phlex 1.9.3 → 1.10.0

data/lib/phlex/context.rb

@@ -2,26 +2,63 @@
 
 # @api private
 class Phlex::Context
-	def initialize
-		@target = +""
+	def initialize(user_context = {})
+		@buffer = +""
 		@capturing = false
+		@user_context = user_context
+		@fragments = nil
+		@in_target_fragment = false
+		@halt_signal = nil
 	end
 
-	attr_accessor :target, :capturing
+	attr_accessor :buffer, :capturing, :user_context, :in_target_fragment
 
-	def capturing_into(new_target)
-		original_target = @target
+	attr_reader :fragments
+
+	# Added for backwards compatibility with phlex-rails. We can remove this with 2.0
+	def target
+		@buffer
+	end
+
+	def target_fragments(fragments)
+		@fragments = fragments.to_h { |it| [it, true] }
+	end
+
+	def around_render
+		return yield if !@fragments || @halt_signal
+
+		catch do |signal|
+			@halt_signal = signal
+			yield
+		end
+	end
+
+	def begin_target(id)
+		@in_target_fragment = id
+	end
+
+	def end_target
+		@fragments.delete(@in_target_fragment)
+		@in_target_fragment = false
+		throw @halt_signal if @fragments.length == 0
+	end
+
+	def capturing_into(new_buffer)
+		original_buffer = @buffer
 		original_capturing = @capturing
+		original_fragments = @fragments
 
 		begin
-			@target = new_target
+			@buffer = new_buffer
 			@capturing = true
+			@fragments = nil
 			yield
 		ensure
-			@target = original_target
+			@buffer = original_buffer
 			@capturing = original_capturing
+			@fragments = original_fragments
 		end
 
-		new_target
+		new_buffer
 	end
 end

data/lib/phlex/csv.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+class Phlex::CSV
+	include Phlex::Callable
+
+	FORMULA_PREFIXES = ["=", "+", "-", "@", "\t", "\r"].to_h { |prefix| [prefix, true] }.freeze
+	SPACE_CHARACTERS = [" ", "\t", "\r"].to_h { |char| [char, true] }.freeze
+
+	def initialize(collection)
+		@collection = collection
+		@_headers = []
+		@_current_row = []
+		@_current_column_index = 0
+		@_view_context = nil
+		@_first = true
+	end
+
+	attr_reader :collection
+
+	def call(buffer = +"", view_context: nil)
+		unless escape_csv_injection? == true || escape_csv_injection? == false
+			raise <<~MESSAGE
+				You need to define escape_csv_injection? in #{self.class.name}, returning either `true` or `false`.
+
+				CSV injection is a security vulnerability where malicious spreadsheet formulae are used to execute code or exfiltrate data when a CSV is opened in a spreadsheet program such as Microsoft Excel or Google Sheets.
+
+				For more information, see https://owasp.org/www-community/attacks/CSV_Injection
+
+				If you're sure this CSV will never be opened in a spreadsheet program, you can disable CSV injection escapes:
+
+				  def escape_csv_injection? = false
+
+				This is useful when using CSVs for byte-for-byte data exchange between secure systems.
+
+				Alternatively, you can enable CSV injection escapes at the cost of data integrity:
+
+				  def escape_csv_injection? = true
+
+				Note: Enabling the CSV injection escapes will prefix any values that start with `=`, `+`, `-`, `@`, `\\t`, or `\\r` with a single quote `'` to prevent them from being interpreted as formulae by spreadsheet programs.
+
+				Unfortunately, there is no one-size-fits-all solution to CSV injection. You need to decide based on your specific use case.
+			MESSAGE
+		end
+
+		@_view_context = view_context
+
+		each_item do |record|
+			yielder(record) do |*args, **kwargs|
+				view_template(*args, **kwargs)
+
+				if @_first && render_headers?
+					buffer << @_headers.join(",") << "\n"
+				end
+
+				buffer << @_current_row.join(",") << "\n"
+				@_current_column_index = 0
+				@_current_row.clear
+			end
+
+			@_first = false
+		end
+
+		buffer
+	end
+
+	def filename
+		nil
+	end
+
+	def content_type
+		"text/csv"
+	end
+
+	private
+
+	def column(header = nil, value)
+		if @_first
+			@_headers << escape(header)
+		elsif header != @_headers[@_current_column_index]
+			raise "Inconsistent header."
+		end
+
+		@_current_row << escape(value)
+		@_current_column_index += 1
+	end
+
+	def each_item(&block)
+		collection.each(&block)
+	end
+
+	def yielder(record)
+		yield(record)
+	end
+
+	def template(...)
+		nil
+	end
+
+	# Override and set to `false` to disable rendering headers.
+	def render_headers?
+		true
+	end
+
+	# Override and set to `true` to strip leading and trailing whitespace from values.
+	def trim_whitespace?
+		false
+	end
+
+	# Override and set to `false` to disable CSV injection escapes or `true` to enable.
+	def escape_csv_injection?
+		nil
+	end
+
+	def helpers
+		@_view_context
+	end
+
+	def escape(value)
+		value = trim_whitespace? ? value.to_s.strip : value.to_s
+		first_char = value[0]
+		last_char = value[-1]
+
+		if escape_csv_injection? && FORMULA_PREFIXES[first_char]
+			# Prefix a single quote to prevent Excel, Google Docs, etc. from interpreting the value as a formula.
+			# See https://owasp.org/www-community/attacks/CSV_Injection
+			%("'#{value.gsub('"', '""')}")
+		elsif (!trim_whitespace? && (SPACE_CHARACTERS[first_char] || SPACE_CHARACTERS[last_char])) || value.include?('"') || value.include?(",") || value.include?("\n")
+			%("#{value.gsub('"', '""')}")
+		else
+			value
+		end
+	end
+end

