lib/safe_erb/taint_helpers.rb test/taint_helpers_test.rb @@ -1,6 +1,7 @@ # SafeERB require 'safe_erb/common' +require 'safe_erb/taint_helpers' require 'safe_erb/assertion_helpers' require 'safe_erb/erb_extensions' require 'safe_erb/i18n_extensions' lib/safe_erb.rb @@ -1,17 +1,13 @@ module ActionView module Helpers module SanitizeHelper - def strip_tags_with_untaint(html) - strip_tags_without_untaint(html).untaint - end - alias_method_chain :strip_tags, :untaint + extend SafeErb::TaintHelpers + untaint_result :strip_tags end module TagHelper - def escape_once_with_untaint(html) - escape_once_without_untaint(html).untaint - end - alias_method_chain :escape_once, :untaint + extend SafeErb::TaintHelpers + untaint_result :escape_once end end end lib/safe_erb/action_view_helpers_extensions.rb @@ -46,17 +46,14 @@ class ERB end module Util - def html_escape_with_untaint(s) - html_escape_without_untaint(s).untaint - end - alias_method_chain :html_escape, :untaint - - def h_with_untaint(s) - h_without_untaint(s).untaint - end - alias_method_chain :h, :untaint + extend SafeErb::TaintHelpers + + untaint_result :html_escape + untaint_result :h - module_function :h + # For some unknown reason, these functions exist as both instance and + # module functions in the standard ERB::Util class. module_function :html_escape + module_function :h end end lib/safe_erb/erb_extensions.rb @@ -12,6 +12,4 @@ class ErbTest < ActiveSupport::TestCase assert_not_tainted html_escape("foo".taint) assert_not_tainted ERB::Util.html_escape("foo".taint) end - - end test/erb_test.rb 59da52b67387d74b715a2a7dca738a3e4f7ee37a Eric Kidd git@randomhacks.net http://github.com/emk/safe_erb/commit/34c45ba0d2786f645cc8fc88c3d58166648827ae 34c45ba0d2786f645cc8fc88c3d58166648827ae 2008-12-21T08:15:32-08:00 2008-12-21T08:15:32-08:00 Add declarative untaint_result helper This can be used to automatically untaint the return value of a specific function without having to wrap it manually. 3ff072cce63bb792432a62a7a9ab02ac858afe3f Eric Kidd git@randomhacks.net