vidibus-xss 0.1.12 → 0.1.13

data/VERSION

@@ -1 +1 @@
-0.1.12
+0.1.13

data/app/controllers/xss_controller.rb

@@ -1,10 +1,10 @@
 class XssController < ApplicationController
   unloadable
-  
+
   def load
-    custom_params = params.except(:path, :scope, :controller, :action)
+    custom_params = params.symbolize_keys.except(:path, :scope, :controller, :action)
     path = params[:path]
     path += "?#{custom_params.to_uri}" if custom_params.any?
     render :path => path, :format => :xss
   end
-end
+end

data/config/routes.rb

@@ -1,3 +1,3 @@
 Rails.application.routes.draw do
-  match "xss/:path" => "xss#load"
+  match "xss/:path" => "xss#load", :constraints => { :path => /.*/ }
 end

data/lib/vidibus/xss/extensions/controller.rb

@@ -4,44 +4,48 @@ module Vidibus
   module Xss
     module Extensions
       module Controller
-        
+
         extend ActiveSupport::Concern
-        
+
         included do
           helper_method :url_for, :xss_request?, :fullpath_url
           respond_to :html, :xss
           rescue_from ActionController::RoutingError, :with => :rescue_404
         end
-        
+
         # Set hostname of clients that are allowed to access this resource.
         def xss_clients
-          [request.headers["Origin"]]
+          @xss_clients ||= [request.headers["Origin"]]
         end
-        
+
         protected
-        
+
         # Returns true if requesting client is in list of xss clients.
         def xss_client?
           @is_xss_client ||= !!xss_client
         end
-  
+
         # Returns requesting client if it is in list of xss clients.
         def xss_client
           @xss_client ||= begin
             return unless origin = request.headers["Origin"]
+            clients = xss_clients
             unless xss_clients
               raise %(Define a list of xss_clients in your ApplicationController that returns all hosts that are allowed to access your service.\nExample: %w[http://myconsumer.local])
             end
-            xss_clients = [xss_clients] unless xss_clients.is_a?(Array)
-            xss_clients.detect { |c| c == origin }
+            if clients.is_a?(Array)
+              clients.detect { |c| c == origin }
+            elsif clients == origin
+              origin
+            end
           end
         end
-        
+
         # Returns layout for current request format.
         def get_layout(format = nil)
           (xss_request? or format == :xss) ? 'xss.haml' : 'application'
         end
-        
+
         # IMPORTANT: restart server to apply modifications.
         def rescue_404
           return if respond_to_options_request
@@ -50,7 +54,7 @@ module Vidibus
 
         # Responds to OPTIONS request.
         # When sending data to foreign domain by AJAX, Firefox will send an OPTIONS request first.
-        # 
+        #
         # == Usage:
         #
         #  Set up a catch-all route for handling 404s like this, if you haven't done it already:
@@ -68,7 +72,7 @@ module Vidibus
           xss_access_control_headers
           render(:text => "OK", :status => 200) and return true
         end
-      
+
         # Returns true if current request is in XSS format.
         def xss_request?
           @is_xss ||= begin
@@ -81,12 +85,12 @@ module Vidibus
             end
           end
         end
-      
+
         # Returns true if the current request is an OPTIONS request.
         def options_request?
           @is_options_request ||= request.method == "OPTIONS"
         end
-        
+
         # Set access control headers to allow cross-domain XMLHttpRequest calls.
         # For more information, see: https://developer.mozilla.org/En/HTTP_access_control
         def xss_access_control_headers
@@ -96,13 +100,13 @@ module Vidibus
           headers["Access-Control-Allow-Credentials"] = "true"
           headers["Access-Control-Max-Age"] = "1728000" # Cache this response for 20 days.
         end
-        
+
         def extract_xss_html(dom)
           dom.css('body').first.inner_html
         end
 
         # Extracts javascript resources from given DOM object.
-        # 
+        #
         # Usage:
         #
         #   dom = Nokogiri::HTML(<html></html>)
@@ -119,7 +123,7 @@ module Vidibus
         end
 
         # Extracts stylesheet resources from given DOM object.
-        # 
+        #
         # Usage:
         #
         #   dom = Nokogiri::HTML(<html></html>)
@@ -137,19 +141,19 @@ module Vidibus
         end
 
