rails_xss 0.1.1 → 0.1.2
- data/Rakefile +1 -0
- data/VERSION +1 -1
- data/lib/rails_xss/action_view.rb +87 -0
- data/lib/rails_xss/erubis.rb +33 -0
- data/lib/rails_xss/string_ext.rb +52 -0
- metadata +6 -3
data/Rakefile
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.2
|
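--- a/data/lib/rails_xss/action_view.rb
+++ b/data/lib/rails_xss/action_view.rb
@@ -0,0 +1,87 @@
+module ActionView
+class Base
+def self.xss_safe?
+true
+end
+
+module WithSafeOutputBuffer
+# Rails version of with_output_buffer uses '' as the default buf
+def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc:
+super buf
+end
+end
+
+include WithSafeOutputBuffer
+end
+
+module Helpers
+module TextHelper
+def concat(string, unused_binding = nil)
+if unused_binding
+ActiveSupport::Deprecation.warn("The binding argument of #concat is no longer needed. Please remove it from your views and helpers.", caller)
+end
+
+output_buffer.concat(string)
+end
+
+def simple_format_with_escaping(text, html_options = {})
+simple_format_without_escaping(ERB::Util.h(text), html_options)
+end
+alias_method_chain :simple_format, :escaping
+end
+
+module TagHelper
+private
+def content_tag_string_with_escaping(name, content, options, escape = true)
+content_tag_string_without_escaping(name, ERB::Util.h(content), options, escape)
+end
+alias_method_chain :content_tag_string, :escaping
+end
+
+module UrlHelper
+def link_to(*args, &block)
+if block_given?
+options = args.first || {}
+html_options = args.second
+concat(link_to(capture(&block), options, html_options))
+else
+name = args.first
+options = args.second || {}
+html_options = args.third
+
+url = url_for(options)
+
+if html_options
+html_options = html_options.stringify_keys
+href = html_options['href']
+convert_options_to_javascript!(html_options, url)
+tag_options = tag_options(html_options)
+else
+tag_options = nil
+end
+
+href_attr = "href=\"#{url}\"" unless href
+"<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
+end
+end
+end
+end
+end
+
+module RailsXss
+module SafeHelpers
+def safe_helper(*names)
+names.each do |helper_method_name|
+aliased_target, punctuation = helper_method_name.to_s.sub(/([?!=])$/, ''), $1
+module_eval <<-END
+def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
+raw(#{aliased_target}_without_xss_safety#{punctuation}(*args, &block))
+end
+END
+alias_method_chain helper_method_name, :xss_safety
+end
+end
+end
+end
+
+Module.class_eval { include RailsXss::SafeHelpers }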
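Review bot: `safe_helper` (lines 73-83 of the new file) wraps every named helper in `raw(...)`, which marks its return value as html_safe and removes it from output escaping, but nothing documents that the wrapped helper must already escape its own arguments; since line 87 mixes `SafeHelpers` into every `Module`, this is callable from any module. Add above `def safe_helper`: `# Marks the return value of each named helper as html_safe (bypasses output escaping). Only list helpers that escape their own input.` The wrapper is generated from a string via `module_eval`, so the helper name is interpolated into source text; `sub(/([?!=])$/, '')` would be tighter as `sub(/([?!=])\z/, '')`, though in practice method names carry no newline. In `link_to` (line 64) `name` is escaped with `ERB::Util.h` while `url` is interpolated into `href` as returned by `url_for`; whether `url_for` escapes it is outside this hunk and worth confirming.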
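--- a/data/lib/rails_xss/erubis.rb
+++ b/data/lib/rails_xss/erubis.rb
@@ -0,0 +1,33 @@
+require 'erubis/helpers/rails_helper'
+
+module RailsXss
+class Erubis < ::Erubis::Eruby
+def add_preamble(src)
+src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+end
+
+def add_text(src, text)
+return if text.empty?
+src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+end
+
+def add_expr_literal(src, code)
+if code =~ /\s*raw\s+(.*)/
+src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+else
+src << '@output_buffer << ((' << code << ').to_s);'
+end
+end
+
+def add_expr_escaped(src, code)
+src << '@output_buffer << ' << escaped_expr(code) << ';'
+end
+
+def add_postamble(src)
+src << '@output_buffer.to_s'
+end
+end
+end
+
+Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis
+Erubis::Helpers::RailsHelper.show_src = false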
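Review bot: The `raw` detection in `add_expr_literal` (line 15 of the new file, `code =~ /\s*raw\s+(.*)/`) is unanchored, so any `<%= %>` expression that merely contains `raw` followed by whitespace — for example a method name that ends in those letters — matches, everything before the match is discarded, and the remainder is emitted through `safe_concat` without escaping. Anchor the match to the whole expression: `if code =~ /\A\s*raw\s+(.*)\z/m`. `escape_text` and `escaped_expr` used on lines 11 and 23 come from the `::Erubis::Eruby` superclass, which is outside this hunk, so their escaping contract should be confirmed there.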
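--- a/data/lib/rails_xss/string_ext.rb
+++ b/data/lib/rails_xss/string_ext.rb
@@ -0,0 +1,52 @@
+require 'active_support/deprecation'
+
+ActiveSupport::SafeBuffer.class_eval do
+def concat(value)
+if value.html_safe?
+super(value)
+else
+super(ERB::Util.h(value))
+end
+end
+alias << concat
+end
+
+class String
+def html_safe?
+defined?(@_rails_html_safe)
+end
+
+def html_safe!
+ActiveSupport::Deprecation.warn("Use html_safe with your strings instead of html_safe! See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for the full story.", caller)
+@_rails_html_safe = true
+self
+end
+
+def add_with_safety(other)
+result = add_without_safety(other)
+if html_safe? && also_html_safe?(other)
+result.html_safe!
+else
+result
+end
+end
+alias_method :add_without_safety, :+
+alias_method :+, :add_with_safety
+
+def concat_with_safety(other_or_fixnum)
+result = concat_without_safety(other_or_fixnum)
+unless html_safe? && also_html_safe?(other_or_fixnum)
+remove_instance_variable(:@_rails_html_safe) if defined?(@_rails_html_safe)
+end
+result
+end
+
+alias_method_chain :concat, :safety
+undef_method :<<
+alias_method :<<, :concat_with_safety
+
+private
+def also_html_safe?(other)
+other.respond_to?(:html_safe?) && other.html_safe?
+end
+end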
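Review bot: The `@_rails_html_safe` marker set by `html_safe!` (line 21 of the new file) is only maintained by the `+`, `concat` and `<<` overrides on lines 25-46; every other in-place mutator (`replace`, `sub!`, `gsub!`, `insert`, `[]=`) leaves the marker on the changed content, so a string can stay "safe" after unescaped text is written into it. Document that limitation above `def html_safe!`: `# The safe marker is only cleared by +, concat and <<; other mutators keep it, so do not mutate a string after marking it safe.` `html_safe?` on line 16 returns the result of `defined?`, a String or nil rather than a boolean, which is fine for truthiness but would surprise a caller comparing with `== true`; `!!defined?(@_rails_html_safe)` makes it strict. Calling `result.html_safe!` on line 28 also triggers the deprecation warning on every safe `+`; a caller-independent internal setter would avoid that noise.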
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 1
|
8
|
-
-
|
9
|
-
version: 0.1.
|
8
|
+
- 2
|
9
|
+
version: 0.1.2
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- joloudov
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2010-07-
|
17
|
+
date: 2010-07-02 00:00:00 +04:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
@@ -47,6 +47,9 @@ files:
|
|
47
47
|
- VERSION
|
48
48
|
- init.rb
|
49
49
|
- lib/rails_xss.rb
|
50
|
+
- lib/rails_xss/action_view.rb
|
51
|
+
- lib/rails_xss/erubis.rb
|
52
|
+
- lib/rails_xss/string_ext.rb
|
50
53
|
- lib/tasks/rails_xss_tasks.rake
|
51
54
|
has_rdoc: true
|
52
55
|
homepage: http://github.com/joloudov/rails_xss
|