ruby-exclaim 0.0.0 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +14 -0
- data/lib/exclaim/renderer.rb +3 -2
- data/lib/exclaim/ui.rb +3 -2
- data/lib/exclaim/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c58fbe14b28a72c3f22279981f5f37c65a31120948f62acfaac8555944281c69
|
|
4
|
+
data.tar.gz: 478d295febd82bb1bd4137578983578cb3d105c38bbcf241c48d4abbc13849cf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a8a70584a279e7c61d5aef6061c8a80095822f4526325278263b9bfca58ebf94a30e2893840eb98d73144baf1ea3be0d1d14330b0fd00ea05d5cca5724f2936
|
|
7
|
+
data.tar.gz: da68180e51ef7c3d919d177d70bf621eda9435d59bf216b2b366c3ae67cda2b20b599d05706e6ca42e9cdadcfd3610b5fa6335598ab03ce3154598797965259c
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
|
|
6
6
|
|
|
7
7
|
## Unreleased
|
|
8
8
|
|
|
9
|
+
## 0.1.0 - 2021-05-06
|
|
10
|
+
### Added
|
|
11
|
+
- Ability to disable all HTML escaping by setting the `should_escape_html` flag to `false` when instantiating
|
|
12
|
+
`Exclaim::Ui`, e.g. `Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)`
|
|
13
|
+
|
|
9
14
|
## 0.0.0 - 2021-02-12
|
|
10
15
|
### Added
|
|
11
16
|
- Initial version
|
data/README.md
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
+ [Shorthand Properties and Configuration Defaults](#shorthand-properties-and-configuration-defaults)
|
|
18
18
|
+ [Security Considerations](#security-considerations)
|
|
19
19
|
- [Script Injection](#script-injection)
|
|
20
|
+
- [Disable HTML escaping](#disable-html-escaping)
|
|
20
21
|
- [Unintended Tracking/HTTP Requests](#unintended-trackinghttp-requests)
|
|
21
22
|
* [Querying the Parsed UI](#querying-the-parsed-ui)
|
|
22
23
|
* [Utilities](#utilities)
|
|
@@ -633,6 +634,19 @@ your implementation can call `CGI.unescape_html` or `CGI.unescape_element`.
|
|
|
633
634
|
See [CGI::Util](https://ruby-doc.org/stdlib-3.0.0/libdoc/cgi/rdoc/CGI/Util.html)
|
|
634
635
|
in the Ruby standard library for details.
|
|
635
636
|
|
|
637
|
+
##### Disable HTML escaping
|
|
638
|
+
|
|
639
|
+
You can disable HTML escaping altogether by setting the `should_escape_html` flag to `false` when instantiating
|
|
640
|
+
`Exclaim::Ui`. You generally should only do this when the output will not be rendered directly to HTML as this could
|
|
641
|
+
potentially allow script injection and other hazards of unescaped rendering of untrusted user input. If you use this
|
|
642
|
+
flag and the output is ultimately destined for a browser, make sure something downstream between `Exclaim::Ui#render`
|
|
643
|
+
and the browser will escape characters that have special meaning in HTML: `<` `>` `&` `"` `'`
|
|
644
|
+
|
|
645
|
+
```
|
|
646
|
+
exclaim_ui = Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)
|
|
647
|
+
exclaim_ui.render(env: my_environment) # HTML characters will not be escaped
|
|
648
|
+
```
|
|
649
|
+
|
|
636
650
|
##### Unintended Tracking/HTTP Requests
|
|
637
651
|
|
|
638
652
|
If you don't need to implement components with configurable URLs, just avoid it completely.
|
data/lib/exclaim/renderer.rb
CHANGED
|
@@ -2,8 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Exclaim
|
|
4
4
|
class Renderer
|
|
5
|
-
def initialize(parsed_ui)
|
|
5
|
+
def initialize(parsed_ui, should_escape_html = true)
|
|
6
6
|
@parsed_ui = parsed_ui
|
|
7
|
+
@should_escape_html = should_escape_html
|
|
7
8
|
end
|
|
8
9
|
|
|
9
10
|
def call(env: {})
|
|
@@ -25,7 +26,7 @@ module Exclaim
|
|
|
25
26
|
end
|
|
26
27
|
|
|
27
28
|
def resolve_component_config(component, env)
|
|
28
|
-
resolve(component.config, env).transform_values! { |value| escape_html!(value) }
|
|
29
|
+
resolve(component.config, env).transform_values! { |value| @should_escape_html ? escape_html!(value) : value }
|
|
29
30
|
end
|
|
30
31
|
|
|
31
32
|
def escape_html!(value)
|
data/lib/exclaim/ui.rb
CHANGED
|
@@ -4,8 +4,9 @@ module Exclaim
|
|
|
4
4
|
class Ui
|
|
5
5
|
attr_reader :implementation_map, :parsed_ui, :renderer
|
|
6
6
|
|
|
7
|
-
def initialize(implementation_map: Exclaim::Implementations.example_implementation_map)
|
|
7
|
+
def initialize(implementation_map: Exclaim::Implementations.example_implementation_map, should_escape_html: true)
|
|
8
8
|
@implementation_map = Exclaim::ImplementationMap.parse!(implementation_map)
|
|
9
|
+
@should_escape_html = should_escape_html
|
|
9
10
|
rescue Exclaim::Error
|
|
10
11
|
raise
|
|
11
12
|
rescue StandardError => e
|
|
@@ -66,7 +67,7 @@ module Exclaim
|
|
|
66
67
|
|
|
67
68
|
def parsed_ui=(value)
|
|
68
69
|
@parsed_ui = value
|
|
69
|
-
@renderer = Exclaim::Renderer.new(@parsed_ui)
|
|
70
|
+
@renderer = Exclaim::Renderer.new(@parsed_ui, @should_escape_html)
|
|
70
71
|
end
|
|
71
72
|
|
|
72
73
|
def bind_paths(config_value, accumulator)
|
data/lib/exclaim/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-exclaim
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Salsify, Inc
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-05-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|