hobo_fields 1.3.0.pre14 → 1.3.0.pre15

data/VERSION

@@ -1 +1 @@
-1.3.0.pre14
+1.3.0.pre15

data/lib/hobo_fields/types/email_address.rb

@@ -1,3 +1,5 @@
+require 'active_support/core_ext/string/output_safety'
+
 module HoboFields
   module Types
     class EmailAddress < String
@@ -13,7 +15,7 @@ module HoboFields
       end
 
       def to_html(xmldoctype = true)
-        self.sub('@', " at ").gsub('.', ' dot ')
+        ERB::Util.html_escape(self).sub('@', " at ").gsub('.', ' dot ')
       end
 
       HoboFields.register_type(:email_address, self)

data/lib/hobo_fields/types/enum_string.rb

@@ -85,7 +85,7 @@ module HoboFields
       end
 
       def to_html(xmldoctype = true)
-        self.class.translated_values[self]
+        self.class.translated_values[self].html_safe
       end
 
       def ==(other)

data/lib/hobo_fields/types/lifecycle_state.rb

@@ -9,7 +9,7 @@ module HoboFields
       end
 
       def to_html(xmldoctype = true)
-        I18n.t("#{self.class.table_name}.states.#{self}", :default => self)
+        I18n.t("#{self.class.table_name}.states.#{self}", :default => self).html_safe
       end
     end
   end

data/lib/hobo_fields/types/password_string.rb

@@ -7,7 +7,7 @@ module HoboFields
       HoboFields.register_type(:password, self)
 
       def to_html(xmldoctype = true)
-        "[password hidden]"
+        I18n.t("hobo.password_hidden", :default => "[password hidden]").html_safe
       end
 
     end

data/lib/hobo_fields/types/raw_html_string.rb

@@ -3,7 +3,7 @@ module HoboFields
     class RawHtmlString < HoboFields::Types::Text
 
       def to_html(xmldoctype = true)
-        self
+        self.html_safe
       end
 
       HoboFields.register_type(:raw_html, self)

data/lib/hobo_fields/types/raw_markdown_string.rb

@@ -5,7 +5,7 @@ module HoboFields
       HoboFields.register_type(:raw_markdown, self)
 
       def to_html(xmldoctype = true)
-        blank? ? "" : Markdown.new(self).to_html
+        blank? ? "" : Markdown.new(self).to_html.html_safe
       end
 
     end

data/lib/hobo_fields/types/text.rb

@@ -1,13 +1,12 @@
+require 'active_support/core_ext/string/output_safety'
 module HoboFields
   module Types
     class Text < String
 
-      HTML_ESCAPE = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;' }
-
       COLUMN_TYPE = :text
 
       def to_html(xmldoctype = true)
-        gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.gsub("\n", "<br#{xmldoctype ? ' /' : ''}>\n")
+        ERB::Util.html_escape(self).gsub("\n", "<br#{xmldoctype ? ' /' : ''}>\n")
       end
 
       HoboFields.register_type(:text, self)

data/lib/hobo_fields/types/textile_string.rb

@@ -12,7 +12,7 @@ module HoboFields
         else
           textilized = RedCloth.new(self, [ :hard_breaks ])
           textilized.hard_breaks = true if textilized.respond_to?("hard_breaks=")
-          textilized.to_html
+          HoboFields::SanitizeHtml.sanitize(textilized.to_html)
         end
       end
 

data/lib/hobo_fields.rb

@@ -44,9 +44,7 @@ module HoboFields
   }
 
   @field_types   = PLAIN_TYPES.with_indifferent_access
-
   @never_wrap_types = Set.new([NilClass, Hobo::Boolean, TrueClass, FalseClass])
-
   attr_reader :field_types
 
   def to_class(type)
@@ -58,12 +56,10 @@ module HoboFields
     end
   end
 
-
   def to_name(type)
     field_types.key(type) || ALIAS_TYPES[type]
   end
 
-
   def can_wrap?(type, val)
     col_type = type::COLUMN_TYPE
     return false if val.blank? && (col_type == :integer || col_type == :float || col_type == :decimal)
@@ -72,22 +68,18 @@ module HoboFields
     (arity == 1 || arity == -1) && !@never_wrap_types.any? { |c| klass <= c }
   end
 
-
   def never_wrap(type)
     @never_wrap_types << type
   end
 
-
   def register_type(name, klass)
     field_types[name] = klass
   end
 
-
   def plain_type?(type_name)
     type_name.in?(PLAIN_TYPES)
   end
 
-
   def standard_class(name)
     class_name = STANDARD_TYPES[name]
     "HoboFields::Types::#{class_name}".constantize if class_name

data/test/rich_types.rdoctest

@@ -7,6 +7,13 @@ Our test requires to prepare the testapp:
 
     doctest_require: 'prepare_testapp'
 
