thumblemonks-inquisition 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/LICENSE +20 -0
- data/README.rdoc +24 -0
- data/VERSION.yml +4 -0
- data/lib/html5lib_sanitize.rb +2453 -0
- data/lib/inquisition.rb +43 -0
- data/test/inquisition_test.rb +37 -0
- data/test/lib/animal.rb +13 -0
- data/test/lib/whisky.rb +14 -0
- data/test/performance.rb +29 -0
- data/test/test_helper.rb +14 -0
- metadata +65 -0
data/lib/inquisition.rb
ADDED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
require 'html5'
|
|
2
|
+
require 'html5lib_sanitize'
|
|
3
|
+
|
|
4
|
+
# == Introduction
|
|
5
|
+
#
|
|
6
|
+
# Inquisition will escape html included in specified attributes to
|
|
7
|
+
# eliminate xss-style attacks.
|
|
8
|
+
module Inquisition
|
|
9
|
+
def self.included(klass)
|
|
10
|
+
klass.extend(ClassMethods)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
module ClassMethods
|
|
14
|
+
|
|
15
|
+
# cleanse_attr creates getters and setters for the specified list of attributes.
|
|
16
|
+
def cleanse_attr(*attributes)
|
|
17
|
+
cleanse_attr_reader(*attributes)
|
|
18
|
+
cleanse_attr_writer(*attributes)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def cleanse_attr_reader(*attributes)
|
|
22
|
+
attributes.each do |attr|
|
|
23
|
+
alias_method(:"#{attr}_without_cleansing", :"#{attr}")
|
|
24
|
+
define_method(:"#{attr}") do
|
|
25
|
+
HTML5libSanitize.sanitize_html(send(:"#{attr}_without_cleansing"))
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def cleanse_attr_writer(*attributes)
|
|
31
|
+
attributes.each do |attr|
|
|
32
|
+
alias_method(:"#{attr}_without_cleansing=", :"#{attr}=")
|
|
33
|
+
define_method(:"#{attr}=") do |value|
|
|
34
|
+
send(:"#{attr}_without_cleansing=", HTML5libSanitize.sanitize_html(value))
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end #Class Methods
|
|
39
|
+
end #Inquisition
|
|
40
|
+
|
|
41
|
+
class Object
|
|
42
|
+
include Inquisition
|
|
43
|
+
end
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
require 'test_helper'
|
|
2
|
+
|
|
3
|
+
class InquisitionTest < Test::Unit::TestCase
|
|
4
|
+
context "a fine Whisky" do
|
|
5
|
+
setup do
|
|
6
|
+
@whisky = Whisky.new(:name => "<script>alert('Cragganmore')</script>",
|
|
7
|
+
:origin => "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", :abv => 42.0,
|
|
8
|
+
:description => %Q['';!--"<XSS>=&{()}a buttery scotch])
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
should "have heresy removed from name" do
|
|
12
|
+
assert_equal "<script>alert('Cragganmore')</script>", @whisky.name
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
should "remove already-ingrained heresey" do
|
|
16
|
+
@whisky.instance_variable_set(:@name, "<script>alert('Cragganmore')</script>")
|
|
17
|
+
assert_equal "<script>alert('Cragganmore')</script>", @whisky.name
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
should "cleanse heresy before setting" do
|
|
21
|
+
@whisky.name = "<script>alert('Cragganmore')</script>"
|
|
22
|
+
private_name = @whisky.instance_variable_get(:@name)
|
|
23
|
+
|
|
24
|
+
assert_equal "<script>alert('Cragganmore')</script>", private_name
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
should "not cleanse fields not targeted for cleansing" do
|
|
28
|
+
assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
should "not cleanse and set fields not targeted for cleansing" do
|
|
32
|
+
@whisky.origin = "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>"
|
|
33
|
+
private_origin = @whisky.instance_variable_get(:@origin)
|
|
34
|
+
assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
data/test/lib/animal.rb
ADDED
data/test/lib/whisky.rb
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
