RubyGems - lotus-view - Versions diffs - 0.3.0 → 0.4.0 - Mend

lotus-view 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/README.md +170 -1
data/lib/lotus/layout.rb +2 -0
data/lib/lotus/presenter.rb +46 -2
data/lib/lotus/view.rb +2 -0
data/lib/lotus/view/dsl.rb +21 -1
data/lib/lotus/view/escape.rb +180 -0
data/lib/lotus/view/rendering/layout_registry.rb +5 -6
data/lib/lotus/view/rendering/layout_scope.rb +8 -4
data/lib/lotus/view/rendering/registry.rb +3 -3
data/lib/lotus/view/rendering/scope.rb +10 -7
data/lib/lotus/view/version.rb +1 -1
data/lotus-view.gemspec +1 -1
metadata +6 -11

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e8fa1effeef34385f8e2500ab74842e8d196f9bf
-  data.tar.gz: 203e83425ed18d487d19cc825443fed66c53c86e
+  metadata.gz: 500bbc3ad33d7a944aa35980d6257df6c9653c01
+  data.tar.gz: 319d161fcdf16cbe089df0e178d8b07b5fd9ee09
 SHA512:
-  metadata.gz: 6b1317306b81d7579d3a3894ba2f22584f69f28039a0161a706c3d3cb7f89cc5a2b591c09e7c57b684d53870a9b96010a8db882717cd8a6ce0d9574f59be4b81
-  data.tar.gz: bee5b8b82b89c9e561bc89bffb53ba3a01028393934fb8bfa350e7fb13c240a305061a3c9b8196abadb710c13d3654b932a4986a609b06280c49c7abc24c6af0
+  metadata.gz: 0b99d764d671bdf5b5ad821f24aa4d1958f3e4fe92062018fc70b66c81dc799e8a3ad014c9f93e676e195485f4d174bb8e339a45be71a4b7f890f639d9509e8e
+  data.tar.gz: 1852df5e30fc12155bafb9c4a5ff23def34895b4ec376cceb2ef7d4adf57f6b2f109984a1d71a07a753bb2ede8291bac70b88989742a015d25998b1262cb98b0

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,15 @@
 # Lotus::View
 View layer for Lotus
+## v0.4.0 - 2015-03-23
+### Changed
+- [Luca Guidi] Autoescape concrete and virtual methods from presenters
+- [Luca Guidi] Autoescape concrete and virtual methods from views
+### Fixed
+- [Tom Kadwill] Improve error message for undefined method in view
+- [Luca Guidi] Ensure that layouts will include modules from `Configuration#prepare`
 ## v0.3.0 - 2014-12-23
 ### Added
 - [Trung Lê] When duplicate the framework, also duplicate `Presenter`

