wunderbar 0.10.9 → 0.11.0

data/README.md

@@ -136,24 +136,28 @@ Basic interface
 A typical main program produces one or more of HTML, JSON, or plain text
 output.  This is accomplished by providing one or more of the following:
 
-    Wunderbar.html do
+    _html do
       code
     end
  
-    Wunderbar.xhtml do
+    _xhtml do
       code
     end
  
-    Wunderbar.json do
+    _json do
       code
     end
 
-    Wunderbar.text do
+    _text do
       code
     end
  
-Arbitrary Ruby code can be placed in each.  To append to the output produced,
-use the `_` methods described here.
+Arbitrary Ruby code can be placed in each.  Form parameters are made available
+as instance variables (e.g., `@name`).  Host environment (CGI, Rack, Sinatra)
+values are accessible as methods of the `_` object: for example `_.headers`
+(CGI), `_.set_cookie` (Rack), `_.redirect` (Sinatra).
+
+To append to the output produced, use the `_` methods described below.  
 
 Methods provided to Wunderbar.html
 ---
@@ -182,16 +186,33 @@ number of other convenience methods are defined:
 * `_.post?`  -- was this invoked via HTTP POST?
 * `_.system` -- invokes a shell command, captures stdin, stdout, and stderr
 * `_.submit` -- runs command (or block) as a deamon process
+* `_.xhtml?` -- output as XHTML?
 
 Access to all of the builder _defined_ methods (typically these end in an esclamation mark) and all of the Wunderbar module methods can be accessed in this way.  Examples:
 
-* `_.tag! :foo`
-* `_.error 'Log message'`
+* `_.tag! :foo`: insert elements where the name can be dynamic
+* `_.error 'Log message'`: write a message to the server log
+* `_import!`: insert markup with indentation matching the current output
 
 XHTML differs from HTML in the escaping of inline style and script elements.
 XHTML will also fall back to HTML output unless the user agent indicates it
 supports XHTML via the HTTP Accept header.
 
+In addition to the default processing of elements, text, and attributes,
+Wunderdar defines additional processing for the following:
+
+* `_head`: insert meta charset utf-8
+* `_svg`: insert svg namespace
+* `_math`: insert math namespace
+* `_coffeescript`: convert [coffeescript](http://coffeescript.org/) to JS and insert script tag
+
+Note that adding an exclamation mark to the end of the tag name disables this
+behavior.
+
+If one of the attributes passed on the `_html` declaration is `:_width`, an
+attempt will be made to reflow text in order to not exceed this line width.
+This won't be done if it will affect what actually is displayed.
+
 Methods provided to Wunderbar.json
 ---
 
@@ -258,6 +279,20 @@ output stream, which provides access to other useful methods, for example:
         _.print 'foo'
         _.printf "Hello %s!\n", 'world'
 
+Secure by default
+---
+
+Wunderbar will properly escape all HTML and JSON output, eliminating problems
+of HTML or JavaScript injection.
+
+Unless you call `Wunderbar.unsafe!` at the top of your script, Wunderbar will
+also set
+[`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
+before processing requests.  This means that you will need to
+[`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
+received from external sources before you make system calls or access the file
+system.
+
 Globals provided
 ---
 * `$USER`   - Host user id
@@ -276,18 +311,6 @@ Also, the following environment variables are set if they aren't already:
 Finally, the (Ruby 1.9.x) default external and internal encodings are set to
 UTF-8.  For Ruby 1.8, `$KCODE` is set to `U`
 
-HTML methods
----
-* `_head`: insert meta charset utf-8
-* `_svg`: insert svg namespace
-* `_math`: insert math namespace
-* `_coffeescript`: convert [coffeescript](http://coffeescript.org/) to JS and insert script tag
-* `_import!`: insert markup with indentation matching the current output
-* `xhtml?`: output as XHTML?
-
-Note that adding an exclamation mark to the end of the tag name disables this
-behavior.
-
 Builder extensions
 ---
 * `indented_text!`: matches text indentation to markup

data/lib/wunderbar/builder.rb

@@ -218,7 +218,7 @@ module Wunderbar
 
       @_builder << data
     rescue LoadError
-      @_builder << string
+      @_builder << data
     end
   end
 
