ruby-exclaim 0.0.0 → 0.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 23b0cbf8949adc14eff900789bf6e6e099179e8c06ddb36fd83092397466b653
4
- data.tar.gz: d51958364005213af769660afa6d71a210203832b16fda5ee167164e0c080464
3
+ metadata.gz: c58fbe14b28a72c3f22279981f5f37c65a31120948f62acfaac8555944281c69
4
+ data.tar.gz: 478d295febd82bb1bd4137578983578cb3d105c38bbcf241c48d4abbc13849cf
5
5
  SHA512:
6
- metadata.gz: 3bb5dee1daa8a139f034c0e08cb52cf32d3844a60f0d2f2761ae73bb0b031615e0ff28f35e9bb48577f7ddb11c96ecf340a6fd0937009291b0d33b9c7e40b4a0
7
- data.tar.gz: f18f08e66dbf47ac312ec3958bce96bd25ab65045524f4d1b509de1b373381b3a4c06600edde85afddf46bba4a942c3ac7ef1c94be32ea6b76e40e8839346d18
6
+ metadata.gz: 7a8a70584a279e7c61d5aef6061c8a80095822f4526325278263b9bfca58ebf94a30e2893840eb98d73144baf1ea3be0d1d14330b0fd00ea05d5cca5724f2936
7
+ data.tar.gz: da68180e51ef7c3d919d177d70bf621eda9435d59bf216b2b366c3ae67cda2b20b599d05706e6ca42e9cdadcfd3610b5fa6335598ab03ce3154598797965259c
data/CHANGELOG.md CHANGED
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
6
6
 
7
7
  ## Unreleased
8
8
 
9
+ ## 0.1.0 - 2021-05-06
10
+ ### Added
11
+ - Ability to disable all HTML escaping by setting the `should_escape_html` flag to `false` when instantiating
12
+ `Exclaim::Ui`, e.g. `Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)`
13
+
9
14
  ## 0.0.0 - 2021-02-12
10
15
  ### Added
11
16
  - Initial version
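Review bot: the 0.1.0 "Added" entry describes the `should_escape_html` flag but not its consequence; since setting it to `false` re-enables the script-injection hazard the README's Security Considerations section warns about, the changelog line should say so and point to the new "Disable HTML escaping" README section, so readers skimming release notes don't adopt the flag without the caveat.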
data/README.md CHANGED
@@ -17,6 +17,7 @@
17
17
  + [Shorthand Properties and Configuration Defaults](#shorthand-properties-and-configuration-defaults)
18
18
  + [Security Considerations](#security-considerations)
19
19
  - [Script Injection](#script-injection)
20
+ - [Disable HTML escaping](#disable-html-escaping)
20
21
  - [Unintended Tracking/HTTP Requests](#unintended-trackinghttp-requests)
21
22
  * [Querying the Parsed UI](#querying-the-parsed-ui)
22
23
  * [Utilities](#utilities)
@@ -633,6 +634,19 @@ your implementation can call `CGI.unescape_html` or `CGI.unescape_element`.
633
634
  See [CGI::Util](https://ruby-doc.org/stdlib-3.0.0/libdoc/cgi/rdoc/CGI/Util.html)
634
635
  in the Ruby standard library for details.
635
636
 
637
+ ##### Disable HTML escaping
638
+
639
+ You can disable HTML escaping altogether by setting the `should_escape_html` flag to `false` when instantiating
640
+ `Exclaim::Ui`. You generally should only do this when the output will not be rendered directly to HTML as this could
641
+ potentially allow script injection and other hazards of unescaped rendering of untrusted user input. If you use this
642
+ flag and the output is ultimately destined for a browser, make sure something downstream between `Exclaim::Ui#render`
643
+ and the browser will escape characters that have special meaning in HTML: `<` `>` `&` `"` `'`
644
+
645
+ ```
646
+ exclaim_ui = Exclaim::Ui.new(implementation_map: my_implementation_map, should_escape_html: false)
647
+ exclaim_ui.render(env: my_environment) # HTML characters will not be escaped
648
+ ```
649
+
636
650
  ##### Unintended Tracking/HTTP Requests
637
651
 
638
652
  If you don't need to implement components with configurable URLs, just avoid it completely.
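Review bot: the fenced example around `Exclaim::Ui.new(implementation_map: ..., should_escape_html: false)` has no language tag; use ```ruby so it is highlighted like the rest of the README. The new section should also state the default explicitly (the flag defaults to `true`) and make clear that it is instance-wide: once set to `false`, no component config value rendered through that `Exclaim::Ui` is escaped, so the downstream escaping requirement applies to every value in the output, not just the one the caller had in mind.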
@@ -2,8 +2,9 @@
2
2
 
3
3
  module Exclaim
4
4
  class Renderer
5
- def initialize(parsed_ui)
5
+ def initialize(parsed_ui, should_escape_html = true)
6
6
  @parsed_ui = parsed_ui
7
+ @should_escape_html = should_escape_html
7
8
  end
8
9
 
9
10
  def call(env: {})
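Review bot: `should_escape_html = true` is a positional boolean here while `Exclaim::Ui#initialize` takes the same setting as a keyword; a bare `Renderer.new(parsed_ui, false)` is hard to read and easy to pass in the wrong position, so prefer `def initialize(parsed_ui, should_escape_html: true)` and call it as `Exclaim::Renderer.new(@parsed_ui, should_escape_html: @should_escape_html)` from `Ui#parsed_ui=`.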
@@ -25,7 +26,7 @@ module Exclaim
25
26
  end
26
27
 
27
28
  def resolve_component_config(component, env)
28
- resolve(component.config, env).transform_values! { |value| escape_html!(value) }
29
+ resolve(component.config, env).transform_values! { |value| @should_escape_html ? escape_html!(value) : value }
29
30
  end
30
31
 
31
32
  def escape_html!(value)
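Review bot: the ternary `@should_escape_html ? escape_html!(value) : value` fails open: any falsy value, including a `nil` that reaches the constructor from an unset setting, silently turns escaping off for every component config value. Since escaping is the safe default, invert the test so that only an explicit `false` opts out, e.g. `@should_escape_html == false ? value : escape_html!(value)`, or reject non-boolean values where the flag is accepted.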
data/lib/exclaim/ui.rb CHANGED
@@ -4,8 +4,9 @@ module Exclaim
4
4
  class Ui
5
5
  attr_reader :implementation_map, :parsed_ui, :renderer
6
6
 
7
- def initialize(implementation_map: Exclaim::Implementations.example_implementation_map)
7
+ def initialize(implementation_map: Exclaim::Implementations.example_implementation_map, should_escape_html: true)
8
8
  @implementation_map = Exclaim::ImplementationMap.parse!(implementation_map)
9
+ @should_escape_html = should_escape_html
9
10
  rescue Exclaim::Error
10
11
  raise
11
12
  rescue StandardError => e
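Review bot: `@should_escape_html` is stored but not added to the `attr_reader` list above, so callers and tests cannot inspect whether a `Ui` instance escapes; add `:should_escape_html` alongside `:renderer`. Validating here that the argument is `true` or `false` (raising `Exclaim::Error` otherwise, as the rest of the constructor does for bad input) would surface a misconfiguration at construction time rather than as silently unescaped output later.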
@@ -66,7 +67,7 @@ module Exclaim
66
67
 
67
68
  def parsed_ui=(value)
68
69
  @parsed_ui = value
69
- @renderer = Exclaim::Renderer.new(@parsed_ui)
70
+ @renderer = Exclaim::Renderer.new(@parsed_ui, @should_escape_html)
70
71
  end
71
72
 
72
73
  def bind_paths(config_value, accumulator)
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Exclaim
4
- VERSION = '0.0.0'
4
+ VERSION = '0.1.0'
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-exclaim
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.0
4
+ version: 0.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Salsify, Inc
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-03-26 00:00:00.000000000 Z
11
+ date: 2021-05-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler