@@ -1,5 +1,6 @@ require 'xss_shield/safe_string' # Tarantula doesn't use haml # require 'xss_shield/haml_hacks' -require 'xss_shield/erb_hacks' +# ERB hacks blow up Rails +# require 'xss_shield/erb_hacks' require 'xss_shield/secure_helpers' vendor/xss-shield/lib/xss_shield.rb @@ -6,56 +6,56 @@ class XSSProtectedERB < ERB content = '' scanner = make_scanner(s) scanner.scan do |token| - if scanner.stag.nil? - case token + if scanner.stag.nil? + case token when PercentLine - out.push("#{@put_cmd} #{content.dump}") if content.size > 0 - content = '' + out.push("#{@put_cmd} #{content.dump}") if content.size > 0 + content = '' out.push(token.to_s) out.cr - when :cr - out.cr - when '<%', '<%=', '<%#' - scanner.stag = token - out.push("#{@put_cmd} #{content.dump}") if content.size > 0 - content = '' - when "\n" - content << "\n" - out.push("#{@put_cmd} #{content.dump}") - out.cr - content = '' - when '<%%' - content << '<%' - else - content << token - end - else - case token - when '%>' - case scanner.stag - when '<%' - if content[-1] == ?\n - content.chop! - out.push(content) - out.cr - else - out.push(content) - end - when '<%=' + when :cr + out.cr + when '<%', '<%=', '<%#' + scanner.stag = token + out.push("#{@put_cmd} #{content.dump}") if content.size > 0 + content = '' + when "\n" + content << "\n" + out.push("#{@put_cmd} #{content.dump}") + out.cr + content = '' + when '<%%' + content << '<%' + else + content << token + end + else + case token + when '%>' + case scanner.stag + when '<%' + if content[-1] == ?\n + content.chop! + out.push(content) + out.cr + else + out.push(content) + end + when '<%=' # NOTE: Changed lines - out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)") + out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)") # NOTE: End changed lines - when '<%#' - # out.push("# #{content.dump}") - end - scanner.stag = nil - content = '' - when '%%>' - content << '%>' - else - content << token - end - end + when '<%#' + # out.push("# #{content.dump}") + end + scanner.stag = nil + content = '' + when '%%>' + content << '%>' + else + content << token + end + end end out.push("#{@put_cmd} #{content.dump}") if content.size > 0 out.close vendor/xss-shield/lib/xss_shield/erb_hacks.rb 4853da135ffa460af2967213f74ed3cb145f6dcc stu stu@fe6a39be-99a9-dc11-9a70-001c23e17821 http://github.com/relevance/tarantula/commit/ed72f3ddbcc4d2f965d131176aee0ab8d8c9dde7 ed72f3ddbcc4d2f965d131176aee0ab8d8c9dde7 2008-02-28T08:37:09-08:00 2008-02-28T08:37:09-08:00 turn off parts of xss_shield that are blowing up Fizmo f806b18634e36f53f65130b8b46c95a8ee4e66f0 stu stu@fe6a39be-99a9-dc11-9a70-001c23e17821