raw 0.49.0

data/lib/raw/test/context.rb

@@ -0,0 +1,55 @@
+require 'test/unit'
+require 'test/unit/assertions'
+require 'rexml/document'
+
+require 'raw/context'
+
+module Raw
+
+# Override the default Request implementation
+# to include methods useful for testing.
+
+module Request
+end
+
+# Override the default Response implementation
+# to include methods useful for testing.
+
+module Response
+
+  def status_ok?
+    @status == 200
+  end
+
+  def redirect?
+    (300..399).include?(@status)
+  end
+
+  def redirect_uri
+    @response_headers['location']
+  end
+
+  def response_cookie(name)
+    return nil unless @response_cookies
+    @response_cookies.find { |c| c.name == name }
+  end
+
+end
+
+# Override the default Context implementation
+# to include methods useful for testing.
+
+class Context
+  attr_writer :session, :cookies
+  
+  def session
+    @session || @session = {}
+  end
+  
+  def cookies
+    @cookies || @cookies = {}
+  end
+     
+end
+
+end

data/lib/raw/test/testcase.rb

@@ -0,0 +1,79 @@
+require 'ostruct'
+
+require 'test/unit'
+require 'test/unit/assertions'
+require 'rexml/document'
+
+require 'glue'
+require 'nitro/test/context'
+
+module Test::Unit
+  
+class TestCase
+  include Nitro
+
+  def reset_context
+    @context_config = OpenStruct.new(
+      :dispatcher => Nitro::Dispatcher.new(Nitro::Server.map)
+    )
+    @context = Nitro::Context.new(@context_config)
+  end
+
+  # Send a request to the controller. Alternatively you can use
+  # the request method helpers (get, post, ...)
+  #
+  # === Options
+  #
+  # :uri, :method, :headers/:env, :params, :session
+  
+  def process(options = {})
+    unless options.is_a? Hash
+      options = { :uri => options.to_s }
+    end
+
+    uri = options[:uri]
+    uri = "/#{uri}" unless uri =~ /^\//
+   
+    reset_context unless @context
+    context = @context
+    if @last_response_cookies
+      @last_response_cookies.each do |cookie|
+        context.cookies.merge! cookie.name => cookie.value
+      end
+    end
+    context.headers = options[:headers] || options[:env] || {}
+    context.headers['REQUEST_URI'] = uri
+    context.headers['REQUEST_METHOD'] = options.fetch(:method, :get).to_s.upcase
+    context.headers['REMOTE_ADDR'] ||= '127.0.0.1'
+    if ((:get == options[:method]) and (options[:params]))
+      context.headers['QUERY_STRING'] = options[:params].collect {|k,v| "#{k}=#{v}"}.join('&')
+    end
+    context.params = options[:params] || {}
+    context.cookies.merge! options[:cookies] if options[:cookies]
+    context.session.merge! options[:session] if options[:session]
+    
+    context.render(context.path)
+    @last_response_cookies = context.response_cookies
+    return context.body
+  end
+
+  #--
+  # Compile some helpers.
+  #++
+  
+  for m in [:get, :post, :put, :delete, :head]
+    eval %{
+      def #{m}(options = {})
+        unless options.is_a? Hash
+          options = { :uri => options.to_s }
+        end
+        options[:method] = :#{m}
+        process(options)
+      end 
+    }
+  end
+
+end
+
+end
+

data/lib/raw/util/attr.rb

@@ -0,0 +1,128 @@
+require 'cgi'
+require 'og/relation/all'
+
+#--
+# TODO: find a better name!
+# TODO: this is nitro request specific, should probably get moved
+# into the Nitro directory.
+#++
+
+class AttributeUtils
+  class << self
+
+  #--
+  # TODO: Add preprocessing.
+  #++
+  
+  def set_attr(obj, name, value)
+    obj.send("__force_#{name}", value)
+  rescue Object => ex
+    obj.instance_variable_set("@#{name}", value)
+  end
+
+  # Populate an object from a hash of values.
+  # This is a truly dangerous method.
+  #
+  # === Options
+  #
+  # * name
+  # * force_boolean
+  
+  def populate_object(obj, values, options = {})
+    options = {
+      :force_boolean => true
+    }.update(options)
+    
+    # If a class is passed create an instance.
+  
+    obj = obj.new if obj.is_a?(Class) 
+
+    for sym in obj.class.serializable_attributes
+      anno = obj.class.ann(sym)
+      
+      unless options[:all]
+        # THINK: should skip control none attributes?
+        next if sym == obj.class.primary_key or anno[:control] == :none or anno[:disable_control]
+      end
+      
+      prop_name = sym.to_s
+
+      # See if there is an incoming request param for this prop.
+      
+      if values.keys.include? prop_name
+
+        prop_value = values[prop_name]
+        
+        # to_s must be called on the prop_value incase the 
+        # request is IOString.
+        
+        prop_value = prop_value.to_s unless prop_value.is_a?(Hash) or prop_value.is_a?(Array)
+        
+        # If property is a Blob dont overwrite current 
+        # property's data if "".
+        
+        break if anno[:class] == Og::Blob and prop_value.empty?
+
+        prop_value = CGI.unescape(prop_value)
+        
+        if anno[:class] == String and anno[:unfiltered] != true
+          # html filter all strings by default.
+          prop_value = prop_value.html_filter
+        end 
+
+        set_attr(obj, prop_name, CGI.unescape(prop_value))
+        
+      elsif options[:force_boolean] and (anno[:class] == TrueClass or anno[:class] == FalseClass)
+        # Set a boolean property to false if it is not in the 
+        # request. Requires force_boolean == true.
+
+        set_attr(obj, prop_name, false)
+        obj.send("__force_#{prop_name}", false)
+      end
+    end
+
+    if options[:assign_relations]
+      for rel in obj.class.relations
+        unless options[:all]
+          next if rel.options[:control] == :none or rel.options[:disable_control]
+        end
+        
+        rel_name = rel.name.to_s
+        
+        # Renew the relations from values
+        
+        if rel.kind_of?(Og::RefersTo)
+          if foreign_oid = values[rel_name]
+            foreign_oid = foreign_oid.to_s unless foreign_oid.is_a?(Hash) or foreign_oid.is_a?(Array) 
+            foreign_oid = nil if foreign_oid == 'nil' or foreign_oid == 'none'
+          end
+          set_attr(obj, rel.foreign_key, foreign_oid)
+        elsif rel.kind_of?(Og::JoinsMany) || rel.kind_of?(Og::HasMany)
+          collection = obj.send(rel_name)
+          collection.remove_all 
+          if values.has_key?(rel_name)
+            primary_keys = values[rel_name]
+            primary_keys.each do |v|
+              v = v.to_s
+              next if v == "nil" or v == "none"
+              collection << rel.target_class[v.to_i]
+            end
+          end
+        end
+      end
+    end
+
+    #--
+    # gmosx, FIXME: this is a hack, will be replaced with proper
+    # code soon.
+    #++
+    
+    for callback in obj.class.assign_callbacks
+      callback.call(obj, values, options)
+    end if obj.class.respond_to?(:assign_callbacks)
+
+    return obj
+  end 
+  
+  end
+end

data/lib/raw/util/encode_uri.rb

@@ -0,0 +1,149 @@
+module Raw
+
+# A collection of intelligent url encoding methods.
+
+module EncodeURI
+
+private
+
+  # Encode controller, action, params into a valid url.
+  # Automatically respects nice urls and routing.
+  #
+  # Handles parameters either as a hash or as an array.
+  # Use the array method to pass parameters to 'nice' actions.
+  #
+  # Pass Controller, action, and (param_name, param_value) 
+  # pairs.
+  #
+  # If you pass an entity (model) class as the first parameter,
+  # the encoder tries to lookup the default controller for this
+  # class (ie, Klass::Controller).
+  #
+  # === Examples
+  #
+  # encode_url ForaController, :post, :title, 'Hello', :body, 'World'
+  # encode_url :post, :title, 'Hello', :body, 'World' # => implies controller == self
+  # encode_url :kick, :oid, 4
+  # encode_url article # => article.to_href
+  # 
+  # Alternatively you can pass options with a hash:
+  #
+  # encode_url :controller => ForaController, :action => :delete, :params => { :title => 'Hello' }
+  # encode_url :action => :delete
+  #--
+  # Design: The pseudo-hack method with the alternating array 
+  # elements is needed because Ruby hashes are not sorted.
