wunderbar 0.12.0 → 0.12.1

data/README.md

@@ -183,11 +183,13 @@ Suffixes after the tag name will modify the processing.
 * `?`: adds code to rescue exceptions and produce tracebacks 
 * `_`: adds extra blank lines between this tag and siblings
 
-The "`_`" method serves a number of purposes.  Calling it with a single argument
-produces text nodes.  Inserting markup verbatim is done by "`_ << text`".  A
-number of other convenience methods are defined:
+The "`_`" method serves a number of purposes.  Calling it with a single
+argument inserts markup, respecting indendation.  Inserting markup without
+reguard to indendatation is done using "`_ << text`".  A number of other
+convenience methods are defined:
 
-* `_?`: insert markup with indentation matching the current output
+* `_?`: insert text with indentation matching the current output
+* `_!`: insert text without indenting
 * `_.post?`  -- was this invoked via HTTP POST?
 * `_.system` -- invokes a shell command, captures stdin, stdout, and stderr
 * `_.submit` -- runs command (or block) as a deamon process
@@ -287,16 +289,24 @@ Secure by default
 ---
 
 Wunderbar will properly escape all HTML and JSON output, eliminating problems
-of HTML or JavaScript injection.
+of HTML or JavaScript injection.  This includes calls to `_` to insert markup
+directly when the input is `tainted` and not explicitly marked as `html-safe?`
+(when using Rails).
 
-Unless you call `Wunderbar.unsafe!` at the top of your script, Wunderbar will
-also set
+For all environments other than Rails, unless you call `Wunderbar.unsafe!` at
+the top of your script, Wunderbar will also set
 [`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
 before processing requests.  This means that you will need to
 [`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
 received from external sources before you make system calls or access the file
 system.
 
+A special feature that effectively is only available in the Rails environment:
+if the first argument to call that creates an element is `html_safe?`, then
+that argument will be treated as a markup instead of as text.  This allows one
+to make calls like `_td link_to...` without placing the call to `link_to` in a
+block.
+
 Globals provided
 ---
 * `$USER`   - Host user id

data/lib/wunderbar/builder.rb

@@ -129,11 +129,11 @@ module Wunderbar
         begin
           # if available, use escape as it does prettier quoting
           require 'escape'
-          command = Escape.shell_command(command)
+          command = Escape.shell_command(command).untaint
         rescue LoadError
           # std-lib function that gets the job done
           require 'shellwords'
-          command = Shellwords.join(command)
+          command = Shellwords.join(command).untaint
         end
       end
 

data/lib/wunderbar/html-methods.rb

@@ -135,6 +135,15 @@ class HtmlMarkup < Wunderbar::BuilderBase
         args.unshift '' if not VOID.include?(name) and not block
       end
 
+      if String === args.first and args.first.respond_to? :html_safe?
+        if args.first.html_safe? and not block
+          if args.first.include? '>' or args.first.include? '&'
+            markup = args.shift
+            block = Proc.new {_ markup}
+          end
+        end
+      end
+
       if Hash === args.last
         # remove attributes with nil, false values
         args.last.delete_if {|key, value| !value}
@@ -220,11 +229,11 @@ class HtmlMarkup < Wunderbar::BuilderBase
   end
 
   def _?(text)
-    @x.indented_text! text
+    @x.indented_text! text.to_s
   end
 
   def _!(text)
-    @x.text! text
+    @x.text! text.to_s
   end
 
   def _coffeescript(text)
@@ -260,7 +269,10 @@ class HtmlMarkup < Wunderbar::BuilderBase
     return @x if children == nil
 
     if String === children
-      if children.include? '<' or children.include? '&'
+      safe = !children.tainted?
+      safe ||= children.html_safe?  if children.respond_to? :html_safe?
+
+      if safe and (children.include? '<' or children.include? '&')
         require 'nokogiri'
         children = Nokogiri::HTML::fragment(children.to_s).children
       else
@@ -314,7 +326,7 @@ class HtmlMarkup < Wunderbar::BuilderBase
             @x.tag!(child.name, child.attributes) {_ child.children}
           end
         end
-      elsif child.children.empty?
+      elsif child.children.empty? and VOID.include? child.name
         @x.tag!(child.name, child.attributes)
       elsif child.children.all? {|gchild| gchild.text?}
         @x.tag!(child.name, child.text.strip, child.attributes)

data/lib/wunderbar/version.rb

@@ -2,7 +2,7 @@ module Wunderbar
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 12
-    TINY  = 0
+    TINY  = 1
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/wunderbar.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "wunderbar"
-  s.version = "0.12.0"
+  s.version = "0.12.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Sam Ruby"]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wunderbar
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.12.1
   prerelease: 
 platform: ruby
 authors: