xss_shield 1.0.0 → 2.0.0

data/.gitignore

@@ -0,0 +1 @@
+pkg/

data/README.rdoc

@@ -14,7 +14,7 @@ will return a +SafeString+:
 and not a plain, unsafe +String+:
   <a href="/foo">A & B</a>
 
-This version has been tested to work with <b><i>Rails 2.1.2</i></b>. Your milage
+This version has been tested to work with <b><i>Rails 2.3.4</i></b>. Your milage
 may vary.
 
 DISCLAIMER: Note that while no effort is spared to ensure that this plugin works as

data/VERSION

@@ -1 +1 @@
-1.0.0
+2.0.0

data/lib/xss_shield/erb_hacks.rb

@@ -1,6 +1,6 @@
 # Create our own ERB compiler to handle <%= %> differently.
-# See /usr/lib/ruby/1.8/erb.erb.
-class XSSProtectedERB < ERB
+# See /usr/lib64/ruby/1.8/erb.rb.
+class XssShieldERB < ERB
   class Compiler < ::ERB::Compiler
     def compile(s)
       out = Buffer.new(self)
@@ -78,7 +78,7 @@ class XSSProtectedERB < ERB
     @safe_level = safe_level
     # NOTE: Changed lines
 
-    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+    compiler = XssShieldERB::Compiler.new(trim_mode)
 
     # NOTE: End changed lines
     set_eoutvar(compiler, eoutvar)
@@ -88,14 +88,22 @@ class XSSProtectedERB < ERB
 end
 
 # Use our own ERB handler.
-# See /usr/lib/ruby/gems/1.8/gems/actionpack-2.1.0/lib/action_view/template_handlers/erb.rb.
+# See /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_view/template_handlers/erb.rb.
 module ActionView
   module TemplateHandlers
-    class ERB < TemplateHandler
+    class XssShieldERB < TemplateHandler
+      include Compilable
+
+      cattr_accessor :erb_trim_mode
+      self.erb_trim_mode = '-'
+
       def compile(template)
-        ::XSSProtectedERB.new(template.source, nil, @view.erb_trim_mode).src
+        ::XssShieldERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src
       end
     end
   end
 end
 
+ActionView::Template.register_default_template_handler(
+  :erb, ActionView::TemplateHandlers::XssShieldERB)
+

data/lib/xss_shield/secure_helpers.rb

@@ -55,11 +55,9 @@ class ActionView::Base
   mark_methods_as_xss_safe :select, 
                            :options_for_select,
                            :collection_select,
-                           :country_select,
                            :time_zone_select,
                            :options_from_collection_for_select,
                            :option_groups_from_collection_for_select,
-                           :country_options_for_select,
                            :time_zone_options_for_select
 
   # ActionView::Helpers::PrototypeHelper

data/test/active_record_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::ActiveRecordHelper are properly
 # escaped.
-class ActiveRecordHelper < Test::Unit::TestCase
+class ActiveRecordHelper < ActionView::TestCase
 
   def setup
     @errors = mock()
@@ -18,7 +18,7 @@ class ActiveRecordHelper < Test::Unit::TestCase
     @errors.stubs(:on).with(:bar).returns('foo&bar')
     assert_render({
       %(<%= error_message_on :foo, :bar %>) => %(
-        <div class="formError">foo&bar</div>)
+        <div class="formError">foo&amp;bar</div>)
     }, @options)
   end
 
@@ -29,7 +29,7 @@ class ActiveRecordHelper < Test::Unit::TestCase
       %(<%= error_messages_for :foo %>) => %(
         <div class="errorExplanation" id="errorExplanation"><h2>1 error \
 prohibited this foo from being saved</h2><p>There were problems with the \
-following fields:</p><ul><li>foo&bar</li></ul></div>)
+following fields:</p><ul><li>foo&amp;bar</li></ul></div>)
     }, @options)
   end
 
