zafu 0.7.4 → 0.7.5

data/History.txt

@@ -1,3 +1,13 @@
+== 0.7.5 2011-01-15
+
+* Enhancements
+  * Fixed double rendering of zafu block (store) and @var usage.
+  * Fixed security hole where include could be used to create erb.
+  * Fixed a bug where class conditional in [if] would not render correctly.
+  * Better handling of nested dom_id when used with ajax (draggable).
+  * Adapted RubyLess resolution to new Proc calls (RubyLess 0.8.1).
+  * Removed some Zena specific code.
+
 == 0.7.4 2010-09-25
 
 * Minor enhancement

data/lib/zafu/all.rb

@@ -5,6 +5,7 @@ require 'zafu/process/ruby_less_processing'
 require 'zafu/process/context'
 require 'zafu/process/conditional'
 require 'zafu/process/forms'
+require 'zafu/security'
 
 module Zafu
   All = [
@@ -15,5 +16,6 @@ module Zafu
     Zafu::Process::RubyLessProcessing,
     Zafu::Process::Ajax,
     Zafu::Process::Forms,
+    Zafu::Security,
   ]
 end

data/lib/zafu/controller_methods.rb

@@ -14,8 +14,6 @@ module Zafu
               t.previously_last_modified = nil
             # end
             render_for_text @template.render(:file => template_path, :locals => locals, :layout => layout), status
-          rescue => err
-            puts err.backtrace.join("\n")
           end
           alias_method_chain :render_for_file, :rebuild
         end

data/lib/zafu/info.rb

@@ -1,4 +1,4 @@
 module Zafu
-  VERSION = '0.7.4'
+  VERSION = '0.7.5'
 end
 

data/lib/zafu/markup.rb

@@ -100,9 +100,19 @@ module Zafu
         if value =~ /^(.*)\#\{(.*)\}(.*)$/
           @params.delete(key)
           if $1 == '' && $3 == ''
-            append_dyn_param(key, "<%= #{RubyLess.translate(helper, $2)} %>")
+            code = RubyLess.translate(helper, $2)
+            if code.literal
+              append_dyn_param(key, helper.form_quote(code.literal.to_s))
+            else
+              append_dyn_param(key, "<%= #{code} %>")
+            end
           else
-            append_dyn_param(key, "<%= #{RubyLess.translate_string(helper, value)} %>")
+            code = RubyLess.translate_string(helper, value)
+            if code.literal
+              append_dyn_param(key, helper.form_quote(code.literal.to_s))
+            else
+              append_dyn_param(key, "<%= #{code} %>")
+            end
           end
         end
       end

data/lib/zafu/node_context.rb

@@ -22,7 +22,7 @@ module Zafu
     end
 
     def move_to(name, klass, opts={})
-      NodeContext.new(name, klass, self, opts)
+      self.class.new(name, klass, self, opts)
     end
 
     # Since the idiom to write the node context name is the main purpose of this class, it
@@ -38,7 +38,7 @@ module Zafu
     # Return true if the NodeContext represents an element of the given type. We use 'will_be' because
     # it is equivalent to 'is_a', but for future objects (during rendering).
     def will_be?(type)
-      single_class.ancestors.include?(type)
+      single_class <= type
     end
 
     # Return a new node context that corresponds to the current object when rendered alone (in an ajax response or
@@ -48,7 +48,7 @@ module Zafu
     # ivar name (see #master_class).
     def as_main(after_class = nil)
       klass = after_class ? master_class(after_class) : single_class
-      NodeContext.new("@#{klass.to_s.underscore}", single_class)
+      self.class.new("@#{klass.to_s.underscore}", single_class)
     end
 
     # Find the class just afer 'after_class' in the class hierarchy.
@@ -65,6 +65,7 @@ module Zafu
 
     # Generate a unique DOM id for this element based on dom_scopes defined in parent contexts.
     def dom_id(opts = {})
+      dom_prefix = opts[:dom_prefix] || self.dom_prefix
       options = {:list => true, :erb => true}.merge(opts)
 
       if options[:erb]
@@ -129,14 +130,16 @@ module Zafu
       class_name.to_s.underscore
     end
 
