tokens << [:code, code, current_context]
         end
       end
 
+      def save_pending_leading_whitespace!(whitespace)
+        @pending_leading_whitespace = whitespace
+        @pending_leading_whitespace_insert_index = @tokens.length
+      end
+
+      def restore_pending_leading_whitespace!
+        return unless @pending_leading_whitespace
+
+        @tokens.insert(@pending_leading_whitespace_insert_index, [:text, @pending_leading_whitespace, current_context])
+      end
+
       def remove_trailing_whitespace_from_last_token!
-        return unless @tokens.last && @tokens.last[0] == :text
+        token = last_text_token
+        return "" unless token
 
-        text = @tokens.last[1]
+        text = token[1]
+        removed = text[/[ \t]+\z/] || ""
 
         if text =~ /\n[ \t]+\z/
           text.sub!(/[ \t]+\z/, "")
-          @tokens.last[1] = text
+          token[1] = text
         elsif text =~ /\A[ \t]+\z/
           text.replace("")
-          @tokens.last[1] = text
+          token[1] = text
         end
+
+        removed
       end
     end
   end

data/lib/herb/engine/validators/security_validator.rb

@@ -28,6 +28,20 @@ module Herb
 
             next unless child.is_a?(Herb::AST::ERBContentNode) && erb_outputs?(child)
 
+            prism_node = child.prism
+
+            next if prism_node && tag_attributes_prism_node?(prism_node)
+
+            if prism_node && conditional_tag_attributes_prism_node?(prism_node)
+              add_security_error(
+                child.location,
+                "Avoid using conditional `tag.attributes` in attribute position.",
+                "Use `<% if ... %><%= tag.attributes(...) %><% end %>` instead."
+              )
+
+              next
+            end
+
             add_security_error(
               child.location,
               "ERB output tags (<%= %>) are not allowed in attribute position.",
@@ -48,6 +62,32 @@ module Herb
           end
         end
 
+        def tag_attributes_prism_node?(prism_node)
+          return false unless prism_node.is_a?(Prism::CallNode)
+          return false unless prism_node.name == :attributes
+
+          receiver = prism_node.receiver
+          return false unless receiver.is_a?(Prism::CallNode)
+
+          receiver.name == :tag
+        end
+
+        def conditional_tag_attributes_prism_node?(prism_node)
+          if prism_node.is_a?(Prism::IfNode) || prism_node.is_a?(Prism::UnlessNode)
+            body = prism_node.statements&.body
+            return false unless body
+            return false unless body.length == 1
+
+            return tag_attributes_prism_node?(body.first)
+          end
+
+          if prism_node.is_a?(Prism::AndNode) || prism_node.is_a?(Prism::OrNode)
+            return tag_attributes_prism_node?(prism_node.right)
+          end
+
+          false
+        end
+
         def add_security_error(location, message, suggestion)
           add_diagnostic(message, location, :error, code: "SecurityViolation", source: "SecurityValidator",
                                                     suggestion: suggestion)

data/lib/herb/engine.rb

@@ -55,6 +55,9 @@ module Herb
       @bufvar = properties[:bufvar] || properties[:outvar] || "_buf"
       @escape = properties.fetch(:escape) { properties.fetch(:escape_html, false) }
       @escapefunc = properties.fetch(:escapefunc, @escape ? "__herb.h" : "::Herb::Engine.h")
+      @attrfunc = properties.fetch(:attrfunc, @escape ? "__herb.attr" : "::Herb::Engine.attr")
+      @jsfunc = properties.fetch(:jsfunc, @escape ? "__herb.js" : "::Herb::Engine.js")
+      @cssfunc = properties.fetch(:cssfunc, @escape ? "__herb.css" : "::Herb::Engine.css")
       @src = properties[:src] || String.new
       @chain_appends = properties[:chain_appends]
       @buffer_on_stack = false
@@ -244,6 +247,24 @@ module Herb
       end
     end
 
+    def add_context_aware_expression(indicator, code, context)
+      escapefunc = context_escape_function(context)
+
+      if escapefunc.nil?
+        add_expression(indicator, code)
+      else
+        with_buffer { @src << " << #{escapefunc}((" << code << trailing_newline(code) << "))" }
+      end
+    end
+
+    def context_escape_function(context)
+      case context
+      when :attribute_value then @attrfunc
+      when :script_content then @jsfunc
+      when :style_content then @cssfunc
+      end
+    end
+
     def add_expression_result(code)
       with_buffer {
         @src << " << (" << code << trailing_newline(code) << ").to_s"