@@ -230,11 +230,15 @@ module Wunderbar
         instance_variable_set "@#{key}", value if key =~ /^\w+$/
       end
     end
+
+    def get_binding
+      binding
+    end
   end
 
+  require 'stringio'
   class TextBuilder < BuilderBase
     def initialize(scope)
-      require 'stringio'
       @_target = StringIO.new
       @_scope = scope
     end

data/lib/wunderbar/cgi-methods.rb

@@ -1,3 +1,5 @@
+require 'digest/md5'
+
 module Wunderbar
   module CGI
 
@@ -31,7 +33,6 @@ module Wunderbar
     # Conditionally provide output, based on ETAG
     def self.out?(scope, headers, &block)
       content = block.call
-      require 'digest/md5'
       etag = Digest::MD5.hexdigest(content)
 
       if scope.env['HTTP_IF_NONE_MATCH'] == etag.inspect

data/lib/wunderbar/environment.rb

@@ -5,10 +5,14 @@ module Wunderbar
     TEXT      = ARGV.delete('--text')
   end
 
-  module Untaint
-    def untaint_if_match regexp
-      self.untaint if regexp.match(self)
-    end
+  @@unsafe = false
+
+  def self.unsafe!(mode=true)
+    @@unsafe=mode
+  end
+
+  def self.safe?
+    not @@unsafe
   end
 
   class Scope

data/lib/wunderbar/html-methods.rb

@@ -27,6 +27,7 @@ class HtmlMarkup < Wunderbar::BuilderBase
     # default namespace
     args << {} if args.empty?
     args.first[:xmlns] ||= 'http://www.w3.org/1999/xhtml' if Hash === args.first
+    @_width = args.first.delete(:_width) if Hash === args.first
 
     @x.text! "\xEF\xBB\xBF"
     @x.declare! :DOCTYPE, :html
@@ -34,6 +35,32 @@ class HtmlMarkup < Wunderbar::BuilderBase
       set_variables_from_params
       instance_eval(&block)
     end
+
+    if @_width
+      # reflow long lines
+      source = @x.target!.slice!(0..-1)
+      indent = col = 0
+      breakable = true
+      while not source.empty?
+        token = source.shift
+        indent = token[/^ */].length if col == 0
+        breakable = false if token.start_with? '<'
+        while token.length + col > @_width and breakable
+          break if token[0...-1].include? "\n"
+          split = token.rindex(' ', [@_width-col,0].max) || token.index(' ')
+          break unless split
+          break if col+split < indent+@_width/2
+          @x.target! << token[0...split] << "\n" << (' '*indent)
+          col = indent
+          token = token[split+1..-1]
+        end
+        breakable = true if token.end_with? '>'
+        @x.target! << token
+        col += token.length
+        col = 0 if token.end_with? "\n"
+      end
+    end
+
     @x.target!.join
   end
 

data/lib/wunderbar/rack.rb

@@ -6,7 +6,11 @@ module Wunderbar
       @_request = Rack::Request.new(env)
       @_response = Rack::Response.new
       Wunderbar.logger = @_request.logger
-      Wunderbar::CGI.call(self)
+      if Wunderbar.safe? and $SAFE==0
+        Proc.new { $SAFE=1; Wunderbar::CGI.call(self) }.call
+      else
+        Wunderbar::CGI.call(self)
+      end
       @_response.finish
     end
 