+  # FIXME: better implementation? optimize this?
+  # TODO: move elsewhere.
+  #++
+  
+  def encode_uri(*args)
+    f = args.first
+    
+    # A standard url as string, return as is.
+    
+    if f.is_a? String
+      # Attach the controller mount_path if this is a relative
+      # path. Use Controller.current to make this method more
+      # reusable.
+      unless f =~ /^\// or f =~ /^http/
+        f = "#{Controller.current.mount_path}/#{f}".squeeze('/')  
+      end
+      return f
+    end
+  
+    # If the passed param is an object that responds to :to_href
+    # returns the url to this object.
+    
+    if f.respond_to? :to_href
+      return args.first.to_href
+    end
+    
+    if f.is_a? Symbol
+      # no controller passed, try to use self as controller.
+      if self.class.respond_to? :mount_path
+        args.unshift(self.class)
+      else
+        raise "No controller passed to encode_url"
+      end
+    end
+
+    # Try to encode using the router.
+    
+    if router = Context.current.dispatcher.router
+      if path = router.encode_route(*args)
+        return path
+      end
+    end
+    
+    # No routing rule, manual encoding.
+    
+    controller = args.shift
+    action = args.shift.to_sym    
+
+    if controller.is_a? Class
+      # If the class argument is not a controller, try to get 
+      # a controller for this class.
+      
+      unless controller.respond_to? :mount_path
+        # Use the standard controller convention.
+        controller = controller::Controller
+      end
+    else
+      # An entity model is passed, lookup the class, then 
+      # the controller and inject the oid as a parameter. For
+      # example:
+      #
+      # a = Article[1]
+      # encode_url(a, :read) == encode_url(Article::Controller, :read, :oid, a.oid)
+      
+      args.unshift :oid, controller.oid
+      controller = controller.class::Controller
+    end
+    
+    if action == :index
+      url = "#{controller.mount_path}"
+    else
+      mount_path = controller.mount_path
+      mount_path = nil if mount_path == '/'    
+      url = "#{mount_path}/#{action}"
+    end
+
+    unless args.empty?
+      if controller.action_or_template?(action, Context.current.format)
+        param_count = controller.instance_method(action).arity
+        if param_count > 0
+           param_count.times do
+            args.shift # name 
+            url << "/#{CGI.escape(args.shift.to_s)}"
+          end        
+        end
+      end
+      
+      unless args.empty?
+        url << '?'
+        params = []
+        (args.size / 2).times do
+          params << "#{args.shift}=#{args.shift}" 
+        end
+        url << params.join(';')
+      end
+    end
+    
+    return url  
+  end
+  alias R encode_uri
+  alias encode_url encode_uri # DEPRECATED.
+  
+
+  # Just like encode_uri, but generates an absolute URI instead.
+  
+  def encode_absolute_uri(*args)
+    return "#{request.host_url}#{encode_url(*args)}"
+  end
+  alias RA encode_absolute_uri
+  alias encode_absolute_url encode_absolute_uri # DEPRECATED.
+  
+end
+
+end

data/lib/raw/util/html_filter.rb

@@ -0,0 +1,538 @@
+# = HTML filtering library
+#
+# == Port
+#
+# lib_filter.php, v1.15 by Cal Henderson <cal@iamcal.com>
+#
+# This code is licensed under a Creative Commons Attribution-ShareAlike 2.5 License
+# http://creativecommons.org/licenses/by-sa/2.5/
+#
+# Thanks to Jang Kim for adding support for single quoted attributes
+#
+# == Reference
+#
+# http://iamcal.com/publish/articles/php/processing_html/
+# http://iamcal.com/publish/articles/php/processing_html_part_2/
+#
+# == Author(s)
+#
+# * TransNoumena
+# * George Moschovitis
+# * James Britt
+# * Cal Henderson
+# * Jang Kim
+
+require "cgi"
+
+class HtmlFilter
+
+  # tags and attributes that are allowed
+  #
+  # Eg.
