relevance-tarantula 0.0.8.1 → 0.1.0

data/uninstall.rb

@@ -1 +0,0 @@
-# Uninstall hook code here

data/vendor/xss-shield/MIT-LICENSE

@@ -1,20 +0,0 @@
-Copyright (c) 2007 Trampoline Systems
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/vendor/xss-shield/README

@@ -1,76 +0,0 @@
-FIXME: THIS README IS NOT UP-TO-DATE.
-
-This plugin provides XSS protection for views coded in HAML and RHTML.
-
-ERB templates are sometimes used for HTML, and sometimes for
-other kinds of languages (SQL, email templates, YAML etc.).
-XSS Shield protects only those templates with .rhtml extension,
-leaving templates with .erb extension unprotected.
-
-=== Quick start ===
-
-Assuming you're using HAML for all your templates.
-
-* Install plugin.
-* Edit all your layout files and change:
-    = @content_for_layout
-    = yield(:foo) # Foo being usually :js or :css
-  to:
-    = @content_for_layout.mark_as_xss_protected
-    = yield(:foo).mark_as_xss_protected
-* By this point your application should be runnanble,
-  but might need some tweaking here and there to avoid potential
-  double-escaping.
-
-=== How it works ===
-
-It works by subclassing String into SafeString.
-When HAML engine seems a "= foo" fragment it check if result of executing "foo"
-is a SafeString. If it is - it copies it to the output, if it's anything else
-(String, Integer, nil and so on) it HTML-escapes it first.
-
-To avoid double-escaping output of h is a SafeString, as is everything you
-mark as XSS-protected.
-  = h(@foo)
-  = @foo # fully equivalent to h(@foo)
-  = "X <br /> Y".mark_as_xss_protected
-
-It would be cumbersome to require mark_as_xss_protected every time you use
-some helper like render :partial or link_to, so some helpers are modified
-to return SafeString.
-
-  = render :partial => "foo"
-  = link_to "Bar", :action => :bar
-
-If you trust your helpers, make them as XSS-protected:
-
-  module Some::Module
-    mark_helpers_as_xss_protected :text_field, :check_box
-  end
-
-Because it is not possible to alter syntactic keywords like yield
-or instance variables like @content_for_layout to mark them automatically
-as secure, layout files need some manual tweaking.
-
-=== Other template engines ===
-
-If a templates uses some templating engine other than HAML or ERB,
-or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
-
-However some helpers like link_to and button_to are patched by XSS Shield to
-make them more secure, and this extra security will be there even when used
-in an otherwise unprotected context.
-
-For example with XSS shield
-  link_to "A & B", "/foo"
-will return (marked as safe):
-  '<a href="/foo">A &amp; B</a>'
-not (plain String):
-  '<a href="/foo">A & B</a>'
-
-Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
-If you use some alternative ERB engine it probably won't work.
-
-Adding support for alternative templating engine should be relatively straightforward.
-It's mostly a matter of changing to_s to to_s_xss_protected in a few places
-in their source.

data/vendor/xss-shield/init.rb

@@ -1,16 +0,0 @@
-unless ENV['DISABLE_XSS_SHIELD']
-  puts "Loading XSS Shield"
-  require 'xss_shield'
-else
-  class ::String
-    def mark_as_xss_protected
-      self
-    end
-  end
-
-  class ::NilClass
-    def mark_as_xss_protected
-      self
-    end
-  end
-end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -1,6 +0,0 @@
-require 'xss_shield/safe_string'
-# Tarantula doesn't use haml
-# require 'xss_shield/haml_hacks'
-# ERB hacks blow up Rails
-# require 'xss_shield/erb_hacks'
-require 'xss_shield/secure_helpers'

