vidibus-xss 0.1.4

data/public/javascripts/vidibus.js

@@ -0,0 +1,193 @@
+// if (typeof console == undefined) {
+//   console = {};
+// }
+
+
+var vidibus = {};
+
+// Basic loader for stylesheets and javascripts.
+vidibus.loader = {
+  
+  complete: true,       // indicates that loading has been finished
+  queue: [],            // holds resources that are queued to load
+  loading: undefined,   // holds resource that is currently being loaded
+  preloaded: undefined, // holds resources that are included in consumer base file
+  loaded: {},           // holds resources that are currently loaded
+  unused: {},           // holds resources that are loaded, but not required anymore
+  
+  /**
+   * Load resources.
+   */
+  load: function(resources, scope) {
+    this.initStaticResources();
+    this.complete = false;
+    this.unused = jQuery.extend({}, this.loaded); // clone
+
+    $(resources).each(function() {
+      var resource = this,
+          src = resource.src,
+          name = vidibus.loader.resourceName(src);
+      
+      resource.name = name;
+      resource.scopes = {}
+      resource.scopes[scope] = true;
+      
+      // remove current file, because it is used
+      delete vidibus.loader.unused[name];
+
+      // skip files that have already been loaded
+      if (vidibus.loader.loaded[name]) {
+        vidibus.loader.loaded[name].scopes[scope] = true; // add current scope
+        return; // continue
+      } else if (vidibus.loader.preloaded[name]) {
+        return; // continue
+      }
+      
+      vidibus.loader.loaded[name] = resource;
+      switch (resource.type) {
+        
+        // load css file directly
+        case 'text/css':
+          var element = document.createElement("link"); 
+          element.rel = 'stylesheet'; 
+          element.href = src; 
+          element.media = resource.media || 'all';
+          element.type = 'text/css';
+          vidibus.loader.appendToHead(element);
+          break;
+          
+        // push script file to loading queue
+        case 'text/javascript':
+          vidibus.loader.queue.push(resource);
+          break;
+          
+        default: console.log('vidibus.loader.load: unsupported resource type: '+resource.type);
+      }
+    });
+    
+    this.loadQueue(true);
+    this.unloadUnused(scope);
+  },
+  
+  /**
+   * Returns file name of resource.
+   */
+  resourceName: function(url) {
+    return url.match(/\/([^\/\?]+)(\?.*)*$/)[1];
+  },
+  
+  /**
+   * Returns list of static resources.
+   */
+  initStaticResources: function() {
+    if (vidibus.loader.preloaded == undefined) {
+      vidibus.loader.preloaded = {};
+      var $resource, src, name;
+      $('script[src],link[href]',$('head')).each(function() {
+        $resource = $(this);
+        src = $resource.attr('src') || $resource.attr('href');
+        name = vidibus.loader.resourceName(src);
+        vidibus.loader.preloaded[name] = src;
+      });
+    }
+  },
+  
+  /**
+   * Loads resources in queue.
+   */
+  loadQueue: function(start) {
+    
+    // Reduce queue if this method is called as callback.
+    if(start != true) {
+      vidibus.loader.queue.shift();
+    }
+    
+    var resource = vidibus.loader.queue[0];
+    
+    // return if file is currently loading
+    if (resource) {
+      if (resource == vidibus.loader.loading) {
+        // console.log('CURRENTLY LOADING: '+resource.src);
+        return;
+      }
+      vidibus.loader.loading = resource;
+      vidibus.loader.loadScript(resource.src, vidibus.loader.loadQueue);
+    } else {
+      vidibus.loader.loading = undefined;
+      vidibus.loader.complete = true;
+    }
+  },
+  
+  /**
+   * Loads script src.
+   */
+  loadScript: function(src, callback) {
+    var element = document.createElement("script");
+    if (element.addEventListener) {
+      element.addEventListener("load", callback, false);
+    } else {
+      // IE
+      element.onreadystatechange = function() {
+        if (this.readyState == 'loaded') callback.call(this);
+      }
+    }
+    element.type = 'text/javascript';
+    element.src = src;
+    vidibus.loader.appendToHead(element);
+    element = null;
+  },
+  
+  /**
+   * Detects unused resources and removes them.
+   */
+  unloadUnused: function(scope) {
+    var name, resources = [];
+    for(name in vidibus.loader.unused) {
+
+      // Remove dependency for given scope.
+      if (vidibus.loader.unused[name].scopes[scope]) {
+        delete vidibus.loader.unused[name].scopes[scope];
+      }
+      
+      // Unload resource if it has no dependencies left.
+      if ($.isEmptyObject(vidibus.loader.unused[name].scopes)) {
+        resources.push(vidibus.loader.unused[name]);
+      }
+    }
+    vidibus.loader.unload(resources);
+    vidibus.loader.unused = {}
+  },
+  
+  /**
+   * Removes resources given in list.
+   */
+  unload: function(resources) {
+    var src, data, resource;
+    $(resources).each(function() {
+      resource = this;
+      src = resource.src;
+
+      // console.log('REMOVE UNUSED RESOURCE: '+src);
+      
+      switch (resource.type) {
+        case "text/css": 
+          $('link[href="'+src+'"]').remove();
+          break;
+          
+        case "text/javascript": 
+          $('script[src="'+src+'"]').remove();
+          break;
+          
+        default: console.log('vidibus.loader.unload: unsupported resource type: '+resource.type);
+      }
+      delete vidibus.loader.loaded[resource.name];
+    });
+  },
+  
+  /**
+   * Appends given element to document head.
+   */
+  appendToHead: function(element) {
+    document.getElementsByTagName("head")[0].appendChild(element);
+  }
+};

data/public/javascripts/vidibus.xss.js

@@ -0,0 +1,335 @@
+// TODO: Support cross-domain AJAX requests in IE:
+// if ($.browser.msie && window.XDomainRequest) {
+//     // Use Microsoft XDR
+//     var xdr = new XDomainRequest();
+//     xdr.open('get', url);
+//     xdr.onload = function() {
+//         // XDomainRequest doesn't provide responseXml, so if you need it:
+//         var dom = new ActiveXObject('Microsoft.XMLDOM');
+//         dom.async = false;
+//         dom.loadXML(xdr.responseText);
+//     };
+//     xdr.send();
+// } else {
+//     $.ajax({...});
+// }
+
+
+vidibus.xss = {
+  initialized: {},      // holds true for every scope that has been initialized
+  fileExtension: 'xss', // use 'xss' as file extension
+  loadedUrls: {},       // store urls currently loaded in each scope
+
+  /**
+   * Detects scope of script block to be executed. 
+   * Must be called from embedding page.
+   */
+  detectScope: function() {
+    document.write('<div id="scopeDetector"></div>');
+    var $detector = $("#scopeDetector");
+    var $scope = $detector.parent();
+    $detector.remove();
+    return $scope;
+  },
+  
+  /**
+   * Usage:
+   *   vidibus.xss.embed('<div>Some HTML</div>', $('#scope'), 'http://host.url/');
+   */
+  embed: function(html, $scope, host) {
+    html = this.transformPaths(html, $scope); // Transform local paths before embedding html into page!
+    $scope.html(html);
+    this.setUrls($scope);
+    this.setActions($scope);
+  },
+  
+  /**
+   * Calls given path for given scope. If a third parameter is set to true,
+   * the location will be loaded, even if it is currently loaded.
+   * 
+   * Usage:
+   *   vidibus.xss.get('path', $('#scope') [, true]);
+   * 
+   * If no host is provided, host of scope will be used.