-    # Return the class name or the superclass name if the current class is an anonymous class.
-    # FIXME: just use klass.to_s (so that we can do clever things with 'to_s')
+    # Return the 'real' class name or the superclass name if the current class is an anonymous class.
     def class_name
+      klass = single_class
+      while klass.name == ''
+        klass = klass.superclass
+      end
       if list_context?
-        klass = single_class
-        "[#{(klass.name.blank? ? klass.superclass : klass).name}]"
+        "[#{klass}]"
       else
-        (@klass.name.blank? ? @klass.superclass : @klass).name
+        klass.name
       end
     end
 

data/lib/zafu/parser.rb

@@ -121,6 +121,7 @@ module Zafu
        :@out_post => @out_post,
        :@params   => @params.dup,
        :@method   => @method,
+       :@var      => @var,
       }
     end
 
@@ -237,6 +238,7 @@ module Zafu
       else
         @context = context
       end
+      # FIXME: replace with array and join (faster)
       @result   = ""
       @out_post = ""
 

data/lib/zafu/parsing_rules.rb

@@ -92,7 +92,7 @@ module Zafu
     end
 
     def remove_erb(text)
-      text.gsub('<%', '&lt;%').gsub('%>', '%&gt;')
+      text.gsub('<%', '&lt;%').gsub('%>', '%&gt;').gsub(/<\Z/, '&lt;')
     end
 
     def unescape_ruby
@@ -186,17 +186,18 @@ module Zafu
 
     def scan_tag(opts={})
       #puts "TAG(#{@method}): [#{@text}]"
-      if @text =~ /\A<r:([\w_]+)([^>]*?)(\/?)>/
+      if @text =~ /\A<r:([\w_]+\??)([^>]*?)(\/?)>/
         #puts "RTAG:#{$~.to_a.inspect}" # ztag
         eat $&
         opts.merge!(:method=>$1, :params=>$2)
         opts.merge!(:text=>'') if $3 != ''
         make(:void, opts)
-      elsif @text =~ /\A<(\w+)([^>]*?)do\s*=('([^>]*?[^\\]|)'|"([^>]*?[^\\]|)")([^>]*?)(\/?)>/
-        #puts "DO:#{($4||$5).inspect}" # do tag
+      #elsif @text =~ /\A<(\w+)([^>]*?)do\s*=('([^>]*?[^\\]|)'|"([^>]*?[^\\]|)")([^>]*?)(\/?)>/
+      elsif @text =~ /\A<(\w+)([^>]*?)do\s*=('|")([^\3]*?[^\\])\3([^>]*?)(\/?)>/
+        #puts "DO:#{$~.to_a.inspect}" # do tag
         eat $&
-        opts.merge!(:method=>($4||$5), :html_tag=>$1, :html_tag_params=>$2, :params=>$6)
-        opts.merge!(:text=>'') if $7 != ''
+        opts.merge!(:method=> $4, :html_tag=>$1, :html_tag_params=>$2, :params=>$5)
+        opts.merge!(:text=>'') if $6 != ''
         make(:void, opts)
       elsif @options[:form] && @text =~ /\A<(input|select|textarea|form)([^>]*?)(\/?)>/
         eat $&
@@ -219,7 +220,7 @@ module Zafu
         opts.merge!(:method=>'void', :html_tag=>$1, :params=>{:id => $3[1..-2]}, :html_tag_params=>"#{$2}id=#{$3}#{$4}")
         opts.merge!(:text=>'') if $5 != ''
         make(:void, opts)
-      elsif @end_tag && @text =~ /\A<#{@end_tag}([^>]*?)(\/?)>/
+      elsif @end_tag && @text =~ /\A<#{@end_tag.gsub('?', '\\?')}([^>]*?)(\/?)>/
         #puts "SAME:#{$~.to_a.inspect}" # simple html tag same as end_tag
         flush $&
         @end_tag_count += 1 unless $2 == '/'
@@ -242,10 +243,11 @@ module Zafu
 
     def scan_asset
       # puts "ASSET(#{object_id}) [#{@text}]"
-      if @text =~ /\A<(\w*)([^>]*?)(\/?)>/
+      if @text =~ /\A<(\w+)([^>]*?)(\/?)>/
         eat $&
         @method = 'rename_asset'
-        @markup.tag = @end_tag = $1
+        @markup.tag = $1
+        @end_tag = $1
         closed = ($3 != '')
         @params = Markup.parse_params($2)
         if closed
@@ -263,7 +265,7 @@ module Zafu
     end
 