data/README.md CHANGED Viewed

@@ -366,6 +366,10 @@ For instance, if [ERubis](http://www.kuwata-lab.com/erubis/) is loaded, it will
     <td>Scss</td>
     <td>scss</td>
   </tr>
+  <tr>
+    <td>Slim</td>
+    <td>slim</td>
+  </tr>
   <tr>
     <td>String</td>
     <td>str</td>
@@ -622,6 +626,171 @@ After this operation, all the class variables are frozen, in order to prevent ac
 **This is not necessary, when Lotus::View is used within a Lotus application.**
+### Security
+The output of views and presenters is always **autoescaped**.
+**ATTENTION:** In order to prevent XSS attacks, please read the instructions below.
+Because Lotus::View supports a lot of template engines, the escape happens at the level of the view.
+Most of the time everything happens automatically, but there are still some corner cases that need your manual intervention.
+#### View autoescape
+```ruby
+require 'lotus/view'
+User = Struct.new(:name)
+module Users
+  class Show
+    include Lotus::View
+    def user_name
+      user.name
+    end
+  end
+end
+# ERB template
+# <div id="user_name"><%= user_name %></div>
+user = User.new("<script>alert('xss')</script>")
+# THIS IS USEFUL FOR UNIT TESTING:
+template = Lotus::View::Template.new('users/show.html.erb')
+view     = Users::Show.new(template, user: user)
+view.user_name # => "&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;"
+# THIS IS THE RENDERING OUTPUT:
+Users::Show.render(format: :html, user: user)
+# => <div id="user_name">&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;</div>
+```
+#### Presenter autoescape
+```ruby
+require 'lotus/view'
+User = Struct.new(:name)
+class UserPresenter
+  include Lotus::Presenter
+end
+user      = User.new("<script>alert('xss')</script>")
+presenter = UserPresenter.new(user)
+presenter.name # => "&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;"
+```
+#### Escape entire objects
+We have seen that concrete methods in views are automatically escaped.
+This is great, but tedious if you need to print a lot of information from a given object.
+Imagine you have `user` as part of the view locals.
+If you want to use `<%= user.name %>` directly, **you're still vulnerable to XSS attacks**.
+You have two alternatives:
+  * To use a concrete presenter (eg. `UserPresenter`)
+  * Escape the entire object (see the example below)
+Both those solutions allow you to keep the template syntax unchanged, but to have a safer output.
+```ruby
+require 'lotus/view'
+User = Struct.new(:first_name, :last_name)
+module Users
+  class Show
+    include Lotus::View
+    def user
+      _escape locals[:user]
+    end
+  end
+end
+# ERB template:
+#
+# <div id="first_name">
+#   <%= user.first_name %>
+# </div>
+# <div id="last_name">
+#   <%= user.last_name %>
+# </div>
+first_name = "<script>alert('first_name')</script>"
+last_name  = "<script>alert('last_name')</script>"
+user = User.new(first_name, last_name)
+html = Users::Show.render(format: :html, user: user)
+html
+  # =>
+  # <div id="first_name">
+  #   &lt;script&gt;alert(&apos;first_name&apos;)&lt;&#x2F;script&gt;
+  # </div>
+  # <div id="last_name">
+  #   &lt;script&gt;alert(&apos;last_name&apos;)&lt;&#x2F;script&gt;
+  # </div>
+```
+#### Raw contents
+You can use `_raw` to mark an output as safe.
+Please note that **this may open your application to XSS attacks.**
+#### Raw contents in views
+```ruby
+require 'lotus/view'
+User = Struct.new(:name)
+module Users
+  class Show
+    include Lotus::View
+    def user_name
+      _raw user.name
+    end
+  end
+end
+# ERB template
+# <div id="user_name"><%= user_name %></div>
+user = User.new("<script>alert('xss')</script>")
+html = Users::Show.render(format: :html, user: user)
+html
+# => <div id="user_name"><script>alert('xss')</script></div>
+```
+#### Raw contents in presenters
+```ruby
+require 'lotus/view'
+User = Struct.new(:name)
+class UserPresenter
+  include Lotus::Presenter
+  def first_name
+    _raw @object.first_name
+  end
+end
+user      = User.new("<script>alert('xss')</script>")
+presenter = UserPresenter.new(user)
+presenter.name # => "<script>alert('xss')</script>"
+```
 ## Versioning
 __Lotus::View__ uses [Semantic Versioning 2.0.0](http://semver.org)
@@ -636,4 +805,4 @@ __Lotus::View__ uses [Semantic Versioning 2.0.0](http://semver.org)
 ## Copyright
-Copyright 2014 Luca Guidi – Released under MIT License
+Copyright 2014-2015 Luca Guidi – Released under MIT License

data/lib/lotus/layout.rb CHANGED Viewed

@@ -34,6 +34,8 @@ module Lotus
         self.configuration = conf.duplicate
       end
+      conf.copy!(base)
     end
     # Class level API

data/lib/lotus/presenter.rb CHANGED Viewed

@@ -1,9 +1,15 @@
+require 'lotus/view/escape'
 module Lotus
   # Presenter pattern implementation
   #
+  # It delegates to the wrapped object the missing method invocations.
+  #
+  # The output of concrete and delegated methods is escaped as XSS prevention.
+  #
   # @since 0.1.0
   #
-  # @example
+  # @example Basic usage
   #   require 'lotus/view'
   #
   #   class Map
@@ -48,7 +54,45 @@ module Lotus
   #
   #   # it has private access to the original object
   #   puts presenter.inspect_object # => #<Map:0x007fdeada0b2f0 @locations=["Rome", "Boston"]>
+  #
+  # @example Escape
+  #   require 'lotus/view'
+  #
+  #   User = Struct.new(:first_name, :last_name)
+  #
+  #   class UserPresenter
+  #     include Lotus::Presenter
+  #
+  #     def full_name
+  #       [first_name, last_name].join(' ')
+  #     end
+  #
+  #     def raw_first_name
+  #       _raw first_name
+  #     end
+  #   end
+  #
+  #   first_name = '<script>alert('xss')</script>'
+  #
+  #   user = User.new(first_name, nil)
+  #   presenter = UserPresenter.new(user)
+  #
+  #   presenter.full_name
+  #     # => "&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;"
+  #
+  #   presenter.raw_full_name
+  #      # => "<script>alert('xss')</script>"
   module Presenter
+    # Inject escape logic into the given class.
+    #
+    # @since 0.4.0
+    # @api private
+    #
+    # @see Lotus::View::Escape
+    def self.included(base)
+      base.extend ::Lotus::View::Escape
+    end
     # Initialize the presenter
     #
     # @param object [Object] the object to present
@@ -65,7 +109,7 @@ module Lotus
     # @since 0.1.0
     def method_missing(m, *args, &blk)
       if @object.respond_to?(m)
-        @object.__send__ m, *args, &blk
+        ::Lotus::View::Escape.html(@object.__send__(m, *args, &blk))
       else
         super
       end

