changing to micronaut, throwing out some tests, and reducing back to …

…one file. going to split back out after it makes sense. removing rails 1.x support

.gitignore

@@ -0,0 +1 @@
+rdoc

MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2006 Shinya Kasatani
+Copyright (c) 2006-2009 Shinya Kasatani && Aaron Bedra
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

Rakefile

@@ -1,22 +1,45 @@
 require 'rake'
 require 'rake/testtask'
 require 'rake/rdoctask'
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+require 'micronaut/rake_task'
 
-desc 'Default: run unit tests.'
-task :default => :test
+desc "Run all micronaut examples"
+Micronaut::RakeTask.new :examples do |t|
+  t.pattern = "examples/**/*_example.rb"
+end
+
+namespace :examples do
+  desc "Run all micronaut examples using rcov"
+  Micronaut::RakeTask.new :coverage do |t|
+    t.pattern = "examples/**/*_example.rb"
+    t.rcov = true
+    t.rcov_opts = %[--exclude "gems/*,/Library/Ruby/*,config/*" --text-summary  --sort coverage --no-validator-links]
+  end
+
+  RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2]
+
+  desc "Run exmaples with multiple versions of rails"
+  task :multi_rails do
+    RAILS_VERSIONS.each do |rails_version|
+      puts
+      sh "RAILS_VERSION='#{rails_version}' rake examples"
+    end
+  end
+end
 
-desc 'Test the safe_erb plugin.'
-Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = true
+if ENV["RUN_CODE_RUN"]
+  task :default => "examples:multi_rails"
+else
+  task :default => "examples"
 end
 
 desc 'Generate documentation for the safe_erb plugin.'
 Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title    = 'SafeERB'
   rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('README.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end

examples/example_helper.rb

@@ -0,0 +1,16 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "../" "lib", "safe_erb.rb"))
+
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+
+def not_in_editor?
+  ['TM_MODE', 'EMACS', 'VIM'].all? { |k| !ENV.has_key?(k) }
+end
+
+Micronaut.configure do |c|
+  c.alias_example_to :fit, :focused => true
+  c.alias_example_to :xit, :disabled => true
+  c.mock_with :mocha
+  c.color_enabled = not_in_editor?
+  c.filter_run :focused => true
+end

examples/safe_erb_example.rb

@@ -0,0 +1,31 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "example_helper.rb"))
+
+describe "Safe ERB" do
+
+  describe "render_with_checking_tainted" do
+    it "test checking" do
+      ERB.with_checking_tainted do
+        src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+        lambda { eval(src) }.should raise_error(RuntimeError)
+      end
+    end
+
+    it "test checking non tainted" do
+      ERB.with_checking_tainted do
+        src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
+        lambda { eval(src) }.should_not raise_error
+      end
+    end
+  end
+
+  describe "Tag Helper Tests" do
+    include ActionView::Helpers::TagHelper
+
+    it "test taghelper untaints" do
+      evil_str = "evil knievel".taint
+      escape_once(evil_str).should_not be_tainted
+      escape_once_without_untaint(evil_str).should be_tainted
+    end
+  end     
+
+end

init.rb

@@ -1,3 +1 @@
-# Include hook code here
-
 require 'safe_erb'

install.rb

@@ -1 +1 @@
-# Install hook code here
+

lib/safe_erb.rb

@@ -1,10 +1,114 @@
-# SafeERB
+require 'erb'
+require 'action_controller'
+require 'action_view'
 
-require 'safe_erb/common'
-require 'safe_erb/tag_helper'
+class ActionController::Base
+  # Object#taint is set when the request comes from FastCGI or WEBrick,
+  # but it is not set in Mongrel and also functional / integration testing
+  # so we'll set it anyways in the filter
+  before_filter :taint_request
+
+  def render_with_checking_tainted(*args, &blk)
+    if @skip_checking_tainted
+      render_without_checking_tainted(*args, &blk)
+    else
+      ERB.with_checking_tainted do
+        render_without_checking_tainted(*args, &blk)
+      end
+    end
+  end
 
-if Rails::VERSION::MAJOR >= 2
-  require 'safe_erb/rails_2'
-else
-  require 'safe_erb/rails_1'
+  alias_method_chain :render, :checking_tainted
+
+  private
+
+  def taint_hash(hash)
+    hash.each do |k, v|
+      case v
+      when String
+        v.taint
+      when Hash
+        taint_hash(v)
+      end
+    end
+  end
+
+  def taint_request
+    taint_hash(params)
+    cookies.each do |k, v|
+      v.taint
+    end
+  end
+end
+
+class String
+  def concat_unless_tainted(str)
+    raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
+    concat(str)
+  end
 end
+
+class ERB
+  cattr_accessor :check_tainted
+  alias_method :original_set_eoutvar, :set_eoutvar
+
+  def self.with_checking_tainted(&block)
+    # not thread safe
+    ERB.check_tainted = true
+    begin
+      yield
+    ensure
+      ERB.check_tainted = false
+    end
+  end
+
+  def set_eoutvar(compiler, eoutvar = '_erbout')
+    original_set_eoutvar(compiler, eoutvar)
+    if check_tainted
+      if compiler.respond_to?(:insert_cmd)
+        compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
+      else
+        compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
+      end
+    end
+  end
+
+  module Util
+    alias_method :html_escape_without_untaint, :html_escape
+
+    def html_escape(s)
+      h = html_escape_without_untaint(s)
+      h.untaint
+      h
+    end
+
+    alias_method :h, :html_escape
+
+    module_function :h
+    module_function :html_escape
+    module_function :html_escape_without_untaint
+  end
+end
+
+module ActionView::Helpers::SanitizeHelper
+  def strip_tags_with_untaint(html)
+    str = strip_tags_without_untaint(html)
+    str.untaint
+    str
+  end
+
+  alias_method_chain :strip_tags, :untaint
+end
+
+module ActionView
+  module Helpers
+    module TagHelper
+      def escape_once_with_untaint(html)
+        escape_once_without_untaint(html).untaint
+      end
+
+      alias_method_chain :escape_once, :untaint
+    end
+  end
+end
+