+  #
+  #   {
+  #     'a' => ['href', 'target'],
+  #     'b' => [],
+  #     'img' => ['src', 'width', 'height', 'alt']
+  #   }
+  attr_accessor :allowed
+
+  # tags which should always be self-closing (e.g. "<img />")
+  attr_accessor :no_close
+
+  # tags which must always have seperate opening and closing 
+  # tags (e.g. "<b></b>")
+  attr_accessor :always_close
+
+  # attributes which should be checked for valid protocols 
+  # (src,href)
+  attr_accessor :protocol_attributes
+
+  # protocols which are allowed (http, ftp, mailto)
+  attr_accessor :allowed_protocols
+
+  # tags which should be removed if they contain no content 
+  # (e.g. "<b></b>" or "<b />")
+  attr_accessor :remove_blanks
+
+  # should we remove comments? (true, false)
+  attr_accessor :strip_comments
+
+  # should we try and make a b tag out of "b>" (true, false)
+  attr_accessor :always_make_tags
+
+  # entity control option (true, false)
+  attr_accessor :allow_numbered_entities
+
+  # entity control option (amp, gt, lt, quot, etc.)
+  attr_accessor :allowed_entities
+
+  # default settings
+  DEFAULT = {
+    'allowed' => {
+      'a'   => ['href', 'target'],
+      'b'   => [],
+      'i'   => [],
+      'ul'  => [],
+      'ol'  => [],
+      'li'  => [],
+      'img' => ['src', 'width', 'height', 'alt'],
+      'object' => ['width', 'height'],
+      'param' => ['name', 'value'],
+      'embed' => ['src', 'type', 'wmode', 'name', 'value'],
+    },
+    'no_close' => ['img', 'br', 'hr'],
+    'always_close' => ['a', 'b'],
+    'protocol_attributes' => ['src', 'href'],
+    'allowed_protocols' => ['http', 'ftp', 'mailto'],
+    'remove_blanks' => ['a', 'b'],
+    'strip_comments' => true,
+    'always_make_tags' => true,
+    'allow_numbered_entities' => true,
+    'allowed_entities' => ['amp', 'gt', 'lt', 'quot']
+  }
+
+  #
+  # new html filter
+  #
+
+  def initialize( options=nil )
+    @tag_counts = {}
+
+    (options || DEFAULT).each{ |k,v| send("#{k}=",v) }
+  end
+
+  #
+  #
+  #
+
+  def filter(data)
+    tag_counts = []
+
+    data = escape_comments(data)
+    data = balance_html(data)
+    data = check_tags(data)
+    data = process_remove_blanks(data)
+    data = validate_entities(data)
+
+    return data
+  end
+
+  private
+
+  #
+  # internal tag counter
+  #
+
+  attr_reader :tag_counts
+
+  #
+  #
+  #
+
+  def escape_comments(data)
+    data = data.gsub(/<!--(.*?)-->/s) do
+      '<!--' + html_sepcial_chars(strip_single($1)) + '-->'
+    end
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def balance_html(data)
+    data = data.dup
+
+    if always_make_tags
+      # try and form html
+      data.gsub!(/>>+/, '>')
+      data.gsub!(/<<+/, '<')
+      data.gsub!(/^>/, '')
+      data.gsub!(/<([^>]*?)(?=<|$)/, '<\1>')
+      data.gsub!(/(^|>)([^<]*?)(?=>)/, '\1<\2')
+    else
+      # escape stray brackets
+      data.gsub!(/<([^>]*?)(?=<|$)/, '&lt;\1')
+      data.gsub!(/(^|>)([^<]*?)(?=>)/, '\1\2&gt;<')
+      # the last regexp causes '<>' entities to appear
+      # (we need to do a lookahead assertion so that the last bracket
+      # can be used in the next pass of the regexp)
+      data.gsub!('<>', '')
+    end
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def check_tags(data)
+    data = data.dup
+
+    data.gsub!(/<(.*?)>/s){
+      process_tag(strip_single($1))
+    }
+
+    tag_counts.each do |tag, cnt|
+        cnt.times{ data << "</#{tag}>" }
+    end
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def process_tag(data)
+
+    # ending tags
+
+    re = /^\/([a-z0-9]+)/si
+
+    if matches = re.match(data)
+        name = matches[1].downcase
+        if allowed.key?(name)
+            unless no_close.include?(name)
+                if tag_counts[name]
+                    tag_counts[name] -= 1
+                    return "</#{name}>"
+                end
+            end
+        else
+            return ''
+        end
+    end
+
+    # starting tags
+
+    re = /^([a-z0-9]+)(.*?)(\/?)$/si
+
+    if matches = re.match(data)
+        name   = matches[1].downcase
+        body   = matches[2]
+        ending = matches[3]
+