data/lib/lotus/view.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require 'lotus/view/version'
 require 'lotus/view/configuration'
 require 'lotus/view/inheritable'
 require 'lotus/view/rendering'
+require 'lotus/view/escape'
 require 'lotus/view/dsl'
 require 'lotus/layout'
 require 'lotus/presenter'
@@ -270,6 +271,7 @@ module Lotus
         extend Inheritable.dup
         extend Dsl.dup
         extend Rendering.dup
+        extend Escape.dup
         include Utils::ClassAttribute
         class_attribute :configuration

data/lib/lotus/view/dsl.rb CHANGED Viewed

@@ -212,12 +212,13 @@ module Lotus
       end
       # When a value is given, it specifies the layout.
+      # When false is given, Lotus::View::Rendering::NullLayout is returned.
       # Otherwise, it returns the previously specified layout.
       #
       # When the global configuration is set (`Lotus::View.layout=`), after the
       # loading process, it will return that layout if not otherwise specified.
       #
-      # @param value [Symbol,nil] the layout name
+      # @param value [Symbol, FalseClass, nil] the layout name
       #
       # @return [Symbol, nil] the specified layout for this view, if set
       #
@@ -294,9 +295,28 @@ module Lotus
       #
       #   Lotus::View.load!
       #   Articles::Show.layout # => :articles
+      #
+      # @example Disable layout for the view
+      #   require 'lotus/view'
+      #
+      #   class ApplicationLayout
+      #     include Lotus::Layout
+      #   end
+      #
+      #   module Articles
+      #     class Show
+      #       include Lotus::View
+      #       layout false
+      #     end
+      #   end
+      #
+      #   Lotus::View.load!
+      #   Articles::Show.layout # => Lotus::View::Rendering::NullLayout
       def layout(value = nil)
         if value.nil?
           @_layout ||= Rendering::LayoutFinder.find(@layout || configuration.layout, configuration.namespace)
+        elsif !value
+          @layout = Lotus::View::Rendering::NullLayout
         else
           @layout = value
         end