@@ -37,8 +37,8 @@ following fields:</p><ul><li>foo&bar</li></ul></div>)
     @foo.stubs(:new_record?).returns(true)
     assert_render({
       %(<%= form :foo %>) => %(
-        <form action="/test/foobar" method="post">foo&name<input name="commit" \
-type="submit" value="Create"#{XHTML_TAGS}></form>)
+        <form action="/test/foobar" method="post">foo&name<input name="\
+commit" type="submit" value="Create"#{XHTML_TAGS}></form>)
     }, @options)
   end
 

data/test/asset_package_test.rb

@@ -1,7 +1,7 @@
 require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from Synthesis::AssetPackagerHelper are properly escaped.
-class AssetPackagerTest < Test::Unit::TestCase
+class AssetPackagerTest < ActionView::TestCase
 
   $asset_packages_yml = {
     "javascripts" => [{ "base" => [ "foobar" ] }], 
@@ -10,7 +10,7 @@ class AssetPackagerTest < Test::Unit::TestCase
   include Synthesis::AssetPackageHelper
 
 rescue NameError
-  puts "AssetPackager plugin not found, skipping related tests"
+  puts "Skipping AssetPackger plugin tests"
 
 else
 

data/test/asset_tag_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::AssetTagHelper are properly
 # escaped.
-class AssetTagHelper < Test::Unit::TestCase
+class AssetTagHelper < ActionView::TestCase
 
   def test_auto_discovery_link_tag
     assert_render(

data/test/date_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::DateHelper are properly
 # escaped.
-class DateHelperTest < Test::Unit::TestCase
+class DateHelperTest < ActionView::TestCase
 
   def test_date_select
     assert_render_has_no_escaped_chars %(<%= date_select :foo, :created_on %>)

data/test/erb_util_test.rb

@@ -1,7 +1,7 @@
 require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ERB::Util are properly escaped.
-class ErbUtilTest< Test::Unit::TestCase
+class ErbUtilTest< ActionView::TestCase
 
   # h is an alias for html_escape.
   def test_html_escape

data/test/form_helper_test.rb

@@ -1,7 +1,7 @@
 require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::FormHelper are properly escaped.
-class FormHelperTest < Test::Unit::TestCase
+class FormHelperTest < ActionView::TestCase
 
   def setup
     @options = { :locals => { :@foo => stub(:bar => "f&b") } }
@@ -10,14 +10,16 @@ class FormHelperTest < Test::Unit::TestCase
   def test_check_box
     assert_render({
       %(<%= check_box :foo, :bar %>) => %(
-        <input name="foo[bar]" type="checkbox" id="foo_bar" value="1" /><input name="foo[bar]" type="hidden" value="0" />)
+        <input name="foo[bar]" type="hidden" value="0" />\
+<input name="foo[bar]" id="foo_bar" value="1" type="checkbox" />)
       }, @options)
   end
 
   def test_fields_for
     assert_render({
       %(<% fields_for @foo.bar do |fields| %>Field: <%= fields.check_box :field %><% end %>) => %(
-        Field: <input name="f&amp;b[field]" type="checkbox" id="f_b_field" value="1" /><input name="f&amp;b[field]" type="hidden" value="0" />)
+Field: <input name="f&amp;b[field]" type="hidden" value="0" />\
+<input name="f&amp;b[field]" type="checkbox" id="f_b_field" value="1" />)
       }, @options)
   end
 
@@ -31,7 +33,7 @@ class FormHelperTest < Test::Unit::TestCase
   def test_form_for
     assert_render({
       %(<% form_for :foo do |f| %>Bar: <%= f.text_field :bar %><% end %>) => %(
-        <form action="/test/foobar" method="post">Bar: <input name="foo[bar]" size="30" type="text" id="foo_bar" value="f&amp;b" /></form>)
+<form method=\"post\" action=\"/test/foobar\">Bar: <input name=\"foo[bar]\" size=\"30\" id=\"foo_bar\" value=\"f&amp;b\" type=\"text\" /></form>)
       }, @options)
   end
 
@@ -51,28 +53,28 @@ class FormHelperTest < Test::Unit::TestCase
   def test_password_field
     assert_render({
       %(<%= password_field :foo, :bar %>) => %(
-        <input name="foo[bar]" size="30" type="password" id="foo_bar" value="f&amp;b" />) 
+<input name="foo[bar]" size="30" type="password" id="foo_bar" value="f&amp;b" />)
       }, @options)
   end
 
   def test_radio_button
     assert_render({
       %(<%= radio_button :foo, :bar, 'f&b' %>) => %(
-        <input name="foo[bar]" checked="checked" type="radio" id="foo_bar_fb" value="f&amp;b" />)
+<input name="foo[bar]" checked="checked" type="radio" id="foo_bar_fb" value="f&amp;b" />)
       }, @options)
   end
 
   def test_text_area
     assert_render({
       %(<%= text_area :foo, :bar %>) => %(
-        <textarea name="foo[bar]" id="foo_bar" rows="20" cols="40">f&amp;b</textarea>)
+<textarea name="foo[bar]" id="foo_bar" rows="20" cols="40">f&amp;b</textarea>)
       }, @options)
   end
 
   def test_text_field
     assert_render({
       %(<%= text_field :foo, :bar %>) => %(
-        <input name="foo[bar]" size="30" type="text" id="foo_bar" value="f&amp;b" />)
+<input name="foo[bar]" size="30" type="text" id="foo_bar" value="f&amp;b" />)
       }, @options)
   end
 

data/test/form_options_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::FormOptionsHelper are properly
 # escaped.
-class FormOptionsHelperTest < Test::Unit::TestCase
+class FormOptionsHelperTest < ActionView::TestCase
 
   def setup
     @options = { 
@@ -17,14 +17,6 @@ class FormOptionsHelperTest < Test::Unit::TestCase
       }, @options)
   end
 
-  def test_country_options_for_select
-    assert_render_has_no_escaped_chars %(<%= country_options_for_select %>")
-  end
-
-  def test_country_select
-    assert_render_has_no_escaped_chars %(<%= country_select :foo, :bar %>)
-  end
-
   def test_option_groups_from_collection_for_select
     continents = [
       stub(:id => 1, 
@@ -40,8 +32,9 @@ class FormOptionsHelperTest < Test::Unit::TestCase
 
   def test_options_for_select
     assert_render(
-      %(<%= options_for_select 'a&b', 'c&d' %>) => %(
-        <option value="a&amp;b">a&amp;b</option>))
+      %(<%= options_for_select ['a&b', 'c&d'] %>) => %(
+        <option value="a&amp;b">a&amp;b</option>
+<option value="c&amp;d">c&amp;d</option>))
   end
 
   def test_options_from_collection_for_select

data/test/form_tag_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::FormTagHelper are properly
 # escaped.
-class FormTagHelperTest < Test::Unit::TestCase
+class FormTagHelperTest < ActionView::TestCase
 
   def test_check_box_tag
     assert_render(
@@ -20,7 +20,7 @@ class FormTagHelperTest < Test::Unit::TestCase
   def test_file_field_tag
     assert_render(
       %(<%= file_field_tag 'foo&bar' %>) => %(
-        <input name="foo&amp;bar" type="file" id="foo&amp;bar"#{XHTML_TAGS}>))
+        <input name="foo&amp;bar" type="file" id="foo_bar"#{XHTML_TAGS}>))
   end
 
   def test_form_tag
@@ -33,7 +33,7 @@ class FormTagHelperTest < Test::Unit::TestCase
   def test_hidden_field_tag
     assert_render(
       %(<%= hidden_field_tag 'foo&bar' %>) => %(
-        <input name="foo&amp;bar" type="hidden" id="foo&amp;bar"#{XHTML_TAGS}>))
+        <input name="foo&amp;bar" type="hidden" id="foo_bar"#{XHTML_TAGS}>))
   end
 
