xss_shield 1.0.0

data/MIT-LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2009 Novell, 2007 Trampoline Systems
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,103 @@
+= XSS Shield
+
+This Rails plugin provides automatic cross site scripting
+({XSS}[http://en.wikipedia.org/wiki/Cross-site_scripting]) protection for your
+views. Once installed, you no longer have to manually and painstakingly sanitize
+all your views with HTML escaping (eg. <tt><%= h(foo) %></tt>). Currently only 
+{ERB}[http://www.ruby-doc.org/stdlib/libdoc/erb/rdoc/index.html] templates are
+supported.
+
+For example with XSS Shield:
+  <%= link_to "A & B", "/foo" %>
+will return a +SafeString+:
+  <a href="/foo">A &amp; B</a>
+and not a plain, unsafe +String+:
+  <a href="/foo">A & B</a>
+
+This version has been tested to work with <b><i>Rails 2.1.2</i></b>. Your milage
+may vary.
+
+DISCLAIMER: Note that while no effort is spared to ensure that this plugin works as
+advertised, we cannot guarantee that all your views are 100% XSS safe. Use it at
+your own risk, but remember that {bug
+reports}[http://github.com/jamestyj/xss_shield/issues] and patches are welcomed.
+
+== How it works
+
+It works by subclassing +String+ into +SafeString+. When the ERB engine sees a
+<tt><%= foo %></tt> fragment, it checks if the result of executing +foo+ is a
++SafeString+. If so, it just uses it. Otherwise the string is HTML escaped
+first.
+
+The use of +SafeString+ avoids potential double-escaping. For example, with XSS
+Shield, <tt><%= @foo %></tt> is the same as <tt><%= h(@foo) %></tt>.
+
+If your string contains HTML that you don't want to escape (and you trust it),
+just append <tt>.xss_safe</tt>:
+  <%= "<b>foobar</b>".xss_safe %>
+
+It would be cumbersome to require xss_safe every time you use some helper like
+<tt>render(:partial)</tt> or +link_to+, so some helpers are modified to return
++SafeString+.
+
+If you trust your helpers, you can mark them as XSS safe:
+
+  module Some::Module
+    mark_methods_as_xss_safe :text_field, :check_box
+  end
+
+You may need to manually tweak your helpers, views and layouts to avoid
+unnecessary escaping.
+
+== Other template engines
+
+Currently only ERB templates is supported, but support for other templating
+engines should be relatively straightforward. It's mostly a matter of changing
+to_s to to_xss_safe in a few places in their source.
+
+Patches that add support for other templating engines (along with supporting
+tests) are welcomed.
+
+== Running tests
+
+This plugin monkey patches ERB in order to do its magic, so it's a good idea to
+at least run the included tests to verify that things work in your environment.
+
+You can run the XSS Shield tests by simply running:
+
+  rake
+
+which should generate output looking like this:
+
+  (in /xss_shield)
+  /usr/bin/ruby -I"lib:lib" "/usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake/rake_test_loader.rb" ...
+  Loaded suite /usr/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake/rake_test_loader
+  Started
+  ..........................................................................................
+  Finished in 0.163422 seconds.
+
+  90 tests, 135 assertions, 0 failures, 0 errors
+
+If you place this plugin inside the vendor/plugin directory of your Rails
+application, the test suite will load your application environment by requiring
+RAILS_ROOT/test/test_helper.rb.
+
+Of course, you should also verify that your existing application tests still
+pass with XSS Shield enabled.
+
+== Bugs and feedback
+
+Please report bugs and feature requests
+{here}[http://github.com/jamestyj/xss_shield/issues]. Patches and suggestions
+are welcomed too.
+
+== Authors
+
+- Updated to support Rails 2.1 and maintained by {James
+  Tan}[http://github.com/jamestyj], Novell.
+- {Original code}[http://code.google.com/p/xss-shield/] written by {Tomasz
+  Wegrzanowski}[http://code.google.com/u/Tomasz.Wegrzanowski/], Trampoline Systems.
+
+== License
+
+Copyright (c) 2009 Novell. See MIT-LICENSE in this directory.

data/Rakefile

@@ -0,0 +1,33 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the xss-shield plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = 'xss_shield'
+    gemspec.summary = 'Protect your Rails site from XSS attacks.'
+    gemspec.description = 'This Rails plugin provides automatic cross site ' +
+      'scripting (XSS) protection for your views. Once installed, you no ' +
+      'longer have to manually and painstakingly sanitize all your views ' +
+      'with HTML escaping.'
+    gemspec.email = 'jamestyj@gmail.com'
+    gemspec.homepage = 'http://github.com/jamestyj/xss_shield'
+    gemspec.authors = [ 'James Tan' ]
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts 'Jeweler (or a dependency) not available. ' +
+       'Install it with: sudo gem install jeweler.'
+end
+

