RubyGems - inquisition - Versions diffs - 0.2 → 0.3 - Mend

inquisition 0.2 → 0.3

Files changed (5) hide show

data/README.rdoc CHANGED

@@ -1,4 +1,4 @@
-= inquisition
+= Inquisition
 == Introduction
@@ -9,14 +9,21 @@ It keeps your strings heresy-free.
 Inquisition offers you three methods on Object:
-  cleanse_attr *attributes
-  cleanse_attr_reader *attributes
-  cleanse_attr_writer *attributes
+  cleanse_attr *attributes, options
+  cleanse_attr_reader *attributes, options
+  cleanse_attr_writer *attributes, options
 These methods will wrap your getters and/or setters for an attribute through a
 HTML5 Sanitizer.  This should help to protect against most kinds of cross site
 scripting attacks.
+For example:
+  cleanse_attr :name, :allow => {:name => /(<strong>)/}
+The above example will clean all values written to or read from the name
+attribute, but will not remove strong tags.
 == Installation
   sudo gem install thumblemonks-inquisition

data/lib/inquisition.rb CHANGED

@@ -10,6 +10,14 @@ module Inquisition
     klass.extend(ClassMethods)
   end
+  def self.sanitize(value, allow)
+    if allow && match = Regexp.new(allow).match(value)
+      [HTML5libSanitize.sanitize_html(match.pre_match), match.to_a.first, self.sanitize(match.post_match, allow)].join
+    else
+      HTML5libSanitize.sanitize_html(value)
+    end
+  end
   module ClassMethods
     def sanitize_attribute(*attributes)
       sanitize_attribute_reader(*attributes)
@@ -17,34 +25,49 @@ module Inquisition
     end
     def sanitize_attribute_reader(*attributes)
-      write_inheritable_attribute(:cleansed_attr_readers, attributes)
-      class_inheritable_reader(:cleansed_attr_readers)
-      define_method(:read_attribute_with_cleansing) do |attribute|
-        value = read_attribute_without_cleansing(attribute)
-        if cleansed_attr_readers.include?(attribute.to_sym) && !value.blank?
-          HTML5libSanitize.sanitize_html(value)
-        else
-          value
+      options = attributes.last.is_a?(::Hash) ? attributes.pop : {}
+      if respond_to?(:cleansed_attr_readers)
+        write_inheritable_attribute(:cleansed_attr_readers, cleansed_attr_readers.concat(attributes))
+        write_inheritable_attribute(:cleansed_attr_reader_options, cleansed_attr_reader_options.merge(options))
+      else
+        write_inheritable_attribute(:cleansed_attr_readers, attributes)
+        write_inheritable_attribute(:cleansed_attr_reader_options, options)
+        class_inheritable_reader(:cleansed_attr_readers)
+        class_inheritable_reader(:cleansed_attr_reader_options)
+        define_method(:read_attribute_with_cleansing) do |attribute|
+          value = read_attribute_without_cleansing(attribute)
+          if cleansed_attr_readers.include?(attribute.to_sym) && !value.blank?
+            Inquisition.sanitize(value,cleansed_attr_reader_options[:allow][attribute.to_sym])
+          else
+            value
+          end
         end
+        alias_method_chain :read_attribute, :cleansing
       end
-      alias_method_chain :read_attribute, :cleansing
       attributes.each { |attr| define_method(attr.to_sym) { read_attribute(attr.to_sym) } }
     end
     def sanitize_attribute_writer(*attributes)
-      write_inheritable_attribute(:cleansed_attr_writers, attributes)
-      class_inheritable_reader(:cleansed_attr_writers)
+      options = attributes.last.is_a?(::Hash) ? attributes.pop : {}
+      if respond_to?(:cleansed_attr_writers)
+        write_inheritable_attribute(:cleansed_attr_writers, cleansed_attr_writers.concat(attributes))
+        write_inheritable_attribute(:cleansed_attr_writer_options, cleansed_attr_writer_options.merge(options))
+      else
+        write_inheritable_attribute(:cleansed_attr_writers, attributes)
+        write_inheritable_attribute(:cleansed_attr_writer_options, options)
+        class_inheritable_reader(:cleansed_attr_writers)
+        class_inheritable_reader(:cleansed_attr_writer_options)
-      define_method(:write_attribute_with_cleansing) do |attribute, value|
-        if cleansed_attr_writers.include?(attribute.to_sym) && !value.blank?
-          value = HTML5libSanitize.sanitize_html(value)
+        define_method(:write_attribute_with_cleansing) do |attribute, value|
+          if cleansed_attr_writers.include?(attribute.to_sym) && !value.blank?
+            Inquisition.sanitize(value,cleansed_attr_writer_options[:allow][attribute.to_sym])
+          end
+          write_attribute_without_cleansing(attribute, value)
         end
-        write_attribute_without_cleansing(attribute, value)
+        alias_method_chain :write_attribute, :cleansing
       end
-      alias_method_chain :write_attribute, :cleansing
     end
   end #Class Methods
 end #Inquisition

