wunderbar 0.12.0 → 0.12.1
- data/README.md +17 -7
- data/lib/wunderbar/builder.rb +2 -2
- data/lib/wunderbar/html-methods.rb +16 -4
- data/lib/wunderbar/version.rb +1 -1
- data/wunderbar.gemspec +1 -1
- metadata +1 -1
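--- a/data/README.md
+++ b/data/README.md
@@ -183,11 +183,13 @@ Suffixes after the tag name will modify the processing.
 * `?`: adds code to rescue exceptions and produce tracebacks
 * `_`: adds extra blank lines between this tag and siblings
 
-The "`_`" method serves a number of purposes. Calling it with a single
-
-
+The "`_`" method serves a number of purposes. Calling it with a single
+argument inserts markup, respecting indendation. Inserting markup without
+reguard to indendatation is done using "`_ << text`". A number of other
+convenience methods are defined:
 
-* `_?`: insert
+* `_?`: insert text with indentation matching the current output
+* `_!`: insert text without indenting
 * `_.post?` -- was this invoked via HTTP POST?
 * `_.system` -- invokes a shell command, captures stdin, stdout, and stderr
 * `_.submit` -- runs command (or block) as a deamon process
@@ -287,16 +289,24 @@ Secure by default
 ---
 
 Wunderbar will properly escape all HTML and JSON output, eliminating problems
-of HTML or JavaScript injection.
+of HTML or JavaScript injection. This includes calls to `_` to insert markup
+directly when the input is `tainted` and not explicitly marked as `html-safe?`
+(when using Rails).
 
-
-also set
+For all environments other than Rails, unless you call `Wunderbar.unsafe!` at
+the top of your script, Wunderbar will also set
 [`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
 before processing requests. This means that you will need to
 [`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
 received from external sources before you make system calls or access the file
 system.
 
+A special feature that effectively is only available in the Rails environment:
+if the first argument to call that creates an element is `html_safe?`, then
+that argument will be treated as a markup instead of as text. This allows one
+to make calls like `_td link_to...` without placing the call to `link_to` in a
+block.
+
 Globals provided
 ---
 * `$USER` - Host user id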
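--- a/data/lib/wunderbar/builder.rb
+++ b/data/lib/wunderbar/builder.rb
@@ -129,11 +129,11 @@ module Wunderbar
 begin
 # if available, use escape as it does prettier quoting
 require 'escape'
-command = Escape.shell_command(command)
+command = Escape.shell_command(command).untaint
 rescue LoadError
 # std-lib function that gets the job done
 require 'shellwords'
-command = Shellwords.join(command)
+command = Shellwords.join(command).untaint
 end
 end
 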
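Review bot: The `.untaint` added on both branches of the `begin`/`rescue LoadError` discards the taint that the `$SAFE=1` mode described in the README relies on, so a tainted word reaching this command builder no longer raises SecurityError at the system call and is instead executed as an escaped argument; the quoting rules out shell metacharacter injection but not attacker-chosen argument values. If `command` is an array at this point (the enclosing method starts outside the hunk), the check can be kept by recording `tainted = command.any?(&:tainted?)` before the `begin` and untainting only `unless tainted` after the `end`. Otherwise a comment such as `# untaint: each word is shell-escaped above, so the joined string cannot break out of its arguments` should record why the taint is dropped here.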
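--- a/data/lib/wunderbar/html-methods.rb
+++ b/data/lib/wunderbar/html-methods.rb
@@ -135,6 +135,15 @@ class HtmlMarkup < Wunderbar::BuilderBase
 args.unshift '' if not VOID.include?(name) and not block
 end
 
+if String === args.first and args.first.respond_to? :html_safe?
+if args.first.html_safe? and not block
+if args.first.include? '>' or args.first.include? '&'
+markup = args.shift
+block = Proc.new {_ markup}
+end
+end
+end
+
 if Hash === args.last
 # remove attributes with nil, false values
 args.last.delete_if {|key, value| !value}
@@ -220,11 +229,11 @@ class HtmlMarkup < Wunderbar::BuilderBase
 end
 
 def _?(text)
-@x.indented_text! text
+@x.indented_text! text.to_s
 end
 
 def _!(text)
-@x.text! text
+@x.text! text.to_s
 end
 
 def _coffeescript(text)
@@ -260,7 +269,10 @@ class HtmlMarkup < Wunderbar::BuilderBase
 return @x if children == nil
 
 if String === children
-
+safe = !children.tainted?
+safe ||= children.html_safe? if children.respond_to? :html_safe?
+
+if safe and (children.include? '<' or children.include? '&')
 require 'nokogiri'
 children = Nokogiri::HTML::fragment(children.to_s).children
 else
@@ -314,7 +326,7 @@ class HtmlMarkup < Wunderbar::BuilderBase
 @x.tag!(child.name, child.attributes) {_ child.children}
 end
 end
-elsif child.children.empty?
+elsif child.children.empty? and VOID.include? child.name
 @x.tag!(child.name, child.attributes)
 elsif child.children.all? {|gchild| gchild.text?}
 @x.tag!(child.name, child.text.strip, child.attributes)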
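Review bot: In the @@ -260 hunk the markup-versus-text decision starts from `safe = !children.tainted?`, so any string that arrives untainted — every string once `Wunderbar.unsafe!` is used, and any value whose taint was lost on the way, since taint does not survive every String transformation — is handed to Nokogiri as markup; because `_` is the call users reach for with request-derived text, this line is the escaping boundary and should carry a comment stating the rule, e.g. `# untainted or html_safe? strings are inserted as markup; everything else is escaped as text`. Where `html_safe?` is available it is the more reliable signal, so consider `safe = children.html_safe? if children.respond_to? :html_safe?` (assignment rather than `||=`) so that a Rails string is treated as markup only when explicitly marked. The @@ -135 hunk applies the same idea to the first element argument but tests for `'>'` where this hunk tests for `'<'`; presumably one condition is intended for both. The enclosing methods in both hunks start and end outside the visible lines, and this section's file header is missing on the page (the hunks match the html-methods.rb entry in the diffstat).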
data/lib/wunderbar/version.rb
CHANGED
data/wunderbar.gemspec
CHANGED