tarantula 0.0.8.1 → 0.1.4
- data/README.rdoc +80 -51
- data/Rakefile +33 -44
- data/VERSION.yml +4 -0
- data/examples/example_helper.rb +50 -0
- data/{test/relevance/core_extensions/ellipsize_test.rb → examples/relevance/core_extensions/ellipsize_example.rb} +1 -1
- data/{test/relevance/core_extensions/file_test.rb → examples/relevance/core_extensions/file_example.rb} +1 -1
- data/{test/relevance/core_extensions/response_test.rb → examples/relevance/core_extensions/response_example.rb} +5 -5
- data/{test/relevance/core_extensions/test_case_test.rb → examples/relevance/core_extensions/test_case_example.rb} +3 -3
- data/{test/relevance/tarantula/attack_form_submission_test.rb → examples/relevance/tarantula/attack_form_submission_example.rb} +1 -1
- data/{test/relevance/tarantula/attack_handler_test.rb → examples/relevance/tarantula/attack_handler_example.rb} +1 -1
- data/{test/relevance/tarantula/crawler_test.rb → examples/relevance/tarantula/crawler_example.rb} +3 -3
- data/{test/relevance/tarantula/form_test.rb → examples/relevance/tarantula/form_example.rb} +1 -1
- data/{test/relevance/tarantula/form_submission_test.rb → examples/relevance/tarantula/form_submission_example.rb} +1 -1
- data/{test/relevance/tarantula/html_document_handler_test.rb → examples/relevance/tarantula/html_document_handler_example.rb} +1 -1
- data/{test/relevance/tarantula/html_report_helper_test.rb → examples/relevance/tarantula/html_report_helper_example.rb} +1 -1
- data/{test/relevance/tarantula/html_reporter_test.rb → examples/relevance/tarantula/html_reporter_example.rb} +3 -3
- data/{test/relevance/tarantula/invalid_html_handler_test.rb → examples/relevance/tarantula/invalid_html_handler_example.rb} +1 -1
- data/{test/relevance/tarantula/io_reporter_test.rb → examples/relevance/tarantula/io_reporter_example.rb} +2 -2
- data/{test/relevance/tarantula/link_test.rb → examples/relevance/tarantula/link_example.rb} +21 -15
- data/{test/relevance/tarantula/log_grabber_test.rb → examples/relevance/tarantula/log_grabber_example.rb} +1 -1
- data/{test/relevance/tarantula/rails_init_test.rb → examples/relevance/tarantula/rails_init_example.rb} +3 -3
- data/{test/relevance/tarantula/rails_integration_proxy_test.rb → examples/relevance/tarantula/rails_integration_proxy_example.rb} +6 -12
- data/{test/relevance/tarantula/result_test.rb → examples/relevance/tarantula/result_example.rb} +2 -2
- data/{test/relevance/tarantula/tidy_handler_test.rb → examples/relevance/tarantula/tidy_handler_example.rb} +1 -1
- data/{test/relevance/tarantula/transform_test.rb → examples/relevance/tarantula/transform_example.rb} +2 -3
- data/{test/relevance/tarantula_test.rb → examples/relevance/tarantula_example.rb} +3 -3
- data/laf/v2/detail.html +23 -5
- data/laf/v2/index.html +1 -1
- data/laf/v2/stylesheets/tarantula.v2.css +77 -5
- data/lib/relevance/core_extensions/metaclass.rb +78 -0
- data/lib/relevance/tarantula.rb +1 -4
- data/lib/relevance/tarantula/link.rb +1 -1
- data/lib/relevance/tarantula/rails_integration_proxy.rb +1 -3
- data/template/tarantula_test.rb +12 -2
- metadata +54 -190
- data/init.rb +0 -1
- data/install.rb +0 -1
- data/manifest.txt +0 -102
- data/rails/init.rb +0 -4
- data/tarantula.gemspec +0 -56
- data/test/test_helper.rb +0 -34
- data/uninstall.rb +0 -1
- data/vendor/xss-shield/MIT-LICENSE +0 -20
- data/vendor/xss-shield/README +0 -76
- data/vendor/xss-shield/init.rb +0 -16
- data/vendor/xss-shield/lib/xss_shield.rb +0 -6
- data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb +0 -111
- data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb +0 -42
- data/vendor/xss-shield/lib/xss_shield/safe_string.rb +0 -47
- data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb +0 -40
- data/vendor/xss-shield/test/test_actionview_integration.rb +0 -40
- data/vendor/xss-shield/test/test_erb.rb +0 -44
- data/vendor/xss-shield/test/test_haml.rb +0 -43
- data/vendor/xss-shield/test/test_helpers.rb +0 -25
- data/vendor/xss-shield/test/test_safe_string.rb +0 -55
data/rails/init.rb
DELETED
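--- a/data/tarantula.gemspec
+++ /dev/null
@@ -1,56 +0,0 @@
-# -*- encoding: utf-8 -*-
-
-Gem::Specification.new do |s|
-s.name = %q{tarantula}
-s.version = "0.0.8.1"
-
-s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
-s.authors = ["Relevance"]
-s.date = %q{2009-01-16}
-s.description = %q{A big hairy fuzzy spider that crawls your site, wreaking havoc}
-s.email = %q{opensource@thinkrelevance.com}
-s.extra_rdoc_files = ["CHANGELOG", "lib/relevance/core_extensions/ellipsize.rb", "lib/relevance/core_extensions/file.rb", "lib/relevance/core_extensions/response.rb", "lib/relevance/core_extensions/test_case.rb", "lib/relevance/tarantula/attack.rb", "lib/relevance/tarantula/attack_form_submission.rb", "lib/relevance/tarantula/attack_handler.rb", "lib/relevance/tarantula/crawler.rb", "lib/relevance/tarantula/detail.html.erb", "lib/relevance/tarantula/form.rb", "lib/relevance/tarantula/form_submission.rb", "lib/relevance/tarantula/html_document_handler.rb", "lib/relevance/tarantula/html_report_helper.rb", "lib/relevance/tarantula/html_reporter.rb", "lib/relevance/tarantula/index.html.erb", "lib/relevance/tarantula/invalid_html_handler.rb", "lib/relevance/tarantula/io_reporter.rb", "lib/relevance/tarantula/link.rb", "lib/relevance/tarantula/log_grabber.rb", "lib/relevance/tarantula/rails_integration_proxy.rb", "lib/relevance/tarantula/recording.rb", "lib/relevance/tarantula/response.rb", "lib/relevance/tarantula/result.rb", "lib/relevance/tarantula/test_report.html.erb", "lib/relevance/tarantula/tidy_handler.rb", "lib/relevance/tarantula/transform.rb", "lib/relevance/tarantula.rb", "MIT-LICENSE", "README.rdoc", "vendor/xss-shield/MIT-LICENSE"]
-s.files = ["CHANGELOG", "init.rb", "install.rb", "laf/images/background.jpg", "laf/images/relevance-os-logo.gif", "laf/images/tab.png", "laf/images/table-sort.gif", "laf/images/tarantula-sprites.png", "laf/javascripts/jquery-1.2.3.js", "laf/javascripts/jquery-ui-tabs.js", "laf/javascripts/jquery.tablesorter.js", "laf/javascripts/niftycube-details.js", "laf/javascripts/niftycube.js", "laf/javascripts/niftyLayout.js", "laf/javascripts/tarantula.js", "laf/stylesheets/niftyCorners.css", "laf/stylesheets/NiftyLayout.css", "laf/stylesheets/old.css", "laf/stylesheets/tarantula.css", "laf/stylesheets/tarantula.v2.css", "laf/stylesheets/ui.tabs.css", "laf/v2/detail.html", "laf/v2/images/button_active.png", "laf/v2/images/button_hover.png", "laf/v2/images/button_inactive.png", "laf/v2/images/header_bg.jpg", "laf/v2/images/logo.png", "laf/v2/images/tagline.png", "laf/v2/index.html", "laf/v2/stylesheets/tarantula.v2.css", "lib/relevance/core_extensions/ellipsize.rb", "lib/relevance/core_extensions/file.rb", "lib/relevance/core_extensions/response.rb", "lib/relevance/core_extensions/test_case.rb", "lib/relevance/tarantula/attack.rb", "lib/relevance/tarantula/attack_form_submission.rb", "lib/relevance/tarantula/attack_handler.rb", "lib/relevance/tarantula/crawler.rb", "lib/relevance/tarantula/detail.html.erb", "lib/relevance/tarantula/form.rb", "lib/relevance/tarantula/form_submission.rb", "lib/relevance/tarantula/html_document_handler.rb", "lib/relevance/tarantula/html_report_helper.rb", "lib/relevance/tarantula/html_reporter.rb", "lib/relevance/tarantula/index.html.erb", "lib/relevance/tarantula/invalid_html_handler.rb", "lib/relevance/tarantula/io_reporter.rb", "lib/relevance/tarantula/link.rb", "lib/relevance/tarantula/log_grabber.rb", "lib/relevance/tarantula/rails_integration_proxy.rb", "lib/relevance/tarantula/recording.rb", "lib/relevance/tarantula/response.rb", "lib/relevance/tarantula/result.rb", "lib/relevance/tarantula/test_report.html.erb", "lib/relevance/tarantula/tidy_handler.rb", "lib/relevance/tarantula/transform.rb", "lib/relevance/tarantula.rb", "manifest.txt", "MIT-LICENSE", "rails/init.rb", "Rakefile", "README.rdoc", "tarantula.gemspec", "tasks/tarantula_tasks.rake", "template/tarantula_test.rb", "test/relevance/core_extensions/ellipsize_test.rb", "test/relevance/core_extensions/file_test.rb", "test/relevance/core_extensions/response_test.rb", "test/relevance/core_extensions/test_case_test.rb", "test/relevance/tarantula/attack_form_submission_test.rb", "test/relevance/tarantula/attack_handler_test.rb", "test/relevance/tarantula/crawler_test.rb", "test/relevance/tarantula/form_submission_test.rb", "test/relevance/tarantula/form_test.rb", "test/relevance/tarantula/html_document_handler_test.rb", "test/relevance/tarantula/html_report_helper_test.rb", "test/relevance/tarantula/html_reporter_test.rb", "test/relevance/tarantula/invalid_html_handler_test.rb", "test/relevance/tarantula/io_reporter_test.rb", "test/relevance/tarantula/link_test.rb", "test/relevance/tarantula/log_grabber_test.rb", "test/relevance/tarantula/rails_init_test.rb", "test/relevance/tarantula/rails_integration_proxy_test.rb", "test/relevance/tarantula/result_test.rb", "test/relevance/tarantula/tidy_handler_test.rb", "test/relevance/tarantula/transform_test.rb", "test/relevance/tarantula_test.rb", "test/test_helper.rb", "uninstall.rb", "vendor/xss-shield/init.rb", "vendor/xss-shield/lib/xss_shield/erb_hacks.rb", "vendor/xss-shield/lib/xss_shield/haml_hacks.rb", "vendor/xss-shield/lib/xss_shield/safe_string.rb", "vendor/xss-shield/lib/xss_shield/secure_helpers.rb", "vendor/xss-shield/lib/xss_shield.rb", "vendor/xss-shield/MIT-LICENSE", "vendor/xss-shield/README", "vendor/xss-shield/test/test_actionview_integration.rb", "vendor/xss-shield/test/test_erb.rb", "vendor/xss-shield/test/test_haml.rb", "vendor/xss-shield/test/test_helpers.rb", "vendor/xss-shield/test/test_safe_string.rb"]
-s.has_rdoc = true
-s.homepage = %q{http://github.com/relevance/tarantula}
-s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Tarantula", "--main", "README.rdoc"]
-s.require_paths = ["lib"]
-s.rubyforge_project = %q{thinkrelevance}
-s.rubygems_version = %q{1.3.1}
-s.summary = %q{A big hairy fuzzy spider that crawls your site, wreaking havoc}
-s.test_files = ["test/relevance/core_extensions/ellipsize_test.rb", "test/relevance/core_extensions/file_test.rb", "test/relevance/core_extensions/response_test.rb", "test/relevance/core_extensions/test_case_test.rb", "test/relevance/tarantula/attack_form_submission_test.rb", "test/relevance/tarantula/attack_handler_test.rb", "test/relevance/tarantula/crawler_test.rb", "test/relevance/tarantula/form_submission_test.rb", "test/relevance/tarantula/form_test.rb", "test/relevance/tarantula/html_document_handler_test.rb", "test/relevance/tarantula/html_report_helper_test.rb", "test/relevance/tarantula/html_reporter_test.rb", "test/relevance/tarantula/invalid_html_handler_test.rb", "test/relevance/tarantula/io_reporter_test.rb", "test/relevance/tarantula/link_test.rb", "test/relevance/tarantula/log_grabber_test.rb", "test/relevance/tarantula/rails_init_test.rb", "test/relevance/tarantula/rails_integration_proxy_test.rb", "test/relevance/tarantula/result_test.rb", "test/relevance/tarantula/tidy_handler_test.rb", "test/relevance/tarantula/transform_test.rb", "test/relevance/tarantula_test.rb"]
-
-if s.respond_to? :specification_version then
-current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-s.specification_version = 2
-
-if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-s.add_runtime_dependency(%q<htmlentities>, [">= 0"])
-s.add_runtime_dependency(%q<hpricot>, [">= 0"])
-s.add_runtime_dependency(%q<facets>, [">= 2.4.3"])
-s.add_runtime_dependency(%q<actionpack>, [">= 0"])
-s.add_runtime_dependency(%q<activesupport>, [">= 0"])
-s.add_development_dependency(%q<ruby-debug>, [">= 0"])
-s.add_development_dependency(%q<test-spec>, [">= 0"])
-s.add_development_dependency(%q<mocha>, [">= 0"])
-else
-s.add_dependency(%q<htmlentities>, [">= 0"])
-s.add_dependency(%q<hpricot>, [">= 0"])
-s.add_dependency(%q<facets>, [">= 2.4.3"])
-s.add_dependency(%q<actionpack>, [">= 0"])
-s.add_dependency(%q<activesupport>, [">= 0"])
-s.add_dependency(%q<ruby-debug>, [">= 0"])
-s.add_dependency(%q<test-spec>, [">= 0"])
-s.add_dependency(%q<mocha>, [">= 0"])
-end
-else
-s.add_dependency(%q<htmlentities>, [">= 0"])
-s.add_dependency(%q<hpricot>, [">= 0"])
-s.add_dependency(%q<facets>, [">= 2.4.3"])
-s.add_dependency(%q<actionpack>, [">= 0"])
-s.add_dependency(%q<activesupport>, [">= 0"])
-s.add_dependency(%q<ruby-debug>, [">= 0"])
-s.add_dependency(%q<test-spec>, [">= 0"])
-s.add_dependency(%q<mocha>, [">= 0"])
-end
-end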
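--- a/data/test/test_helper.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-basedir = File.dirname(__FILE__)
-$:.unshift "#{basedir}/../lib"
-require 'rubygems'
-gem 'ruby-debug'
-gem 'test-spec'
-gem 'actionpack'
-gem 'activerecord'
-gem 'activesupport'
-
-require 'test/spec'
-require 'mocha'
-require 'ostruct'
-require 'ruby-debug'
-require 'activerecord'
-require 'relevance/tarantula'
-
-# needed for html-scanner, grr
-require 'active_support'
-require 'action_controller'
-
-require 'redgreen' unless (Object.const_defined?("TextMate") || ENV["EMACS"]) rescue nil # just a nice to have, don't blow up if not there
-
-class Test::Unit::TestCase
-def test_output_dir
-File.join(File.dirname(__FILE__), "..", "tmp", "test_output")
-end
-
-# TODO change puts/print to use a single method for logging, which will then make the stubbing cleaner
-def stub_puts_and_print(obj)
-obj.stubs(:puts)
-obj.stubs(:print)
-end
-
-end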
data/uninstall.rb
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
# Uninstall hook code here
|
@@ -1,20 +0,0 @@
|
|
1
|
-
Copyright (c) 2007 Trampoline Systems
|
2
|
-
|
3
|
-
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
-
a copy of this software and associated documentation files (the
|
5
|
-
"Software"), to deal in the Software without restriction, including
|
6
|
-
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
-
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
-
permit persons to whom the Software is furnished to do so, subject to
|
9
|
-
the following conditions:
|
10
|
-
|
11
|
-
The above copyright notice and this permission notice shall be
|
12
|
-
included in all copies or substantial portions of the Software.
|
13
|
-
|
14
|
-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
-
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
-
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
-
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
-
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
-
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
-
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
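--- a/data/vendor/xss-shield/README
+++ /dev/null
@@ -1,76 +0,0 @@
-FIXME: THIS README IS NOT UP-TO-DATE.
-
-This plugin provides XSS protection for views coded in HAML and RHTML.
-
-ERB templates are sometimes used for HTML, and sometimes for
-other kinds of languages (SQL, email templates, YAML etc.).
-XSS Shield protects only those templates with .rhtml extension,
-leaving templates with .erb extension unprotected.
-
-=== Quick start ===
-
-Assuming you're using HAML for all your templates.
-
-* Install plugin.
-* Edit all your layout files and change:
-= @content_for_layout
-= yield(:foo) # Foo being usually :js or :css
-to:
-= @content_for_layout.mark_as_xss_protected
-= yield(:foo).mark_as_xss_protected
-* By this point your application should be runnanble,
-but might need some tweaking here and there to avoid potential
-double-escaping.
-
-=== How it works ===
-
-It works by subclassing String into SafeString.
-When HAML engine seems a "= foo" fragment it check if result of executing "foo"
-is a SafeString. If it is - it copies it to the output, if it's anything else
-(String, Integer, nil and so on) it HTML-escapes it first.
-
-To avoid double-escaping output of h is a SafeString, as is everything you
-mark as XSS-protected.
-= h(@foo)
-= @foo # fully equivalent to h(@foo)
-= "X <br /> Y".mark_as_xss_protected
-
-It would be cumbersome to require mark_as_xss_protected every time you use
-some helper like render :partial or link_to, so some helpers are modified
-to return SafeString.
-
-= render :partial => "foo"
-= link_to "Bar", :action => :bar
-
-If you trust your helpers, make them as XSS-protected:
-
-module Some::Module
-mark_helpers_as_xss_protected :text_field, :check_box
-end
-
-Because it is not possible to alter syntactic keywords like yield
-or instance variables like @content_for_layout to mark them automatically
-as secure, layout files need some manual tweaking.
-
-=== Other template engines ===
-
-If a templates uses some templating engine other than HAML or ERB,
-or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
-
-However some helpers like link_to and button_to are patched by XSS Shield to
-make them more secure, and this extra security will be there even when used
-in an otherwise unprotected context.
-
-For example with XSS shield
-link_to "A & B", "/foo"
-will return (marked as safe):
-'<a href="/foo">A & B</a>'
-not (plain String):
-'<a href="/foo">A & B</a>'
-
-Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
-If you use some alternative ERB engine it probably won't work.
-
-Adding support for alternative templating engine should be relatively straightforward.
-It's mostly a matter of changing to_s to to_s_xss_protected in a few places
-in their source.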
data/vendor/xss-shield/init.rb
DELETED
@@ -1,111 +0,0 @@
|
|
1
|
-
class XSSProtectedERB < ERB
|
2
|
-
class Compiler < ::ERB::Compiler
|
3
|
-
def compile(s)
|
4
|
-
out = Buffer.new(self)
|
5
|
-
|
6
|
-
content = ''
|
7
|
-
scanner = make_scanner(s)
|
8
|
-
scanner.scan do |token|
|
9
|
-
if scanner.stag.nil?
|
10
|
-
case token
|
11
|
-
when PercentLine
|
12
|
-
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
13
|
-
content = ''
|
14
|
-
out.push(token.to_s)
|
15
|
-
out.cr
|
16
|
-
when :cr
|
17
|
-
out.cr
|
18
|
-
when '<%', '<%=', '<%#'
|
19
|
-
scanner.stag = token
|
20
|
-
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
21
|
-
content = ''
|
22
|
-
when "\n"
|
23
|
-
content << "\n"
|
24
|
-
out.push("#{@put_cmd} #{content.dump}")
|
25
|
-
out.cr
|
26
|
-
content = ''
|
27
|
-
when '<%%'
|
28
|
-
content << '<%'
|
29
|
-
else
|
30
|
-
content << token
|
31
|
-
end
|
32
|
-
else
|
33
|
-
case token
|
34
|
-
when '%>'
|
35
|
-
case scanner.stag
|
36
|
-
when '<%'
|
37
|
-
if content[-1] == ?\n
|
38
|
-
content.chop!
|
39
|
-
out.push(content)
|
40
|
-
out.cr
|
41
|
-
else
|
42
|
-
out.push(content)
|
43
|
-
end
|
44
|
-
when '<%='
|
45
|
-
# NOTE: Changed lines
|
46
|
-
out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
|
47
|
-
# NOTE: End changed lines
|
48
|
-
when '<%#'
|
49
|
-
# out.push("# #{content.dump}")
|
50
|
-
end
|
51
|
-
scanner.stag = nil
|
52
|
-
content = ''
|
53
|
-
when '%%>'
|
54
|
-
content << '%>'
|
55
|
-
else
|
56
|
-
content << token
|
57
|
-
end
|
58
|
-
end
|
59
|
-
end
|
60
|
-
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
61
|
-
out.close
|
62
|
-
out.script
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
|
-
def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
|
67
|
-
@safe_level = safe_level
|
68
|
-
compiler = XSSProtectedERB::Compiler.new(trim_mode)
|
69
|
-
set_eoutvar(compiler, eoutvar)
|
70
|
-
@src = compiler.compile(str)
|
71
|
-
@filename = nil
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
75
|
-
module ActionView
|
76
|
-
class Base
|
77
|
-
private
|
78
|
-
def create_template_source(extension, template, render_symbol, locals)
|
79
|
-
if template_requires_setup?(extension)
|
80
|
-
body = case extension.to_sym
|
81
|
-
when :rxml, :builder
|
82
|
-
content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
|
83
|
-
"#{content_type_handler}.content_type ||= Mime::XML\n" +
|
84
|
-
"xml = Builder::XmlMarkup.new(:indent => 2)\n" +
|
85
|
-
template +
|
86
|
-
"\nxml.target!\n"
|
87
|
-
when :rjs
|
88
|
-
"controller.response.content_type ||= Mime::JS\n" +
|
89
|
-
"update_page do |page|\n#{template}\nend"
|
90
|
-
end
|
91
|
-
# NOTE: Changed lines
|
92
|
-
elsif extension.to_sym == :rhtml
|
93
|
-
body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
|
94
|
-
# NOTE: End changed lines
|
95
|
-
else
|
96
|
-
body = ERB.new(template, nil, @@erb_trim_mode).src
|
97
|
-
end
|
98
|
-
|
99
|
-
@@template_args[render_symbol] ||= {}
|
100
|
-
locals_keys = @@template_args[render_symbol].keys | locals
|
101
|
-
@@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
|
102
|
-
|
103
|
-
locals_code = ""
|
104
|
-
locals_keys.each do |key|
|
105
|
-
locals_code << "#{key} = local_assigns[:#{key}]\n"
|
106
|
-
end
|
107
|
-
|
108
|
-
"def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
|
109
|
-
end
|
110
|
-
end
|
111
|
-
end
|
@@ -1,42 +0,0 @@
|
|
1
|
-
raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
|
2
|
-
|
3
|
-
module Haml
|
4
|
-
class Engine
|
5
|
-
def push_script(text, flattened)
|
6
|
-
unless options[:suppress_eval]
|
7
|
-
push_silent("haml_temp = #{text}", true)
|
8
|
-
push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
|
9
|
-
out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
|
10
|
-
if @block_opened
|
11
|
-
push_and_tabulate([:loud, out])
|
12
|
-
else
|
13
|
-
@precompiled << out
|
14
|
-
end
|
15
|
-
end
|
16
|
-
end
|
17
|
-
|
18
|
-
def build_attributes(attributes = {})
|
19
|
-
# We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to '
|
20
|
-
# making ' as attribute quote not workable
|
21
|
-
result = attributes.map do |a,v|
|
22
|
-
v = v.to_s_xss_protected
|
23
|
-
unless v.blank?
|
24
|
-
" #{a}=\"#{v}\""
|
25
|
-
end
|
26
|
-
end
|
27
|
-
result.sort.join
|
28
|
-
end
|
29
|
-
end
|
30
|
-
|
31
|
-
class Buffer
|
32
|
-
def build_attributes(attributes = {})
|
33
|
-
result = attributes.map do |a,v|
|
34
|
-
v = v.to_s_xss_protected
|
35
|
-
unless v.blank?
|
36
|
-
" #{a}=\"#{v}\""
|
37
|
-
end
|
38
|
-
end
|
39
|
-
result.sort.join
|
40
|
-
end
|
41
|
-
end
|
42
|
-
end
|
@@ -1,47 +0,0 @@
|
|
1
|
-
class SafeString < String
|
2
|
-
def to_s
|
3
|
-
self
|
4
|
-
end
|
5
|
-
def to_s_xss_protected
|
6
|
-
self
|
7
|
-
end
|
8
|
-
end
|
9
|
-
|
10
|
-
class String
|
11
|
-
def mark_as_xss_protected
|
12
|
-
SafeString.new(self)
|
13
|
-
end
|
14
|
-
end
|
15
|
-
|
16
|
-
class NilClass
|
17
|
-
def mark_as_xss_protected
|
18
|
-
self
|
19
|
-
end
|
20
|
-
end
|
21
|
-
|
22
|
-
# ERB::Util.h and (include ERB::Util; h) are different methods
|
23
|
-
module ERB::Util
|
24
|
-
class <<self
|
25
|
-
def h_with_xss_protection(*args)
|
26
|
-
h_without_xss_protection(*args).mark_as_xss_protected
|
27
|
-
end
|
28
|
-
alias_method_chain :h, :xss_protection
|
29
|
-
end
|
30
|
-
|
31
|
-
def h_with_xss_protection(*args)
|
32
|
-
h_without_xss_protection(*args).mark_as_xss_protected
|
33
|
-
end
|
34
|
-
alias_method_chain :h, :xss_protection
|
35
|
-
end
|
36
|
-
|
37
|
-
class Object
|
38
|
-
def to_s_xss_protected
|
39
|
-
ERB::Util.h(to_s).mark_as_xss_protected
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
class Array
|
44
|
-
def join_xss_protected(sep="")
|
45
|
-
map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
|
46
|
-
end
|
47
|
-
end
|
@@ -1,40 +0,0 @@
|
|
1
|
-
class Module
|
2
|
-
def mark_helpers_as_xss_protected(*ms)
|
3
|
-
ms.each do |m|
|
4
|
-
begin
|
5
|
-
instance_method("#{m}_with_xss_protection")
|
6
|
-
rescue NameError
|
7
|
-
define_method :"#{m}_with_xss_protection" do |*args|
|
8
|
-
send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
|
9
|
-
end
|
10
|
-
alias_method_chain m, :xss_protection
|
11
|
-
end
|
12
|
-
end
|
13
|
-
end
|
14
|
-
end
|
15
|
-
|
16
|
-
class ActionView::Base
|
17
|
-
mark_helpers_as_xss_protected :javascript_include_tag,
|
18
|
-
:stylesheet_link_tag,
|
19
|
-
:render,
|
20
|
-
:text_field_tag,
|
21
|
-
:submit_tag,
|
22
|
-
:radio_button,
|
23
|
-
:text_area,
|
24
|
-
:auto_discovery_link_tag,
|
25
|
-
:image_tag
|
26
|
-
|
27
|
-
def link_to_with_xss_protection(text, *args)
|
28
|
-
link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
|
29
|
-
end
|
30
|
-
alias_method_chain :link_to, :xss_protection
|
31
|
-
|
32
|
-
def button_to_with_xss_protection(text, *args)
|
33
|
-
button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
|
34
|
-
end
|
35
|
-
alias_method_chain :button_to, :xss_protection
|
36
|
-
end
|
37
|
-
|
38
|
-
module ActionView::Helpers::FormHelper
|
39
|
-
mark_helpers_as_xss_protected :text_field, :check_box
|
40
|
-
end
|