orb_template 0.1.3 → 0.2.2

data/lib/orb/ast/abstract_node.rb

@@ -3,17 +3,27 @@
 module ORB
   module AST
     class AbstractNode
-      attr_accessor :children, :attributes, :errors
+      attr_accessor :children, :attributes
+      attr_writer :errors
+
+      EMPTY_ARRAY = [].freeze
 
       def initialize(*_args)
         @children = []
-        @errors = []
+      end
+
+      def errors
+        @errors || EMPTY_ARRAY
       end
 
       def add_child(node)
         @children << node
       end
 
+      def add_error(error)
+        (@errors ||= []) << error
+      end
+
       def render(_context)
         raise "Not implemented - you must implement render in your subclass!"
       end

data/lib/orb/ast/control_expression_node.rb

@@ -13,14 +13,16 @@ module ORB
       def initialize(token)
         super
         @expression = token.value
+        @is_block = BLOCK_RE.match?(@expression)
+        @is_end = @expression == 'end' || @expression.strip == 'end'
       end
 
       def block?
-        @expression =~ BLOCK_RE
+        @is_block
       end
 
       def end?
-        @expression.strip == 'end'
+        @is_end
       end
     end
   end

data/lib/orb/ast/printing_expression_node.rb

@@ -11,14 +11,16 @@ module ORB
       def initialize(token)
         super
         @expression = token.value
+        @is_block = BLOCK_RE.match?(@expression)
+        @is_end = @expression == 'end' || @expression.strip == 'end'
       end
 
       def block?
-        @expression =~ BLOCK_RE
+        @is_block
       end
 
       def end?
-        @expression.strip == 'end'
+        @is_end
       end
 
       def render(_context)

data/lib/orb/patterns.rb

@@ -4,7 +4,7 @@ module ORB
   module Patterns
     SPACE_CHARS                   = /\s/
     TAG_NAME                      = %r{[^\s>/=$]+}
-    ATTRIBUTE_NAME                = %r{[^\s>/=]+}
+    ATTRIBUTE_NAME                = /[a-zA-Z_:][-a-zA-Z0-9_:.]*/
     UNQUOTED_VALUE_INVALID_CHARS  = /["'=<`]/
     UNQUOTED_VALUE                = %r{[^\s/>]+}
     BLOCK_NAME_CHARS              = /[^\s}]+/
@@ -37,5 +37,17 @@ module ORB
     CRLF                          = /\r\n/
     BLANK                         = /[[:blank:]]/
     OTHER                         = /./
+
+    # Greedy multi-character patterns for bulk scanning in each tokenizer state.
+    # Each pattern excludes only the characters that could start a delimiter in
+    # that state, so the tokenizer consumes runs of "boring" text in one match
+    # instead of character-by-character.
+    INITIAL_TEXT                  = /[^\n\r{<]+/
+    EXPRESSION_TEXT               = /[^\n\r{}]+/
+    COMMENT_TEXT                  = /[^\n\r-]+/
+    VERBATIM_TEXT                 = /[^\n\r<]+/
+    SINGLE_QUOTED_TEXT            = /[^\n\r']+/
+    DOUBLE_QUOTED_TEXT            = /[^\n\r"]+/
+    BLOCK_CONTENT_TEXT            = /[^{}\n\r]+/
   end
 end

data/lib/orb/temple/attributes_compiler.rb

@@ -81,15 +81,16 @@ module ORB
       # an attribute can be a static string, a dynamic expression,
       # or a boolean attribute (an attribute without a value, e.g. disabled, checked, etc.)
       #
-      # For boolean attributes, we return a [:dynamic, "nil"] expression, so that the
-      # final render for the attribute will be `attribute` instead of `attribute="true"`
+      # Compile a single attribute into Temple core abstraction.
+      # Boolean attributes emit [:static, ""] directly instead of [:dynamic, "nil"]
+      # to avoid unnecessary Ripper analysis in Temple's StaticAnalyzer filter.
       def compile_attribute(attribute)
         if attribute.string?
           [:html, :attr, attribute.name, [:static, attribute.value]]
         elsif attribute.bool?
-          [:html, :attr, attribute.name, [:dynamic, "nil"]]
+          [:html, :attr, attribute.name, [:static, ""]]
         elsif attribute.expression?
-          [:html, :attr, attribute.name, [:dynamic, attribute.value]]
+          [:html, :attr, attribute.name, [:escape, true, [:dynamic, attribute.value]]]
         end
       end
 
@@ -115,9 +116,46 @@ module ORB
         end
       end
 
+      # Pre-build the variable name string with a single interpolation
       def prefixed_variable_name(name, prefix)
         "#{prefix}_arg_#{name.underscore}"
       end
+
+      # Combined single-pass compilation of captures and komponent args
+      # Returns [captures_array, args_string]
+      def compile_captures_and_args(attributes, prefix)
+        captures = []
+        args = {}
+        splats = []
+
+        attributes.each do |attribute|
+          if attribute.splat?
+            splats << attribute.value
+            next
+          end
+
+          var_name = prefixed_variable_name(attribute.name, prefix)
+
+          # Build capture
+          if attribute.string?
+            captures << [:code, "#{var_name} = \"#{attribute.value}\""]
+          elsif attribute.bool?
+            captures << [:code, "#{var_name} = true"]
+          elsif attribute.expression?
+            captures << [:code, "#{var_name} = #{attribute.value}"]
+          end
+
+          # Build args hash
+          args = args.deep_merge(dash_to_hash(attribute.name, var_name))
+        end
+
+        # Build the argument list
+        result_parts = []
+        result_parts << hash_to_args_list(args) unless args.empty?
+        result_parts += splats
+
+        [captures, result_parts.join(', ')]
+      end
     end
   end
 end

data/lib/orb/temple/compiler.rb

@@ -31,33 +31,33 @@ module ORB
       #
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
-      def transform(node, context = {})
+      def transform(node)
         if node.is_a?(ORB::AST::RootNode)
-          transform_children(node, context)
+          transform_children(node)
         elsif node.is_a?(ORB::AST::TextNode)
-          transform_text_node(node, context)
+          transform_text_node(node)
         elsif node.is_a?(ORB::AST::PrintingExpressionNode)
-          transform_printing_expression_node(node, context)
+          transform_printing_expression_node(node)
         elsif node.is_a?(ORB::AST::ControlExpressionNode)
-          transform_control_expression_node(node, context)
+          transform_control_expression_node(node)
         elsif node.is_a?(ORB::AST::TagNode) && node.compiler_directives?
-          transform_directives_for_tag_node(node, context)
+          transform_directives_for_tag_node(node)
         elsif node.is_a?(ORB::AST::TagNode) && node.dynamic?
-          transform_dynamic_tag_node(node, context)
+          transform_dynamic_tag_node(node)
         elsif node.is_a?(ORB::AST::TagNode) && node.html_tag?
-          transform_html_tag_node(node, context)
+          transform_html_tag_node(node)
         elsif node.is_a?(ORB::AST::TagNode) && node.component_tag?
-          transform_component_tag_node(node, context)
+          transform_component_tag_node(node)
         elsif node.is_a?(ORB::AST::TagNode) && node.component_slot_tag?
-          transform_component_slot_tag_node(node, context)
+          transform_component_slot_tag_node(node)
         elsif node.is_a?(ORB::AST::BlockNode)
-          transform_block_node(node, context)
+          transform_block_node(node)
         elsif node.is_a?(ORB::AST::PublicCommentNode)
-          transform_public_comment_node(node, context)
+          transform_public_comment_node(node)
         elsif node.is_a?(ORB::AST::PrivateCommentNode)
-          transform_private_comment_node(node, context)
+          transform_private_comment_node(node)
         elsif node.is_a?(ORB::AST::NewlineNode)
-          transform_newline_node(node, context)
+          transform_newline_node(node)
         elsif node.is_a?(ORB::Error)
           runtime_error(node)
         else
@@ -68,135 +68,123 @@ module ORB
       # rubocop:enable Metrics/PerceivedComplexity
 
       # Compile the children of a node and collect the result into a Temple expression
-      def transform_children(node, context)
-        [:multi, *node.children.map { |child| transform(child, context) }]
+      def transform_children(node)
+        [:multi, *node.children.map { |child| transform(child) }]
       end
 