         # Renders given content string to XSS hash of resources and content.
-        # If html content is given, the method tries to extract title, 
+        # If html content is given, the method tries to extract title,
         # stylesheets and javascripts from head and content from body.
         # TODO: Allow script blocks! Add them to body?
         # TODO: Allow style blocks?
         # TODO: Check for html content
         def render_to_xss(content)
           dom = Nokogiri::HTML(content)
-          { 
-            :resources => extract_xss_javascripts(dom) + extract_xss_stylesheets(dom), 
-            :content => extract_xss_html(dom) 
+          {
+            :resources => extract_xss_javascripts(dom) + extract_xss_stylesheets(dom),
+            :content => extract_xss_html(dom)
           }
         end
-        
+
         # Redirect to a xss url.
         # For POST request, invoke callback action.
         # For GET request, render redirect action directly.
@@ -170,15 +174,15 @@ module Vidibus
           end
 
           data = {
-            :status => type, 
-            :html => nil, 
-            :message => nil, 
-            :to => nil 
+            :status => type,
+            :html => nil,
+            :message => nil,
+            :to => nil
           }.merge(options)
 
           render_xss(:callback => data)
         end
-        
+
         # Main method for rendering XSS.
         # Renders given XSS resources and content to string and sets it as response_body.
         def render_xss(options = {})
@@ -187,12 +191,12 @@ module Vidibus
           path = options.delete(:get)
           redirect = options.delete(:redirect)
           callback = options.delete(:callback)
-          
+
           raise "Please provide :content, :get, :redirect or :callback." unless content or path or redirect or callback
           raise "Please provide either :content to render or :get location to load. Not both." if content and path
-          
+
           xss = ""
-          
+
           # determine scope
           if !(scope = params[:scope]).blank?
             scope = "$('##{scope}')"
@@ -200,7 +204,7 @@ module Vidibus
             scope = "$s#{xss_random_string}"
             xss << %(var #{scope}=vidibus.xss.detectScope();)
           end
-          
+
           # set host for current scope
           xss << %(vidibus.xss.setHost('#{request.protocol}#{request.host_with_port}',#{scope});)
 
@@ -222,9 +226,9 @@ module Vidibus
               %(vidibus.xss.callback(#{callback.to_json},#{scope});)
             end
           end
-          
+
           xss_content << xss_csrf_vars
-          
+
           # wait until resources have been loaded, before rendering XSS content
           if defer
             function_name = "rx#{xss_random_string}"
@@ -258,11 +262,11 @@ module Vidibus
         # def verify_authenticity_token
         #   xss_request? || super
         # end
-        
+
         # Extension of url_for:
         # Transform given relative paths into absolute urls.
-        # 
-        # Usage: 
+        #
+        # Usage:
         #   url_for("/stylesheets/vidibus.css", :only_path => false)
         #
         def url_for(*args)
@@ -277,7 +281,7 @@ module Vidibus
 
         # Chatches redirect calls for XSS locations.
         # If a XSS location is given, XSS content will be rendered instead of redirecting.
-        # 
+        #
         # == Usage:
         #
         #   respond_to do |format|

data/lib/vidibus/xss/extensions/string.rb

@@ -19,4 +19,4 @@ module Vidibus
       end
     end
   end
-end
+end

data/lib/vidibus/xss/extensions/view.rb

@@ -2,7 +2,7 @@ module Vidibus
   module Xss
     module Extensions
       module View
-      
+
         # Sets XSS attributes on given ones.
         def set_xss_html_attributes(attributes)
           attributes['data-xss'] = true

data/lib/vidibus/xss/extensions.rb

@@ -6,4 +6,4 @@ ActiveSupport.on_load(:action_controller) do
   include Vidibus::Xss::Extensions::Controller
 end
 
-String.send :include, Vidibus::Xss::Extensions::String
+String.send :include, Vidibus::Xss::Extensions::String

data/lib/vidibus/xss.rb

@@ -1,2 +1,2 @@
 require "xss/extensions"
-require "xss/mime_type"
+require "xss/mime_type"

data/lib/vidibus-xss.rb

@@ -1,7 +1,6 @@
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib", "vidibus"))
 require "xss"
 
-# Load contents of app and config directories.
 module Vidibus::Xss
   class Engine < ::Rails::Engine; end
-end
+end

data/spec/spec_helper.rb

@@ -6,6 +6,6 @@ require "rails"
 require "spec"
 require "rr"
 
-Spec::Runner.configure do |config|  
+Spec::Runner.configure do |config|
   config.mock_with RR::Adapters::Rspec
-end
+end

data/vidibus-xss.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{vidibus-xss}
-  s.version = "0.1.12"
+  s.version = "0.1.13"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andre Pankratz"]
-  s.date = %q{2010-09-24}
+  s.date = %q{2010-10-04}
   s.description = %q{Drop-in XSS support for remote applications.}
   s.email = %q{andre@vidibus.com}
   s.extra_rdoc_files = [

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: vidibus-xss
 version: !ruby/object:Gem::Version 
-  hash: 3
+  hash: 1
   prerelease: false
   segments: 
   - 0
   - 1
-  - 12
-  version: 0.1.12
+  - 13
+  version: 0.1.13
 platform: ruby
 authors: 
 - Andre Pankratz
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-24 00:00:00 +02:00
+date: 2010-10-04 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency