vidibus-xss 0.1.12 → 0.1.13

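--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.12
+0.1.13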
@@ -1,10 +1,10 @@
1
1
  class XssController < ApplicationController
2
2
  unloadable
3
-
3
+
4
4
  def load
5
- custom_params = params.except(:path, :scope, :controller, :action)
5
+ custom_params = params.symbolize_keys.except(:path, :scope, :controller, :action)
6
6
  path = params[:path]
7
7
  path += "?#{custom_params.to_uri}" if custom_params.any?
8
8
  render :path => path, :format => :xss
9
9
  end
10
- end
10
+ end
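Review bot: `path = params[:path]` flows into `render :path => path, :format => :xss` with only the remaining query parameters appended, and nothing in this hunk restricts what that segment may contain; because the route in data/config/routes.rb now constrains `:path` with `/.*/`, the value can carry slashes and `..` segments, so whichever layer resolves it (presumably the gem's render extension, not visible here) has to reject traversal or confine it to a known prefix. A cheap guard before the render call would be `raise ActionController::RoutingError, "invalid path" if path.to_s.include?("..")`, which the `rescue_from ActionController::RoutingError` in the controller extension appears to turn into a 404. `custom_params.to_uri` relies on a Hash extension that is outside this hunk.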
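--- a/data/config/routes.rb
+++ b/data/config/routes.rb
@@ -1,3 +1,3 @@
 Rails.application.routes.draw do
-match "xss/:path" => "xss#load"
+match "xss/:path" => "xss#load", :constraints => { :path => /.*/ }
 end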
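Review bot: The `:constraints => { :path => /.*/ }` added to the match line is the regexp spelling of what Rails already offers as a wildcard segment, `match "xss/*path" => "xss#load"`, which states the intent (accept the whole remaining path, slashes included) without a catch-all regexp. Either form hands the unfiltered remainder of the URL to the controller as `params[:path]`, so the action consuming it has to do its own validation.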
@@ -4,44 +4,48 @@ module Vidibus
4
4
  module Xss
5
5
  module Extensions
6
6
  module Controller
7
-
7
+
8
8
  extend ActiveSupport::Concern
9
-
9
+
10
10
  included do
11
11
  helper_method :url_for, :xss_request?, :fullpath_url
12
12
  respond_to :html, :xss
13
13
  rescue_from ActionController::RoutingError, :with => :rescue_404
14
14
  end
15
-
15
+
16
16
  # Set hostname of clients that are allowed to access this resource.
17
17
  def xss_clients
18
- [request.headers["Origin"]]
18
+ @xss_clients ||= [request.headers["Origin"]]
19
19
  end
20
-
20
+
21
21
  protected
22
-
22
+
23
23
  # Returns true if requesting client is in list of xss clients.
24
24
  def xss_client?
25
25
  @is_xss_client ||= !!xss_client
26
26
  end
27
-
27
+
28
28
  # Returns requesting client if it is in list of xss clients.
29
29
  def xss_client
30
30
  @xss_client ||= begin
31
31
  return unless origin = request.headers["Origin"]
32
+ clients = xss_clients
32
33
  unless xss_clients
33
34
  raise %(Define a list of xss_clients in your ApplicationController that returns all hosts that are allowed to access your service.\nExample: %w[http://myconsumer.local])
34
35
  end
35
- xss_clients = [xss_clients] unless xss_clients.is_a?(Array)
36
- xss_clients.detect { |c| c == origin }
36
+ if clients.is_a?(Array)
37
+ clients.detect { |c| c == origin }
38
+ elsif clients == origin
39
+ origin
40
+ end
37
41
  end
38
42
  end
39
-
43
+
40
44
  # Returns layout for current request format.
41
45
  def get_layout(format = nil)
42
46
  (xss_request? or format == :xss) ? 'xss.haml' : 'application'
43
47
  end
44
-
48
+
45
49
  # IMPORTANT: restart server to apply modifications.
46
50
  def rescue_404
47
51
  return if respond_to_options_request
@@ -50,7 +54,7 @@ module Vidibus
50
54
 
51
55
  # Responds to OPTIONS request.
52
56
  # When sending data to foreign domain by AJAX, Firefox will send an OPTIONS request first.
53
- #
57
+ #
54
58
  # == Usage:
55
59
  #
56
60
  # Set up a catch-all route for handling 404s like this, if you haven't done it already:
@@ -68,7 +72,7 @@ module Vidibus
68
72
  xss_access_control_headers
69
73
  render(:text => "OK", :status => 200) and return true
70
74
  end
71
-
75
+
72
76
  # Returns true if current request is in XSS format.
73
77
  def xss_request?
74
78
  @is_xss ||= begin
@@ -81,12 +85,12 @@ module Vidibus
81
85
  end
82
86
  end
83
87
  end
84
-
88
+
85
89
  # Returns true if the current request is an OPTIONS request.
86
90
  def options_request?
87
91
  @is_options_request ||= request.method == "OPTIONS"
88
92
  end
89
-
93
+
90
94
  # Set access control headers to allow cross-domain XMLHttpRequest calls.
91
95
  # For more information, see: https://developer.mozilla.org/En/HTTP_access_control
92
96
  def xss_access_control_headers
@@ -96,13 +100,13 @@ module Vidibus
96
100
  headers["Access-Control-Allow-Credentials"] = "true"
97
101
  headers["Access-Control-Max-Age"] = "1728000" # Cache this response for 20 days.
98
102
  end
99
-
103
+
100
104
  def extract_xss_html(dom)
101
105
  dom.css('body').first.inner_html
102
106
  end
103
107
 
104
108
  # Extracts javascript resources from given DOM object.
105
- #
109
+ #
106
110
  # Usage:
107
111
  #
108
112
  # dom = Nokogiri::HTML(<html></html>)
@@ -119,7 +123,7 @@ module Vidibus
119
123
  end
120
124
 
121
125
  # Extracts stylesheet resources from given DOM object.
122
- #
126
+ #
123
127
  # Usage:
124
128
  #
125
129
  # dom = Nokogiri::HTML(<html></html>)
@@ -137,19 +141,19 @@ module Vidibus
137
141
  end
138
142
 
139
143
  # Renders given content string to XSS hash of resources and content.
140
- # If html content is given, the method tries to extract title,
144
+ # If html content is given, the method tries to extract title,
141
145
  # stylesheets and javascripts from head and content from body.
142
146
  # TODO: Allow script blocks! Add them to body?
143
147
  # TODO: Allow style blocks?
144
148
  # TODO: Check for html content
145
149
  def render_to_xss(content)
146
150
  dom = Nokogiri::HTML(content)
147
- {
148
- :resources => extract_xss_javascripts(dom) + extract_xss_stylesheets(dom),
149
- :content => extract_xss_html(dom)
151
+ {
152
+ :resources => extract_xss_javascripts(dom) + extract_xss_stylesheets(dom),
153
+ :content => extract_xss_html(dom)
150
154
  }
151
155
  end
152
-
156
+
153
157
  # Redirect to a xss url.
154
158
  # For POST request, invoke callback action.
155
159
  # For GET request, render redirect action directly.
@@ -170,15 +174,15 @@ module Vidibus
170
174
  end
171
175
 
172
176
  data = {
173
- :status => type,
174
- :html => nil,
175
- :message => nil,
176
- :to => nil
177
+ :status => type,
178
+ :html => nil,
179
+ :message => nil,
180
+ :to => nil
177
181
  }.merge(options)
178
182
 
179
183
  render_xss(:callback => data)
180
184
  end
181
-
185
+
182
186
  # Main method for rendering XSS.
183
187
  # Renders given XSS resources and content to string and sets it as response_body.
184
188
  def render_xss(options = {})
@@ -187,12 +191,12 @@ module Vidibus
187
191
  path = options.delete(:get)
188
192
  redirect = options.delete(:redirect)
189
193
  callback = options.delete(:callback)
190
-
194
+
191
195
  raise "Please provide :content, :get, :redirect or :callback." unless content or path or redirect or callback
192
196
  raise "Please provide either :content to render or :get location to load. Not both." if content and path
193
-
197
+
194
198
  xss = ""
195
-
199
+
196
200
  # determine scope
197
201
  if !(scope = params[:scope]).blank?
198
202
  scope = "$('##{scope}')"
@@ -200,7 +204,7 @@ module Vidibus
200
204
  scope = "$s#{xss_random_string}"
201
205
  xss << %(var #{scope}=vidibus.xss.detectScope();)
202
206
  end
203
-
207
+
204
208
  # set host for current scope
205
209
  xss << %(vidibus.xss.setHost('#{request.protocol}#{request.host_with_port}',#{scope});)
206
210
 
@@ -222,9 +226,9 @@ module Vidibus
222
226
  %(vidibus.xss.callback(#{callback.to_json},#{scope});)
223
227
  end
224
228
  end
225
-
229
+
226
230
  xss_content << xss_csrf_vars
227
-
231
+
228
232
  # wait until resources have been loaded, before rendering XSS content
229
233
  if defer
230
234
  function_name = "rx#{xss_random_string}"
@@ -258,11 +262,11 @@ module Vidibus
258
262
  # def verify_authenticity_token
259
263
  # xss_request? || super
260
264
  # end
261
-
265
+
262
266
  # Extension of url_for:
263
267
  # Transform given relative paths into absolute urls.
264
- #
265
- # Usage:
268
+ #
269
+ # Usage:
266
270
  # url_for("/stylesheets/vidibus.css", :only_path => false)
267
271
  #
268
272
  def url_for(*args)
@@ -277,7 +281,7 @@ module Vidibus
277
281
 
278
282
  # Chatches redirect calls for XSS locations.
279
283
  # If a XSS location is given, XSS content will be rendered instead of redirecting.
280
- #
284
+ #
281
285
  # == Usage:
282
286
  #
283
287
  # respond_to do |format|
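Review bot: In the `@@ -4,44 +4,48` hunk, `xss_client` captures `clients = xss_clients` but the guard on the next line still reads `unless xss_clients`, so it re-invokes the accessor instead of testing the captured value; change it to `unless clients`. That guard also cannot fire with the default `xss_clients` of `[request.headers["Origin"]]` (`[nil]` is truthy), and the comparison then reduces to matching the requester's own Origin, so every request carrying an Origin header passes unless the host application overrides the method — worth stating in the comment above `xss_clients`, e.g. `# Override in ApplicationController: the default list is the requesting Origin, i.e. it allows every origin.` Separately, in the `@@ -187,12 +191,12` hunk `params[:scope]` is interpolated verbatim into the generated JavaScript (`scope = "$('##{scope}')"`, later passed to `setHost(...,#{scope})`), so a check that the value is a plain element id, such as `raise ArgumentError, "invalid scope" unless scope =~ /\A[\w-]+\z/`, belongs before the selector is built. `render_xss` continues outside its hunk.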
@@ -19,4 +19,4 @@ module Vidibus
19
19
  end
20
20
  end
21
21
  end
22
- end
22
+ end
@@ -2,7 +2,7 @@ module Vidibus
2
2
  module Xss
3
3
  module Extensions
4
4
  module View
5
-
5
+
6
6
  # Sets XSS attributes on given ones.
7
7
  def set_xss_html_attributes(attributes)
8
8
  attributes['data-xss'] = true
@@ -6,4 +6,4 @@ ActiveSupport.on_load(:action_controller) do
6
6
  include Vidibus::Xss::Extensions::Controller
7
7
  end
8
8
 
9
- String.send :include, Vidibus::Xss::Extensions::String
9
+ String.send :include, Vidibus::Xss::Extensions::String
data/lib/vidibus/xss.rb CHANGED
@@ -1,2 +1,2 @@
1
1
  require "xss/extensions"
2
- require "xss/mime_type"
2
+ require "xss/mime_type"
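--- a/data/lib/vidibus-xss.rb
+++ b/data/lib/vidibus-xss.rb
@@ -1,7 +1,6 @@
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib", "vidibus"))
 require "xss"
 
-# Load contents of app and config directories.
 module Vidibus::Xss
 class Engine < ::Rails::Engine; end
-end
+end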
data/spec/spec_helper.rb CHANGED
@@ -6,6 +6,6 @@ require "rails"
6
6
  require "spec"
7
7
  require "rr"
8
8
 
9
- Spec::Runner.configure do |config|
9
+ Spec::Runner.configure do |config|
10
10
  config.mock_with RR::Adapters::Rspec
11
- end
11
+ end
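--- a/data/vidibus-xss.gemspec
+++ b/data/vidibus-xss.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
 s.name = %q{vidibus-xss}
-s.version = "0.1.12"
+s.version = "0.1.13"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Andre Pankratz"]
-s.date = %q{2010-09-24}
+s.date = %q{2010-10-04}
 s.description = %q{Drop-in XSS support for remote applications.}
 s.email = %q{andre@vidibus.com}
 s.extra_rdoc_files = [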
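--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: vidibus-xss
 version: !ruby/object:Gem::Version
-hash: 3
+hash: 1
 prerelease: false
 segments:
 - 0
 - 1
-- 12
-version: 0.1.12
+- 13
+version: 0.1.13
 platform: ruby
 authors:
 - Andre Pankratz
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-24 00:00:00 +02:00
+date: 2010-10-04 00:00:00 +02:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency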