rack-cerberus 0.3.0 → 0.3.1

Files changed (5)
  1. data/README.md +1 -0
  2. data/cerberus.gemspec +1 -1
  3. data/cerberus.rb +12 -2
  4. data/spec.rb +7 -0
  5. metadata +4 -4
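--- a/data/README.md
+++ b/data/README.md
@@ -85,6 +85,7 @@ Changelog
  0.1.6 Send an Array instead of a string to Rack so that it works on Ruby 1.9
  0.2.0 External CSS file + `:text_color` option + keep details after login failure
  0.3.0 Now sends request as a 3rd argument to the block
+ 0.3.1 Escape HTML in fields now that they are kept
 
  Copyright
  ---------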
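--- a/data/cerberus.gemspec
+++ b/data/cerberus.gemspec
@@ -1,6 +1,6 @@
  Gem::Specification.new do |s|
  s.name = 'rack-cerberus'
- s.version = "0.3.0"
+ s.version = "0.3.1"
  s.platform = Gem::Platform::RUBY
  s.summary = "A Rack middleware for form-based authentication"
  s.description = "A Rack middleware for form-based authentication. Aim is a compromise between fonctionality, beauty and customization."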
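--- a/data/cerberus.rb
+++ b/data/cerberus.rb
@@ -29,8 +29,11 @@ class Cerberus
  -webkit-border-bottom-right-radius: 10px;
  -moz-border-radius-bottomright: 10px;
  border-bottom-right-radius: 10px;
+ -moz-box-shadow: 0px 0px 5px #333;
+ -webkit-box-shadow: 0px 0px 5px #333;
+ box-shadow: 0px 0px 5px #333;
  background-color: %s; }
- input { width: 400px; font-size: 20px; }
+ input[type=text], input[type=password] { width: 392px; padding: 4px; border: 0px; font-size: 20px; }
  </style>
  %s
  </head><body>
@@ -102,10 +105,17 @@ PAGE
  401, {'Content-Type' => 'text/html'},
  [AUTH_PAGE % [
  @options[:company_name], @options[:bg_color], @options[:text_color], @options[:fg_color], css, @options[:company_name],
- icon, err, env['REQUEST_URI'], req['cerberus_login']||'login', req['cerberus_pass']||'pass'
+ icon, err, env['REQUEST_URI'], html_escape(req['cerberus_login']||'login'), html_escape(req['cerberus_pass']||'pass')
  ]]
  ]
  end
  end
 
+ private
+
+ # Stolen from ERB
+ def html_escape(s)
+ s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;")
+ end
+
  end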
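Review bot: `env['REQUEST_URI']` on the `+ icon, err, env['REQUEST_URI'], …` line is still interpolated into AUTH_PAGE raw while the two fields beside it now go through html_escape; it is request-controlled text, so it should get the same treatment, `html_escape(env['REQUEST_URI'])`, presumably wherever the template places it (the AUTH_PAGE body is outside the hunk). The new html_escape also leaves `'` untouched, which is adequate for the double-quoted `value="…"` attributes the spec checks but will not hold if a template attribute is ever single-quoted; a single-pass table such as `s.to_s.gsub(/[&<>"']/) { {'&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#39;'}[$&] }` covers it and replaces the four chained gsub passes. Separately, the 401 page echoes the submitted password back into the HTML response; a comment such as `# Deliberately re-populates the password field after a failed login; the plaintext password is therefore in the response body` would make that trade-off explicit for future maintainers. The method enclosing the 401 response starts outside this hunk.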
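--- a/data/spec.rb
+++ b/data/spec.rb
@@ -36,6 +36,13 @@ describe 'cerberus' do
  res.body.should.match(/name="cerberus_pass" value="fake_pass"/)
  end
 
+ should 'Escape HTML on submitted info' do
+ res = req.post('/', :params => {'cerberus_login' => '<script>bad</script>', 'cerberus_pass' => '<script>bad</script>'})
+ res.status.should==401
+ res.body.should.match(/name="cerberus_login" value="&lt;script&gt;bad&lt;\/script&gt;"/)
+ res.body.should.match(/name="cerberus_pass" value="&lt;script&gt;bad&lt;\/script&gt;"/)
+ end
+
  should 'Give access with the appropriate login and pass' do
  res = req.get('/', :params => {'cerberus_login' => 'mario@nintendo.com', 'cerberus_pass' => 'bros'})
  cookie = res["Set-Cookie"]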
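Review bot: The new `should 'Escape HTML on submitted info'` case only exercises `<` and `>`; for a value that lands inside `value="…"`, the `"` and `&` replacements are the ones that determine whether the attribute stays intact, and neither is asserted. Add a second post with `'cerberus_login' => 'a"b&c'` and check `res.body.should.match(/name="cerberus_login" value="a&quot;b&amp;c"/)` so the attribute-relevant escapes are pinned too. The describe block starts outside this hunk.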
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-cerberus
3
3
  version: !ruby/object:Gem::Version
4
- hash: 19
4
+ hash: 17
5
5
  prerelease:
6
6
  segments:
7
7
  - 0
8
8
  - 3
9
- - 0
10
- version: 0.3.0
9
+ - 1
10
+ version: 0.3.1
11
11
  platform: ruby
12
12
  authors:
13
13
  - Mickael Riga
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2011-10-07 00:00:00 +01:00
18
+ date: 2011-11-21 00:00:00 +00:00
19
19
  default_executable:
20
20
  dependencies: []
21
21