RubyGems - inquisition - Versions diffs - 0.2 → 0.3 - Mend

inquisition 0.2 → 0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/README.rdoc CHANGED

@@ -1,4 +1,4 @@
-= inquisition
+= Inquisition
 == Introduction
@@ -9,14 +9,21 @@ It keeps your strings heresy-free.
 Inquisition offers you three methods on Object:
-  cleanse_attr *attributes
-  cleanse_attr_reader *attributes
-  cleanse_attr_writer *attributes
+  cleanse_attr *attributes, options
+  cleanse_attr_reader *attributes, options
+  cleanse_attr_writer *attributes, options
 These methods will wrap your getters and/or setters for an attribute through a
 HTML5 Sanitizer.  This should help to protect against most kinds of cross site
 scripting attacks.
+For example:
+  cleanse_attr :name, :allow => {:name => /(<strong>)/}
+The above example will clean all values written to or read from the name
+attribute, but will not remove strong tags.
 == Installation
   sudo gem install thumblemonks-inquisition

data/lib/inquisition.rb CHANGED

@@ -10,6 +10,14 @@ module Inquisition
     klass.extend(ClassMethods)
   end
+  def self.sanitize(value, allow)
+    if allow && match = Regexp.new(allow).match(value)
+      [HTML5libSanitize.sanitize_html(match.pre_match), match.to_a.first, self.sanitize(match.post_match, allow)].join
+    else
+      HTML5libSanitize.sanitize_html(value)
+    end
+  end
   module ClassMethods
     def sanitize_attribute(*attributes)
       sanitize_attribute_reader(*attributes)
@@ -17,34 +25,49 @@ module Inquisition
     end
     def sanitize_attribute_reader(*attributes)
-      write_inheritable_attribute(:cleansed_attr_readers, attributes)
-      class_inheritable_reader(:cleansed_attr_readers)
-      define_method(:read_attribute_with_cleansing) do |attribute|
-        value = read_attribute_without_cleansing(attribute)
-        if cleansed_attr_readers.include?(attribute.to_sym) && !value.blank?
-          HTML5libSanitize.sanitize_html(value)
-        else
-          value
+      options = attributes.last.is_a?(::Hash) ? attributes.pop : {}
+      if respond_to?(:cleansed_attr_readers)
+        write_inheritable_attribute(:cleansed_attr_readers, cleansed_attr_readers.concat(attributes))
+        write_inheritable_attribute(:cleansed_attr_reader_options, cleansed_attr_reader_options.merge(options))
+      else
+        write_inheritable_attribute(:cleansed_attr_readers, attributes)
+        write_inheritable_attribute(:cleansed_attr_reader_options, options)
+        class_inheritable_reader(:cleansed_attr_readers)
+        class_inheritable_reader(:cleansed_attr_reader_options)
+        define_method(:read_attribute_with_cleansing) do |attribute|
+          value = read_attribute_without_cleansing(attribute)
+          if cleansed_attr_readers.include?(attribute.to_sym) && !value.blank?
+            Inquisition.sanitize(value,cleansed_attr_reader_options[:allow][attribute.to_sym])
+          else
+            value
+          end
         end
+        alias_method_chain :read_attribute, :cleansing
       end
-      alias_method_chain :read_attribute, :cleansing
       attributes.each { |attr| define_method(attr.to_sym) { read_attribute(attr.to_sym) } }
     end
     def sanitize_attribute_writer(*attributes)
-      write_inheritable_attribute(:cleansed_attr_writers, attributes)
-      class_inheritable_reader(:cleansed_attr_writers)
+      options = attributes.last.is_a?(::Hash) ? attributes.pop : {}
+      if respond_to?(:cleansed_attr_writers)
+        write_inheritable_attribute(:cleansed_attr_writers, cleansed_attr_writers.concat(attributes))
+        write_inheritable_attribute(:cleansed_attr_writer_options, cleansed_attr_writer_options.merge(options))
+      else
+        write_inheritable_attribute(:cleansed_attr_writers, attributes)
+        write_inheritable_attribute(:cleansed_attr_writer_options, options)
+        class_inheritable_reader(:cleansed_attr_writers)
+        class_inheritable_reader(:cleansed_attr_writer_options)
-      define_method(:write_attribute_with_cleansing) do |attribute, value|
-        if cleansed_attr_writers.include?(attribute.to_sym) && !value.blank?
-          value = HTML5libSanitize.sanitize_html(value)
+        define_method(:write_attribute_with_cleansing) do |attribute, value|
+          if cleansed_attr_writers.include?(attribute.to_sym) && !value.blank?
+            Inquisition.sanitize(value,cleansed_attr_writer_options[:allow][attribute.to_sym])
+          end
+          write_attribute_without_cleansing(attribute, value)
         end
-        write_attribute_without_cleansing(attribute, value)
+        alias_method_chain :write_attribute, :cleansing
       end
-      alias_method_chain :write_attribute, :cleansing
     end
   end #Class Methods
 end #Inquisition

