
updating docs

1 parent 6871d86 commit 48830e76968c89dc12973b9a105a5237e8c761d0 Aaron Bedra committed Apr 26, 2009
Showing with 4 additions and 116 deletions.
  1. +4 −2 README.rdoc
  2. +0 −114 lib/safe_erb.rb
@@ -8,9 +8,11 @@ The check is done using "tainted?" method in Object class which is a standard fe
== Installation
-Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
+You can grab Safe ERB from github and put it in vendor/plugins, or just run
-Safe ERB works on Rails 1.2.x, 2.0.x, 2.1.x, 2.2.x, and 2.3.x. It has been tested using following database libraries:
+ script/plugin install git://github.com/abedra/safe-erb
+
+Safe ERB works on Rails 2.0.x, 2.1.x, 2.2.x, and 2.3.x. It has been tested using following database libraries:
- PostgreSQL (postgres-0.7.1 gem)
- MySQL (mysql-2.7 gem)
@@ -1,114 +0,0 @@
-require 'erb'
-require 'action_controller'
-require 'action_view'
-
-class ActionController::Base
- # Object#taint is set when the request comes from FastCGI or WEBrick,
- # but it is not set in Mongrel and also functional / integration testing
- # so we'll set it anyways in the filter
- before_filter :taint_request
-
- def render_with_checking_tainted(*args, &blk)
- if @skip_checking_tainted
- render_without_checking_tainted(*args, &blk)
- else
- ERB.with_checking_tainted do
- render_without_checking_tainted(*args, &blk)
- end
- end
- end
-
- alias_method_chain :render, :checking_tainted
-
- private
-
- def taint_hash(hash)
- hash.each do |k, v|
- case v
- when String
- v.taint
- when Hash
- taint_hash(v)
- end
- end
- end
-
- def taint_request
- taint_hash(params)
- cookies.each do |k, v|
- v.taint
- end
- end
-end
-
-class String
- def concat_unless_tainted(str)
- raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
- concat(str)
- end
-end
-
-class ERB
- cattr_accessor :check_tainted
- alias_method :original_set_eoutvar, :set_eoutvar
-
- def self.with_checking_tainted(&block)
- # not thread safe
- ERB.check_tainted = true
- begin
- yield
- ensure
- ERB.check_tainted = false
- end
- end
-
- def set_eoutvar(compiler, eoutvar = '_erbout')
- original_set_eoutvar(compiler, eoutvar)
- if check_tainted
- if compiler.respond_to?(:insert_cmd)
- compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
- else
- compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
- end
- end
- end
-
- module Util
- alias_method :html_escape_without_untaint, :html_escape
-
- def html_escape(s)
- h = html_escape_without_untaint(s)
- h.untaint
- h
- end
-
- alias_method :h, :html_escape
-
- module_function :h
- module_function :html_escape
- module_function :html_escape_without_untaint
- end
-end
-
-module ActionView::Helpers::SanitizeHelper
- def strip_tags_with_untaint(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-
- alias_method_chain :strip_tags, :untaint
-end
-
-module ActionView
- module Helpers
- module TagHelper
- def escape_once_with_untaint(html)
- escape_once_without_untaint(html).untaint
- end
-
- alias_method_chain :escape_once, :untaint
- end
- end
-end
-