+    >>
+     ActiveRecord::Migration.create_table :articles do |t|
+       t.text :body
+       t.string :status
+     end
+    >>
+
 {.hidden}
 
 ## `to_html` method
@@ -26,26 +33,33 @@ This class defines the methods `to_html` to customize the way the type is render
         # Loud text always renderd in caps.
         # It's rude to shout too much so it's not allowed to be
         # longer than 100 characters
-        class LoudText < String
+        >>
+         class LoudText < String
 
-          COLUMN_TYPE = :string
+           COLUMN_TYPE = :string
 
-          HoboFields.register_type(:loud, self)
+           HoboFields.register_type(:loud, self)
 
-          def validate
-            "is too long (you shouldn't shout that much)" if length > 100
-          end
+           def validate
+             "is too long (you shouldn't shout that much)" if length > 100
+           end
 
-          def format
-            # make sure we have enough exclamation marks
-            self =~ /!!!$/ ? self + "!!!" : self
-          end
+           def format
+             # make sure we have enough exclamation marks
+             self =~ /!!!$/ ? self + "!!!" : self
+           end
 
-          def to_html(xmldoctype = true)
-            upcase
-          end
+           def to_html(xmldoctype = true)
+             upcase
+           end
 
-        end
+         end
+        >>
+
+        >> LoudText.new("foO<BAa").to_html
+        => "FOO<BAA"
+        >> LoudText.new("foO<BAa").to_html.html_safe?
+        => false
 
 If you place this class in `app/rich_types/loud_text.rb`, Hobo will load it automatically.
 
@@ -81,10 +95,41 @@ Provides validation of correct email address format.
         >> bad.validate
         => "is invalid"
 
+        >> nasty = HoboFields::Types::EmailAddress.new("foo<nasty>&lt;nasty&gt;@baa.com")
+        >> nasty.to_html
+        => "foo&lt;nasty&gt;&lt;nasty&gt; at baa dot com"
+        >> nasty.to_html.html_safe?
+        => true
+
 ### `HoboFields::Types::HtmlString`
 
 `HtmlString` provides no special behavior. The main reason for using this type is that the `to_html` method does not do any html-escaping. Use this for columns that store raw HTML in the database.
 
+        # no safety treatments are done by `to_html`.
+        # even if `nasty.to_html` is actually unsafe, it is marked as html_safe.
+        >> nasty = HoboFields::Types::HtmlString.new("p1<p>p2</p>p3<nasty>p4</nasty>p5&lt;script&gt;p6<script>p7</script>p8")
+        >> nasty.to_html
+        => "p1<p>p2</p>p3<nasty>p4</nasty>p5&lt;script&gt;p6<script>p7</script>p8"
+        >> nasty.to_html.html_safe?
+        => true
+
+        >>
+         class Article < ActiveRecord::Base
+           fields do
+             body HoboFields::Types::HtmlString
+           end
+         end
+        >> article = Article.create!(:body => "</div>>>p1<p>p2</p>p3<nasty>p4</nasty>p5&lt;script&gt;p6<script>p7</script>p8")
+        # some unsafe html fragements are removed on save,
+        # but there's no guarantees that it is well-formed
+        >> article.body
+        => "</div>>>p1<p>p2</p>p3p4p5&lt;script&gt;p6p8"
+        >> article.body == article.body.to_html
+        => true
+        >> article.body.to_html.html_safe?
+        => true
+
+
 ### `HoboFields::Types::MarkdownString`
 
 `HoboFields::Types::MarkdownString` provides a `to_html` that renders markdown syntax into html. It requires the bluecloth gem.
@@ -97,12 +142,17 @@ Provides validation of correct email address format.
           And text can be *emphasised*
           )
         >> markdown.to_html
-        >> markdown = HoboFields::Types::MarkdownString.new "# This is a heading\n\nAnd text can be *emphasised*\n"
-        =>""
-        <h1>This is a heading</h1>
+        => "<h1>This is a heading</h1>\n\n<p>And text can be <em>emphasised</em></p>"
+        >> markdown.to_html.html_safe?
+        => true
 
-        <p>And text can be <em>emphasised</em></p>
-        >>
+        # some unsafe html fragements are removed by `to_html`,
+        # but there's no guarantees that it is well-formed
+        >> markdown = HoboFields::Types::MarkdownString.new("</div>>>p1<script>p2")
+        >> markdown.to_html
+        => "<p></div>>>p1</p>"
+        >> markdown.to_html.html_safe?
+        => true
 
 ### `HoboFields::Types::TextileString`
 
@@ -114,7 +164,16 @@ Provides validation of correct email address format.
          )
         >> textile.to_html
         => "<p>Text can be <em>emphasised</em></p>"
-        >>
+        >> textile.to_html.html_safe?
+        => true
+
+        # some unsafe html fragements are removed by `to_html`,
+        # but there's no guarantees that it is well-formed
+        >> textile = HoboFields::Types::TextileString.new("</div>>>p1<script>p2")
+        >> textile.to_html
+        => "<p></div>&gt;&gt;p1</p>"
+        >> textile.to_html.html_safe?
+        => true
 
 ### `HoboFields::Types::Text`
 
@@ -124,16 +183,25 @@ Provides validation of correct email address format.
 