     def scan_inside_asset
-      if @text =~ /\A(.*?)<\/#{@end_tag}>/m
+      if @text =~ /\A(.*?)<\/#{@end_tag.gsub('?', '\\?')}>/m
         eat $&
         store $1
         leave(:asset)

data/lib/zafu/process/ajax.rb

@@ -208,14 +208,15 @@ module Zafu
           out wrap("#{expand_with(:onclick=>"[\"#{node.dom_prefix}_add\", \"#{node.dom_prefix}_form\"].each(Element.toggle);#{focus}return false;")}")
 
           # New object to render form.
+
           # FIXME: use 'klass' param in r_add or r_form instead of current list content.
-          new_node = node.move_to("#{var}_new", [node.klass].flatten.first)
+          new_node = node.move_to("#{var}_new", [node.klass].flatten.first, :new_record => true)
 
           if new_node.will_be?(Node)
             # FIXME: BUG if we set <r:form klass='Post'/> the user cannot select class with menu...
 
             # FIXME: inspect '@context[:form]' to see if it contains v_klass ?
-            out "<% if #{new_node} = secure(Node) { Node.new_from_class('#{new_node.class_name}') } -%>"
+            out "<% if #{new_node} = secure(Node) { Node.new_node('class' => '#{new_node.klass}') } -%>"
           else
             out "<% if #{new_node} = #{new_node.class_name}.new -%>"
           end
@@ -266,12 +267,13 @@ module Zafu
       # Block visibility of descendance with 'do_list'.
       def public_descendants
         all = super
-        if ['context', 'each', 'block'].include?(self.method)
+        if ['context', 'each', 'block'].include?(method)
           # do not propagate 'form',etc up
           all.reject do |k,v|
             ['form','unlink'].include?(k)
           end
-        elsif ['if', 'case'].include?(self.method)
+        elsif ['if', 'case'].include?(method) || (method =~ /^[A-Z]/)
+          # conditional
           all.reject do |k,v|
             ['else', 'elsif', 'when'].include?(k)
           end

data/lib/zafu/process/conditional.rb

@@ -63,7 +63,8 @@ module Zafu
           res << wrap(expand_with)
         end
 
-        res << expand_with(:in_if => true, :only => /^[A-Z]|else|elsif|when/, :markup => alt_markup)
+        only = method == 'case' ? %r{^[A-Z]|else|elsif|when} : %w{else elsif when}
+        res << expand_with(:in_if => true, :only => only, :markup => alt_markup)
         res << "<% end -%>"
         res
       end

data/lib/zafu/process/ruby_less_processing.rb

@@ -28,8 +28,8 @@ module Zafu
       # Resolve unknown methods by using RubyLess in the current compilation context (the
       # translate method in RubyLess will call 'safe_method_type' in this module).
       def rubyless_eval(params = @params)
-        if @method =~ /^[A-Z]\w+$/
-          return rubyless_class_scope(@method)
+        if @method =~ /^([A-Z]\w+?)\?$/
+          return rubyless_class_scope($1)
         end
 
         rubyless_render(@method, params)
@@ -78,7 +78,7 @@ module Zafu
       def set_markup_attr(markup, key, value)
         value = value.kind_of?(RubyLess::TypedString) ? value : RubyLess.translate_string(self, value)
         if value.literal
-          markup.set_param(key, value.literal)
+          markup.set_param(key, form_quote(value.literal))
         else
           markup.set_dyn_param(key, "<%= #{value} %>")
         end
@@ -87,7 +87,7 @@ module Zafu
       def append_markup_attr(markup, key, value)
         value = RubyLess.translate_string(self, value)
         if value.literal
-          markup.append_param(key, value.literal)
+          markup.append_param(key, form_quote(value.literal))
         else
           markup.append_dyn_param(key, "<%= #{value} %>")
         end
@@ -132,7 +132,6 @@ module Zafu
         # 6. append block as argument (restart 1-5 with xxx(block_string))
         def get_method_type(signature, added_options = false)
           node = self.node
-          raise "#{node.klass.class}" unless node.klass.kind_of?(Array) || node.klass.kind_of?(Class)
 