+   */
+  get: function(path, $scope, reload) {
+    // Escape query parts
+    path = path.replace("?", "%3F").replace("&", "%26").replace("=", "%3D");
+
+    var scopeId = $scope[0].id,
+        params = scopeId+'='+this.getPath(path),
+        keepCurrentLocation = this.initialized[scopeId] ? 0 : 1,
+        location = $.param.fragment(String(document.location), params, keepCurrentLocation),
+        reloadScope = {};
+    
+    this.initialized[scopeId] = true;
+    window.location.href = location; // write history
+    reloadScope[scopeId] = reload;
+    this.loadUrl(location, reloadScope);
+  },
+  
+  /**
+   * Redirect to given path while forcing reloading.
+   */
+  redirect: function(path, $scope) {
+    this.get(path, $scope, true)
+  },
+  
+  /**
+   * Handles callback action.
+   *
+   * Requires data.status:
+   *   redirect, TODO: ok, error
+   *
+   * Accepts actions depending on status:
+   *   (redirect) to: Performs redirect to location.
+   */
+  callback: function(data, $scope) {    
+    if (data.status == 'redirect') {
+      this.redirect(data.to, $scope);
+    }
+  },
+  
+  /**
+   * Sets host for given scope.
+   */
+  setHost: function(host, $scope) {
+    $scope.attr('data-host', host);
+  },
+  
+  /**
+   * Returns host for given scope.
+   */
+  getHost: function($scope) {
+    return $scope.attr('data-host');
+  },
+  
+  /**
+   * Turns given path into an absolute url.
+   */
+  getUrl: function(path, host) {
+    if (path.match(/https?:\/\//)) { return path }
+    return host + path;
+  },
+  
+  /**
+   * Returns relative path from url.
+   */
+  getPath: function(url) {
+    return url.replace(/https?:\/\/[^\/]+/,'')
+  },
+  
+  /**
+   * Rewrites links to absolute urls.
+   */
+  setUrls: function($scope) {
+    var host = this.getHost($scope);
+
+    // Rewrite links
+    $('a[href]:not([href^=http])', $scope).each(function(e) {
+      var href = $(this).attr('href');
+      $(this).attr('href', vidibus.xss.getUrl(href, host));
+    });
+    
+    // Rewrite forms
+    $('form[action]', $scope).each(function(e) {
+      var action = $(this).attr('action');
+      $(this).attr('href', vidibus.xss.getUrl(action, host));
+    });
+  },
+  
+  /**
+   * Set xss actions for interactive elements.
+   */
+  setActions: function($scope) {
+    var host = this.getHost($scope);
+     
+    // Set action for GET links
+    // TODO: Allow links to be flagged as "external"
+    $('a[href^='+host+']:not([data-method],[data-remote])', $scope).bind('click.xss', function(e) {
+      var href = $(this).attr('href');
+      vidibus.xss.get(href, $scope);
+      e.preventDefault();
+    });
+    
+    // Set action non-GET links
+    // TODO: Remove bindings from links that match current host only: a[data-method][href^='+host+']:not([data-remote])
+    $('a[data-method]:not([data-remote])').die('click').unbind('click'); // remove bindings
+    $('a[data-method][href^='+host+']:not([data-remote])', $scope).click(function(e) {
+      var $link = $(this),
+          path = $link.attr('href'),
+          url = vidibus.xss.buildUrl(path, $scope);
+      $(this).callAjax(url);
+      e.preventDefault();
+    });
+    
+    // Set form action
+    $('form[action]').die('submit').unbind('submit') // remove bindings
+    $('form[action][href^='+host+']', $scope).submit(function(e) {
+      var $form = $(this),
+          path = $form.attr('action');
+          url = vidibus.xss.buildUrl(path, $scope);
+      $(this).callAjax(url);
+      return false;
+    });
+  },
+  
+  /**
+   * Modifies paths within given html string.
+   * This method must be called before embedding html snippet into the page
+   * to avoid loading errors from invalid relative paths.
+   */
+  transformPaths: function(html, $scope) {
+    var match, url;
+    while (match = html.match(/src="((?!http)[^"]+)"/)) {
+      url = vidibus.xss.buildUrl(match[1], $scope);
+      html = html.replace(match[0], 'src="'+url+'"')
+    }
+    return html;
+  },
+  
+  /**
+   * Load XSS sources from given url.