data/VERSION

@@ -0,0 +1 @@
+1.0.0

data/init.rb

@@ -0,0 +1,15 @@
+unless ENV['DISABLE_XSS_SHIELD']
+  require 'xss_shield'
+else
+  class ::String
+    def xss_safe
+      self
+    end
+  end
+
+  class ::NilClass
+    def xss_safe
+      self
+    end
+  end
+end

data/lib/xss_shield/erb_hacks.rb

@@ -0,0 +1,101 @@
+# Create our own ERB compiler to handle <%= %> differently.
+# See /usr/lib/ruby/1.8/erb.erb.
+class XSSProtectedERB < ERB
+  class Compiler < ::ERB::Compiler
+    def compile(s)
+      out = Buffer.new(self)
+
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+        if scanner.stag.nil?
+          case token
+          when PercentLine
+            out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+            content = ''
+            out.push(token.to_s)
+            out.cr
+          when :cr
+            out.cr
+          when '<%', '<%=', '<%#'
+            scanner.stag = token
+            out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+            content = ''
+          when "\n"
+            content << "\n"
+            out.push("#{@put_cmd} #{content.dump}")
+            out.cr
+            content = ''
+          when '<%%'
+            content << '<%'
+          else
+            content << token
+          end
+        else
+          case token
+          when '%>'
+            case scanner.stag
+            when '<%'
+              if content[-1] == ?\n
+                content.chop!
+                out.push(content)
+                out.cr
+              else
+                out.push(content)
+              end
+            when '<%='
+              # NOTE: Changed lines
+
+              # Don't escape yield statements (they should already be safe)
+              if content =~ /^[ \t]*yield[ |\(]/
+                to_string = 'to_s'
+              else
+                to_string = 'to_xss_safe'
+              end
+              out.push("#{@insert_cmd}((#{content}).#{to_string})")
+
+              # NOTE: End changed lines
+            when '<%#'
+              # out.push("# #{content.dump}")
+            end
+            scanner.stag = nil
+            content = ''
+          when '%%>'
+            content << '%>'
+          else
+            content << token
+          end
+        end
+      end
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      out.close
+      out.script
+    end
+
+  end
+
+  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
+    @safe_level = safe_level
+    # NOTE: Changed lines
+
+    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+
+    # NOTE: End changed lines
+    set_eoutvar(compiler, eoutvar)
+    @src = compiler.compile(str)
+    @filename = nil
+  end
+end
+
+# Use our own ERB handler.
+# See /usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_view/template_handlers/erb.rb.
+module ActionView
+  module TemplateHandlers
+    class ERB < TemplateHandler
+      def compile(template)
+        ::XSSProtectedERB.new(template.source, nil, @view.erb_trim_mode).src
+      end
+    end
+  end
+end
+

data/lib/xss_shield/safe_string.rb

@@ -0,0 +1,42 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_xss_safe
+    self
+  end
+end
+
+class String
+  def xss_safe
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def xss_safe
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).xss_safe
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).xss_safe
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_xss_safe
+    ERB::Util.h(to_s).xss_safe
+  end
+end
+

data/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,118 @@
+class Module
+  def mark_methods_as_xss_safe(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).xss_safe
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+# Mark known helpers as xss_safe only if their arguments are guaranteed to be
+# safe. Don't mark methods that take a block as xss_safe.
+class ActionView::Base
+  # ActionView::Helpers::AssetTagHelper
+  mark_methods_as_xss_safe :auto_discovery_link_tag,
+                           :javascript_include_tag,
+                           :stylesheet_link_tag,
+                           :image_tag
+
+  # ActionView::Helpers::JavaScriptHelper
+  mark_methods_as_xss_safe :link_to_function,
+                           :button_to_function,
+                           :javascript_tag
+
+  # ActionView::Helpers::FormHelper
+  mark_methods_as_xss_safe :check_box,
+                           :file_field,
+                           :hidden_field,
+                           :label,
+                           :password_field,
+                           :radio_button,
+                           :text_area,
+                           :text_field
+
+  # ActionView::Helpers::FormTagHelper
+  mark_methods_as_xss_safe :check_box_tag,
+                           :file_field_tag,
+                           :form_tag_html,
+                           :hidden_field_tag,
+                           :image_submit_tag,
+                           :label_tag,
+                           :password_field_tag,
+                           :radio_button_tag,
+                           :select_tag,
+                           :submit_tag,
+                           :text_area_tag,
+                           :text_field_tag
+
+  # ActionView::Helpers::FormOptionsHelper
+  mark_methods_as_xss_safe :select, 
+                           :options_for_select,
+                           :collection_select,
+                           :country_select,
+                           :time_zone_select,
+                           :options_from_collection_for_select,
+                           :option_groups_from_collection_for_select,
+                           :country_options_for_select,
+                           :time_zone_options_for_select
+
+  # ActionView::Helpers::PrototypeHelper
+  mark_methods_as_xss_safe :submit_to_remote
+
+  # ActionView::Helpers::ActiveRecordHelper
+  mark_methods_as_xss_safe :error_message_on,
+                           :error_messages_for,
+                           :input
+
+  # ActionView::Helpers::DateHelper
+  mark_methods_as_xss_safe :date_select,
+                           :datetime_select,
+                           :select_date,
+                           :select_datetime,
+                           :select_time,
+                           :select_month,
+                           :select_minute,
+                           :select_hour,
+                           :select_day,
+                           :select_year,
+                           :select_second,
+                           :time_select
+
+  # ActionView::Helpers::UrlHelper
+  mark_methods_as_xss_safe :mail_to
+
+  # General 
+  mark_methods_as_xss_safe :render
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_xss_safe, *args).xss_safe
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_xss_safe, *args).xss_safe
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+# AssetPackager plugin.
+if defined? Synthesis
+  module Synthesis::AssetPackageHelper
+    mark_methods_as_xss_safe :stylesheet_link_merged,
+                             :javascript_include_merged
+  end
+end
+
+# WillPaginate plugin.
+if defined? WillPaginate
+  module WillPaginate::ViewHelpers
+    mark_methods_as_xss_safe :will_paginate
+  end
+end
+

