Diffstat (limited to 'vendor/plugins/rails_xss/lib')
-rw-r--r-- | vendor/plugins/rails_xss/lib/rails_xss.rb | 3 | ||||
-rw-r--r-- | vendor/plugins/rails_xss/lib/rails_xss/action_view.rb | 111 | ||||
-rw-r--r-- | vendor/plugins/rails_xss/lib/rails_xss/erubis.rb | 35 | ||||
-rw-r--r-- | vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb | 65 | ||||
-rw-r--r-- | vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake | 4 |
5 files changed, 218 insertions, 0 deletions
diff --git a/vendor/plugins/rails_xss/lib/rails_xss.rb b/vendor/plugins/rails_xss/lib/rails_xss.rb
new file mode 100644
index 000000000..46d1b9a4a
--- /dev/null
+++ b/vendor/plugins/rails_xss/lib/rails_xss.rb
@@ -0,0 +1,3 @@
+require 'rails_xss/erubis'
+require 'rails_xss/action_view'
+require 'rails_xss/string_ext'
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
new file mode 100644
index 000000000..c3f5e47df
--- /dev/null
+++ b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
@@ -0,0 +1,111 @@
+module ActionView
+  class Base
+    def self.xss_safe?
+      true
+    end
+
+    module WithSafeOutputBuffer
+      # Rails version of with_output_buffer uses '' as the default buf
+      def with_output_buffer(buf = ActiveSupport::SafeBuffer.new) #:nodoc:
+        super buf
+      end
+    end
+
+    include WithSafeOutputBuffer
+  end
+
+  module Helpers
+    module CaptureHelper
+      def content_for(name, content = nil, &block)
+        ivar = "@content_for_#{name}"
+        content = capture(&block) if block_given?
+        instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe)
+        nil
+      end
+    end
+
+    module TextHelper
+      def concat(string, unused_binding = nil)
+        if unused_binding
+          ActiveSupport::Deprecation.warn("The binding argument of #concat is no longer needed. Please remove it from your views and helpers.", caller)
+        end
+
+        output_buffer.concat(string)
+      end
+
+      def simple_format(text, html_options={})
+        start_tag = tag('p', html_options, true)
+        text = ERB::Util.h(text).to_str.dup
+        text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
+        text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
+        text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
+        text.insert 0, start_tag
+        text.html_safe.safe_concat("</p>")
+      end
+    end
+
+    module TagHelper
+      private
+        def content_tag_string_with_escaping(name, content, options, escape = true)
+          content_tag_string_without_escaping(name, escape ? ERB::Util.h(content) : content, options, escape)
+        end
+        alias_method_chain :content_tag_string, :escaping
+    end
+
+    module UrlHelper
+      def link_to(*args, &block)
+        if block_given?
+          options = args.first || {}
+          html_options = args.second
+          concat(link_to(capture(&block), options, html_options))
+        else
+          name = args.first
+          options = args.second || {}
+          html_options = args.third
+
+          url = url_for(options)
+
+          if html_options
+            html_options = html_options.stringify_keys
+            href = html_options['href']
+            convert_options_to_javascript!(html_options, url)
+            tag_options = tag_options(html_options)
+          else
+            tag_options = nil
+          end
+
+          href_attr = "href=\"#{url}\"" unless href
+          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
+        end
+      end
+    end
+
+    module JavaScriptHelper
+      def escape_javascript(javascript)
+        if javascript
+          javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
+        else
+          ''
+        end
+      end
+    end
+  end
+end
+
+module RailsXss
+  module SafeHelpers
+    def safe_helper(*names)
+      names.each do |helper_method_name|
+        aliased_target, punctuation = helper_method_name.to_s.sub(/([?!=])$/, ''), $1
+        module_eval <<-END
+          def #{aliased_target}_with_xss_safety#{punctuation}(*args, &block)
+            raw(#{aliased_target}_without_xss_safety#{punctuation}(*args, &block))
+          end
+        END
+        alias_method_chain helper_method_name, :xss_safety
+      end
+    end
+  end
+end
+
+Module.class_eval { include RailsXss::SafeHelpers }
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
new file mode 100644
index 000000000..c8171c669
--- /dev/null
+++ b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
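Review bot: `content_for` runs the captured block output through `ERB::Util.h(content)` on the `instance_variable_set` line, so unless `ERB::Util.h` is itself patched to return html-safe strings unchanged — nothing in this commit's five files does that — every `content_for` block has its markup escaped a second time; confirm the bundled Rails ships that override before relying on this, and record it in a comment such as `# relies on ERB::Util.h passing html_safe? strings through untouched`. In `link_to`, `href_attr = "href=\"#{url}\""` drops the `url_for` result into an attribute without escaping, which is only safe if `url_for` escapes by default (as 2.3's `:escape => true` does); a comment stating that assumption, or quoting via `ERB::Util.h(url)`, would make it explicit. `escape_javascript` covers backslash, `</`, quotes and CR/LF but not U+2028/U+2029, which also terminate lines inside inline `<script>` literals — worth extending the map or noting the gap. `JS_ESCAPE_MAP` is defined outside this hunk.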
@@ -0,0 +1,35 @@
+require 'erubis/helpers/rails_helper'
+
+module RailsXss
+  class Erubis < ::Erubis::Eruby
+    def add_preamble(src)
+      src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+    end
+
+    def add_text(src, text)
+      return if text.empty?
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+
+    BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+    def add_expr_literal(src, code)
+      if code =~ BLOCK_EXPR
+        src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+      else
+        src << '@output_buffer << ((' << code << ').to_s);'
+      end
+    end
+
+    def add_expr_escaped(src, code)
+      src << '@output_buffer << ' << escaped_expr(code) << ';'
+    end
+
+    def add_postamble(src)
+      src << '@output_buffer.to_s'
+    end
+  end
+end
+
+Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis
+Erubis::Helpers::RailsHelper.show_src = false
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
new file mode 100644
index 000000000..ee32e47c8
--- /dev/null
+++ b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
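Review bot: In `add_expr_literal`, the block branch appends `$1` — the `do` or `{` captured by `BLOCK_EXPR` — instead of the expression, so the generated template source becomes `@output_buffer.safe_concat((do).to_s);`, which is not valid Ruby; presumably `code` was intended, and even then the closing `).to_s);` would have to be emitted after the block's `end`, which this hunk does not do. If this codebase only uses `<% helper do %>` (no `=`) for block helpers the branch is never reached, which would explain why it has not surfaced; either way the `<%= ... do %>` form should be documented as unsupported until this is reworked, e.g. `# TODO: block expressions (<%= x do %>) are not supported by this branch`. Note also that this branch uses `safe_concat`, i.e. it trusts the block helper's return value without escaping, while the non-block branch escapes via `<<`; that asymmetry deserves a comment.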
@@ -0,0 +1,65 @@
+require 'active_support/deprecation'
+
+ActiveSupport::SafeBuffer.class_eval do
+  def concat(value)
+    if value.html_safe?
+      super(value)
+    else
+      super(ERB::Util.h(value))
+    end
+  end
+  alias << concat
+  UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
+
+  for unsafe_method in UNSAFE_STRING_METHODS
+    class_eval <<-EOT, __FILE__, __LINE__ + 1
+      def #{unsafe_method}(*args)
+        super.to_str
+      end
+
+      def #{unsafe_method}!(*args)
+        raise TypeError, "Cannot modify SafeBuffer in place"
+      end
+    EOT
+  end
+end
+
+class String
+  def html_safe?
+    defined?(@_rails_html_safe)
+  end
+
+  def html_safe!
+    ActiveSupport::Deprecation.warn("Use html_safe with your strings instead of html_safe! See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for the full story.", caller)
+    @_rails_html_safe = true
+    self
+  end
+
+  def add_with_safety(other)
+    result = add_without_safety(other)
+    if html_safe? && also_html_safe?(other)
+      result.html_safe!
+    else
+      result
+    end
+  end
+  alias_method :add_without_safety, :+
+  alias_method :+, :add_with_safety
+
+  def concat_with_safety(other_or_fixnum)
+    result = concat_without_safety(other_or_fixnum)
+    unless html_safe? && also_html_safe?(other_or_fixnum)
+      remove_instance_variable(:@_rails_html_safe) if defined?(@_rails_html_safe)
+    end
+    result
+  end
+
+  alias_method_chain :concat, :safety
+  undef_method :<<
+  alias_method :<<, :concat_with_safety
+
+  private
+    def also_html_safe?(other)
+      other.respond_to?(:html_safe?) && other.html_safe?
+    end
+end
diff --git a/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake b/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake
new file mode 100644
index 000000000..b8659f089
--- /dev/null
+++ b/vendor/plugins/rails_xss/lib/tasks/rails_xss_tasks.rake
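Review bot: `UNSAFE_STRING_METHODS` is a deny-list, so any String method not named there that returns an instance of the receiver's class hands back a SafeBuffer whose new content was never escaped — `ljust`/`rjust`/`center` appear to do this in MRI 1.8, so a buffer padded with attacker-controlled padding would render unescaped; the constant needs a comment stating that it must be extended whenever a copying String method is used on buffers, and that this is the plugin's main trust boundary. Separately, the generated `def #{unsafe_method}(*args); super.to_str; end` raises `NoMethodError` when the underlying method returns `nil`, which `slice` does for an out-of-range index; `result = super` followed by `result.nil? ? result : result.to_str` avoids that. `SafeBuffer#concat` calls `value.html_safe?` unconditionally, so `buffer << 65` (Integer, as `String#<<` allows) also raises rather than appending. The `for unsafe_method in ...` inside `class_eval` would read more idiomatically as `UNSAFE_STRING_METHODS.each do |unsafe_method|`.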
@@ -0,0 +1,4 @@ +# desc "Explaining what the task does" +# task :rails_xss do +# # Task goes here +# end |