          Cat & Mouse)
         >> text.to_html
-        =>
-         "Tom &amp; Jerry<br />
-         <br />
-         Cat &amp; Mouse"
-        >>
+        => "Tom &amp; Jerry<br />\n<br />\n         Cat &amp; Mouse"
+        >> text.to_html.html_safe?
+        => true
+
+        # `to_html` always returns actually html-safe string
+        >> text = HoboFields::Types::Text.new("</div>>>p1<script>p2")
+        >> text.to_html
+        => "&lt;/div&gt;&gt;&gt;p1&lt;script&gt;p2"
+        >> text.to_html.html_safe?
+        => true
 
 ### `HoboFields::Types::PasswordString`
 
 `HoboFields::Types::PasswordString` provides a simple `to_html` to prevent accidental display of a password. It simply returns "`[password hidden]`". The type is also used to indicate the need for an `<input type='password'>`
 
+        >> HoboFields::Types::PasswordString.new("pass<word>").to_html
+        => "[password hidden]"
+        >> HoboFields::Types::PasswordString.new("pass<word>").to_html.html_safe?
+        => true
 
 ## Enum Strings
 
@@ -217,6 +285,11 @@ Sometimes it's nice to have a proper type name. Here's one way you might go abou
         >> Article.attr_type :status
         => Article::Status
 
+        >> Article::Status::PUBLISHED.to_html
+        => "published"
+        >> Article::Status::PUBLISHED.to_html.html_safe?
+        => true
+
 ### Translating EnumString's
 
 Named EnumString's may be translated.   Here is an example fr.yml:
@@ -243,6 +316,8 @@ The translated value is available via `to_html`:
 
     >> Article::Status::PUBLISHED.to_html
     => "publiés"
+    >> Article::Status::PUBLISHED.to_html.html_safe?
+    => true
 
 Translations only work with named EnumString's.  The recommended way of naming the EnumString is to assign it to a constant, but if you do not wish to do this, you can supply the name in an option:
 
@@ -251,3 +326,29 @@ Translations only work with named EnumString's.  The recommended way of naming t
 
 `tableize` will be called on your name to provide the translation key.
 
+
+###
+
+### `HoboFields::Types::RawHtmlString`
+
+        # no safety treatments are done by `to_html`.
+        # even if `nasty.to_html` is actually unsafe, it is marked as html_safe.
+        >> nasty = HoboFields::Types::RawHtmlString.new("p1<p>p2</p>p3<nasty>p4</nasty>p5&lt;script&gt;p6<script>p7</script>p8")
+        >> nasty.to_html
+        => "p1<p>p2</p>p3<nasty>p4</nasty>p5&lt;script&gt;p6<script>p7</script>p8"
+        >> nasty.to_html.html_safe?
+        => true
+
+### `HoboFields::Types::RawMarkdownString`
+
+        # no safety treatments are done by `to_html`.
+        # even if `markdown.to_html` is actually unsafe, it is marked as html_safe.
+        >> markdown = HoboFields::Types::RawMarkdownString.new("</div>>>p1<script>p2")
+        >> markdown.to_html
+        => "<p></div>>>p1<script>p2</p>"
+        >> markdown.to_html.html_safe?
+        => true
+
+### `HoboFields::Types::SerializedObject`
+
+        # `SerializedObject` doesn't have `to_html`

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification 
 name: hobo_fields
 version: !ruby/object:Gem::Version 
-  hash: -1637175963
+  hash: -1637175966
   prerelease: true
   segments: 
   - 1
   - 3
   - 0
-  - pre14
-  version: 1.3.0.pre14
+  - pre15
+  version: 1.3.0.pre15
 platform: ruby
 authors: 
 - Tom Locke
@@ -16,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-10-27 00:00:00 -04:00
+date: 2010-11-03 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -43,13 +43,13 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: -1637175963
+        hash: -1637175966
         segments: 
         - 1
         - 3
         - 0
-        - pre14
-        version: 1.3.0.pre14
+        - pre15
+        version: 1.3.0.pre15
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency