wunderbar 0.12.0 → 0.12.1

data/README.md CHANGED
@@ -183,11 +183,13 @@ Suffixes after the tag name will modify the processing.
183
183
  * `?`: adds code to rescue exceptions and produce tracebacks
184
184
  * `_`: adds extra blank lines between this tag and siblings
185
185
 
186
- The "`_`" method serves a number of purposes. Calling it with a single argument
187
- produces text nodes. Inserting markup verbatim is done by "`_ << text`". A
188
- number of other convenience methods are defined:
186
+ The "`_`" method serves a number of purposes. Calling it with a single
187
+ argument inserts markup, respecting indendation. Inserting markup without
188
+ reguard to indendatation is done using "`_ << text`". A number of other
189
+ convenience methods are defined:
189
190
 
190
- * `_?`: insert markup with indentation matching the current output
191
+ * `_?`: insert text with indentation matching the current output
192
+ * `_!`: insert text without indenting
191
193
  * `_.post?` -- was this invoked via HTTP POST?
192
194
  * `_.system` -- invokes a shell command, captures stdin, stdout, and stderr
193
195
  * `_.submit` -- runs command (or block) as a deamon process
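Review bot: the new README lines misspell "indentation" twice ("indendation" in the `_` paragraph, "indendatation" in the `_ << text` sentence) and "regard" ("reguard"); the unchanged `_.submit` line also reads "deamon" for "daemon". The new description "Calling it with a single argument inserts markup" is also stronger than what the code in this release does: the single-argument form only parses the string as markup when it is untainted or `html_safe?`; otherwise it is escaped as text. Suggest stating that condition here, since the "Secure by default" section that explains it is more than a hundred lines away.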
@@ -287,16 +289,24 @@ Secure by default
287
289
  ---
288
290
 
289
291
  Wunderbar will properly escape all HTML and JSON output, eliminating problems
290
- of HTML or JavaScript injection.
292
+ of HTML or JavaScript injection. This includes calls to `_` to insert markup
293
+ directly when the input is `tainted` and not explicitly marked as `html-safe?`
294
+ (when using Rails).
291
295
 
292
- Unless you call `Wunderbar.unsafe!` at the top of your script, Wunderbar will
293
- also set
296
+ For all environments other than Rails, unless you call `Wunderbar.unsafe!` at
297
+ the top of your script, Wunderbar will also set
294
298
  [`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
295
299
  before processing requests. This means that you will need to
296
300
  [`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
297
301
  received from external sources before you make system calls or access the file
298
302
  system.
299
303
 
304
+ A special feature that effectively is only available in the Rails environment:
305
+ if the first argument to call that creates an element is `html_safe?`, then
306
+ that argument will be treated as a markup instead of as text. This allows one
307
+ to make calls like `_td link_to...` without placing the call to `link_to` in a
308
+ block.
309
+
300
310
  Globals provided
301
311
  ---
302
312
  * `$USER` - Host user id
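Review bot: the "Secure by default" paragraph writes the Rails predicate as `html-safe?` (hyphen) while the new paragraph at the end of the hunk, and the code, use `html_safe?` (underscore); the two should agree. Two small wording fixes in the added paragraph: "if the first argument to call that creates an element" needs "a call", and "treated as a markup" should be "treated as markup". The unchanged `untaint` link lacks a scheme (`ruby-doc.org/core/...`), so it will not render as a link in Markdown. Finally, "effectively is only available in the Rails environment" is accurate but the real gate is `respond_to? :html_safe?`, i.e. ActiveSupport being loaded; saying so would tell non-Rails users how to opt in.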
@@ -129,11 +129,11 @@ module Wunderbar
129
129
  begin
130
130
  # if available, use escape as it does prettier quoting
131
131
  require 'escape'
132
- command = Escape.shell_command(command)
132
+ command = Escape.shell_command(command).untaint
133
133
  rescue LoadError
134
134
  # std-lib function that gets the job done
135
135
  require 'shellwords'
136
- command = Shellwords.join(command)
136
+ command = Shellwords.join(command).untaint
137
137
  end
138
138
  end
139
139
 
@@ -135,6 +135,15 @@ class HtmlMarkup < Wunderbar::BuilderBase
135
135
  args.unshift '' if not VOID.include?(name) and not block
136
136
  end
137
137
 
138
+ if String === args.first and args.first.respond_to? :html_safe?
139
+ if args.first.html_safe? and not block
140
+ if args.first.include? '>' or args.first.include? '&'
141
+ markup = args.shift
142
+ block = Proc.new {_ markup}
143
+ end
144
+ end
145
+ end
146
+
138
147
  if Hash === args.last
139
148
  # remove attributes with nil, false values
140
149
  args.last.delete_if {|key, value| !value}
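Review bot: the markup-detection test here, `args.first.include? '>' or args.first.include? '&'`, differs from the one used by `_` later in this file, which tests for `'<'` and `'&'`; an `html_safe?` string is therefore classified differently depending on which entry point it reaches. Suggest a single shared predicate (e.g. a private `looks_like_markup?`) so the two paths cannot drift. Also worth a comment that `String === args.first` is true for `ActiveSupport::SafeBuffer` (a `String` subclass), since that is what makes this branch reachable at all.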
@@ -220,11 +229,11 @@ class HtmlMarkup < Wunderbar::BuilderBase
220
229
  end
221
230
 
222
231
  def _?(text)
223
- @x.indented_text! text
232
+ @x.indented_text! text.to_s
224
233
  end
225
234
 
226
235
  def _!(text)
227
- @x.text! text
236
+ @x.text! text.to_s
228
237
  end
229
238
 
230
239
  def _coffeescript(text)
@@ -260,7 +269,10 @@ class HtmlMarkup < Wunderbar::BuilderBase
260
269
  return @x if children == nil
261
270
 
262
271
  if String === children
263
- if children.include? '<' or children.include? '&'
272
+ safe = !children.tainted?
273
+ safe ||= children.html_safe? if children.respond_to? :html_safe?
274
+
275
+ if safe and (children.include? '<' or children.include? '&')
264
276
  require 'nokogiri'
265
277
  children = Nokogiri::HTML::fragment(children.to_s).children
266
278
  else
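Review bot: with `safe = !children.tainted?` the taint bit is the only gate outside Rails, so any value a caller has `untaint`ed for a file-system or shell call (which the README instructs users to do) will also be handed to `Nokogiri::HTML::fragment` here and rendered as markup rather than escaped text. That coupling should be documented next to this check, and a distinct "this string is trusted as HTML" marker would be safer than overloading taint. The `safe ||= children.html_safe?` line is correct given the `respond_to?` guard, but note that once `$SAFE` is not set (Rails, or after `Wunderbar.unsafe!`) strings from literals and from external input are indistinguishable by `tainted?`, so in that mode the `html_safe?` test is doing all the work.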
@@ -314,7 +326,7 @@ class HtmlMarkup < Wunderbar::BuilderBase
314
326
  @x.tag!(child.name, child.attributes) {_ child.children}
315
327
  end
316
328
  end
317
- elsif child.children.empty?
329
+ elsif child.children.empty? and VOID.include? child.name
318
330
  @x.tag!(child.name, child.attributes)
319
331
  elsif child.children.all? {|gchild| gchild.text?}
320
332
  @x.tag!(child.name, child.text.strip, child.attributes)
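Review bot: adding `and VOID.include? child.name` to the empty-children branch is the right fix (an empty `<div>` or `<script>` previously collapsed to a self-closing tag), but the new behaviour relies on a fall-through: an empty non-void element now reaches the next `elsif`, whose `all?` over an empty child list is vacuously true, and is emitted as `@x.tag!(child.name, "", attributes)`, i.e. with explicit open and close tags. A one-line comment on that fall-through would save the next reader from wondering where empty non-void elements are handled.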
@@ -2,7 +2,7 @@ module Wunderbar
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 0
4
4
  MINOR = 12
5
- TINY = 0
5
+ TINY = 1
6
6
 
7
7
  STRING = [MAJOR, MINOR, TINY].join('.')
8
8
  end
data/wunderbar.gemspec CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = "wunderbar"
5
- s.version = "0.12.0"
5
+ s.version = "0.12.1"
6
6
 
7
7
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
8
8
  s.authors = ["Sam Ruby"]
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wunderbar
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.12.0
4
+ version: 0.12.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors: