changing to micronaut, throwing out some tests, and reducing back to one file. going to split back out after it makes sense. removing rails 1.x support
commit ccfb1cc5747dc3ae546cb430ec9c1918dd74ca09 1 parent 699b485
Aaron Bedra authored
1  .gitignore
@@ -0,0 +1 @@
+rdoc
2  MIT-LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2006 Shinya Kasatani
+Copyright (c) 2006-2009 Shinya Kasatani && Aaron Bedra
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
39 Rakefile
@@ -1,15 +1,38 @@
require 'rake'
require 'rake/testtask'
require 'rake/rdoctask'
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+require 'micronaut/rake_task'
-desc 'Default: run unit tests.'
-task :default => :test
+desc "Run all micronaut examples"
+Micronaut::RakeTask.new :examples do |t|
+ t.pattern = "examples/**/*_example.rb"
+end
+
+namespace :examples do
+ desc "Run all micronaut examples using rcov"
+ Micronaut::RakeTask.new :coverage do |t|
+ t.pattern = "examples/**/*_example.rb"
+ t.rcov = true
+ t.rcov_opts = %[--exclude "gems/*,/Library/Ruby/*,config/*" --text-summary --sort coverage --no-validator-links]
+ end
+
+ RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2]
+
+ desc "Run exmaples with multiple versions of rails"
+ task :multi_rails do
+ RAILS_VERSIONS.each do |rails_version|
+ puts
+ sh "RAILS_VERSION='#{rails_version}' rake examples"
+ end
+ end
+end
-desc 'Test the safe_erb plugin.'
-Rake::TestTask.new(:test) do |t|
- t.libs << 'lib'
- t.pattern = 'test/**/*_test.rb'
- t.verbose = true
+if ENV["RUN_CODE_RUN"]
+ task :default => "examples:multi_rails"
+else
+ task :default => "examples"
end
desc 'Generate documentation for the safe_erb plugin.'
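Review bot: The task description `desc "Run exmaples with multiple versions of rails"` has a typo; `desc "Run examples with multiple versions of rails"`. `RAILS_VERSIONS` is assigned inside the `namespace :examples do` block, but a block does not open a constant scope, so the constant lands on the top-level Object rather than under the namespace — harmless as written, though a local or a module-level name would make that explicit. The `sh` command interpolates only values from that fixed list, so the shell-string form is not an injection concern here; it would become one only if the list were ever taken from ENV or arguments.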
@@ -17,6 +40,6 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
rdoc.rdoc_dir = 'rdoc'
rdoc.title = 'SafeERB'
rdoc.options << '--line-numbers' << '--inline-source'
- rdoc.rdoc_files.include('README')
+ rdoc.rdoc_files.include('README.rdoc')
rdoc.rdoc_files.include('lib/**/*.rb')
end
16 examples/example_helper.rb
@@ -0,0 +1,16 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "../" "lib", "safe_erb.rb"))
+
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+
+def not_in_editor?
+ ['TM_MODE', 'EMACS', 'VIM'].all? { |k| !ENV.has_key?(k) }
+end
+
+Micronaut.configure do |c|
+ c.alias_example_to :fit, :focused => true
+ c.alias_example_to :xit, :disabled => true
+ c.mock_with :mocha
+ c.color_enabled = not_in_editor?
+ c.filter_run :focused => true
+end
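Review bot: The first `require` joins `"../" "lib"`, which Ruby concatenates into `"../lib"` by adjacent-literal concatenation before `File.join` sees it, so the path works by accident; `File.join(File.dirname(__FILE__), "..", "lib", "safe_erb.rb")` states what is meant. Nothing in this file reads `RAILS_VERSION`, which the Rakefile's `examples:multi_rails` task exports for each run, so every iteration appears to load whatever `require 'action_controller'` resolves to; if the intent is to pin the version per run, something like `gem 'actionpack', ENV['RAILS_VERSION'] if ENV['RAILS_VERSION']` ahead of the safe_erb require would be needed. `c.mock_with :mocha` presumes mocha is installed and loadable, and none of the examples in this commit use it, so it could be dropped or the dependency declared next to the micronaut `gem` line.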
31 examples/safe_erb_example.rb
@@ -0,0 +1,31 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "example_helper.rb"))
+
+describe "Safe ERB" do
+
+ describe "render_with_checking_tainted" do
+ it "test checking" do
+ ERB.with_checking_tainted do
+ src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+ lambda { eval(src) }.should raise_error(RuntimeError)
+ end
+ end
+
+ it "test checking non tainted" do
+ ERB.with_checking_tainted do
+ src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
+ lambda { eval(src) }.should_not raise_error
+ end
+ end
+ end
+
+ describe "Tag Helper Tests" do
+ include ActionView::Helpers::TagHelper
+
+ it "test taghelper untaints" do
+ evil_str = "evil knievel".taint
+ escape_once(evil_str).should_not be_tainted
+ escape_once_without_untaint(evil_str).should be_tainted
+ end
+ end
+
+end
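Review bot: `lambda { eval(src) }.should raise_error(RuntimeError)` accepts any RuntimeError, so a failure unrelated to tainting (the file not being readable, for instance) would still pass; `raise_error(RuntimeError, /tainted/)` pins the example to the check in `concat_unless_tainted`. The example also relies on the string returned by `File.open(...).read` being tainted by the interpreter, which is what the Ruby versions of this era do for IO data; a one-line comment above the example saying so would keep the next reader from wondering where the taint comes from. Neither `html_escape`/`h` nor `strip_tags` has an example exercising its untaint path, so those two code paths of lib/safe_erb.rb are uncovered now that the Test::Unit files are gone.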
2  init.rb
@@ -1,3 +1 @@
-# Include hook code here
-
require 'safe_erb'
2  install.rb
@@ -1 +1 @@
-# Install hook code here
+
118 lib/safe_erb.rb
@@ -1,10 +1,114 @@
-# SafeERB
+require 'erb'
+require 'action_controller'
+require 'action_view'
-require 'safe_erb/common'
-require 'safe_erb/tag_helper'
+class ActionController::Base
+ # Object#taint is set when the request comes from FastCGI or WEBrick,
+ # but it is not set in Mongrel and also functional / integration testing
+ # so we'll set it anyways in the filter
+ before_filter :taint_request
+
+ def render_with_checking_tainted(*args, &blk)
+ if @skip_checking_tainted
+ render_without_checking_tainted(*args, &blk)
+ else
+ ERB.with_checking_tainted do
+ render_without_checking_tainted(*args, &blk)
+ end
+ end
+ end
-if Rails::VERSION::MAJOR >= 2
- require 'safe_erb/rails_2'
-else
- require 'safe_erb/rails_1'
+ alias_method_chain :render, :checking_tainted
+
+ private
+
+ def taint_hash(hash)
+ hash.each do |k, v|
+ case v
+ when String
+ v.taint
+ when Hash
+ taint_hash(v)
+ end
+ end
+ end
+
+ def taint_request
+ taint_hash(params)
+ cookies.each do |k, v|
+ v.taint
+ end
+ end
+end
+
+class String
+ def concat_unless_tainted(str)
+ raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
+ concat(str)
+ end
end
+
+class ERB
+ cattr_accessor :check_tainted
+ alias_method :original_set_eoutvar, :set_eoutvar
+
+ def self.with_checking_tainted(&block)
+ # not thread safe
+ ERB.check_tainted = true
+ begin
+ yield
+ ensure
+ ERB.check_tainted = false
+ end
+ end
+
+ def set_eoutvar(compiler, eoutvar = '_erbout')
+ original_set_eoutvar(compiler, eoutvar)
+ if check_tainted
+ if compiler.respond_to?(:insert_cmd)
+ compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
+ else
+ compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
+ end
+ end
+ end
+
+ module Util
+ alias_method :html_escape_without_untaint, :html_escape
+
+ def html_escape(s)
+ h = html_escape_without_untaint(s)
+ h.untaint
+ h
+ end
+
+ alias_method :h, :html_escape
+
+ module_function :h
+ module_function :html_escape
+ module_function :html_escape_without_untaint
+ end
+end
+
+module ActionView::Helpers::SanitizeHelper
+ def strip_tags_with_untaint(html)
+ str = strip_tags_without_untaint(html)
+ str.untaint
+ str
+ end
+
+ alias_method_chain :strip_tags, :untaint
+end
+
+module ActionView
+ module Helpers
+ module TagHelper
+ def escape_once_with_untaint(html)
+ escape_once_without_untaint(html).untaint
+ end
+
+ alias_method_chain :escape_once, :untaint
+ end
+ end
+end
+
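Review bot: `taint_hash` recurses only into Hash values, so String elements of Array parameters (`ids[]=...`) reach the view untainted and bypass the check that `taint_request` is meant to establish; handling Array alongside String and Hash closes that gap (rewrite below). Two smaller points in the same hunk: `concat_unless_tainted` interpolates the tainted string into its RuntimeError message, so request-controlled input ends up in logs and error pages — `raise "attempted to output tainted string"` (or a truncated `str.inspect`) is safer; and `with_checking_tainted` resets `check_tainted` to `false` in `ensure`, which switches checking off for the remainder of an outer block when calls nest — saving the prior value (`prev = ERB.check_tainted` before the assignment, `ensure ERB.check_tainted = prev`) keeps nesting correct. The existing `# not thread safe` note on the class-level flag still applies and is worth keeping.
```ruby
  def taint_hash(hash)
    hash.each_value { |v| taint_value(v) }
  end

  # Recursively taint every String reachable from a params value, including
  # members of Array parameters, which the Hash-only walk skipped.
  def taint_value(value)
    case value
    when String then value.taint
    when Hash   then taint_hash(value)
    when Array  then value.each { |e| taint_value(e) }
    end
  end

  # … unchanged: taint_request …
```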
93 lib/safe_erb/common.rb
@@ -1,93 +0,0 @@
-# SafeERB
-
-require 'erb'
-require 'action_controller'
-require 'action_view'
-
-class ActionController::Base
- # Object#taint is set when the request comes from FastCGI or WEBrick,
- # but it is not set in Mongrel and also functional / integration testing
- # so we'll set it anyways in the filter
- before_filter :taint_request
-
- def render_with_checking_tainted(*args, &blk)
- if @skip_checking_tainted
- render_without_checking_tainted(*args, &blk)
- else
- ERB.with_checking_tainted do
- render_without_checking_tainted(*args, &blk)
- end
- end
- end
-
- alias_method_chain :render, :checking_tainted
-
- private
-
- def taint_hash(hash)
- hash.each do |k, v|
- case v
- when String
- v.taint
- when Hash
- taint_hash(v)
- end
- end
- end
-
- def taint_request
- taint_hash(params)
- cookies.each do |k, v|
- v.taint
- end
- end
-end
-
-class String
- def concat_unless_tainted(str)
- raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
- concat(str)
- end
-end
-
-class ERB
- cattr_accessor :check_tainted
- alias_method :original_set_eoutvar, :set_eoutvar
-
- def self.with_checking_tainted(&block)
- # not thread safe
- ERB.check_tainted = true
- begin
- yield
- ensure
- ERB.check_tainted = false
- end
- end
-
- def set_eoutvar(compiler, eoutvar = '_erbout')
- original_set_eoutvar(compiler, eoutvar)
- if check_tainted
- if compiler.respond_to?(:insert_cmd)
- compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
- else
- compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
- end
- end
- end
-
- module Util
- alias_method :html_escape_without_untaint, :html_escape
-
- def html_escape(s)
- h = html_escape_without_untaint(s)
- h.untaint
- h
- end
-
- alias_method :h, :html_escape
-
- module_function :h
- module_function :html_escape
- module_function :html_escape_without_untaint
- end
-end
11 lib/safe_erb/rails_1.rb
@@ -1,11 +0,0 @@
-# Rails 1.x dependent code (tested on 1.2.6)
-
-module ActionView::Helpers::TextHelper
- alias_method :strip_tags_without_untaint, :strip_tags
-
- def strip_tags(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-end
11 lib/safe_erb/rails_2.rb
@@ -1,11 +0,0 @@
-# Rails 2.0 dependent code (tested on 2.0.2)
-
-module ActionView::Helpers::SanitizeHelper
- def strip_tags_with_untaint(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-
- alias_method_chain :strip_tags, :untaint
-end
11 lib/safe_erb/tag_helper.rb
@@ -1,11 +0,0 @@
-module ActionView
- module Helpers
- module TagHelper
- def escape_once_with_untaint(html)
- escape_once_without_untaint(html).untaint
- end
-
- alias_method_chain :escape_once, :untaint
- end
- end
-end
4 tasks/safe_erb_tasks.rake
@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :safe_erb do
-# # Task goes here
-# end
23 test/safe_erb_test.rb
@@ -1,23 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../../../config/environment')
-require 'test_help'
-
-class SafeERBTest < Test::Unit::TestCase
- def test_non_checking
- src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
- eval(src)
- end
-
- def test_checking
- ERB.with_checking_tainted do
- src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
- assert_raise(RuntimeError) { eval(src) }
- end
- end
-
- def test_checking_non_tainted
- ERB.with_checking_tainted do
- src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
- eval(src)
- end
- end
-end
17 test/tag_helper_test.rb
@@ -1,17 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../../../config/environment')
-require 'test_help'
-
-class TagHelperTest < Test::Unit::TestCase
- include ActionView::Helpers::TagHelper
-
- def test_inclusion_in_taghelper
- assert self.respond_to?(:escape_once_with_untaint)
- assert self.respond_to?(:escape_once_without_untaint)
- end
-
- def test_taghelper_untaints
- evil_str = "evil knievel".taint
- assert !escape_once(evil_str).tainted?
- assert escape_once_without_untaint(evil_str).tainted?
- end
-end