       # Compile a TextNode into a Temple expression
-      def transform_text_node(node, _context)
+      def transform_text_node(node)
         [:static, node.text]
       end
 
       # Compile an PExpressionNode into a Temple expression
-      def transform_printing_expression_node(node, context)
+      def transform_printing_expression_node(node)
         if node.block?
           tmp = @identity.generate(:variable)
           [:multi,
-            # Capture the result of the code in a variable. We can't do
-            # `[:dynamic, code]` because it's probably not a complete
-            # expression (which is a requirement for Temple).
             [
               :block, "#{tmp} = #{node.expression}",
-
-              # Capture the content of a block in a separate buffer. This means
-              # that `yield` will not output the content to the current buffer,
-              # but rather return the output.
-              #
-              # The capturing can be disabled with the option :disable_capture.
-              # Output code in the block writes directly to the output buffer then.
-              # Rails handles this by replacing the output buffer for helpers.
               if @options.fetch(:disable_capture, false)
-                transform_children(node, context)
+                transform_children(node)
               else
-                [:capture, @identity.generate(:variable), transform_children(node, context)]
+                [:capture, @identity.generate(:variable), transform_children(node)]
               end
             ],
-            # Output the content.
             [:escape, true, [:dynamic, tmp]]]
         elsif node.children.any?
-          [:multi, [:escape, true, [:dynamic, node.expression]], transform_children(node, context)]
+          [:multi, [:escape, true, [:dynamic, node.expression]], transform_children(node)]
         else
           [:escape, true, [:dynamic, node.expression]]
         end
       end
 
       # Compile an NPExpressionNode into a Temple expression
-      def transform_control_expression_node(node, context)
+      def transform_control_expression_node(node)
         if node.block?
           tmp = @identity.generate(:variable)
           [:multi,
-            [:block, "#{tmp} = #{node.expression}", transform_children(node, context)]]
+            [:block, "#{tmp} = #{node.expression}", transform_children(node)]]
         elsif node.children.any?
-          [:multi, [:code, node.expression], transform_children(node, context)]
+          [:multi, [:code, node.expression], transform_children(node)]
         else
           [:code, node.expression]
         end
       end
 
       # Compile an HTML TagNode into a Temple expression
-      def transform_html_tag_node(node, context)
-        [:orb, :tag, node.tag, node.attributes, transform_children(node, context)]
+      def transform_html_tag_node(node)
+        [:orb, :tag, node.tag, node.attributes, transform_children(node)]
       end
 
       # Compile a component TagNode into a Temple expression
-      def transform_component_tag_node(node, context)
-        [:orb, :component, node, transform_children(node, context)]
+      def transform_component_tag_node(node)
+        [:orb, :component, node, transform_children(node)]
       end
 
       # Compile a component slot TagNode into a Temple expression
-      def transform_component_slot_tag_node(node, context)
-        [:orb, :slot, node, transform_children(node, context)]
+      def transform_component_slot_tag_node(node)
+        [:orb, :slot, node, transform_children(node)]
       end
 
       # Compile a block node into a Temple expression
-      def transform_block_node(node, context)
+      def transform_block_node(node)
         case node.name
         when :if
-          [:orb, :if, node.expression, transform_children(node, context)]
+          [:orb, :if, node.expression, transform_children(node)]
         when :for
-          [:orb, :for, node.expression, transform_children(node, context)]
+          [:orb, :for, node.expression, transform_children(node)]
         else
           [:static, 'Unknown block node']
         end
       end
 
       # Compile a comment node into a Temple expression
-      def transform_public_comment_node(node, _context)
+      def transform_public_comment_node(node)
         [:html, :comment, [:static, node.text]]
       end
 
       # Compile a private_comment node into a Temple expression
-      def transform_private_comment_node(_node, _context)
+      def transform_private_comment_node(_node)
         [:static, ""]
       end
 
       # Compile a newline node into a Temple expression
-      def transform_newline_node(_node, _context)
+      def transform_newline_node(_node)
         [:newline]
       end
 
       # Compile a tag node with directives
-      def transform_directives_for_tag_node(node, context)
+      def transform_directives_for_tag_node(node)
         # First, process any :if directives
         if_directive = node.directives.fetch(:if, false)
         if if_directive
           node.remove_directive(:if)
           return [:if,
             if_directive,
-            transform(node, context)]
+            transform(node)]
         end
 
         # Second, process any :for directives
         for_directive = node.directives.fetch(:for, false)
         if for_directive
           node.remove_directive(:for)
-          return [:orb, :for, for_directive, transform(node, context)]
+          return [:orb, :for, for_directive, transform(node)]
         end
 
         # Last, render as a dynamic node expression
-        transform(node, context)
+        transform(node)
       end
 
       # Compile a dynamic tag node
-      def transform_dynamic_tag_node(node, context)
-        [:orb, :dynamic, node, transform_children(node, context)]
+      def transform_dynamic_tag_node(node)
+        [:orb, :dynamic, node, transform_children(node)]
       end
 
       # Helper or raising exceptions during compilation
       def runtime_error(error)
         [:multi].tap do |temple|
           (error.line - 1).times { temple << [:newline] } if error.line
-          temple << [:code, %[raise ORB::Error.new(%q[#{error.message}], #{error.line.inspect})]]
+          temple << [:code, "raise ORB::Error.new(#{error.message.inspect}, #{error.line.inspect})"]
         end
       end
     end

data/lib/orb/temple/engine.rb

@@ -30,7 +30,10 @@ module ORB
       html :Fast
       filter :Ambles
       filter :Escapable
-      filter :StaticAnalyzer
+      # NOTE: StaticAnalyzer intentionally omitted. It calls Ripper.lex + Ripper.parse
+      # on every [:dynamic, ...] node to check if it's actually a static expression.
+      # ORB's compiler never emits static expressions as :dynamic nodes, so this
+      # filter always concludes "not static" -- pure overhead (Ripper is expensive).
       filter :ControlFlow
       filter :MultiFlattener
       filter :StaticMerger

data/lib/orb/temple/filters.rb

@@ -3,6 +3,24 @@
 module ORB
   module Temple
     class Filters < ::Temple::Filter
+      # Valid HTML tag names: starts with a letter, followed by letters, digits, or hyphens.
+      # Used to validate dynamic tag names before interpolation into generated Ruby code.
+      VALID_HTML_TAG_NAME = /\A[a-zA-Z][a-zA-Z0-9-]*\z/
+
+      # Valid Ruby constant path: one or more segments like Foo, Foo::Bar, Foo::Bar::Baz.
+      # Each segment starts with an uppercase letter followed by word characters.
+      # Used to validate component names before interpolation into generated Ruby code.
+      VALID_COMPONENT_NAME = /\A[A-Z]\w*(::[A-Z]\w*)*\z/
+
+      # Valid Ruby identifier for use as a method name suffix in with_[name] slot calls.
+      # Used to validate slot names before interpolation into generated Ruby code.
+      VALID_SLOT_NAME = /\A[a-z_]\w*\z/
+
+      # Valid :for expression: single identifier or tuple-destructured identifiers
+      # (e.g., "item in items", "key, value in hash", "(key, value) in hash")
+      # followed by " in " and the collection expression.
+      VALID_FOR_EXPRESSION = /\A\s*(\(?[a-z_]\w*(?:\s*,\s*[a-z_]\w*)*\)?)\s+in\s+(.+)\z/m
+
       def initialize(options = {})
         @options = options
         @attributes_compiler = AttributesCompiler.new
@@ -32,15 +50,19 @@ module ORB
         name = node.tag.gsub('.', '::')
         komponent = ORB.lookup_component(name)
         komponent_name = komponent || name
+        unless komponent_name.match?(VALID_COMPONENT_NAME)
+          raise ORB::SyntaxError.new("Invalid component name: #{komponent_name.inspect}", 0)
+        end
 
         block_name = "__orb__#{komponent_name.rpartition('::').last.underscore}"
         block_name = node.directives.fetch(:with, block_name)
+        unless block_name.match?(VALID_SLOT_NAME)
+          raise ORB::SyntaxError.new("Invalid :with directive value: must be a valid Ruby identifier", 0)
+        end
 