   def test_image_submit_tag
@@ -45,13 +45,13 @@ class FormTagHelperTest < Test::Unit::TestCase
   def test_label_tag
     assert_render(
       %(<%= label_tag 'foo&bar' %>) => %(
-        <label for="foo&amp;bar">Foo&bar</label>))
+        <label for="foo_bar">Foo&bar</label>))
   end
 
   def test_password_field_tag
     assert_render(
       %(<%= password_field_tag 'foo&bar' %>) => %(
-        <input name="foo&amp;bar" type="password" id="foo&amp;bar"#{XHTML_TAGS}>))
+        <input name="foo&amp;bar" type="password" id="foo_bar"#{XHTML_TAGS}>))
   end
 
   def test_radio_button_tag
@@ -64,7 +64,7 @@ class FormTagHelperTest < Test::Unit::TestCase
   def test_select_tag
     assert_render(
       %(<%= select_tag 'foo&bar' %>) => %(
-        <select name="foo&amp;bar" id="foo&amp;bar"></select>))
+        <select name="foo&amp;bar" id="foo_bar"></select>))
   end
 
   def test_submit_tag
@@ -76,13 +76,13 @@ class FormTagHelperTest < Test::Unit::TestCase
   def test_text_area_tag
     assert_render(
       %(<%= text_area_tag 'foo&bar' %>) => %(
-        <textarea name="foo&amp;bar" id="foo&amp;bar"></textarea>))
+        <textarea name="foo&amp;bar" id="foo_bar"></textarea>))
   end
 
   def test_text_field_tag
     assert_render(
       %(<%= text_field_tag 'foo&bar' %>) => %(
-        <input name="foo&amp;bar" type="text" id="foo&amp;bar"#{XHTML_TAGS}>))
+        <input name="foo&amp;bar" type="text" id="foo_bar"#{XHTML_TAGS}>))
   end
 
 end

data/test/javascript_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::JavaScriptHelper are properly
 # escaped.
-class JavascriptHelperTest < Test::Unit::TestCase
+class JavascriptHelperTest < ActionView::TestCase
 
   def test_button_to_function
     assert_render(

data/test/prototype_helper_test.rb

@@ -2,7 +2,7 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 
 # Test that helpers from ActionView::Helpers::PrototypeHelper are escaped
 # correctly.
-class PrototypeHelperTest < Test::Unit::TestCase
+class PrototypeHelperTest < ActionView::TestCase
 
   def test_evaluate_remote_response
     assert_render(
@@ -54,7 +54,7 @@ new PeriodicalExecuter(function() {new Ajax.Request('/test/foobar', \
       %(<%= submit_to_remote 'foo&bar', 'f&b' %>) => %(
       <input name="foo&amp;bar" value="f&amp;b" type="button" onclick="\
 new Ajax.Request('/test/foobar', {asynchronous:true, evalScripts:true, \
-parameters:Form.serialize(this.form)}); return false;"#{XHTML_TAGS}>))
+parameters:Form.serialize(this.form)});"#{XHTML_TAGS}>))
   end
 
 end

data/test/template_object_test.rb

@@ -5,29 +5,16 @@ require File.dirname(__FILE__) + '/../test/test_helper'
 class TemplateObjectTest < Test::Unit::TestCase
 
   def setup
-    @view = ActionView::Base.new(VIEW_PATH)
-    @path = "hello_world.erb"
+    @template_path = VIEW_PATH + "/hello_world.erb"
   end
 
-  def test_should_create_valid_template
-    template = ActionView::Template.new(@view, @path, true)
+  def test_create_valid_template
+    template = ActionView::Template.new(@template_path, true)
 
-    assert_kind_of ActionView::TemplateHandlers::ERB, template.handler
-    assert_equal "hello_world.erb", template.path
+    assert_equal ActionView::TemplateHandlers::XssShieldERB, template.handler
+    assert_equal @template_path, template.path
     assert_nil template.instance_variable_get(:"@source")
     assert_equal "erb", template.extension
   end
 