data/lib/xss_shield.rb

@@ -0,0 +1,3 @@
+require 'xss_shield/safe_string'
+require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/test/active_record_helper_test.rb

@@ -0,0 +1,55 @@
+require File.dirname(__FILE__) + '/../test/test_helper'
+
+# Test that helpers from ActionView::Helpers::ActiveRecordHelper are properly
+# escaped.
+class ActiveRecordHelper < Test::Unit::TestCase
+
+  def setup
+    @errors = mock()
+    foobar = mock()
+    foobar.stubs(:collect).returns(['foo&name'])
+    Object.stubs(:content_columns).returns(foobar)
+    @foo = Object.new 
+    @foo.stubs(:errors).returns(@errors)
+    @options = { :locals => { :@foo => @foo } }
+  end
+
+  def test_error_message_on
+    @errors.stubs(:on).with(:bar).returns('foo&bar')
+    assert_render({
+      %(<%= error_message_on :foo, :bar %>) => %(
+        <div class="formError">foo&bar</div>)
+    }, @options)
+  end
+
+  def test_error_messages_for
+    @errors.stubs(:count).returns(1)
+    @errors.stubs(:full_messages).returns('foo&bar')
+    assert_render({
+      %(<%= error_messages_for :foo %>) => %(
+        <div class="errorExplanation" id="errorExplanation"><h2>1 error \
+prohibited this foo from being saved</h2><p>There were problems with the \
+following fields:</p><ul><li>foo&bar</li></ul></div>)
+    }, @options)
+  end
+
+  def test_form
+    @foo.stubs(:new_record?).returns(true)
+    assert_render({
+      %(<%= form :foo %>) => %(
+        <form action="/test/foobar" method="post">foo&name<input name="commit" \
+type="submit" value="Create"#{XHTML_TAGS}></form>)
+    }, @options)
+  end
+
+  def test_input
+    @foo.stubs(:column_for_attribute).returns(stub(:type => :string))
+    @foo.stubs(:bar).returns('foo&bar&val')
+    assert_render({
+      %(<%= input :foo, :bar %>) => %(
+        <input name="foo[bar]" size="30" type="text" id="foo_bar" value="\
+foo&amp;bar&amp;val" />)
+    }, @options)
+  end
+
+end

data/test/asset_package_test.rb

@@ -0,0 +1,32 @@
+require File.dirname(__FILE__) + '/../test/test_helper'
+
+# Test that helpers from Synthesis::AssetPackagerHelper are properly escaped.
+class AssetPackagerTest < Test::Unit::TestCase
+
+  $asset_packages_yml = {
+    "javascripts" => [{ "base" => [ "foobar" ] }], 
+    "stylesheets" => [{ "base" => [ "foobar" ] }] 
+  }
+  include Synthesis::AssetPackageHelper
+
+rescue NameError
+  puts "AssetPackager plugin not found, skipping related tests"
+
+else
+
+  def test_stylesheet_link_merged
+    assert_render(
+      %(<%= stylesheet_link_merged :base %>) => %(
+        <link href="/stylesheets/foobar.css" rel="stylesheet" media="screen"\
+type="text/css"#{XHTML_TAGS}>)
+    )
+  end
+
+  def test_javascript_include_merged
+    assert_render(
+      %(<%= javascript_include_merged :base %>) => %(
+        <script type="text/javascript" src="/javascripts/foobar.js"></script>)
+    )
+  end
+
+end