data/lib/wunderbar/rails.rb

@@ -0,0 +1,46 @@
+require 'active_support/core_ext'
+
+module Wunderbar
+  module Rails
+    class HtmlHandler
+      cattr_accessor :default_format
+      self.default_format = Mime::HTML
+
+      def self.call(template)
+        pre = %{
+          x = HtmlMarkup.new(self);
+          instance_variables.each do |var|
+            x.instance_variable_set var, instance_variable_get(var)
+          end
+        }.strip.gsub(/\s+/, ' ')
+
+        post ="x._.target!.join"
+
+        # take care to preserve line numbers in original source
+        "#{pre}; x.instance_eval { #{template.source} }; #{post}"
+      end
+    end
+
+    class JsonHandler
+      cattr_accessor :default_format
+      self.default_format = Mime::JSON
+
+      def self.call(template)
+        pre = %{
+          x = Wunderbar::JsonBuilder.new(self);
+          instance_variables.each do |var|
+            x.instance_variable_set var, instance_variable_get(var)
+          end
+        }.strip.gsub(/\s+/, ' ')
+
+        post ="x.target!"
+
+        # take care to preserve line numbers in original source
+        "#{pre}; x.instance_eval { #{template.source} }; #{post}"
+      end
+    end
+
+    ActionView::Template.register_template_handler :_html, HtmlHandler
+    ActionView::Template.register_template_handler :_json, JsonHandler
+  end
+end

data/lib/wunderbar/server.rb

@@ -35,6 +35,10 @@ elsif defined? Sinatra
 
   require 'wunderbar/sinatra'
 
+elsif defined? ActionView::Template
+
+  require 'wunderbar/rails'
+
 else
 
   require 'etc'
@@ -79,7 +83,11 @@ else
       ENV['REQUEST_METHOD'] ||= 'GET'  if ARGV.delete('--get')
 
       # CGI or command line
-      Wunderbar::CGI.call(cgi)
+      if Wunderbar.safe? and $SAFE==0
+        Proc.new { $SAFE=1; Wunderbar::CGI.call(cgi) }.call
+      else
+        Wunderbar::CGI.call(cgi)
+      end
     end
   end
 end

data/lib/wunderbar/sinatra.rb

@@ -1,5 +1,6 @@
 require 'sinatra'
 require 'digest/md5'
+require 'nokogiri'
 
 module Wunderbar
   # Tilt template implementation
@@ -48,10 +49,24 @@ module Wunderbar
             instance_variable_set "@#{key}", value if key =~ /^[a-z]\w+$/
           end
         end
-        if block
+
+        if not block
+          builder.instance_eval(data.untaint, eval_file)
+        elsif not data
           builder.instance_eval(&block)
-        elsif data
-          builder.instance_eval(data, eval_file)
+        else
+          context = builder.get_binding do
+            builder.instance_eval {_import! block.call}
+          end
+          context.eval(data.untaint, eval_file)
+        end
+      end
+
+      def _evaluate_safely(*args, &block)
+        if Wunderbar.safe? and $SAFE==0
+          Proc.new { $SAFE=1; _evaluate(*args, &block) }.call
+        else
+          _evaluate(*args, &block)
         end
       end
     end
@@ -62,7 +77,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = HtmlMarkup.new(scope)
         begin
-          _evaluate(builder, scope, locals, &block)
+          _evaluate_safely(builder, scope, locals, &block)
         rescue Exception => exception
           scope.response.status = 500
           builder.clear!
@@ -90,7 +105,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = JsonBuilder.new(scope)
         begin
-          _evaluate(builder, scope, locals, &block)
+          _evaluate_safely(builder, scope, locals, &block)
         rescue Exception => exception
           scope.content_type self.class.default_mime_type, :charset => 'utf-8'
           scope.response.status = 500
@@ -106,7 +121,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = TextBuilder.new(scope)
         begin
-          _evaluate(builder, scope, locals, &block)
+          _evaluate_safely(builder, scope, locals, &block)
           scope.response.status = 404 if builder.target!.empty?
         rescue Exception => exception
           scope.headers['Content-Type'] = self.class.default_mime_type

data/lib/wunderbar/version.rb

@@ -1,8 +1,8 @@
 module Wunderbar
   module VERSION #:nodoc:
     MAJOR = 0
-    MINOR = 10
-    TINY  = 9
+    MINOR = 11
+    TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/wunderbar.gemspec

@@ -1,19 +1,23 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = "wunderbar"
-  s.version = "0.10.9"
+  s.name = %q{wunderbar}
+  s.version = "0.11.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Sam Ruby"]
-  s.date = "2012-04-18"
-  s.description = "    Wunderbar makes it easy to produce valid HTML5, wellformed XHTML, Unicode\n    (utf-8), consistently indented, readable applications.  This includes\n    output that conforms to the Polyglot specification and the emerging\n    results from the XML Error Recovery Community Group.\n"
-  s.email = "rubys@intertwingly.net"
-  s.files = ["wunderbar.gemspec", "README.md", "COPYING", "lib/wunderbar.rb", "lib/wunderbar", "lib/wunderbar/installation.rb", "lib/wunderbar/html-methods.rb", "lib/wunderbar/job-control.rb", "lib/wunderbar/server.rb", "lib/wunderbar/logger.rb", "lib/wunderbar/rack.rb", "lib/wunderbar/builder.rb", "lib/wunderbar/sinatra.rb", "lib/wunderbar/environment.rb", "lib/wunderbar/cgi-methods.rb", "lib/wunderbar/cssproxy.rb", "lib/wunderbar/version.rb"]
-  s.homepage = "http://github.com/rubys/wunderbar"
-  s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.21"
-  s.summary = "HTML Generator and CGI application support"
+  s.authors = [%q{Sam Ruby}]
+  s.date = %q{2012-04-23}
+  s.description = %q{    Wunderbar makes it easy to produce valid HTML5, wellformed XHTML, Unicode
+    (utf-8), consistently indented, readable applications.  This includes
+    output that conforms to the Polyglot specification and the emerging
+    results from the XML Error Recovery Community Group.
+}
+  s.email = %q{rubys@intertwingly.net}
+  s.files = [%q{wunderbar.gemspec}, %q{README.md}, %q{COPYING}, %q{lib/wunderbar.rb}, %q{lib/wunderbar}, %q{lib/wunderbar/version.rb}, %q{lib/wunderbar/installation.rb}, %q{lib/wunderbar/cssproxy.rb}, %q{lib/wunderbar/rack.rb}, %q{lib/wunderbar/logger.rb}, %q{lib/wunderbar/builder.rb}, %q{lib/wunderbar/sinatra.rb}, %q{lib/wunderbar/rails.rb}, %q{lib/wunderbar/server.rb}, %q{lib/wunderbar/html-methods.rb}, %q{lib/wunderbar/job-control.rb}, %q{lib/wunderbar/environment.rb}, %q{lib/wunderbar/cgi-methods.rb}]
+  s.homepage = %q{http://github.com/rubys/wunderbar}
+  s.require_paths = [%q{lib}]
+  s.rubygems_version = %q{1.8.5}
+  s.summary = %q{HTML Generator and CGI application support}
 
   if s.respond_to? :specification_version then
     s.specification_version = 3

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: wunderbar
 version: !ruby/object:Gem::Version 
-  hash: 37
+  hash: 51
   prerelease: 
   segments: 
   - 0
-  - 10
-  - 9
-  version: 0.10.9
+  - 11
+  - 0
+  version: 0.11.0
 platform: ruby
 authors: 
 - Sam Ruby
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-04-18 00:00:00 Z
+date: 2012-04-23 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: builder
@@ -59,18 +59,19 @@ files:
 - README.md
 - COPYING
 - lib/wunderbar.rb
+- lib/wunderbar/version.rb
 - lib/wunderbar/installation.rb
-- lib/wunderbar/html-methods.rb
-- lib/wunderbar/job-control.rb
-- lib/wunderbar/server.rb
-- lib/wunderbar/logger.rb
+- lib/wunderbar/cssproxy.rb
 - lib/wunderbar/rack.rb
+- lib/wunderbar/logger.rb
 - lib/wunderbar/builder.rb
 - lib/wunderbar/sinatra.rb
+- lib/wunderbar/rails.rb
+- lib/wunderbar/server.rb
+- lib/wunderbar/html-methods.rb
+- lib/wunderbar/job-control.rb
 - lib/wunderbar/environment.rb
 - lib/wunderbar/cgi-methods.rb
-- lib/wunderbar/cssproxy.rb
-- lib/wunderbar/version.rb
 homepage: http://github.com/rubys/wunderbar
 licenses: []
 
@@ -100,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.21
+rubygems_version: 1.8.5
 signing_key: 
 specification_version: 3
 summary: HTML Generator and CGI application support