data/lib/lotus/view/escape.rb ADDED Viewed

@@ -0,0 +1,180 @@
+require 'lotus/utils/escape'
+require 'lotus/presenter'
+module Lotus
+  module View
+    # Auto escape logic for views and presenters.
+    #
+    # @since 0.4.0
+    module Escape
+      module InstanceMethods
+        private
+        # Mark the given string as safe to render.
+        #
+        # !!! ATTENTION !!! This may open your application to XSS attacks.
+        #
+        # @param string [String] the input string
+        #
+        # @return [Lotus::Utils::Escape::SafeString] the string marked as safe
+        #
+        # @since 0.4.0
+        # @api public
+        #
+        # @example View usage
+        #   require 'lotus/view'
+        #
+        #   User = Struct.new(:name)
+        #
+        #   module Users
+        #     class Show
+        #       include Lotus::View
+        #
+        #       def user_name
+        #         _raw user.name
+        #       end
+        #     end
+        #   end
+        #
+        #   # ERB template
+        #   # <div id="user_name"><%= user_name %></div>
+        #
+        #   user = User.new("<script>alert('xss')</script>")
+        #   html = Users::Show.render(format: :html, user: user)
+        #
+        #   html # => <div id="user_name"><script>alert('xss')</script></div>
+        #
+        # @example Presenter usage
+        #   require 'lotus/view'
+        #
+        #   User = Struct.new(:name)
+        #
+        #   class UserPresenter
+        #     include Lotus::Presenter
+        #
+        #     def name
+        #       _raw @object.name
+        #     end
+        #   end
+        #
+        #   user      = User.new("<script>alert('xss')</script>")
+        #   presenter = UserPresenter.new(user)
+        #
+        #   presenter.name # => "<script>alert('xss')</script>"
+        def _raw(string)
+          ::Lotus::Utils::Escape::SafeString.new(string)
+        end
+        # Force the output escape for the given object
+        #
+        # @param object [Object] the input object
+        #
+        # @return [Lotus::View::Escape::Presenter] a presenter with output
+        #   autoescape
+        #
+        # @since 0.4.0
+        # @api public
+        #
+        # @see Lotus::View::Escape::Presenter
+        #
+        # @example View usage
+        #   require 'lotus/view'
+        #
+        #   User = Struct.new(:first_name, :last_name)
+        #
+        #   module Users
+        #     class Show
+        #       include Lotus::View
+        #
+        #       def user
+        #         _escape locals[:user]
+        #       end
+        #     end
+        #   end
+        #
+        #   # ERB template:
+        #   #
+        #   # <div id="first_name">
+        #   #   <%= user.first_name %>
+        #   # </div>
+        #   # <div id="last_name">
+        #   #   <%= user.last_name %>
+        #   # </div>
+        #
+        #   first_name = "<script>alert('first_name')</script>"
+        #   last_name  = "<script>alert('last_name')</script>"
+        #
+        #   user = User.new(first_name, last_name)
+        #   html = Users::Show.render(format: :html, user: user)
+        #
+        #   html
+        #     # =>
+        #     # <div id="first_name">
+        #     #   &lt;script&gt;alert(&apos;first_name&apos;)&lt;&#x2F;script&gt;
+        #     # </div>
+        #     # <div id="last_name">
+        #     #   &lt;script&gt;alert(&apos;last_name&apos;)&lt;&#x2F;script&gt;
+        #     # </div>
+        def _escape(object)
+          ::Lotus::View::Escape::Presenter.new(object)
+        end
+      end
+      # Auto escape presenter
+      #
+      # @since 0.4.0
+      # @api private
+      #
+      # @see Lotus::View::Escape::InstanceMethods#_escape
+      class Presenter
+        include ::Lotus::Presenter
+      end
+      # Escape the given input if it's a string, otherwise return the oject as it is.
+      #
+      # @param input [Object] the input
+      #
+      # @return [Object,String] the escaped string or the given object
+      #
+      # @since 0.4.0
+      # @api private
+      def self.html(input)
+        case input
+        when String
+          Utils::Escape.html(input)
+        else
+          input
+        end
+      end
+      # Module extended override
+      #
+      # @since 0.4.0
+      # @api private
+      def self.extended(base)
+        base.class_eval do
+          include ::Lotus::Utils::ClassAttribute
+          include ::Lotus::View::Escape::InstanceMethods
+          class_attribute :autoescape_methods
+          self.autoescape_methods = {}
+        end
+      end
+      # Wraps concrete view methods with escape logic.
+      #
+      # @since 0.4.0
+      # @api private
+      def method_added(method_name)
+        unless autoescape_methods[method_name]
+          prepend Module.new {
+            module_eval %{
+              def #{ method_name }(*args, &blk); ::Lotus::View::Escape.html super; end
+            }
+          }
+          autoescape_methods[method_name] = true
+        end
+      end
+    end
+  end
+end

data/lib/lotus/view/rendering/layout_registry.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module Lotus
       # @since 0.1.0
       #
       # @see Lotus::Layout::ClassMethods#registry
-      class LayoutRegistry < ::Hash
+      class LayoutRegistry
         # Initialize the registry
         #
         # @param view [Class] the view
@@ -29,8 +29,7 @@ module Lotus
         # @api private
         # @since 0.1.0
         def initialize(view)
-          super()
+          @registry = {}
           @view = view
           prepare!
         end
@@ -50,15 +49,15 @@ module Lotus
         # @api private
         # @since 0.1.0
         def resolve(context)
-          fetch(format(context)) { NullTemplate.new }
+          @registry.fetch(format(context)) { NullTemplate.new }
         end
         protected
         def prepare!
           templates.each do |template|
-            merge! template.format => template
+            @registry.merge! template.format => template
           end
-          self.any? or raise MissingTemplateLayoutError.new(@view)
+          @registry.any? or raise MissingTemplateLayoutError.new(@view)
         end
         def templates

