thumblemonks-inquisition 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +20 -0
- data/README.rdoc +24 -0
- data/VERSION.yml +4 -0
- data/lib/html5lib_sanitize.rb +2453 -0
- data/lib/inquisition.rb +43 -0
- data/test/inquisition_test.rb +37 -0
- data/test/lib/animal.rb +13 -0
- data/test/lib/whisky.rb +14 -0
- data/test/performance.rb +29 -0
- data/test/test_helper.rb +14 -0
- metadata +65 -0
data/lib/inquisition.rb
ADDED
@@ -0,0 +1,43 @@
|
|
1
|
+
require 'html5'
|
2
|
+
require 'html5lib_sanitize'
|
3
|
+
|
4
|
+
# == Introduction
|
5
|
+
#
|
6
|
+
# Inquisition will escape html included in specified attributes to
|
7
|
+
# eliminate xss-style attacks.
|
8
|
+
module Inquisition
|
9
|
+
def self.included(klass)
|
10
|
+
klass.extend(ClassMethods)
|
11
|
+
end
|
12
|
+
|
13
|
+
module ClassMethods
|
14
|
+
|
15
|
+
# cleanse_attr creates getters and setters for the specified list of attributes.
|
16
|
+
def cleanse_attr(*attributes)
|
17
|
+
cleanse_attr_reader(*attributes)
|
18
|
+
cleanse_attr_writer(*attributes)
|
19
|
+
end
|
20
|
+
|
21
|
+
def cleanse_attr_reader(*attributes)
|
22
|
+
attributes.each do |attr|
|
23
|
+
alias_method(:"#{attr}_without_cleansing", :"#{attr}")
|
24
|
+
define_method(:"#{attr}") do
|
25
|
+
HTML5libSanitize.sanitize_html(send(:"#{attr}_without_cleansing"))
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def cleanse_attr_writer(*attributes)
|
31
|
+
attributes.each do |attr|
|
32
|
+
alias_method(:"#{attr}_without_cleansing=", :"#{attr}=")
|
33
|
+
define_method(:"#{attr}=") do |value|
|
34
|
+
send(:"#{attr}_without_cleansing=", HTML5libSanitize.sanitize_html(value))
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end #Class Methods
|
39
|
+
end #Inquisition
|
40
|
+
|
41
|
+
class Object
|
42
|
+
include Inquisition
|
43
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class InquisitionTest < Test::Unit::TestCase
|
4
|
+
context "a fine Whisky" do
|
5
|
+
setup do
|
6
|
+
@whisky = Whisky.new(:name => "<script>alert('Cragganmore')</script>",
|
7
|
+
:origin => "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", :abv => 42.0,
|
8
|
+
:description => %Q['';!--"<XSS>=&{()}a buttery scotch])
|
9
|
+
end
|
10
|
+
|
11
|
+
should "have heresy removed from name" do
|
12
|
+
assert_equal "<script>alert('Cragganmore')</script>", @whisky.name
|
13
|
+
end
|
14
|
+
|
15
|
+
should "remove already-ingrained heresey" do
|
16
|
+
@whisky.instance_variable_set(:@name, "<script>alert('Cragganmore')</script>")
|
17
|
+
assert_equal "<script>alert('Cragganmore')</script>", @whisky.name
|
18
|
+
end
|
19
|
+
|
20
|
+
should "cleanse heresy before setting" do
|
21
|
+
@whisky.name = "<script>alert('Cragganmore')</script>"
|
22
|
+
private_name = @whisky.instance_variable_get(:@name)
|
23
|
+
|
24
|
+
assert_equal "<script>alert('Cragganmore')</script>", private_name
|
25
|
+
end
|
26
|
+
|
27
|
+
should "not cleanse fields not targeted for cleansing" do
|
28
|
+
assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
|
29
|
+
end
|
30
|
+
|
31
|
+
should "not cleanse and set fields not targeted for cleansing" do
|
32
|
+
@whisky.origin = "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>"
|
33
|
+
private_origin = @whisky.instance_variable_get(:@origin)
|
34
|
+
assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
data/test/lib/animal.rb
ADDED
data/test/lib/whisky.rb
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