+        if allowed.key?(name)
+            params = ""
+
+            matches_2 = body.scan(/([a-z0-9]+)=(["'])(.*?)\2/si)         # <foo a="b" />
+            matches_1 = body.scan(/([a-z0-9]+)(=)([^"\s']+)/si)          # <foo a=b />
+            matches_3 = body.scan(/([a-z0-9]+)=(["'])([^"']*?)\s*$/si)   # <foo a="b />
+
+            matches = matches_1 + matches_2 + matches_3
+
+            matches.each do |match|
+                pname = match[0].downcase
+                if allowed[name].include?(pname)
+                    value = match[2]
+                    if protocol_attributes.include?(pname)
+                        value = process_param_protocol(value)
+                    end
+                    params += %{ #{pname}="#{value}"}
+                end
+            end
+            if no_close.include?(name)
+                ending = ' /'
+            end
+            if always_close.include?(name)
+                ending = ''
+            end
+            if ending.empty?
+                if tag_counts.key?(name)
+                    tag_counts[name] += 1
+                else
+                    tag_counts[name] = 1
+                end
+            end
+            unless ending.empty?
+                ending = ' /'
+            end
+            return '<' + name + params + ending + '>'
+        else
+            return ''
+        end
+    end
+
+    # comments
+    if /^!--(.*)--$/si =~ data
+        if strip_comments
+            return ''
+        else
+            return '<' + data + '>'
+        end
+    end
+
+    # garbage, ignore it
+    return ''
+  end
+
+  #
+  #
+  #
+
+  def process_param_protocol(data)
+    data = decode_entities(data)
+
+    re = /^([^:]+)\:/si
+
+    if matches = re.match(data)
+        unless allowed_protocols.include?(matches[1])
+            #data = '#'.substr(data, strlen(matches[1])+1)
+            data = '#' + data[0..matches[1].size+1]
+        end
+    end
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def process_remove_blanks(data)
+    data = data.dup
+
+    remove_blanks.each do |tag|
+        data.gsub!(/<#{tag}(\s[^>]*)?><\/#{tag}>/, '')
+        data.gsub!(/<#{tag}(\s[^>]*)?\/>/, '')
+    end
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def fix_case(data)
+    data_notags = strip_tags(data)
+    data_notags = data_notags.gsub(/[^a-zA-Z]/, '')
+
+    if data_notags.size < 5
+        return data
+    end
+
+    if /[a-z]/ =~ data_notags
+        return data
+    end
+
+    data = data.gsub(/(>|^)([^<]+?)(<|$)/s){
+        strip_single($1) +
+        fix_case_inner(strip_single($2)) +
+        strip_single($3)
+    }
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def fix_case_inner(data)
+    data = data.dup
+
+    data.downcase!
+
+    data.gsub!(/(^|[^\w\s\';,\\-])(\s*)([a-z])/){
+        strip_single("#{$1}#{$2}") + strip_single($3).upcase
+    }
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def validate_entities(data)
+    data = data.dup
+
+    # validate entities throughout the string
+    data.gsub!(%r!&([^&;]*)(?=(;|&|$))!){
+        check_entity(strip_single($1), strip_single($2))
+    }
+
+    # validate quotes outside of tags
+    data.gsub!(/(>|^)([^<]+?)(<|$)/s){
+        m1, m2, m3 = $1, $2, $3
+        strip_single(m1) +
+        strip_single(m2).gsub('\"', '&quot;') +
+        strip_single(m3)
+    }
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def check_entity(preamble, term)
+    if term != ';'
+        return '&amp;' + preamble
+    end
+
+    if is_valid_entity(preamble)
+        return '&' + preamble
+    end
+
+    return '&amp;' + preamble
+  end
+
+  #
+  #
+  #
+
+  def is_valid_entity(entity)
+    re = /^#([0-9]+)$/i
+
+    if md = re.match(entity)
+        if (md[1].to_i > 127)
+            return true
+        end
+        return allow_numbered_entities
+    end
+
+    if allowed_entities.include?(entity)
+        return true
+    end
+
+    return nil
+  end
+
+  # within attributes, we want to convert all hex/dec/url
+  # escape sequences into their raw characters so that we can
+  # check we don't get stray quotes/brackets inside strings.
+
+  def decode_entities(data)
+    data = data.dup
+
+    data.gsub!(/(&)#(\d+);?/){ decode_dec_entity($1, $2) }
+    data.gsub!(/(&)#x([0-9a-f]+);?/i){ decode_hex_entity($1, $2) }
+    data.gsub!(/(%)([0-9a-f]{2});?/i){ decode_hex_entity($1, $2) }
+
+    data = validate_entities(data)
+
+    return data
+  end
+
+  #
+  #
+  #
+
+  def decode_hex_entity(*m)
+    return decode_num_entity(m[1], m[2].to_i.to_s(16))
+  end
+
+  #
+  #
+  #
+
+  def decode_dec_entity(*m)
+    return decode_num_entity(m[1], m[2])
+  end
+
+  #
+  #
+  #
+
+  def decode_num_entity(orig_type, d)
+    d = d.to_i
+    d = 32 if d < 0   # space
+
+    # don't mess with high chars
+    if d > 127
+        return '%' + d.to_s(16) if orig_type == '%'
+        return "&#{d};" if orig_type == '&'
+    end
+
+    return escape(d.chr)
+  end
+
+  #
+  #
+  #
+
+  def strip_single(data)
+    return data.gsub('\"', '"').gsub('\0', 0.chr)
+  end
+
+  # Certain characters have special significance in HTML, and 
+  # should be represented by HTML entities if they are to 
+  # preserve their meanings. This function returns a string 
+  # with some of these conversions made; the translations made 
+  # are those most useful for everyday web programming.
+
+  def escape(html)
+    CGI.escape(html).gsub(/'/, '&#039;')
+  end
+
+end
+
+# Overload the standard String class for extra convienience.
+
+class String
+  def html_filter
+    HtmlFilter.new.filter(self)
+  end
+end
+
+
+if $0 ==__FILE__
+
+  require 'test/unit'
+
+  class TestHtmlFilter < Test::Unit::TestCase
+
+    def test_strip_single
+      hf = HtmlFilter.new
+      assert_equal( '"', hf.send(:strip_single,'\"') )
+      assert_equal( "\000", hf.send(:strip_single,'\0') )
+    end
+
+    def assert_filter(filtered, original)
+      assert_equal(filtered, original.html_filter)
+    end
+
+    def test_fix_quotes
+      assert_filter '<img src="foo.jpg" />', "<img src=\"foo.jpg />"
+    end
+
+    def test_basics
+      assert_filter '', ''
+      assert_filter 'hello', 'hello'
+    end
+
+    def test_balancing_tags
+      assert_filter "<b>hello</b>", "<<b>hello</b>"
+      assert_filter "<b>hello</b>", "<b>>hello</b>"
+      assert_filter "<b>hello</b>", "<b>hello<</b>"
+      assert_filter "<b>hello</b>", "<b>hello</b>>" 
+      assert_filter "", "<>"
+    end
+
+    def test_tag_completion
+      assert_filter "hello", "hello<b>"
+      assert_filter "<b>hello</b>", "<b>hello"
+      assert_filter "hello<b>world</b>", "hello<b>world"
+      assert_filter "hello", "hello</b>"
+      assert_filter "hello", "hello<b/>"
+      assert_filter "hello<b>world</b>", "hello<b/>world"
+      assert_filter "<b><b><b>hello</b></b></b>", "<b><b><b>hello"
+      assert_filter "", "</b><b>"
+    end
+
+    def test_end_slashes
+      assert_filter '<img />', '<img>'
+      assert_filter '<img />', '<img/>'
+      assert_filter '', '<b/></b>'
+    end
+
+  end
+
+end