data/test/asset_tag_helper_test.rb

@@ -0,0 +1,66 @@
+require File.dirname(__FILE__) + '/../test/test_helper'
+
+# Test that helpers from ActionView::Helpers::AssetTagHelper are properly
+# escaped.
+class AssetTagHelper < Test::Unit::TestCase
+
+  def test_auto_discovery_link_tag
+    assert_render(
+      %(<%= auto_discovery_link_tag "foo&bar" %>) => %(
+        <link href="/test/foobar" title="FOO&amp;BAR" rel="alternate" type="\
+foo&amp;bar"#{XHTML_TAGS}>))
+  end
+
+  def test_image_path
+    assert_render(
+      %(<%= image_path "foo&bar" %>) => %(/images/foo&amp;bar))
+  end
+
+  def test_image_tag
+    assert_render(
+      %(<%= image_tag "foo&bar" %>) => %(
+        <img src="/images/foo&amp;bar" alt="Foo&amp;bar"#{XHTML_TAGS}>))
+  end
+
+  def test_javascript_include_tag
+    assert_render(
+      %(<%= javascript_include_tag "foo&bar" %>) => %(
+        <script type="text/javascript" src="/javascripts/foo&amp;bar.js"></script>))
+  end
+
+  def test_javascript_path
+    assert_render(
+      %(<%= javascript_path "foo&bar" %>) => %(/javascripts/foo&amp;bar.js))
+  end
+
+  # Alias for image_path.
+  def test_path_to_image
+    assert_render(
+      %(<%= path_to_image "foo&bar" %>) => %(/images/foo&amp;bar))
+  end
+
+  # Alias for javascript_path.
+  def test_path_to_javascript
+    assert_render(
+      %(<%= path_to_javascript "foo&bar" %>) => %(/javascripts/foo&amp;bar.js))
+  end
+
+  # Alias for stylesheet_path.
+  def test_path_to_stylesheet
+    assert_render(
+      %(<%= path_to_stylesheet "foo&bar" %>) => %(/stylesheets/foo&amp;bar.css))
+  end
+
+  def test_stylesheet_link_tag
+    assert_render(
+      %(<%= stylesheet_link_tag "foo&bar" %>) => %(
+        <link href="/stylesheets/foo&amp;bar.css" rel="stylesheet" type=\
+"text/css" media="screen"#{XHTML_TAGS}>))
+  end
+
+  def test_stylesheet_path
+    assert_render(
+      %(<%= stylesheet_path "foo&bar" %>) => %(/stylesheets/foo&amp;bar.css))
+  end
+
+end

data/test/date_helper_test.rb

@@ -0,0 +1,71 @@
+require File.dirname(__FILE__) + '/../test/test_helper'
+
+# Test that helpers from ActionView::Helpers::DateHelper are properly
+# escaped.
+class DateHelperTest < Test::Unit::TestCase
+
+  def test_date_select
+    assert_render_has_no_escaped_chars %(<%= date_select :foo, :created_on %>)
+  end
+
+  def test_datetime_select
+    assert_render_has_no_escaped_chars(
+      %(<%= datetime_select :foo, :created_on %>))
+  end
+
+  def test_distance_of_time_in_words
+    assert_render({
+      %(<%= distance_of_time_in_words time, time+10 %>) => %(less than a minute)
+    }, { :locals => { :time => Time.now } })
+  end
+
+  def test_distance_of_time_in_words_to_now
+    assert_render({
+      %(<%= distance_of_time_in_words 10 %>) => %(less than a minute)
+    })
+  end
+
+  def test_select_date
+    assert_render_has_no_escaped_chars %(<%= select_date %>)
+  end
+
+  def test_select_datetime
+    assert_render_has_no_escaped_chars %(<%= select_datetime %>)
+  end
+
+  def test_select_day
+    assert_render_has_no_escaped_chars %(<%= select_day 1 %>)
+  end
+
+  def test_select_hour
+    assert_render_has_no_escaped_chars %(<%= select_hour 1 %>)
+  end
+
+  def test_select_minute
+    assert_render_has_no_escaped_chars %(<%= select_minute 1 %>)
+  end
+
+  def test_select_month
+    assert_render_has_no_escaped_chars %(<%= select_month 1 %>)
+  end
+
+  def test_select_second
+    assert_render_has_no_escaped_chars %(<%= select_second 1 %>)
+  end
+
+  def test_select_time
+    assert_render_has_no_escaped_chars %(<%= select_time Time.now %>)
+  end
+
+  def test_select_year
+    assert_render_has_no_escaped_chars %(<%= select_year 2000 %>)
+  end
+
+  def test_time_ago_in_words
+    assert_render_has_no_escaped_chars %(<%= time_ago_in_words Time.now %>)
+  end
+
+  def test_time_select
+    assert_render_has_no_escaped_chars %(<%= time_select :foo, :bar %>)
+  end
+end