class Whisky
|
|
2
|
+
attr_accessor :name, :origin, :abv, :description
|
|
3
|
+
cleanse_attr :name, :description
|
|
4
|
+
|
|
5
|
+
def initialize(attributes)
|
|
6
|
+
attributes.each_pair do |k,v|
|
|
7
|
+
self.send(:"#{k}=",v)
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def drink
|
|
12
|
+
"You quaffed #{description}"
|
|
13
|
+
end
|
|
14
|
+
end
|
data/test/performance.rb
ADDED
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
require 'benchmark'
|
|
2
|
+
require File.join(File.dirname(__FILE__), 'test_helper')
|
|
3
|
+
|
|
4
|
+
@whisky = Whisky.new({})
|
|
5
|
+
Benchmark.bmbm do |x|
|
|
6
|
+
x.report("normal") do
|
|
7
|
+
1_000.times do
|
|
8
|
+
@whisky.origin = "<script>foo</script>"
|
|
9
|
+
@whisky.instance_variable_set(:@origin, "<script>foo</script>")
|
|
10
|
+
@whisky.origin
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
x.report("cleansed") do
|
|
14
|
+
1_000.times do
|
|
15
|
+
@whisky.name = "<script>foo</script>"
|
|
16
|
+
@whisky.instance_variable_set(:@name, "<script>foo</script>")
|
|
17
|
+
@whisky.name
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
x.report("writer only") do
|
|
21
|
+
1_000.times do @whisky.name = "<script>foo</script>" end
|
|
22
|
+
end
|
|
23
|
+
x.report("reader only") do
|
|
24
|
+
1_000.times do
|
|
25
|
+
@whisky.instance_variable_set(:@name, "<script>foo</script>")
|
|
26
|
+
@whisky.name = "<script>foo</script>"
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
data/test/test_helper.rb
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
require 'rubygems'
|
|
2
|
+
require 'test/unit'
|
|
3
|
+
require 'shoulda'
|
|
4
|
+
|
|
5
|
+
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
|
6
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
|
7
|
+
require 'inquisition'
|
|
8
|
+
|
|
9
|
+
#Test models, yeah.
|
|
10
|
+
require 'lib/animal'
|
|
11
|
+
require 'lib/whisky'
|
|
12
|
+
|
|
13
|
+
class Test::Unit::TestCase
|
|
14
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: thumblemonks-inquisition
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- toothrot
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
|
|
12
|
+
date: 2009-03-27 00:00:00 -07:00
|
|
13
|
+
default_executable:
|
|
14
|
+
dependencies: []
|
|
15
|
+
|
|
16
|
+
description:
|
|
17
|
+
email: scissorjammer@gmail.com
|
|
18
|
+
executables: []
|
|
19
|
+
|
|
20
|
+
extensions: []
|
|
21
|
+
|
|
22
|
+
extra_rdoc_files:
|
|
23
|
+
- README.rdoc
|
|
24
|
+
- LICENSE
|
|
25
|
+
files:
|
|
26
|
+
- VERSION.yml
|
|
27
|
+
- README.rdoc
|
|
28
|
+
- lib/inquisition.rb
|
|
29
|
+
- lib/html5lib_sanitize.rb
|
|
30
|
+
- test/lib
|
|
31
|
+
- test/lib/animal.rb
|
|
32
|
+
- test/lib/whisky.rb
|
|
33
|
+
- test/inquisition_test.rb
|
|
34
|
+
- test/performance.rb
|
|
35
|
+
- test/test_helper.rb
|
|
36
|
+
- LICENSE
|
|
37
|
+
has_rdoc: true
|
|
38
|
+
homepage: http://github.com/thumblemonks/inquisition
|
|
39
|
+
post_install_message: Choosy heretics choose Thumble Monks.
|
|
40
|
+
rdoc_options:
|
|
41
|
+
- --inline-source
|
|
42
|
+
- --charset=UTF-8
|
|
43
|
+
require_paths:
|
|
44
|
+
- lib
|
|
45
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
46
|
+
requirements:
|
|
47
|
+
- - ">="
|
|
48
|
+
- !ruby/object:Gem::Version
|
|
49
|
+
version: "0"
|
|
50
|
+
version:
|
|
51
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
52
|
+
requirements:
|
|
53
|
+
- - ">="
|
|
54
|
+
- !ruby/object:Gem::Version
|
|
55
|
+
version: "0"
|
|
56
|
+
version:
|
|
57
|
+
requirements: []
|
|
58
|
+
|
|
59
|
+
rubyforge_project:
|
|
60
|
+
rubygems_version: 1.2.0
|
|
61
|
+
signing_key:
|
|
62
|
+
specification_version: 2
|
|
63
|
+
summary: TODO
|
|
64
|
+
test_files: []
|
|
65
|
+
|