liquid-autoescape 2.0.0 → 3.0.0
- checksums.yaml +4 -4
- data/README.md +8 -6
- data/lib/liquid/autoescape/configuration.rb +1 -1
- data/lib/liquid/autoescape/errors.rb +1 -1
- data/lib/liquid/autoescape/exemption.rb +2 -2
- data/lib/liquid/autoescape/filters.rb +2 -2
- data/lib/liquid/autoescape/liquid_ext/variable.rb +5 -5
- data/lib/liquid/autoescape/version.rb +1 -1
- data/lib/liquid/autoescape.rb +4 -4
- data/spec/functional/autoescape_tag_spec.rb +24 -2
- data/spec/unit/autoescape_spec.rb +1 -1
- metadata +2 -2
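--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 46da4857eefb1fa19dfbfca0f73cb03e7869e6cfe2ffbf2dce80d3a0b49b78f5
+data.tar.gz: 2700c5d7f303d09f3ac2f6a0b4160e7f11a86920e09b8dec0d08b61684239d4a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ec72a9037fef0ad0fdc43a8ff93d0cc9b5257a8ac223cc24878b4c0304805a7b2ada9fb1dce16101b5d06be2eaa7528e9364539eb013b0ff2065b06abfe056df
+data.tar.gz: 6b4e20285bbdbbaa132af2bf8026df09c19e8d4bc0d0cb12c0072ce4a4c3ceb3ca4d08fce4faa133e69322c5683fa75f0576be4a464cbec1bc72e18f19b020f2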
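--- a/data/README.md
+++ b/data/README.md
@@ -3,12 +3,14 @@
 [![Build Status](https://travis-ci.org/Within3/liquid-autoescape.svg)](https://travis-ci.org/Within3/liquid-autoescape)
 
 This adds an `{% autoescape %}` block tag to Liquid that causes all variables
-referenced within it to be escaped for display in an HTML context.
+referenced within it to be escaped for display in an HTML context. It also adds
+the ability to enable global auto-escaping of all variables by default, and
+provides a set of tools for not escaping variables that are known to be safe.
 
 ## Requirements
 
 * Ruby >= 2.2
-* Liquid 2
+* Liquid >= 2.3
 
 ## Basic Usage
 
@@ -43,7 +45,7 @@ escaped, use the `skip_escape` filter.
 ## Advanced Usage
 
 Autoescaping can be customized to work better with your environment via a
-Ruby-level configuration object. To configure
+Ruby-level configuration object. To configure auto-escaping, use the `config`
 object exposed by `Liquid::Autoescape.configure` in any Ruby file loaded before
 templates are rendered.
 
@@ -55,7 +57,7 @@ Liquid::Autoescape.configure do |config|
 end
 ```
 
-The
+The auto-escape options that can be configured are detailed below.
 
 ### Trusted Filters
 
@@ -128,7 +130,7 @@ As mentioned above, each exemption function is passed an object that describes a
 Liquid variable as used in a template. This object exposes the variable's name,
 as well as a list of any filters that it uses. These values can be used by each
 exemption function to determine whether a variable should be exempt from
-
+auto-escaping, as shown by the code below:
 
 ```ruby
 Liquid::Autoescape.configure do |config|
@@ -164,7 +166,7 @@ Escaped: {{ variable }}
 Not Escaped: {{ variable | skip_escape }}
 ```
 
-Additionally,
+Additionally, auto-escaping can be selectively disabled within a block when
 running in global mode:
 
 ```liquid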
@@ -4,7 +4,7 @@ require "liquid/autoescape/exemption_list"
|
|
4
4
|
module Liquid
|
5
5
|
module Autoescape
|
6
6
|
|
7
|
-
# A configuration file for setting
|
7
|
+
# A configuration file for setting auto-escape options
|
8
8
|
class Configuration
|
9
9
|
|
10
10
|
# @return [Liquid::Autoescape::ExemptionList] The list of custom exemptions
|
@@ -1,7 +1,7 @@
|
|
1
1
|
module Liquid
|
2
2
|
module Autoescape
|
3
3
|
|
4
|
-
# The base error from which all other
|
4
|
+
# The base error from which all other auto-escape errors inherit
|
5
5
|
class AutoescapeError < StandardError; end
|
6
6
|
|
7
7
|
# An error raised when an exemption encounters an issue
|
@@ -7,7 +7,7 @@ module Liquid
|
|
7
7
|
#
|
8
8
|
# Exemptions are created from functions that accept a template variable and
|
9
9
|
# and return a boolean value indicating whether or not the variable is
|
10
|
-
# exempt from
|
10
|
+
# exempt from auto-escaping.
|
11
11
|
#
|
12
12
|
# @example An exemption based on a variable's name
|
13
13
|
# exemption = Exemption.new do |variable|
|
@@ -20,7 +20,7 @@ module Liquid
|
|
20
20
|
# end
|
21
21
|
class Exemption
|
22
22
|
|
23
|
-
# Create a new
|
23
|
+
# Create a new auto-escaping exemption
|
24
24
|
#
|
25
25
|
# This requires a filter function to be provided that will be passed a
|
26
26
|
# +TemplateVariable+ instance that it can use to return a boolean
|
@@ -3,10 +3,10 @@ require "liquid"
|
|
3
3
|
module Liquid
|
4
4
|
module Autoescape
|
5
5
|
|
6
|
-
# Liquid filters used to support the autoescape tag
|
6
|
+
# Liquid filters used to support the {% autoescape %} tag
|
7
7
|
module Filters
|
8
8
|
|
9
|
-
# Flag an input as exempt from
|
9
|
+
# Flag an input as exempt from auto-escaping
|
10
10
|
#
|
11
11
|
# This is a non-transformative filter that works by registering itself
|
12
12
|
# in a variable's filter chain. If a variable detects this in its
|
@@ -10,11 +10,11 @@ module Liquid
|
|
10
10
|
|
11
11
|
# Possibly render the variable with HTML escaping applied
|
12
12
|
#
|
13
|
-
# If the
|
14
|
-
# or Liquid
|
15
|
-
# through the global exemption list to determine if it is exempt
|
16
|
-
#
|
17
|
-
# with all unsafe HTML characters escaped. In all other cases, the
|
13
|
+
# If the auto-escaping context variable has been set by the {% autoescape %}
|
14
|
+
# tag or Liquid auto-escaping is globally enabled, this will run the
|
15
|
+
# variable through the global exemption list to determine if it is exempt
|
16
|
+
# from auto-escaping. If it is not, its contents will be rendered as a
|
17
|
+
# string with all unsafe HTML characters escaped. In all other cases, the
|
18
18
|
# original, unescaped value of the variable will be rendered.
|
19
19
|
#
|
20
20
|
# @param [Liquid::Context] context The variable's rendering context
|
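--- a/data/lib/liquid/autoescape.rb
+++ b/data/lib/liquid/autoescape.rb
@@ -5,14 +5,14 @@ require "liquid/autoescape/tags/autoescape"
 module Liquid
 module Autoescape
 
-# The context variable that stores the
+# The context variable that stores the auto-escape state
 #
 # @private
 ENABLED_FLAG = "liquid_autoescape_enabled".freeze
 
-# Configure Liquid
+# Configure Liquid auto-escaping
 #
-# @yieldparam [Liquid::Autoescape::Configuration] config The
+# @yieldparam [Liquid::Autoescape::Configuration] config The auto-escape configuration
 def self.configure
 yield(configuration)
 end
@@ -22,7 +22,7 @@ module Liquid
 configuration.reset
 end
 
-# The current
+# The current auto-escape configuration
 #
 # @return [Liquid::Autoescape::Configuration]
 def self.configuration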
@@ -93,7 +93,15 @@ describe "{% autoescape %}" do
|
|
93
93
|
)
|
94
94
|
end
|
95
95
|
|
96
|
-
it "supports
|
96
|
+
it "supports nested auto-escaping contexts" do
|
97
|
+
verify_template_output(
|
98
|
+
"{% autoescape true %}{{ variable }}{% autoescape false %}{{ variable }}{% autoescape true %}{{ variable }}{% endautoescape %}{% endautoescape %}{% endautoescape %}",
|
99
|
+
"&&&",
|
100
|
+
"variable" => "&"
|
101
|
+
)
|
102
|
+
end
|
103
|
+
|
104
|
+
it "supports reading the auto-escaping state from a variable" do
|
97
105
|
verify_template_output(
|
98
106
|
"{% autoescape escape %}{{ variable }}{% endautoescape %}",
|
99
107
|
"&",
|
@@ -107,6 +115,20 @@ describe "{% autoescape %}" do
|
|
107
115
|
expect { Liquid::Template.parse(invalid) }.to raise_error(Liquid::SyntaxError)
|
108
116
|
end
|
109
117
|
|
118
|
+
it "does not escape captured variables" do
|
119
|
+
verify_template_output(
|
120
|
+
"{% autoescape %}{% capture variable %}&{% endcapture %}{% endautoescape %}{{ variable }}",
|
121
|
+
"&"
|
122
|
+
)
|
123
|
+
end
|
124
|
+
|
125
|
+
it "can prevent escaping of assigned variables" do
|
126
|
+
verify_template_output(
|
127
|
+
'{% autoescape %}{% autoescape false %}{% assign variable = "&" %}{% endautoescape %}{{ variable }}{% endautoescape %}{{ variable }}',
|
128
|
+
"&&"
|
129
|
+
)
|
130
|
+
end
|
131
|
+
|
110
132
|
describe "configuration options" do
|
111
133
|
|
112
134
|
after(:each) { Liquid::Autoescape.reconfigure }
|
@@ -143,7 +165,7 @@ describe "{% autoescape %}" do
|
|
143
165
|
)
|
144
166
|
end
|
145
167
|
|
146
|
-
it "supports opting out of
|
168
|
+
it "supports opting out of auto-escaping within a block" do
|
147
169
|
verify_template_output(
|
148
170
|
"{{ variable }}{% autoescape false %}{{ variable }}{{ variable }}{% endautoescape %}",
|
149
171
|
"&&&",
|
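Review bot: The new example "does not escape captured variables" prints `{{ variable }}` after `{% endautoescape %}`, and the captured body is a literal `&` rather than a variable output, so as shown it would pass whether or not `{% capture %}` interacts with auto-escaping at all. A value that ends up escaped twice or not at all is the failure this gem guards against, so I would add a case that renders a variable inside the capture and prints the result inside the block, e.g. `"{% autoescape %}{% capture captured %}{{ variable }}{% endcapture %}{{ captured }}{% endautoescape %}"` with `"variable" => "&"`, and assert whichever single-escaped output is intended. The same question applies to "can prevent escaping of assigned variables", where the value assigned under `{% autoescape false %}` is then printed inside the outer block. The expected strings on this page look as if the renderer decoded their HTML entities (the nested true/false/true case shows `"&&&"`), so the expected values cannot be checked from here.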
@@ -8,7 +8,7 @@ module Liquid
|
|
8
8
|
|
9
9
|
describe ".configure" do
|
10
10
|
|
11
|
-
it "allows
|
11
|
+
it "allows auto-escape settings to be customized" do
|
12
12
|
Autoescape.configure do |config|
|
13
13
|
expect(config).to be_an_instance_of(Autoescape::Configuration)
|
14
14
|
end
|
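--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: liquid-autoescape
 version: !ruby/object:Gem::Version
-version:
+version: 3.0.0
 platform: ruby
 authors:
 - Within3
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-
+date: 2019-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: liquid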