           if type = node_context_from_signature(signature)
             # Resolve self, @page, @node
@@ -149,11 +148,15 @@ module Zafu
           elsif node && !node.list_context? && type = safe_method_from(node.klass, signature, node)
             # not a list_contex
             # Resolve node context methods: xxx.foo, xxx.bar
-            type = type[:class].call(self, signature) if type[:class].kind_of?(Proc)
-            type.merge(:method => "#{node.name}.#{type[:method]}")
+            type = type[:class].call(self, node.klass, signature) if type[:class].kind_of?(Proc)
+            type.merge(:receiver => RubyLess::TypedString.new(node.name, :class => node.klass))
+          elsif node && node.list_context? && type = safe_method_from(Array, signature, node)
+            # FIXME: why do we need this here ? Remove with related code in zafu_safe_definitions ?
+            type = type[:class].call(self, node.klass, signature) if type[:class].kind_of?(Proc)
+            type.merge(:receiver => RubyLess::TypedString.new(node.name, :class => Array, :elem => node.klass.first))
           elsif node && node.list_context? && type = safe_method_from(node.klass.first, signature, node)
-            type = type[:class].call(self, signature) if type[:class].kind_of?(Proc)
-            type.merge(:method => "#{node.name}.first.#{type[:method]}")
+            type = type[:class].call(self, node.klass, signature) if type[:class].kind_of?(Proc)
+            type.merge(:receiver => RubyLess::TypedString.new("#{node.name}.first", :class => node.klass.first))
           elsif @rendering_block_owner && @blocks.first.kind_of?(String) && !added_options
             # Insert the block content into the method: <r:trans>blah</r:trans> becomes trans("blah")
             signature_with_block = signature.dup
@@ -166,8 +169,8 @@ module Zafu
           elsif node && !added_options
             # Try prepending current node before arguments: link("foo") becomes link(var1, "foo")
             signature_with_node = signature.dup
-            signature_with_node.insert(1, node.klass)
-            if type = get_method_type(signature_with_node, added_options = true)
+            signature_with_node.insert(1, node.real_class) # node.klass ?
+            if type = get_method_type(signature_with_node, true)
               type.merge(:prepend_args => RubyLess::TypedString.new(node.name, :class => node.klass))
             else
               nil
@@ -210,7 +213,7 @@ module Zafu
         def rubyless_expand(res)
           if res.klass == String && !@blocks.detect {|b| !b.kind_of?(String)}
             if lit = res.literal
-              out lit
+              out erb_escape(lit)
             else
               out "<%= #{res} %>"
             end
@@ -224,6 +227,8 @@ module Zafu
         end
 
         def rubyless_class_scope(class_name)
+          return parser_error("Cannot scope class in list (use each before filtering).") if node.list_context?
+
           # capital letter ==> class conditional
           klass = Module.const_get(class_name)
           if klass.ancestors.include?(node.klass)

data/lib/zafu/security.rb

@@ -0,0 +1,15 @@
+module Zafu
+  module Security
+    SECURE_REGEXP = %r{<%|%>|<\Z}
+    SAFE_CODE     = {'<%' => '&lt;%', '%>' => '%&gt;', '<' => '&lt;'}
+    # Make sure translations and other literal values cannot be used to build erb.
+    def erb_escape(text)
+      # Do not only replace '<%' ! or <r:t>min</r:t>% ==> <% ...
+      text.gsub(SECURE_REGEXP) {|code| SAFE_CODE[code]}
+    end
+
+    def form_quote(text)
+      erb_escape(text).gsub("'", "&apos;")
+    end
+  end # Security
+end # Zafu

data/test/node_context_test.rb

@@ -121,7 +121,7 @@ class NodeContextTest < Test::Unit::TestCase
       end
     end # with a sub-class
 
-    context 'with an anonymoys sub-class' do
+    context 'with an anonymous sub-class' do
       subject do
         NodeContext.new('@node', Class.new(Page))
       end
@@ -129,7 +129,7 @@ class NodeContextTest < Test::Unit::TestCase
       should 'return class on class_name' do
         assert_equal 'Page', subject.class_name
       end
-    end # with an anonymoys sub-class
+    end # with an anonymous sub-class
   end
 
   context 'In a sub-context' do

data/test/ruby_less_test.rb

@@ -3,6 +3,7 @@ require 'test_helper'
 class ZafuRubyLessTest < Test::Unit::TestCase
   include RubyLess
   def self.process_unknown(callback); end;
+  include Zafu::Security
   include Zafu::Process::RubyLessProcessing
   def helper; self.class; end
   safe_method :one => {:class => String, :method => "main_one"}

data/test/zafu/meta.yml

@@ -7,6 +7,11 @@ include_with_part:
   src: "<r:include template='/some/template'><r:with part='a'/><r:with part='b'>new b:<r:include template='/some/template' part='a'/></r:with></r:include>"
   tem: "<div id='b'>new b:<div id='a'>a</div></div>"
 
+include_missing_part:
+  # part 'a' is moved around
+  src: "<r:include template='/some/template' part='bad'/>"
+  tem: "<span class='parser_error'><span class='method'>include</span> <span class='message'>'bad' not found in template '/some/template'</span></span>"
+
 missing_template:
   src: "<r:include template='Foo'/>"
   tem: "/template 'Foo' not found/"

data/test/zafu/security.yml

@@ -17,3 +17,7 @@ trick_erb:
 include_erb:
   src: "include: <r:include template='/nasty_erb'/>"
   tem: "include: this &lt;% puts \"could be\" %&gt; nasty"
+
+rubyless_make_erb:
+  src: "<p foo='#{\"<\"}%= xx'/>"
+  tem: "<p foo='&lt;%= xx'></p>"

data/zafu.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{zafu}
-  s.version = "0.7.4"
+  s.version = "0.7.5"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Gaspard Bucher"]
-  s.date = %q{2010-09-25}
+  s.date = %q{2011-01-15}
   s.description = %q{Provides a powerful templating language based on xhtml for rails}
   s.email = %q{gaspard@teti.ch}
   s.extra_rdoc_files = [
@@ -38,6 +38,7 @@ Gem::Specification.new do |s|
      "lib/zafu/process/forms.rb",
      "lib/zafu/process/html.rb",
      "lib/zafu/process/ruby_less_processing.rb",
+     "lib/zafu/security.rb",
      "lib/zafu/template.rb",
      "lib/zafu/test_helper.rb",
      "lib/zafu/view_methods.rb",
@@ -67,7 +68,7 @@ Gem::Specification.new do |s|
   s.homepage = %q{http://zenadmin.org/zafu}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.6}
+  s.rubygems_version = %q{1.3.7}
   s.summary = %q{Provides a powerful templating language based on xhtml for rails}
   s.test_files = [
     "test/markup_test.rb",
@@ -87,7 +88,7 @@ Gem::Specification.new do |s|
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_development_dependency(%q<shoulda>, [">= 0"])
       s.add_development_dependency(%q<yamltest>, [">= 0.5.0"])
       s.add_runtime_dependency(%q<rubyless>, [">= 0.7.0"])

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: zafu
 version: !ruby/object:Gem::Version 
+  hash: 9
   prerelease: false
   segments: 
   - 0
   - 7
-  - 4
-  version: 0.7.4
+  - 5
+  version: 0.7.5
 platform: ruby
 authors: 
 - Gaspard Bucher
@@ -14,16 +15,18 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-25 00:00:00 +02:00
+date: 2011-01-15 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: shoulda
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
@@ -33,9 +36,11 @@ dependencies:
   name: yamltest
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 11
         segments: 
         - 0
         - 5
@@ -47,9 +52,11 @@ dependencies:
   name: rubyless
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         - 7
@@ -88,6 +95,7 @@ files:
 - lib/zafu/process/forms.rb
 - lib/zafu/process/html.rb
 - lib/zafu/process/ruby_less_processing.rb
+- lib/zafu/security.rb
 - lib/zafu/template.rb
 - lib/zafu/test_helper.rb
 - lib/zafu/view_methods.rb
@@ -123,23 +131,27 @@ rdoc_options:
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Provides a powerful templating language based on xhtml for rails