ruby-exclaim 0.0.0 → 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +14 -0
- data/lib/exclaim/renderer.rb +3 -2
- data/lib/exclaim/ui.rb +3 -2
- data/lib/exclaim/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c58fbe14b28a72c3f22279981f5f37c65a31120948f62acfaac8555944281c69
|
|
4
|
+
data.tar.gz: 478d295febd82bb1bd4137578983578cb3d105c38bbcf241c48d4abbc13849cf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a8a70584a279e7c61d5aef6061c8a80095822f4526325278263b9bfca58ebf94a30e2893840eb98d73144baf1ea3be0d1d14330b0fd00ea05d5cca5724f2936
|
|
7
|
+
data.tar.gz: da68180e51ef7c3d919d177d70bf621eda9435d59bf216b2b366c3ae67cda2b20b599d05706e6ca42e9cdadcfd3610b5fa6335598ab03ce3154598797965259c
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
|
|
6
6
|
|
|
7
7
|
## Unreleased
|
|
8
8
|
|
|
9
|
+
## 0.1.0 - 2021-05-06
|
|
10
|
+
### Added
|
|
11
|
+
- Ability to disable all HTML escaping by setting the `should_escape_html` flag to `false` when instantiating
|
|
12
|
+
`Exclaim::Ui`, e.g. `Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)`
|
|
13
|
+
|
|
9
14
|
## 0.0.0 - 2021-02-12
|
|
10
15
|
### Added
|
|
11
16
|
- Initial version
|
data/README.md
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
+ [Shorthand Properties and Configuration Defaults](#shorthand-properties-and-configuration-defaults)
|
|
18
18
|
+ [Security Considerations](#security-considerations)
|
|
19
19
|
- [Script Injection](#script-injection)
|
|
20
|
+
- [Disable HTML escaping](#disable-html-escaping)
|
|
20
21
|
- [Unintended Tracking/HTTP Requests](#unintended-trackinghttp-requests)
|
|
21
22
|
* [Querying the Parsed UI](#querying-the-parsed-ui)
|
|
22
23
|
* [Utilities](#utilities)
|
|
@@ -633,6 +634,19 @@ your implementation can call `CGI.unescape_html` or `CGI.unescape_element`.
|
|
|
633
634
|
See [CGI::Util](https://ruby-doc.org/stdlib-3.0.0/libdoc/cgi/rdoc/CGI/Util.html)
|
|
634
635
|
in the Ruby standard library for details.
|
|
635
636
|
|
|
637
|
+
##### Disable HTML escaping
|
|
638
|
+
|
|
639
|
+
You can disable HTML escaping altogether by setting the `should_escape_html` flag to `false` when instantiating
|
|
640
|
+
`Exclaim::Ui`. You generally should only do this when the output will not be rendered directly to HTML as this could
|
|
641
|
+
potentially allow script injection and other hazards of unescaped rendering of untrusted user input. If you use this
|
|
642
|
+
flag and the output is ultimately destined for a browser, make sure something downstream between `Exclaim::Ui#render`
|
|
643
|
+
and the browser will escape characters that have special meaning in HTML: `<` `>` `&` `"` `'`
|
|
644
|
+
|
|
645
|
+
```
|
|
646
|
+
exclaim_ui = Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)
|
|
647
|
+
exclaim_ui.render(env: my_environment) # HTML characters will not be escaped
|
|
648
|
+
```
|
|
649
|
+
|
|
636
650
|
##### Unintended Tracking/HTTP Requests
|
|
637
651
|
|
|
638
652
|
If you don't need to implement components with configurable URLs, just avoid it completely.
|
data/lib/exclaim/renderer.rb
CHANGED
|
@@ -2,8 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Exclaim
|
|
4
4
|
class Renderer
|
|
5
|
-
def initialize(parsed_ui)
|
|
5
|
+
def initialize(parsed_ui, should_escape_html = true)
|
|
6
6
|
@parsed_ui = parsed_ui
|
|
7
|
+
@should_escape_html = should_escape_html
|
|
7
8
|
end
|
|
8
9
|
|
|
9
10
|
def call(env: {})
|
|
@@ -25,7 +26,7 @@ module Exclaim
|
|
|
25
26
|
end
|
|
26
27
|
|
|
27
28
|
def resolve_component_config(component, env)
|
|
28
|
-
resolve(component.config, env).transform_values! { |value| escape_html!(value) }
|
|
29
|
+
resolve(component.config, env).transform_values! { |value| @should_escape_html ? escape_html!(value) : value }
|
|
29
30
|
end
|
|
30
31
|
|
|
31
32
|
def escape_html!(value)
|
data/lib/exclaim/ui.rb
CHANGED
|
@@ -4,8 +4,9 @@ module Exclaim
|
|
|
4
4
|
class Ui
|
|
5
5
|
attr_reader :implementation_map, :parsed_ui, :renderer
|
|
6
6
|
|
|
7
|
-
def initialize(implementation_map: Exclaim::Implementations.example_implementation_map)
|
|
7
|
+
def initialize(implementation_map: Exclaim::Implementations.example_implementation_map, should_escape_html: true)
|
|
8
8
|
@implementation_map = Exclaim::ImplementationMap.parse!(implementation_map)
|
|
9
|
+
@should_escape_html = should_escape_html
|
|
9
10
|
rescue Exclaim::Error
|
|
10
11
|
raise
|
|
11
12
|
rescue StandardError => e
|
|
@@ -66,7 +67,7 @@ module Exclaim
|
|
|
66
67
|
|
|
67
68
|
def parsed_ui=(value)
|
|
68
69
|
@parsed_ui = value
|
|
69
|
-
@renderer = Exclaim::Renderer.new(@parsed_ui)
|
|
70
|
+
@renderer = Exclaim::Renderer.new(@parsed_ui, @should_escape_html)
|
|
70
71
|
end
|
|
71
72
|
|
|
72
73
|
def bind_paths(config_value, accumulator)
|
data/lib/exclaim/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-exclaim
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Salsify, Inc
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-05-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|