+   * If url is empty, the current location will be used.
+   */
+  loadUrl: function(url, reload) {
+    var scope, $scope, path, loaded, params = $.deparam.fragment();
+    for(scope in params) {
+      path = params[scope];
+
+      // don't reload locations that have already been loaded
+      loaded = this.loadedUrls[scope];
+      if((!reload || !reload[scope]) && loaded && loaded == path) {
+        continue;
+      }
+
+      $scope = $('#'+scope);
+      if($scope[0] == undefined) {
+        console.log('Scope not found: '+scope);
+      } else {
+        this.loadedUrls[scope] = path;
+        this.loadData(path, $scope);
+      }
+    }
+  },
+  
+  /**
+   * Load relative path into given scope.
+   * Transforms scope host and path into a XSS location.
+   */
+  loadData: function(path, $scope) {
+    var url = this.buildUrl(path, $scope, true);
+    $.ajax({
+      url: url,
+      data: [],
+      dataType: 'script',
+      type: 'GET'
+    });
+  },
+  
+  /**
+   * Tranforms local paths to absolute ones.
+   */
+  buildUrl: function(path, $scope, uncached) {
+    var parts = path.split("?");
+    path = parts[0];
+    params = parts[1];
+    if(params) {
+      params = params.split("&");
+    } else {
+      params = []
+    }
+
+    var host = this.getHost($scope),
+      scope = $scope.attr('id'),
+      url = this.getUrl(path, host)
+
+    if (!url.match(/\.[a-z]+((\?|\#).*)?$/)) url += '.xss';
+    if (url.indexOf('.xss') > -1 && params.toString().indexOf('scope='+scope) == -1) {
+      params.push('scope='+scope);
+    }
+    
+    // add cache buster
+    if (uncached) {
+      var d = new Date();
+      params.push(d.getTime());
+    }
+    
+    // append params
+    if (params.length) {
+      if (url.indexOf('?') == -1) url += '?'
+      url += params.join('&');
+    }
+
+    return url;
+  }
+};
+
+/**
+ * Detect changes to document's location.
+ * 
+ */
+$(function($){
+  
+  // Detect changes of document.location and trigger loading.
+  $(window).bind('hashchange', function(e) {
+    if (vidibus.loader.complete) {
+      vidibus.xss.loadUrl();
+    }
+    return false;
+  });
+
+  // Since the event is only triggered when the hash changes, we need
+  // to trigger the event now, to handle the hash the page may have
+  // loaded with.
+  $(window).trigger('hashchange');
+});
+
+/**
+ * Implement ajax handler. 
+ * This is the default handler provided in rails.js extended to accept delete method.
+ */
+$(function($) {
+  $.fn.extend({
+    
+    /**
+     * Handles execution of remote calls firing overridable events along the way.
+     */
+    callAjax: function(url) {
+      var el = this,
+        method = el.attr('method') || el.attr('data-method') || 'GET',
+        dataType = el.attr('data-type')  || 'script';
+      if (!url) url = el.attr('action') || el.attr('href');
+      if (url === undefined) {
+        throw "No URL specified for remote call (action or href must be present).";
+      } else {
+        if (el.triggerAndReturn('ajax:before')) {
+          var data = el.is('form') ? el.serializeArray() : {};
+          if (method == 'delete') {
+            data['_method'] = method;
+            method = 'POST';
+          }
+          $.ajax({
+            url: url,
+            data: data,
+            dataType: dataType,
+            type: method.toUpperCase(),
+            beforeSend: function(xhr) {
+              el.trigger('ajax:loading', xhr);
+            },
+            success: function(data, status, xhr) {
+              el.trigger('ajax:success', [data, status, xhr]);
+            },
+            complete: function(xhr) {
+              el.trigger('ajax:complete', xhr);
+            },
+            error: function(xhr, status, error) {
+              el.trigger('ajax:failure', [xhr, status, error]);
+            }
+          });
+        }
+        el.trigger('ajax:after');
+      }
+    }
+  });
+});