data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb

@@ -1,111 +0,0 @@
-class XSSProtectedERB < ERB
-  class Compiler < ::ERB::Compiler
-    def compile(s)
-      out = Buffer.new(self)
-
-      content = ''
-      scanner = make_scanner(s)
-      scanner.scan do |token|
-  if scanner.stag.nil?
-    case token
-          when PercentLine
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      content = ''
-            out.push(token.to_s)
-            out.cr
-    when :cr
-      out.cr
-    when '<%', '<%=', '<%#'
-      scanner.stag = token
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      content = ''
-    when "\n"
-      content << "\n"
-      out.push("#{@put_cmd} #{content.dump}")
-      out.cr
-      content = ''
-    when '<%%'
-      content << '<%'
-    else
-      content << token
-    end
-  else
-    case token
-    when '%>'
-      case scanner.stag
-      when '<%'
-        if content[-1] == ?\n
-    content.chop!
-    out.push(content)
-    out.cr
-        else
-    out.push(content)
-        end
-      when '<%='
-              # NOTE: Changed lines
-        out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
-              # NOTE: End changed lines
-      when '<%#'
-        # out.push("# #{content.dump}")
-      end
-      scanner.stag = nil
-      content = ''
-    when '%%>'
-      content << '%>'
-    else
-      content << token
-    end
-  end
-      end
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      out.close
-      out.script
-    end
-  end
-
-  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
-    @safe_level = safe_level
-    compiler = XSSProtectedERB::Compiler.new(trim_mode)
-    set_eoutvar(compiler, eoutvar)
-    @src = compiler.compile(str)
-    @filename = nil
-  end
-end
-
-module ActionView
-  class Base
-    private
-      def create_template_source(extension, template, render_symbol, locals)
-        if template_requires_setup?(extension)
-          body = case extension.to_sym
-            when :rxml, :builder
-              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
-              "#{content_type_handler}.content_type ||= Mime::XML\n" +
-              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
-              template +
-              "\nxml.target!\n"
-            when :rjs
-              "controller.response.content_type ||= Mime::JS\n" +
-              "update_page do |page|\n#{template}\nend"
-          end
-        # NOTE: Changed lines
-        elsif extension.to_sym == :rhtml
-          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
-        # NOTE: End changed lines
-        else
-          body = ERB.new(template, nil, @@erb_trim_mode).src
-        end
-
-        @@template_args[render_symbol] ||= {}
-        locals_keys = @@template_args[render_symbol].keys | locals
-        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
-
-        locals_code = ""
-        locals_keys.each do |key|
-          locals_code << "#{key} = local_assigns[:#{key}]\n"
-        end
-
-        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
-      end
-  end
-end

data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb

@@ -1,42 +0,0 @@
-raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
-
-module Haml
-  class Engine
-    def push_script(text, flattened)
-      unless options[:suppress_eval]
-        push_silent("haml_temp = #{text}", true)
-        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
-        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
-        if @block_opened
-          push_and_tabulate([:loud, out])
-        else
-          @precompiled << out
-        end
-      end
-    end
-
-    def build_attributes(attributes = {})
-      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
-      # making ' as attribute quote not workable
-      result = attributes.map do |a,v|
-        v = v.to_s_xss_protected
-        unless v.blank?
-          " #{a}=\"#{v}\""
-        end
-      end
-      result.sort.join
-    end
-  end
-
-  class Buffer
-    def build_attributes(attributes = {})
-      result = attributes.map do |a,v|
-        v = v.to_s_xss_protected
-        unless v.blank?
-          " #{a}=\"#{v}\""
-        end
-      end
-      result.sort.join
-    end
-  end
-end