data/test/inquisition_test.rb CHANGED

@@ -47,4 +47,41 @@ class InquisitionTest < Test::Unit::TestCase
       assert_equal nil, @whisky.name
     end
   end
+  context "allowing a single character" do
+    setup do
+      @dumb_phrase = "Central Time (US & Canada)"
+      @clean_dumb  = "Central Time (US &amp; Canada)"
+      @whisky = Whisky.new(:description => @dumb_phrase, :name => @dumb_phrase)
+    end
+    should "allow ampersands in the description" do
+      assert_equal @dumb_phrase, @whisky.description
+    end
+    should "not allow ampersands in the name" do
+      assert_equal @clean_dumb, @whisky.name
+    end
+  end
+  context "allowing a regexp" do
+    setup do
+      @dumb_phrase = "<buttes> hey guy, I think <buttes> about <buttes>, because i have no clear opinion on <buttes>"
+      @clean_phrase = "&lt;buttes&gt; hey guy, I think &lt;buttes&gt; about &lt;buttes&gt;, because i have no clear opinion on &lt;buttes&gt;"
+      @whisky = Whisky.new(:measure => @dumb_phrase, :name => @dumb_phrase)
+    end
+    should "allow the regexp'd phrase in the measure" do
+      assert_equal @dumb_phrase, @whisky.measure
+    end
+    should "not allow the regexp'd phrase in the name" do
+      assert_equal @clean_phrase, @whisky.name
+    end
+    should "still clean non-matched parts" do
+      @whisky.measure = "<script>alert('Cragganmore')</script>"
+      assert_equal "&lt;script&gt;alert('Cragganmore')&lt;/script&gt;", @whisky.measure
+    end
+  end
 end

data/test/models.rb CHANGED

@@ -3,7 +3,7 @@ ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => File
 class CreateSchema < ActiveRecord::Migration
   def self.up
     create_table :whiskies, :force => true do |t|
-      t.string :name, :origin, :description
+      t.string :name, :origin, :description, :measure
       t.integer :abv
     end
     create_table :animals, :force => true do |t|
@@ -21,7 +21,7 @@ class Animal < ActiveRecord::Base
 end
 class Whisky < ActiveRecord::Base
-  sanitize_attribute :name, :description
+  sanitize_attribute :name, :description, :measure, :allow => { :description => "&", :measure => /(<buttes>)/ }
   def drink
     "You quaffed #{description}"

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inquisition
 version: !ruby/object:Gem::Version
-  version: "0.2"
+  version: "0.3"
 platform: ruby
 authors:
 - toothrot
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-07-06 00:00:00 -05:00
+date: 2009-11-11 00:00:00 -06:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -69,7 +69,7 @@ requirements: []
 rubyforge_project:
 rubygems_version: 1.3.5
 signing_key:
-specification_version: 2
+specification_version: 3
 summary: Inquisition is a fancy way to protect your ActiveRecord attributes from XSS
 test_files: []