data/lib/phlex/deferred_render.rb

@@ -11,7 +11,7 @@
 # 			@tabs = []
 # 		end
 #
-# 		def template
+# 		def view_template
 # 			@tabs.each { |t| a { t.name } }
 # 			@tabs.each { |t| article(&t.content) }
 # 		end

data/lib/phlex/elements.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0")
-	using Phlex::Overrides::Symbol::Name
-end
-
 # Extending this module provides the {register_element} macro for registering your own custom elements. It's already extended by {HTML} and {SVG}.
 # @example
 # 	module MyCustomElements
@@ -15,14 +11,14 @@ end
 # 	class MyComponent < Phlex::HTML
 # 		include MyCustomElements
 #
-# 		def template
+# 		def view_template
 # 			trix_editor
 # 		end
 # 	end
 module Phlex::Elements
 	# @api private
 	def registered_elements
-		@registered_elements ||= Concurrent::Map.new
+		@registered_elements ||= {}
 	end
 
 	# Register a custom element. This macro defines an element method for the current class and descendents only. There is no global element registry.
@@ -32,35 +28,64 @@ module Phlex::Elements
 	# @note The methods defined by this macro depend on other methods from {SGML} so they should always be mixed into an {HTML} or {SVG} component.
 	# @example Register the custom element `<trix-editor>`
 	# 	register_element :trix_editor
-	def register_element(method_name, tag: nil)
-		tag ||= method_name.name.tr("_", "-")
+	def register_element(method_name, tag: method_name.name.tr("_", "-"), deprecated: false)
+		if deprecated
+			deprecation = <<~RUBY
+				Kernel.warn "#{deprecated}"
+			RUBY
+		else
+			deprecation = ""
+		end
 
 		class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
 			# frozen_string_literal: true
 
 			def #{method_name}(**attributes, &block)
-				target = @_context.target
+				#{deprecation}
+
+				context = @_context
+				buffer = context.buffer
+				fragment = context.fragments
+				target_found = false
+
+				if fragment
+					return if fragment.length == 0 # we found all our fragments already
+
+					id = attributes[:id]
+
+					if !context.in_target_fragment
+					  if fragment[id]
+							context.begin_target(id)
+							target_found = true
+						else
+							yield(self) if block
+							return nil
+						end
+					end
+				end
 
 				if attributes.length > 0 # with attributes
 					if block # with content block
-						target << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << ">"
+						buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << ">"
 						yield_content(&block)
-						target << "</#{tag}>"
+						buffer << "</#{tag}>"
 					else # without content block
-						target << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << "></#{tag}>"
+						buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << "></#{tag}>"
 					end
 				else # without attributes
 					if block # with content block
-						target << "<#{tag}>"
+						buffer << "<#{tag}>"
 						yield_content(&block)
-						target << "</#{tag}>"
+						buffer << "</#{tag}>"
 					else # without content block
-						target << "<#{tag}></#{tag}>"
+						buffer << "<#{tag}></#{tag}>"
 					end
 				end
 
 				#{'flush' if tag == 'head'}
 
+				context.end_target if target_found
+
 				nil
 			end
 
@@ -73,19 +98,47 @@ module Phlex::Elements
 	end
 
 	# @api private
-	def register_void_element(method_name, tag: method_name.name.tr("_", "-"))
+	def register_void_element(method_name, tag: method_name.name.tr("_", "-"), deprecated: false)
+		if deprecated
+			deprecation = <<~RUBY
+				Kernel.warn "#{deprecated}"
+			RUBY
+		else
+			deprecation = ""
+		end
+
 		class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
 			# frozen_string_literal: true
 
 			def #{method_name}(**attributes)
-				target = @_context.target
+				#{deprecation}
+				context = @_context
+				buffer = context.buffer
+				fragment = context.fragments
+
+				if fragment
+					return if fragment.length == 0 # we found all our fragments already
+
+					id = attributes[:id]
+
+					if !context.in_target_fragment
+					  if fragment[id]
+							context.begin_target(id)
+							target_found = true
+						else
+							return nil
+						end
+					end
+				end
 
 				if attributes.length > 0 # with attributes
-					target << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << ">"
+					buffer << "<#{tag}" << (Phlex::ATTRIBUTE_CACHE[respond_to?(:process_attributes) ? (attributes.hash + self.class.hash) : attributes.hash] || __attributes__(**attributes)) << ">"
 				else # without attributes
-					target << "<#{tag}>"
+					buffer << "<#{tag}>"
 				end
 
+				context.end_target if target_found
+
 				nil
 			end
 

data/lib/phlex/helpers.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0")
-	using Phlex::Overrides::Symbol::Name
-end
+require "set"
 
 module Phlex::Helpers
 	private
@@ -80,9 +78,23 @@ module Phlex::Helpers
 				when Hash
 					old.is_a?(Hash) ? mix(old, new) : new
 				when Array
-					old.is_a?(Array) ? (old + new) : new
+					case old
+					when Array then old + new
+					when Set then old.to_a + new
+					when Hash then new
+					else
+						[old] + new
+					end
+				when Set
+					case old
+					when Set then old + new
+					when Array then old + new.to_a
+					when Hash then new
+					else
+						new + [old]
+					end
 				when String
-					old.is_a?(String) ? "#{old} #{new}" : new
+					old.is_a?(String) ? "#{old} #{new}" : old + old.class[new]
 				else
 					new
 				end