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -1,47 +0,0 @@
-class SafeString < String
-  def to_s
-    self
-  end
-  def to_s_xss_protected
-    self
-  end
-end
-
-class String
-  def mark_as_xss_protected
-    SafeString.new(self)
-  end
-end
-
-class NilClass
-  def mark_as_xss_protected
-    self
-  end
-end
-
-# ERB::Util.h and (include ERB::Util; h) are different methods
-module ERB::Util
-  class <<self
-    def h_with_xss_protection(*args)
-      h_without_xss_protection(*args).mark_as_xss_protected
-    end
-    alias_method_chain :h, :xss_protection
-  end
-  
-    def h_with_xss_protection(*args)
-      h_without_xss_protection(*args).mark_as_xss_protected
-    end
-    alias_method_chain :h, :xss_protection
-end
-
-class Object
-  def to_s_xss_protected
-    ERB::Util.h(to_s).mark_as_xss_protected
-  end
-end
-
-class Array
-  def join_xss_protected(sep="")
-    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
-  end
-end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -1,40 +0,0 @@
-class Module
-  def mark_helpers_as_xss_protected(*ms)
-    ms.each do |m|
-      begin
-        instance_method("#{m}_with_xss_protection")
-      rescue NameError
-        define_method :"#{m}_with_xss_protection" do |*args|
-          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
-        end
-        alias_method_chain m, :xss_protection
-      end
-    end
-  end
-end
-
-class ActionView::Base
-  mark_helpers_as_xss_protected :javascript_include_tag,
-                                :stylesheet_link_tag,
-                                :render,
-                                :text_field_tag,
-                                :submit_tag,
-                                :radio_button,
-                                :text_area,
-                                :auto_discovery_link_tag,
-                                :image_tag
-
-  def link_to_with_xss_protection(text, *args)
-    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
-  end
-  alias_method_chain :link_to, :xss_protection
-
-  def button_to_with_xss_protection(text, *args)
-    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
-  end
-  alias_method_chain :button_to, :xss_protection
-end
-
-module ActionView::Helpers::FormHelper
-  mark_helpers_as_xss_protected :text_field, :check_box
-end

data/vendor/xss-shield/test/test_actionview_integration.rb

@@ -1,40 +0,0 @@
-# Run from your Rails main directory
-require 'test/test_helper'
-
-class TestActionViewIntegration < Test::Unit::TestCase
-  def assert_renders(expected, input, extension)
-    base = ActionView::Base.new
-    actual = base.render_template(extension, input, "foo.#{extension}")
-    assert_equal expected, actual
-  end
-
-  def test_erb
-    assert_renders <<OUT, <<IN, :erb
-A & B
-A & B
-OUT
-<%= "A & B" %>
-<%= "A & B".mark_as_xss_protected %>
-IN
-  end
-
-  def test_rhtml
-    assert_renders <<OUT, <<IN, :rhtml
-A &amp; B
-A & B
-OUT
-<%= "A & B" %>
-<%= "A & B".mark_as_xss_protected %>
-IN
-  end
- 
-  def test_haml
-    assert_renders <<OUT, <<IN, :haml
-A &amp; B
-A & B
-OUT
-= "A & B"
-= "A & B".mark_as_xss_protected
-IN
-  end
-end

data/vendor/xss-shield/test/test_erb.rb

@@ -1,44 +0,0 @@
-# Run from your Rails main directory
-require 'test/test_helper'
-
-class TestERB < Test::Unit::TestCase
-  def assert_renders_erb(expected, input, shield=true)
-    erb_class = shield ? XSSProtectedERB : ERB
-
-    actual = eval(erb_class.new(input).src)
-    
-    assert_equal expected, actual
-  end
-  
-  def test_erb_with_shield
-    assert_renders_erb <<OUT, <<IN, true
-Foo &amp;amp; Bar
-Foo &amp;amp; Bar
-Foo &amp; Bar
-Foo &amp; Bar
-Foo &amp; Bar
-OUT
-<%= "Foo &amp; Bar"  %>
-<%= h("Foo &amp; Bar") %>
-<%= "Foo &amp; Bar".mark_as_xss_protected  %>
-<%= h("Foo & Bar") %>
-<%= "Foo & Bar" %>
-IN
-  end
-  
-  def test_erb_without_shield
-    assert_renders_erb <<OUT, <<IN, false
-Foo &amp;amp; Bar
-Foo &amp; Bar
-Foo &amp; Bar
-Foo &amp; Bar
-Foo & Bar
-OUT
-<%= h("Foo &amp; Bar") %>
-<%= "Foo &amp; Bar"  %>
-<%= "Foo &amp; Bar".mark_as_xss_protected  %>
-<%= h("Foo & Bar") %>
-<%= "Foo & Bar" %>
-IN
-  end
-end