data/test/inquisition_test.rb CHANGED

@@ -47,4 +47,41 @@ class InquisitionTest < Test::Unit::TestCase
       assert_equal nil, @whisky.name
     end
   end
+  context "allowing a single character" do
+    setup do
+      @dumb_phrase = "Central Time (US & Canada)"
+      @clean_dumb  = "Central Time (US &amp; Canada)"
+      @whisky = Whisky.new(:description => @dumb_phrase, :name => @dumb_phrase)
+    end
+    should "allow ampersands in the description" do
+      assert_equal @dumb_phrase, @whisky.description
+    end
+    should "not allow ampersands in the name" do
+      assert_equal @clean_dumb, @whisky.name
+    end
+  end
+  context "allowing a regexp" do
+    setup do
+      @dumb_phrase = "<buttes> hey guy, I think <buttes> about <buttes>, because i have no clear opinion on <buttes>"
+      @clean_phrase = "&lt;buttes&gt; hey guy, I think &lt;buttes&gt; about &lt;buttes&gt;, because i have no clear opinion on &lt;buttes&gt;"
+      @whisky = Whisky.new(:measure => @dumb_phrase, :name => @dumb_phrase)
+    end
+    should "allow the regexp'd phrase in the measure" do
+      assert_equal @dumb_phrase, @whisky.measure
+    end
+    should "not allow the regexp'd phrase in the name" do
+      assert_equal @clean_phrase, @whisky.name
+    end
+    should "still clean non-matched parts" do
+      @whisky.measure = "<script>alert('Cragganmore')</script>"
+      assert_equal "&lt;script&gt;alert('Cragganmore')&lt;/script&gt;", @whisky.measure
+    end
+  end
 end

data/test/models.rb CHANGED

@@ -3,7 +3,7 @@ ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => File
 class CreateSchema < ActiveRecord::Migration
   def self.up
     create_table :whiskies, :force => true do |t|
-      t.string :name, :origin, :description
+      t.string :name, :origin, :description, :measure
       t.integer :abv
     end
     create_table :animals, :force => true do |t|
@@ -21,7 +21,7 @@ class Animal < ActiveRecord::Base
 end
 class Whisky < ActiveRecord::Base
-  sanitize_attribute :name, :description
+  sanitize_attribute :name, :description, :measure, :allow => { :description => "&", :measure => /(<buttes>)/ }
   def drink
     "You quaffed #{description}"

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inquisition
 version: !ruby/object:Gem::Version
-  version: "0.2"
+  version: "0.3"
 platform: ruby
 authors:
 - toothrot
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-07-06 00:00:00 -05:00
+date: 2009-11-11 00:00:00 -06:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -69,7 +69,7 @@ requirements: []
 rubyforge_project:
 rubygems_version: 1.3.5
 signing_key:
-specification_version: 2
+specification_version: 3
 summary: Inquisition is a fancy way to protect your ActiveRecord attributes from XSS
 test_files: []