loofah-activerecord 1.0.0 → 1.1.0
- data/.gemtest +0 -0
- data/CHANGELOG.rdoc +8 -1
- data/Gemfile +19 -1
- data/Manifest.txt +3 -3
- data/README.rdoc +24 -21
- data/Rakefile +7 -8
- data/lib/loofah-activerecord.rb +6 -6
- data/lib/{loofah-activerecord → loofah/activerecord}/active_record.rb +0 -0
- data/lib/{loofah-activerecord → loofah/activerecord}/railtie.rb +2 -2
- data/lib/{loofah-activerecord → loofah/activerecord}/xss_foliate.rb +28 -4
- data/rails_test/Rakefile +102 -47
- data/rails_test/generate_test_directory +1 -1
- data/test/helper.rb +13 -3
- data/test/unit/test_active_record.rb +34 -38
- data/test/unit/test_xss_foliate.rb +66 -66
- metadata +178 -144
data/.gemtest
ADDED
File without changes
|
data/CHANGELOG.rdoc
CHANGED
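--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1 +1,19 @@
-
+# -*- ruby -*-
+
+# DO NOT EDIT THIS FILE. Instead, edit Rakefile, and run `rake bundler:gemfile`.
+
+source "https://rubygems.org/"
+
+gem "loofah", ">=1.0.0"
+
+gem "bundler", "~>1.2.0", :group => [:development, :test]
+gem "hoe", "~>3.3", :group => [:development, :test]
+gem "rr", "~>1.0", :group => [:development, :test]
+gem "hoe-gemspec", ">=0", :group => [:development, :test]
+gem "rdoc", "~>3.10", :group => [:development, :test]
+gem "hoe-git", ">=0", :group => [:development, :test]
+gem "hoe-bundler", ">=0", :group => [:development, :test]
+gem "minitest", "~>2.2", :group => [:development, :test]
+gem "acts_as_fu", ">=0.0.5", :group => [:development, :test]
+
+# vim: syntax=ruby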
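--- a/data/Manifest.txt
+++ b/data/Manifest.txt
@@ -5,9 +5,9 @@ Manifest.txt
 README.rdoc
 Rakefile
 lib/loofah-activerecord.rb
-lib/loofah
-lib/loofah
-lib/loofah
+lib/loofah/activerecord/active_record.rb
+lib/loofah/activerecord/railtie.rb
+lib/loofah/activerecord/xss_foliate.rb
 rails_test/Rakefile
 rails_test/common/active_record/app/models/post.rb
 rails_test/common/active_record/test/unit/posts_test.rb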
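--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,8 +1,8 @@
 = loofah-activerecord
 
 * http://github.com/flavorjones/loofah-activerecord
-* http://loofah
-* http://
+* http://rubydoc.info/github/flavorjones/loofah-activerecord/master/frames
+* http://librelist.com/browser/loofah
 
 == Description
 
@@ -11,42 +11,45 @@ ActiveRecord models.
 
 == Features
 
-
-
+There are two ActiveRecord extensions included with loofah-activerecord:
+
 * Loofah::ActiveRecordExtension is an *opt-in* sanitizer. You must explicitly declare attributes to be sanitized.
+* Loofah::XssFoliate, a drop-in replacement for XssTerminate[http://github.com/look/xss_terminate/tree/master], is an *opt-out* sanitizer. By default all models and attributes are sanitized.
 
 === ActiveRecord Extension \#1: Opt-In
 
-See Loofah::ActiveRecordExtension for full documentation. The
-mixed into ActiveRecord are:
+See Loofah::ActiveRecordExtension for full documentation. The class
+methods mixed into ActiveRecord are:
 
-*
-*
+* +html_document+
+* +html_fragment+
 
 which are used to declare how specific string and text attributes
-should be scrubbed
+should be scrubbed during +before_validation+.
 
 # app/model/post.rb
 class Post < ActiveRecord::Base
-html_fragment :body, :scrub => :prune # scrubs
+html_fragment :body, :scrub => :prune # scrubs `body` using the :prune scrubber
 end
 
 === ActiveRecord Extension \#2: Opt-Out
 
-See Loofah::XssFoliate::ClassMethods for more documentation. The
+See Loofah::XssFoliate::ClassMethods for more documentation. The class
+methods mixed into ActiveRecord are:
 
-*
-*
+* +xss_foliate+
+* +xss_foliated?+
 
 which are used to declare how specific string and text attributes
-should be scrubbed
+should be scrubbed during +before_validation+.
 
-Attributes are
-specified or the attribute is present in an
+Attributes are scrubbed with the +:strip+ scrubber by default, unless
+another scrubber is specified or the attribute is present in an
++:except+ clause.
 
 == Requirements
 
-*
+* Loofah >= 1.0.0
 * Rails 3.0, 2.3, 2.2, 2.1, 2.0 or 1.2 (pow!)
 
 == Installation
@@ -57,11 +60,11 @@ Unsurprisingly:
 
 == Support
 
-The bug tracker is available here
+The bug tracker is available here:
 
-* http://github.com/flavorjones/loofah/issues
+* http://github.com/flavorjones/loofah-activerecord/issues
 
-And the mailing list is on librelist (
+And the mailing list is on librelist (the general Loofah mailing list):
 
 * loofah@librelist.com / http://librelist.com
 
@@ -89,7 +92,7 @@ This library was split out of the Loofah project for version 1.0.0.
 
 The MIT License
 
-Copyright (c) 2009, 2010 by Mike Dalessio
+Copyright (c) 2009, 2010, 2011 by Mike Dalessio
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal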
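--- a/data/Rakefile
+++ b/data/Rakefile
@@ -14,10 +14,14 @@ Hoe.spec "loofah-activerecord" do
 self.readme_file = "README.rdoc"
 
 extra_deps << ["loofah", ">= 1.0.0"]
-
-extra_dev_deps << ["
+
+extra_dev_deps << ["minitest", "~>2.2"]
+extra_dev_deps << ["rr", "~>1.0"]
 extra_dev_deps << ["acts_as_fu", ">=0.0.5"]
-extra_dev_deps << ["bundler", "
+extra_dev_deps << ["bundler", "~>1.2.0"]
+extra_dev_deps << ["hoe-git", ">=0"]
+extra_dev_deps << ["hoe-bundler", ">=0"]
+extra_dev_deps << ["hoe-gemspec", ">=0"]
 end
 
 load "rails_test/Rakefile"
@@ -40,11 +44,6 @@ task :fix_css do
 margin-top : .5em ;
 }
 
-#main ul, div#documentation ul {
-list-style-type : disc ! IMPORTANT ;
-list-style-position : inside ! IMPORTANT ;
-}
-
 h2 + ul {
 margin-top : 1em;
 }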
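--- a/data/lib/loofah-activerecord.rb
+++ b/data/lib/loofah-activerecord.rb
@@ -3,17 +3,17 @@ $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__))) unless $LOAD_PATH.i
 require 'loofah'
 
 module Loofah::ActiveRecord
-VERSION = "1.
+VERSION = "1.1.0"
 end
 
 if defined?(Rails) && Rails::VERSION::MAJOR == 3
-require 'loofah
+require 'loofah/activerecord/railtie'
 elsif defined? Rails.configuration and Rails.configuration.frameworks.include?([:active_record]) # >= 2.1
 Rails.configuration.after_initialize do
-require 'loofah
-require 'loofah
+require 'loofah/activerecord/active_record'
+require 'loofah/activerecord/xss_foliate'
 end
 elsif defined? ActiveRecord::Base # <= 2.0
-require 'loofah
-require 'loofah
+require 'loofah/activerecord/active_record'
+require 'loofah/activerecord/xss_foliate'
 end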
File without changes
|
@@ -4,8 +4,8 @@ module Loofah::ActiveRecord
|
|
4
4
|
initializer "loofah-activerecord.initialize" do |app|
|
5
5
|
activerecord_railtie = app.railties.all.select {|railtie| railtie.class.to_s == "ActiveRecord::Railtie" }
|
6
6
|
if activerecord_railtie
|
7
|
-
require 'loofah
|
8
|
-
require 'loofah
|
7
|
+
require 'loofah/activerecord/active_record'
|
8
|
+
require 'loofah/activerecord/xss_foliate'
|
9
9
|
end
|
10
10
|
end
|
11
11
|
end
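Review bot: The guard `if activerecord_railtie` on the context line directly above the two changed `require` lines can never be false, because `select` returns an Array and an empty Array is truthy in Ruby, so the ActiveRecord extensions are loaded even in an app that has no ActiveRecord railtie. Replace the assignment and the guard with `if app.railties.all.any? { |railtie| railtie.class.to_s == "ActiveRecord::Railtie" }`, or keep the assignment and test `unless activerecord_railtie.empty?`. The commit only rewrites the require paths here, so the inverted guard is pre-existing, and what the two required files do when ActiveRecord is absent is not visible in this hunk. The enclosing initializer block and the railtie class begin outside the hunk.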
|
@@ -88,6 +88,13 @@ module Loofah
|
|
88
88
|
REAL_OPTIONS = VALID_OPTIONS - ALIASED_OPTIONS.keys
|
89
89
|
# :startdoc:
|
90
90
|
|
91
|
+
def self.extended(base)
|
92
|
+
# Rails 3.0 and later
|
93
|
+
if base.respond_to?(:class_attribute)
|
94
|
+
base.send(:class_attribute, :xss_foliate_options)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
|
91
98
|
#
|
92
99
|
# Annotate your model with this method to specify which fields
|
93
100
|
# you want scrubbed, and how you want them scrubbed. XssFoliate
|
@@ -120,7 +127,10 @@ module Loofah
|
|
120
127
|
#
|
121
128
|
def xss_foliate(options = {})
|
122
129
|
callback_already_declared = \
|
123
|
-
if respond_to?(:
|
130
|
+
if respond_to?(:class_attribute)
|
131
|
+
# Rails 3.0 and later
|
132
|
+
false
|
133
|
+
elsif respond_to?(:before_validation_callback_chain)
|
124
134
|
# Rails 2.1 and later
|
125
135
|
before_validation_callback_chain.any? {|cb| cb.method == :xss_foliate_fields}
|
126
136
|
else
|
@@ -131,7 +141,10 @@ module Loofah
|
|
131
141
|
|
132
142
|
unless callback_already_declared
|
133
143
|
before_validation :xss_foliate_fields
|
134
|
-
|
144
|
+
unless respond_to?(:class_attribute)
|
145
|
+
# Rails 3.0 and later
|
146
|
+
class_inheritable_reader :xss_foliate_options
|
147
|
+
end
|
135
148
|
include XssFoliate::InstanceMethods
|
136
149
|
end
|
137
150
|
|
@@ -147,7 +160,12 @@ module Loofah
|
|
147
160
|
options[real] += Array(options.delete(option)).collect { |val| val.to_sym } if options[option]
|
148
161
|
end
|
149
162
|
|
150
|
-
|
163
|
+
if respond_to?(:class_attribute)
|
164
|
+
# Rails 3.0 and later
|
165
|
+
self.xss_foliate_options = options
|
166
|
+
else
|
167
|
+
write_inheritable_attribute(:xss_foliate_options, options)
|
168
|
+
end
|
151
169
|
end
|
152
170
|
|
153
171
|
#
|
@@ -155,7 +173,13 @@ module Loofah
|
|
155
173
|
# xss_foliation to its attributes. Could be useful in test suites.
|
156
174
|
#
|
157
175
|
def xss_foliated?
|
158
|
-
options =
|
176
|
+
options =
|
177
|
+
if respond_to?(:class_attribute)
|
178
|
+
# Rails 3.0 and later
|
179
|
+
xss_foliate_options
|
180
|
+
else
|
181
|
+
read_inheritable_attribute(:xss_foliate_options)
|
182
|
+
end
|
159
183
|
! (options.nil? || options.empty?)
|
160
184
|
end
|
161
185
|
end
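Review bot: In the `@@ -131,7 +141,10` hunk the new comment `# Rails 3.0 and later` above `class_inheritable_reader :xss_foliate_options` is inverted: that branch runs only when `class_attribute` is not available, i.e. on Rails 2.x, where `class_inheritable_reader` is the legacy API, while the Rails 3 case is set up by the new `self.extended`. Change the comment to `# Rails 2.x (no class_attribute): legacy inheritable-attribute API`. In the `@@ -120,7 +127,10` hunk `callback_already_declared` is now unconditionally `false` whenever `class_attribute` exists, so on Rails 3 a repeated `xss_foliate` call (for example a subclass re-declaring its options) registers `before_validation :xss_foliate_fields` a second time and the attributes are scrubbed twice per validation. Whether that is merely wasteful or also changes the stored value depends on the configured scrubbers being idempotent, which is worth confirming; otherwise the Rails 3 branch could look for an existing `:xss_foliate_fields` filter in the model's validation callback chain instead of returning `false`. The enclosing `xss_foliate` method starts and ends outside these hunks.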
|
data/rails_test/Rakefile
CHANGED
@@ -1,63 +1,118 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
1
|
+
namespace "test" do
|
2
|
+
require "bundler"
|
3
|
+
require "yaml"
|
4
|
+
|
5
|
+
def gem_versions_for rails_version
|
6
|
+
mm = rails_version.split(".")[0,2].join(".")
|
7
|
+
YAML.load_file("gem-versions.yml")[mm]
|
8
|
+
end
|
6
9
|
|
7
|
-
def
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
gem "rails", "=#{version}"
|
17
|
-
gem "loofah", :path => File.join(File.dirname(__FILE__),"../../../loofah")
|
18
|
-
gem "loofah-activerecord", :path => File.join(File.dirname(__FILE__),"../..")
|
19
|
-
gem "sqlite3-ruby", :require => "sqlite3"
|
20
|
-
GEM
|
10
|
+
def ruby_version_for rails_version
|
11
|
+
mmp = if rails_version =~ /^([12]\.|3\.0)/
|
12
|
+
"1.8.7"
|
13
|
+
else
|
14
|
+
"1.9.3"
|
15
|
+
end
|
16
|
+
|
17
|
+
rbenv_versions = `rbenv versions`.split("\n").map do |line|
|
18
|
+
line[2..-1].split.first
|
21
19
|
end
|
22
|
-
|
20
|
+
|
21
|
+
desired_version = rbenv_versions.reverse.select do |rbenv_version|
|
22
|
+
rbenv_version =~ /^#{mmp}/
|
23
|
+
end.first
|
24
|
+
|
25
|
+
raise "ERROR: No Ruby version matching #{mmp} installed with rbenv" if desired_version.nil?
|
26
|
+
|
27
|
+
desired_version
|
23
28
|
end
|
24
|
-
end
|
25
29
|
|
26
|
-
def
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
30
|
+
def dir_to_version_and_flavor dir
|
31
|
+
dir =~ /rails-([^-]+)-(.*)/
|
32
|
+
return [$1, $2]
|
33
|
+
end
|
34
|
+
|
35
|
+
def run(cmd, rbenv_version=nil)
|
36
|
+
puts "* running: #{cmd}"
|
31
37
|
begin
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
+
if rbenv_version
|
39
|
+
puts " (with ruby version #{rbenv_version})"
|
40
|
+
ENV['RBENV_VERSION'] = rbenv_version
|
41
|
+
cmd = "rbenv exec #{cmd}"
|
42
|
+
end
|
43
|
+
system cmd
|
44
|
+
ensure
|
45
|
+
ENV.delete('RBENV_VERSION')
|
38
46
|
end
|
47
|
+
raise "ERROR running command" unless $? == 0
|
39
48
|
end
|
40
|
-
end
|
41
49
|
|
42
|
-
def
|
43
|
-
|
44
|
-
|
45
|
-
|
50
|
+
def setup_rails_app dir
|
51
|
+
version, flavor = *(dir_to_version_and_flavor dir)
|
52
|
+
ruby_version = ruby_version_for version
|
53
|
+
|
54
|
+
run "./generate_test_directory #{version} #{flavor}"
|
55
|
+
bundler_cache = File.expand_path("bundler_cache")
|
56
|
+
snowflakes = Array gem_versions_for(version)
|
57
|
+
Dir.chdir dir do
|
58
|
+
File.open("Gemfile", "w") do |gemfile|
|
59
|
+
gemfile.write <<-GEM
|
60
|
+
source :gemcutter
|
61
|
+
gem "rails", "=#{version}"
|
62
|
+
gem "loofah", :path => File.join(File.dirname(__FILE__),"../../../loofah")
|
63
|
+
gem "loofah-activerecord", :path => File.join(File.dirname(__FILE__),"../..")
|
64
|
+
gem "sqlite3-ruby", :require => "sqlite3"
|
65
|
+
GEM
|
66
|
+
snowflakes.each { |name, versionspec| gemfile.puts %Q{gem "#{name}", "#{versionspec}"} }
|
67
|
+
end
|
68
|
+
FileUtils.rm_f "Gemfile.lock"
|
69
|
+
Bundler.with_clean_env do
|
70
|
+
begin
|
71
|
+
run "bundle install --quiet --local --path=#{bundler_cache}", ruby_version
|
72
|
+
rescue
|
73
|
+
run "bundle install --quiet --path=#{bundler_cache}", ruby_version
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
46
77
|
end
|
47
|
-
end
|
48
78
|
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
79
|
+
def test_rails_app dir
|
80
|
+
version, flavor = *(dir_to_version_and_flavor dir)
|
81
|
+
ruby_version = ruby_version_for version
|
82
|
+
|
83
|
+
@results ||= {}
|
84
|
+
Dir.chdir(dir) do
|
85
|
+
ENV['RAILS_ENV'] = "test"
|
86
|
+
FileUtils.mkdir_p "log"
|
87
|
+
begin
|
88
|
+
run "touch db/test.sqlite3" # db:create doesn't exist before rails 2.0
|
89
|
+
Bundler.with_clean_env { run "bundle exec rake db:migrate test:units", ruby_version }
|
90
|
+
rescue Object
|
91
|
+
@results[dir] = "FAIL"
|
92
|
+
else
|
93
|
+
@results[dir] = "SUCCESS"
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|
97
|
+
|
98
|
+
def print_results
|
99
|
+
puts "----- RESULTS -----"
|
100
|
+
@results.keys.sort.each do |key|
|
101
|
+
puts "* #{key}: #{@results[key]}"
|
102
|
+
end
|
103
|
+
end
|
104
|
+
|
105
|
+
Dir["#{File.dirname(__FILE__)}/rails-*"].sort.each do |fqdir|
|
106
|
+
dir = File.basename fqdir
|
107
|
+
desc "test #{dir}"
|
108
|
+
task "#{dir}" do
|
109
|
+
Dir.chdir(File.dirname(__FILE__)) do
|
110
|
+
setup_rails_app dir
|
111
|
+
test_rails_app dir
|
112
|
+
end
|
56
113
|
end
|
57
114
|
end
|
58
|
-
end
|
59
115
|
|
60
|
-
namespace :test do
|
61
116
|
desc "run tests across various versions of Rails"
|
62
117
|
task :rails do
|
63
118
|
Dir["#{File.dirname(__FILE__)}/rails-*"].sort.reverse.each do |fqdir|
|