class Whisky
|
2
|
+
attr_accessor :name, :origin, :abv, :description
|
3
|
+
cleanse_attr :name, :description
|
4
|
+
|
5
|
+
def initialize(attributes)
|
6
|
+
attributes.each_pair do |k,v|
|
7
|
+
self.send(:"#{k}=",v)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
|
11
|
+
def drink
|
12
|
+
"You quaffed #{description}"
|
13
|
+
end
|
14
|
+
end
|
data/test/performance.rb
ADDED
@@ -0,0 +1,29 @@
|
|
1
|
+
require 'benchmark'
|
2
|
+
require File.join(File.dirname(__FILE__), 'test_helper')
|
3
|
+
|
4
|
+
@whisky = Whisky.new({})
|
5
|
+
Benchmark.bmbm do |x|
|
6
|
+
x.report("normal") do
|
7
|
+
1_000.times do
|
8
|
+
@whisky.origin = "<script>foo</script>"
|
9
|
+
@whisky.instance_variable_set(:@origin, "<script>foo</script>")
|
10
|
+
@whisky.origin
|
11
|
+
end
|
12
|
+
end
|
13
|
+
x.report("cleansed") do
|
14
|
+
1_000.times do
|
15
|
+
@whisky.name = "<script>foo</script>"
|
16
|
+
@whisky.instance_variable_set(:@name, "<script>foo</script>")
|
17
|
+
@whisky.name
|
18
|
+
end
|
19
|
+
end
|
20
|
+
x.report("writer only") do
|
21
|
+
1_000.times do @whisky.name = "<script>foo</script>" end
|
22
|
+
end
|
23
|
+
x.report("reader only") do
|
24
|
+
1_000.times do
|
25
|
+
@whisky.instance_variable_set(:@name, "<script>foo</script>")
|
26
|
+
@whisky.name = "<script>foo</script>"
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
data/test/test_helper.rb
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'test/unit'
|
3
|
+
require 'shoulda'
|
4
|
+
|
5
|
+
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
6
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
7
|
+
require 'inquisition'
|
8
|
+
|
9
|
+
#Test models, yeah.
|
10
|
+
require 'lib/animal'
|
11
|
+
require 'lib/whisky'
|
12
|
+
|
13
|
+
class Test::Unit::TestCase
|
14
|
+
end
|
metadata
ADDED
@@ -0,0 +1,65 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: thumblemonks-inquisition
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- toothrot
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2009-03-27 00:00:00 -07:00
|
13
|
+
default_executable:
|
14
|
+
dependencies: []
|
15
|
+
|
16
|
+
description:
|
17
|
+
email: scissorjammer@gmail.com
|
18
|
+
executables: []
|
19
|
+
|
20
|
+
extensions: []
|
21
|
+
|
22
|
+
extra_rdoc_files:
|
23
|
+
- README.rdoc
|
24
|
+
- LICENSE
|
25
|
+
files:
|
26
|
+
- VERSION.yml
|
27
|
+
- README.rdoc
|
28
|
+
- lib/inquisition.rb
|
29
|
+
- lib/html5lib_sanitize.rb
|
30
|
+
- test/lib
|
31
|
+
- test/lib/animal.rb
|
32
|
+
- test/lib/whisky.rb
|
33
|
+
- test/inquisition_test.rb
|
34
|
+
- test/performance.rb
|
35
|
+
- test/test_helper.rb
|
36
|
+
- LICENSE
|
37
|
+
has_rdoc: true
|
38
|
+
homepage: http://github.com/thumblemonks/inquisition
|
39
|
+
post_install_message: Choosy heretics choose Thumble Monks.
|
40
|
+
rdoc_options:
|
41
|
+
- --inline-source
|
42
|
+
- --charset=UTF-8
|
43
|
+
require_paths:
|
44
|
+
- lib
|
45
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
46
|
+
requirements:
|
47
|
+
- - ">="
|
48
|
+
- !ruby/object:Gem::Version
|
49
|
+
version: "0"
|
50
|
+
version:
|
51
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - ">="
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: "0"
|
56
|
+
version:
|
57
|
+
requirements: []
|
58
|
+
|
59
|
+
rubyforge_project:
|
60
|
+
rubygems_version: 1.2.0
|
61
|
+
signing_key:
|
62
|
+
specification_version: 2
|
63
|
+
summary: TODO
|
64
|
+
test_files: []
|
65
|
+
|