rails_xss 0.1.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 joloudov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,17 @@
+= rails_xss
+
+Description goes here.
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 joloudov. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "rails_xss"
+    gem.summary = %Q{A plugin for rails 2.3 apps which switches the default to escape by default}
+    gem.description = %Q{This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0.}
+    gem.email = "joloudov@gmail.com"
+    gem.homepage = "http://github.com/joloudov/rails_xss"
+    gem.authors = ["joloudov"]
+    gem.add_development_dependency "erubis", ">= 2.6.5"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "rails_xss #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/rails_xss.rb

@@ -0,0 +1,3 @@
+require 'rails_xss/erubis'
+require 'rails_xss/action_view'
+require 'rails_xss/string_ext'

data/test/active_record_helper_test.rb

@@ -0,0 +1,74 @@
+require 'test_helper'
+
+class ActiveRecordHelperTest < ActionView::TestCase
+  silence_warnings do
+    Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on)
+    Post.class_eval do
+      alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast)
+      alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast)
+      alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast)
+    end
+  end
+
+  def setup_post
+    @post = Post.new
+    def @post.errors
+      Class.new {
+        def on(field)
+          case field.to_s
+          when "author_name"
+            "can't be empty"
+          when "body"
+            true
+          else
+            false
+          end
+        end
+        def empty?() false end
+        def count() 1 end
+        def full_messages() [ "Author name can't be empty" ] end
+      }.new
+    end
+
+    def @post.new_record?() true end
+    def @post.to_param() nil end
+
+    def @post.column_for_attribute(attr_name)
+      Post.content_columns.select { |column| column.name == attr_name }.first
+    end
+
+    silence_warnings do
+      def Post.content_columns() [ Column.new(:string, "title", "Title"), Column.new(:text, "body", "Body") ] end
+    end
+
+    @post.title       = "Hello World"
+    @post.author_name = ""
+    @post.body        = "Back to the hill and over it again!"
+    @post.secret = 1
+    @post.written_on  = Date.new(2004, 6, 15)
+  end
+
+  def setup
+    setup_post
+
+    @response = ActionController::TestResponse.new
+
+    @controller = Object.new
+    def @controller.url_for(options)
+      options = options.symbolize_keys
+
+      [options[:action], options[:id].to_param].compact.join('/')
+    end
+  end
+
+  def test_text_field_with_errors_is_safe
+    assert text_field("post", "author_name").html_safe?
+  end
+
+  def test_text_field_with_errors
+    assert_dom_equal(
+      %(<div class="fieldWithErrors"><input id="post_author_name" name="post[author_name]" size="30" type="text" value="" /></div>),
+      text_field("post", "author_name")
+    )
+  end
+end

data/test/asset_tag_helper_test.rb

@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class AssetTagHelperTest < ActionView::TestCase
+  def setup
+    @controller = Class.new do
+      attr_accessor :request
+      def url_for(*args) "http://www.example.com" end
+    end.new
+  end
+
+  def test_auto_discovery_link_tag
+    assert_dom_equal(%(<link href="http://www.example.com" rel="Not so alternate" title="ATOM" type="application/atom+xml" />),
+                     auto_discovery_link_tag(:atom, {}, {:rel => "Not so alternate"}))
+  end
+
+  def test_javascript_include_tag_with_blank_asset_id
+    ENV["RAILS_ASSET_ID"] = ""
+    assert_dom_equal(%(<script src="/javascripts/test.js" type="text/javascript"></script>\n<script src="/javascripts/prototype.js" type="text/javascript"></script>\n<script src="/javascripts/effects.js" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js" type="text/javascript"></script>\n<script src="/javascripts/controls.js" type="text/javascript"></script>\n<script src="/javascripts/application.js" type="text/javascript"></script>),
+                     javascript_include_tag("test", :defaults))
+  end
+
+  def test_javascript_include_tag_with_given_asset_id
+    ENV["RAILS_ASSET_ID"] = "1"
+    assert_dom_equal(%(<script src="/javascripts/prototype.js?1" type="text/javascript"></script>\n<script src="/javascripts/effects.js?1" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js?1" type="text/javascript"></script>\n<script src="/javascripts/controls.js?1" type="text/javascript"></script>\n<script src="/javascripts/application.js?1" type="text/javascript"></script>),
+                     javascript_include_tag(:defaults))
+    ENV["RAILS_ASSET_ID"] = ""
+  end
+
+  def test_javascript_include_tag_is_html_safe
+    assert javascript_include_tag(:defaults).html_safe?
+    assert javascript_include_tag("prototype").html_safe?
+  end
+
+  def test_stylesheet_link_tag
+    assert_dom_equal(%(<link href="http://www.example.com/styles/style.css" media="screen" rel="stylesheet" type="text/css" />),
+                     stylesheet_link_tag("http://www.example.com/styles/style"))
+  end
+
+  def test_stylesheet_link_tag_is_html_safe
+    assert stylesheet_link_tag('dir/file').html_safe?
+    assert stylesheet_link_tag('dir/other/file', 'dir/file2').html_safe?
+    assert stylesheet_tag('dir/file', {}).html_safe?
+  end
+
+  def test_image_tag
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+                     image_tag("mouse.png", :mouseover => image_path("mouse_over.png")))
+  end
+end

data/test/caching_test.rb

@@ -0,0 +1,43 @@
+require 'test_helper'
+
+CACHE_DIR = 'test_cache'
+# Don't change '/../temp/' cavalierly or you might hose something you don't want hosed
+FILE_STORE_PATH = File.join(File.dirname(__FILE__), '/../temp/', CACHE_DIR)
+ActionController::Base.page_cache_directory = FILE_STORE_PATH
+ActionController::Base.cache_store = :file_store, FILE_STORE_PATH
+
+class FragmentCachingTestController < ActionController::Base
+  def some_action; end;
+end
+
+class FragmentCachingTest < ActionController::TestCase
+  def setup
+    ActionController::Base.perform_caching = true
+    @store = ActiveSupport::Cache::MemoryStore.new
+    ActionController::Base.cache_store = @store
+    @controller = FragmentCachingTestController.new
+    @params = {:controller => 'posts', :action => 'index'}
+    @request = ActionController::TestRequest.new
+    @response = ActionController::TestResponse.new
+    @controller.params = @params
+    @controller.request = @request
+    @controller.response = @response
+    @controller.send(:initialize_current_url)
+    @controller.send(:initialize_template_class, @response)
+    @controller.send(:assign_shortcuts, @request, @response)
+  end
+
+  def test_html_safety
+    assert_nil @store.read('views/name')
+    content = 'value'.html_safe
+    assert_equal content, @controller.write_fragment('name', content)
+
+    cached = @store.read('views/name')
+    assert_equal content, cached
+    assert_equal String, cached.class
+
+    html_safe = @controller.read_fragment('name')
+    assert_equal content, html_safe
+    assert html_safe.html_safe?
+  end
+end

data/test/date_helper_test.rb

@@ -0,0 +1,29 @@
+require 'test_helper'
+
+class DateHelperTest < ActionView::TestCase
+  silence_warnings do
+    Post = Struct.new("Post", :id, :written_on, :updated_at)
+  end
+
+  def test_select_html_safety
+    assert select_day(16).html_safe?
+    assert select_month(8).html_safe?
+    assert select_year(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+    assert select_minute(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+    assert select_second(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+
+    assert select_minute(8, :use_hidden => true).html_safe?
+    assert select_month(8, :prompt => 'Choose month').html_safe?
+
+    assert select_time(Time.mktime(2003, 8, 16, 8, 4, 18), {}, :class => 'selector').html_safe?
+    assert select_date(Time.mktime(2003, 8, 16), :date_separator => " / ", :start_year => 2003, :end_year => 2005, :prefix => "date[first]").html_safe?
+  end
+  
+  def test_object_select_html_safety
+    @post = Post.new
+    @post.written_on = Date.new(2004, 6, 15)
+
+    assert date_select("post", "written_on", :default => Time.local(2006, 9, 19, 15, 16, 35), :include_blank => true).html_safe?    
+    assert time_select("post", "written_on", :ignore_date => true).html_safe?    
+  end
+end

data/test/deprecated_output_safety_test.rb

@@ -0,0 +1,112 @@
+require 'test_helper'
+
+class DeprecatedOutputSafetyTest < ActiveSupport::TestCase
+  def setup
+    @string = "hello"
+  end
+
+  test "A string can be marked safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      assert @string.html_safe?
+    end
+  end
+
+  test "Marking a string safe returns the string using html_safe!" do
+    assert_deprecated do
+      assert_equal @string, @string.html_safe!
+    end
+  end
+
+  test "Adding a safe string to another safe string returns a safe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+      @combination = @other_string + @string
+
+      assert_equal "otherhello", @combination
+      assert @combination.html_safe?
+    end
+  end
+
+  test "Adding an unsafe string to a safe string returns an unsafe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @combination = @other_string + "<foo>"
+      @other_combination = @string + "<foo>"
+
+      assert_equal "other<foo>", @combination
+      assert_equal "hello<foo>", @other_combination
+
+      assert !@combination.html_safe?
+      assert !@other_combination.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string.concat("<foo>")
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string << @string
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string << "<foo>"
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe with << yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string << @string
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting a fixnum to safe always yields safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      @string.concat(13)
+      assert_equal "hello".concat(13), @string
+      assert @string.html_safe?
+    end
+  end
+end