-        # We need to compile the attributes into a set of captures and a set of arguments
-        # since arguments passed to the view component constructor may be defined as
-        # dynamic expressions in our template, and we need to first capture their results.
-        arg_captures = @attributes_compiler.compile_captures(node.attributes, tmp)
-        args = @attributes_compiler.compile_komponent_args(node.attributes, tmp)
+        # Compile attributes in a single pass: captures for variable assignment +
+        # args string for the component constructor call.
+        arg_captures, args = @attributes_compiler.compile_captures_and_args(node.attributes, tmp)
 
         # Construct the render call for the view component
         code = "render #{komponent_name}.new(#{args}) do |#{block_name}|"
@@ -68,16 +90,20 @@ module ORB
       def on_orb_slot(node, content = [])
         tmp = unique_name
 
-        # We need to compile the attributes into a set of captures and a set of arguments
-        # since arguments passed to the view component constructor may be defined as
-        # dynamic expressions in our template, and we need to first capture their results.
-        arg_captures = @attributes_compiler.compile_captures(node.attributes, tmp)
-        args = @attributes_compiler.compile_komponent_args(node.attributes, tmp)
+        # Compile attributes in a single pass
+        arg_captures, args = @attributes_compiler.compile_captures_and_args(node.attributes, tmp)
 
         # Prepare the slot name, parent name, and block name
         slot_name = node.slot
+        unless slot_name.match?(VALID_SLOT_NAME)
+          raise ORB::SyntaxError.new("Invalid slot name: #{slot_name.inspect}", 0)
+        end
+
         parent_name = "__orb__#{node.component.underscore}"
         block_name = node.directives.fetch(:with, "__orb__#{slot_name}")
+        unless block_name.match?(VALID_SLOT_NAME)
+          raise ORB::SyntaxError.new("Invalid :with directive value: must be a valid Ruby identifier", 0)
+        end
 
         # Construct the code to call the slot on the parent component
         code = "#{parent_name}.with_#{slot_name}(#{args}) do |#{block_name}|"
@@ -107,7 +133,22 @@ module ORB
       # @param [Array] content The content to be rendered for each iteration
       # @return [Array] compiled Temple expression
       def on_orb_for(expression, content)
-        enumerator, collection = expression.split(' in ')
+        # Match single identifier or tuple-destructured identifiers (e.g., "key, value" or "(key, value)")
+        match = expression.match(VALID_FOR_EXPRESSION)
+        unless match
+          raise ORB::SyntaxError.new("Invalid :for expression: enumerator must be a valid Ruby identifier",
+            0)
+        end
+
+        enumerator = match[1]
+        collection = match[2]
+
+        # Reject semicolons in the collection expression to prevent statement injection.
+        # Legitimate complex expressions should be assigned in a {%...%} block first.
+        if collection.include?(';')
+          raise ORB::SyntaxError.new("Invalid :for collection expression: semicolons are not allowed", 0)
+        end
+
         code = "#{collection}.each do |#{enumerator}|"
 
         [:multi,
@@ -125,6 +166,10 @@ module ORB
           on_orb_slot(node, content)
         else
           # It's a dynamic HTML tag
+          unless node.tag.match?(VALID_HTML_TAG_NAME)
+            raise ORB::SyntaxError.new("Invalid tag name: #{node.tag.inspect}", 0)
+          end
+
           tmp = unique_name
           splats = @attributes_compiler.compile_splat_attributes(node.splat_attributes)
           code = "content_tag('#{node.tag}', #{splats}) do"

data/lib/orb/temple/identity.rb

@@ -9,7 +9,11 @@ module ORB
 
       def generate(prefix = nil)
         @unique_id += 1
-        ["_orb_compiler", prefix, @unique_id].compact.join('_')
+        if prefix
+          "_orb_compiler_#{prefix}_#{@unique_id}"
+        else
+          "_orb_compiler_#{@unique_id}"
+        end
       end
     end
   end

data/lib/orb/token.rb

@@ -9,7 +9,7 @@ module ORB
       @type = type
       @value = value
       @meta = meta
-      @line = line || 0
+      @line = meta[:line] || 0
     end
 
     def set_meta(key, value)