-  def test_should_prepare_template_properly
-    template = ActionView::Template.new(@view, @path, true)
-    view = template.instance_variable_get(:"@view")
-
-    view.expects(:evaluate_assigns)
-    template.handler.expects(:compile_template).with(template)
-    view.expects(:method_names).returns({})
-
-    template.prepare!
-  end
-
 end
-

data/test/test_helper.rb

@@ -6,7 +6,7 @@ begin
   require File.expand_path "#{CUR_DIR}/../../../../test/test_helper"
 rescue LoadError
   require 'rubygems'
-  gem 'rails', '=2.1.2'
+  gem 'rails', '=2.3.4'
   require 'active_record'
   require 'action_controller'
   require 'action_controller/test_process'
@@ -34,7 +34,7 @@ end
 class Test::Unit::TestCase
 
   VIEW_PATH = File.join(File.dirname(__FILE__), 'fixtures')
-  ActionView::TemplateFinder.process_view_paths(VIEW_PATH)
+  ActionController::Base.prepend_view_path(VIEW_PATH)
 
   private
 
@@ -47,12 +47,20 @@ class Test::Unit::TestCase
   def assert_render(args, options = {})
     args.each do |erb, expected|
       expected.strip!
-      actual = render_erb(erb, options[:locals])
-      assert_dom_equal expected, actual, "#{erb} => #{expected}"
+      begin
+        actual = render_erb(erb, options[:locals])
+      rescue Exception => ex
+        puts "ERB: #{erb} => Expected: #{expected}"
+        puts ex.message
+        puts ex.backtrace
+      end
+      assert_dom_equal actual, expected, "ERB: #{erb}"
     end
   end
 
-  def render_erb(erb, locals = {})
+  def render_erb(erb, variables)
+    variables ||= {}
+
     # Need this to make asset packager happy.
     request = mock()
     request.stubs(:relative_url_root).returns('')
@@ -65,7 +73,20 @@ class Test::Unit::TestCase
     controller.stubs(:url_for).returns('/test/foobar')
 
     view = ActionView::Base.new(VIEW_PATH, {}, controller)
-    ActionView::InlineTemplate.new(view, erb, locals).render.strip
+
+    template = ActionView::InlineTemplate.new(erb)
+    template.stubs(:relative_path).returns('/')
+
+    # Set instance variables
+    locals = variables.dup
+    variables.each do |key, value|
+      if key.to_s.start_with?('@')
+        view.instance_variable_set(key, value)
+        locals.delete(key)
+      end
+    end
+
+    template.render(view, locals).strip
   end
 
 end

data/test/url_helper_test.rb

@@ -1,8 +1,7 @@
 require File.dirname(__FILE__) + '/../test/test_helper'
 
-# Test that helpers from ActionView::Helpers::UrlHelper are properly
-# escaped.
-class UrlHelperTest < Test::Unit::TestCase
+# Test that helpers from ActionView::Helpers::UrlHelper are properly escaped.
+class UrlHelperTest < ActionView::TestCase
 
   def test_button_to
     assert_render(

data/xss_shield.gemspec

@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = %q{xss_shield}
-  s.version = "1.0.0"
+  s.version = "2.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["James Tan"]
@@ -16,7 +16,8 @@ Gem::Specification.new do |s|
     "README.rdoc"
   ]
   s.files = [
-    "MIT-LICENSE",
+    ".gitignore",
+     "MIT-LICENSE",
      "README.rdoc",
      "Rakefile",
      "VERSION",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: xss_shield
 version: !ruby/object:Gem::Version 
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors: 
 - James Tan
@@ -22,6 +22,7 @@ extensions: []
 extra_rdoc_files: 
 - README.rdoc
 files: 
+- .gitignore
 - MIT-LICENSE
 - README.rdoc
 - Rakefile