rails_xss 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,4 +1,4 @@
1
- Copyright (c) 2009 joloudov
1
+ Copyright (c) 2009 Koziarski Software Ltd.
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining
4
4
  a copy of this software and associated documentation files (the
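Review bot: the copyright holder in the license file moves from joloudov to Koziarski Software Ltd., but the gem metadata in this same release still lists `joloudov` as the sole entry under `authors:`, and the README being added tells users to install from `git://github.com/rails/rails_xss.git`. This release therefore appears to be a repackaging of the upstream rails_xss plugin under a different registry publisher than the license holder; state that relationship explicitly in the README or gemspec summary, because anyone auditing provenance will otherwise see a license holder, a registry author and an upstream repository that do not agree. Note also that this hunk carries no file header on this page; the file can only be inferred to be MIT-LICENSE from the `files:` change further down.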
data/README.markdown ADDED
@@ -0,0 +1,90 @@
1
+ RailsXss
2
+ ========
3
+
4
+ This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0.
5
+
6
+ Strings now have a notion of "html safe", which is false by default. Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first.
7
+
8
+ All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified. If you have your own helpers which return strings you *know* are safe, you will need to explicitly tell rails that they're safe. For an example, take the following helper.
9
+
10
+
11
+ def some_helper
12
+ (1..5).map do |i|
13
+ "<li>#{i}</li>"
14
+ end.join("\n")
15
+ end
16
+
17
+ With this plugin installed, the html will be escaped. So you will need to do one of the following:
18
+
19
+ 1) Use the raw helper in your template. raw will ensure that your string is copied verbatim into the response body.
20
+
21
+ <%= raw some_helper %>
22
+
23
+ 2) Mark the string as safe in the helper itself:
24
+
25
+ def some_helper
26
+ (1..5).map do |i|
27
+ "<li>#{i}</li>"
28
+ end.join("\n").html_safe
29
+ end
30
+
31
+ 3) Use the safe_helper meta programming method:
32
+
33
+ module ApplicationHelper
34
+ def some_helper
35
+ #...
36
+ end
37
+ safe_helper :some_helper
38
+ end
39
+
40
+ Example
41
+ -------
42
+
43
+ BEFORE:
44
+
45
+ <%= params[:own_me] %> => XSS attack
46
+ <%=h params[:own_me] %> => No XSS
47
+ <%= @blog_post.content %> => Displays the HTML
48
+
49
+ AFTER:
50
+
51
+ <%= params[:own_me] %> => No XSS
52
+ <%=h params[:own_me] %> => No XSS (same result)
53
+ <%= @blog_post.content %> => *escapes* the HTML
54
+ <%= raw @blog_post.content %> => Displays the HTML
55
+
56
+
57
+ Gotchas
58
+ ---
59
+
60
+ #### textilize and simple_format do *not* return safe strings
61
+
62
+ Both these methods support arbitrary HTML and are *not* safe to embed directly in your document. You'll need to do something like:
63
+
64
+ <%= sanitize(textilize(@blog_post.content_textile)) %>
65
+
66
+ #### Safe strings aren't magic.
67
+
68
+ Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+. All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like
69
+
70
+ value = something_safe
71
+ value.gsub!(/a/, params[:own_me])
72
+
73
+ Don't do that.
74
+
75
+ #### String interpolation won't be safe, even when it 'should' be
76
+
77
+ value = "#{something_safe}#{something_else_safe}"
78
+ value.html_safe? # => false
79
+
80
+ This is intended functionality and can't be fixed.
81
+
82
+ Getting Started
83
+ ===============
84
+
85
+ 1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable.
86
+ 2. Install erubis (gem install erubis)
87
+ 3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git)
88
+ 4. Report anything that breaks.
89
+
90
+ Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution.
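Review bot: the Getting Started section describes installing the plugin with `script/plugin install git://github.com/rails/rails_xss.git` and installing erubis by hand, which is not how this gem is consumed; document the gem route (`config.gem 'rails_xss'` in a Rails 2.3 app, or the equivalent) and declare erubis as a gem dependency so it shows up in the `dependencies:` block of the metadata rather than as a manual README step. Step 1's "Rails 2.3.8 or higher" is now documentation only, since the `init.rb` change in this same release deletes the runtime check that used to enforce it. In the Gotchas section, the `value.gsub!(/a/, params[:own_me])` example deserves a stronger warning than "Don't do that": it splices attacker-controlled input into a buffer already marked safe, so the result is emitted verbatim and is a direct XSS, not merely "probably possible to break your app". The `sanitize(textilize(...))` advice is correct as the last step (a whitelist filter, unlike `h`, which would escape the markup textilize just produced) and could say so.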
data/Rakefile CHANGED
@@ -18,7 +18,6 @@ begin
18
18
  'lib/**/*.rb',
19
19
  'lib/**/*.rake',
20
20
  ]
21
- # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
22
21
  end
23
22
  Jeweler::GemcutterTasks.new
24
23
  rescue LoadError
data/VERSION CHANGED
@@ -1 +1 @@
1
- 0.1.2
1
+ 0.1.3
data/init.rb CHANGED
@@ -1,7 +1 @@
1
- unless $gems_rake_task
2
- if Rails.version <= "2.3.7"
3
- $stderr.puts "rails_xss requires Rails 2.3.8 or later. Please upgrade to enable automatic HTML safety."
4
- else
5
- require 'rails_xss'
6
- end
7
- end
1
+ require File.dirname(__FILE__) + "/rails/init".
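Review bot: this removes both guards the old `init.rb` had without replacing them. The `Rails.version <= "2.3.7"` branch meant that on an older Rails the plugin printed `rails_xss requires Rails 2.3.8 or later` and skipped loading; now `rails/init` is required unconditionally, so on an older Rails the failure mode becomes whatever `rails/init` happens to do, which risks a partial load that leaves templates unescaped while the app believes escape-by-default is on. Keep a version check, but compare with `Gem::Version` rather than the string comparison the old code used (that comparison would have misordered a version such as `2.3.10` against `2.3.7`), and fail loudly. Dropping `unless $gems_rake_task` also means the plugin loads during `rake gems:install`, before erubis may be installed. Finally, the new line ends with a period after the closing quote (`"/rails/init".`); if that character is really in the file and not an artefact of this page, it is a dangling method call and a syntax error that breaks loading entirely.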
metadata CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
5
5
  segments:
6
6
  - 0
7
7
  - 1
8
- - 2
9
- version: 0.1.2
8
+ - 3
9
+ version: 0.1.3
10
10
  platform: ruby
11
11
  authors:
12
12
  - joloudov
@@ -14,7 +14,7 @@ autorequire:
14
14
  bindir: bin
15
15
  cert_chain: []
16
16
 
17
- date: 2010-07-02 00:00:00 +04:00
17
+ date: 2010-07-14 00:00:00 +04:00
18
18
  default_executable:
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
@@ -38,11 +38,10 @@ executables: []
38
38
  extensions: []
39
39
 
40
40
  extra_rdoc_files:
41
- - LICENSE
42
- - README.rdoc
41
+ - README.markdown
43
42
  files:
44
- - LICENSE
45
- - README.rdoc
43
+ - MIT-LICENSE
44
+ - README.markdown
46
45
  - Rakefile
47
46
  - VERSION
48
47
  - init.rb
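Review bot: the new `init.rb` does `require File.dirname(__FILE__) + "/rails/init"`, so `rails/init.rb` must be shipped in the gem; the visible portion of the `files:` list ends at `init.rb` and does not show it, so confirm it is present (the 0.1.2 `init.rb` required `rails_xss` from `lib/` directly and did not need it). The LICENSE to MIT-LICENSE and README.rdoc to README.markdown renames in this hunk are consistent with the README's closing line, which points readers to MIT-LICENSE.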
@@ -91,8 +90,6 @@ test_files:
91
90
  - test/date_helper_test.rb
92
91
  - test/active_record_helper_test.rb
93
92
  - test/caching_test.rb
94
- - test/test_rails_xss.rb
95
93
  - test/text_helper_test.rb
96
94
  - test/asset_tag_helper_test.rb
97
95
  - test/rails_xss_test.rb
98
- - test/helper.rb
data/README.rdoc DELETED
@@ -1,17 +0,0 @@
1
- = rails_xss
2
-
3
- Description goes here.
4
-
5
- == Note on Patches/Pull Requests
6
-
7
- * Fork the project.
8
- * Make your feature addition or bug fix.
9
- * Add tests for it. This is important so I don't break it in a
10
- future version unintentionally.
11
- * Commit, do not mess with rakefile, version, or history.
12
- (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
13
- * Send me a pull request. Bonus points for topic branches.
14
-
15
- == Copyright
16
-
17
- Copyright (c) 2010 joloudov. See LICENSE for details.
data/test/helper.rb DELETED
@@ -1,10 +0,0 @@
1
- require 'rubygems'
2
- require 'test/unit'
3
- require 'shoulda'
4
-
5
- $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
6
- $LOAD_PATH.unshift(File.dirname(__FILE__))
7
- require 'rails_xss'
8
-
9
- class Test::Unit::TestCase
10
- end
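Review bot: `test/helper.rb` was not only the Jeweler/shoulda scaffold; it is also the file that put `../lib` on `$LOAD_PATH` and required `rails_xss`. The retained tests in the `test_files:` list (`test/rails_xss_test.rb` and the helper tests) must have their own setup, otherwise they now fail with a load error or, worse, run against a system-installed copy of the gem rather than the code in this package. Check that none of them still `require 'helper'`.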
@@ -1,7 +0,0 @@
1
- require 'helper'
2
-
3
- class TestRailsXss < Test::Unit::TestCase
4
- should "probably rename this file and start testing for real" do
5
- flunk "hey buddy, you should probably rename this file and start testing for real"
6
- end
7
- end
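Review bot: this hunk has no file header on this page; from its content (the Jeweler placeholder whose only test calls `flunk`) and from the `test/test_rails_xss.rb` entry removed from `test_files:` above, it is that placeholder file. Deleting it is correct, and `test/rails_xss_test.rb` remains as the substantive test, so no coverage is lost.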