data/lib/lotus/view/rendering/layout_scope.rb CHANGED Viewed

@@ -33,8 +33,8 @@ module Lotus
         # @since 0.3.0
         def inspect
           base = "#<#{ self.class }:#{'%x' % (self.object_id << 1)}"
-          base << " @layout=\"#{@layout}\"" if @layout
-          base << " @scope=\"#{@scope}\"" if @scope
+          base << " @layout=\"#{@layout.inspect}\"" if @layout
+          base << " @scope=\"#{@scope.inspect}\"" if @scope
           base << ">"
         end
@@ -154,11 +154,15 @@ module Lotus
         #   # `article` will be looked up in the view scope first.
         #   # If not found, it will be searched within the layout.
         def method_missing(m, *args, &blk)
-          begin
+          if @scope.respond_to?(m)
             @scope.__send__(m, *args, &blk)
-          rescue
+          elsif @layout.respond_to?(m)
             @layout.__send__(m, *args, &blk)
+          else
+            super
           end
+        rescue ::NameError
+          ::Kernel.raise ::NoMethodError.new("undefined method `#{ m }' for #{ self.inspect }", m)
         end
         def renderer(options)

data/lib/lotus/view/rendering/registry.rb CHANGED Viewed

@@ -89,7 +89,7 @@ module Lotus
         #
         # @see Lotus::View::Rendering#render
         def resolve(context)
-          view, template = fetch(format(context)) { self[DEFAULT_FORMAT] }
+          view, template = @registry.fetch(format(context)) { @registry[DEFAULT_FORMAT] }
           view.new(template, context)
         end
@@ -101,13 +101,13 @@ module Lotus
         def prepare_views!
           views.each do |view|
-            merge! view.format || DEFAULT_FORMAT => [ view, template_for(view) ]
+            @registry.merge! view.format || DEFAULT_FORMAT => [ view, template_for(view) ]
           end
         end
         def prepare_templates!
           templates.each do |template|
-            merge! template.format => [ view_for(template), template ]
+            @registry.merge! template.format => [ view_for(template), template ]
           end
         end

data/lib/lotus/view/rendering/scope.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require 'lotus/utils/escape'
 require 'lotus/view/rendering/layout_scope'
 require 'lotus/view/rendering/template'
 require 'lotus/view/rendering/partial'
@@ -59,13 +60,15 @@ module Lotus
         protected
         def method_missing(m, *args, &block)
-          if @view.respond_to?(m)
-            @view.__send__ m, *args, &block
-          elsif @locals.key?(m)
-            @locals[m]
-          else
-            super
-          end
+          ::Lotus::View::Escape.html(
+            if @view.respond_to?(m)
+              @view.__send__ m, *args, &block
+            elsif @locals.key?(m)
+              @locals[m]
+            else
+              super
+            end
+          )
         end
       end
     end

data/lib/lotus/view/version.rb CHANGED Viewed

@@ -3,6 +3,6 @@ module Lotus
     # Defines the version
     #
     # @since 0.1.0
-    VERSION = '0.3.0'.freeze
+    VERSION = '0.4.0'.freeze
   end
 end

data/lotus-view.gemspec CHANGED Viewed

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.0.0'
   spec.add_runtime_dependency 'tilt',        '~> 2.0', '>= 2.0.1'
-  spec.add_runtime_dependency 'lotus-utils', '~> 0.3', '>= 0.3.2'
+  spec.add_runtime_dependency 'lotus-utils', '~> 0.4'
   spec.add_development_dependency 'bundler',  '~> 1.5'
   spec.add_development_dependency 'minitest', '~> 5'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lotus-view
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Luca Guidi
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-23 00:00:00.000000000 Z
+date: 2015-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tilt
@@ -36,20 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: '0.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: '0.4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +102,7 @@ files:
 - lib/lotus/view.rb
 - lib/lotus/view/configuration.rb
 - lib/lotus/view/dsl.rb
+- lib/lotus/view/escape.rb
 - lib/lotus/view/inheritable.rb
 - lib/lotus/view/rendering.rb
 - lib/lotus/view/rendering/layout_finder.rb
@@ -147,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: View layer for Lotus, with a separation between views and templates