wunderbar 0.12.0 → 0.12.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +17 -7
- data/lib/wunderbar/builder.rb +2 -2
- data/lib/wunderbar/html-methods.rb +16 -4
- data/lib/wunderbar/version.rb +1 -1
- data/wunderbar.gemspec +1 -1
- metadata +1 -1
data/README.md
CHANGED
|
@@ -183,11 +183,13 @@ Suffixes after the tag name will modify the processing.
|
|
|
183
183
|
* `?`: adds code to rescue exceptions and produce tracebacks
|
|
184
184
|
* `_`: adds extra blank lines between this tag and siblings
|
|
185
185
|
|
|
186
|
-
The "`_`" method serves a number of purposes. Calling it with a single
|
|
187
|
-
|
|
188
|
-
|
|
186
|
+
The "`_`" method serves a number of purposes. Calling it with a single
|
|
187
|
+
argument inserts markup, respecting indendation. Inserting markup without
|
|
188
|
+
reguard to indendatation is done using "`_ << text`". A number of other
|
|
189
|
+
convenience methods are defined:
|
|
189
190
|
|
|
190
|
-
* `_?`: insert
|
|
191
|
+
* `_?`: insert text with indentation matching the current output
|
|
192
|
+
* `_!`: insert text without indenting
|
|
191
193
|
* `_.post?` -- was this invoked via HTTP POST?
|
|
192
194
|
* `_.system` -- invokes a shell command, captures stdin, stdout, and stderr
|
|
193
195
|
* `_.submit` -- runs command (or block) as a deamon process
|
|
@@ -287,16 +289,24 @@ Secure by default
|
|
|
287
289
|
---
|
|
288
290
|
|
|
289
291
|
Wunderbar will properly escape all HTML and JSON output, eliminating problems
|
|
290
|
-
of HTML or JavaScript injection.
|
|
292
|
+
of HTML or JavaScript injection. This includes calls to `_` to insert markup
|
|
293
|
+
directly when the input is `tainted` and not explicitly marked as `html-safe?`
|
|
294
|
+
(when using Rails).
|
|
291
295
|
|
|
292
|
-
|
|
293
|
-
also set
|
|
296
|
+
For all environments other than Rails, unless you call `Wunderbar.unsafe!` at
|
|
297
|
+
the top of your script, Wunderbar will also set
|
|
294
298
|
[`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
|
|
295
299
|
before processing requests. This means that you will need to
|
|
296
300
|
[`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
|
|
297
301
|
received from external sources before you make system calls or access the file
|
|
298
302
|
system.
|
|
299
303
|
|
|
304
|
+
A special feature that effectively is only available in the Rails environment:
|
|
305
|
+
if the first argument to call that creates an element is `html_safe?`, then
|
|
306
|
+
that argument will be treated as a markup instead of as text. This allows one
|
|
307
|
+
to make calls like `_td link_to...` without placing the call to `link_to` in a
|
|
308
|
+
block.
|
|
309
|
+
|
|
300
310
|
Globals provided
|
|
301
311
|
---
|
|
302
312
|
* `$USER` - Host user id
|
data/lib/wunderbar/builder.rb
CHANGED
|
@@ -129,11 +129,11 @@ module Wunderbar
|
|
|
129
129
|
begin
|
|
130
130
|
# if available, use escape as it does prettier quoting
|
|
131
131
|
require 'escape'
|
|
132
|
-
command = Escape.shell_command(command)
|
|
132
|
+
command = Escape.shell_command(command).untaint
|
|
133
133
|
rescue LoadError
|
|
134
134
|
# std-lib function that gets the job done
|
|
135
135
|
require 'shellwords'
|
|
136
|
-
command = Shellwords.join(command)
|
|
136
|
+
command = Shellwords.join(command).untaint
|
|
137
137
|
end
|
|
138
138
|
end
|
|
139
139
|
|
|
@@ -135,6 +135,15 @@ class HtmlMarkup < Wunderbar::BuilderBase
|
|
|
135
135
|
args.unshift '' if not VOID.include?(name) and not block
|
|
136
136
|
end
|
|
137
137
|
|
|
138
|
+
if String === args.first and args.first.respond_to? :html_safe?
|
|
139
|
+
if args.first.html_safe? and not block
|
|
140
|
+
if args.first.include? '>' or args.first.include? '&'
|
|
141
|
+
markup = args.shift
|
|
142
|
+
block = Proc.new {_ markup}
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
end
|
|
146
|
+
|
|
138
147
|
if Hash === args.last
|
|
139
148
|
# remove attributes with nil, false values
|
|
140
149
|
args.last.delete_if {|key, value| !value}
|
|
@@ -220,11 +229,11 @@ class HtmlMarkup < Wunderbar::BuilderBase
|
|
|
220
229
|
end
|
|
221
230
|
|
|
222
231
|
def _?(text)
|
|
223
|
-
@x.indented_text! text
|
|
232
|
+
@x.indented_text! text.to_s
|
|
224
233
|
end
|
|
225
234
|
|
|
226
235
|
def _!(text)
|
|
227
|
-
@x.text! text
|
|
236
|
+
@x.text! text.to_s
|
|
228
237
|
end
|
|
229
238
|
|
|
230
239
|
def _coffeescript(text)
|
|
@@ -260,7 +269,10 @@ class HtmlMarkup < Wunderbar::BuilderBase
|
|
|
260
269
|
return @x if children == nil
|
|
261
270
|
|
|
262
271
|
if String === children
|
|
263
|
-
|
|
272
|
+
safe = !children.tainted?
|
|
273
|
+
safe ||= children.html_safe? if children.respond_to? :html_safe?
|
|
274
|
+
|
|
275
|
+
if safe and (children.include? '<' or children.include? '&')
|
|
264
276
|
require 'nokogiri'
|
|
265
277
|
children = Nokogiri::HTML::fragment(children.to_s).children
|
|
266
278
|
else
|
|
@@ -314,7 +326,7 @@ class HtmlMarkup < Wunderbar::BuilderBase
|
|
|
314
326
|
@x.tag!(child.name, child.attributes) {_ child.children}
|
|
315
327
|
end
|
|
316
328
|
end
|
|
317
|
-
elsif child.children.empty?
|
|
329
|
+
elsif child.children.empty? and VOID.include? child.name
|
|
318
330
|
@x.tag!(child.name, child.attributes)
|
|
319
331
|
elsif child.children.all? {|gchild| gchild.text?}
|
|
320
332
|
@x.tag!(child.name, child.text.strip, child.attributes)
|
data/lib/wunderbar/version.rb
CHANGED
data/wunderbar.gemspec
CHANGED