
changing to micronaut, throwing out some tests, and reducing back to …

…one file. going to split back out after it makes sense. removing rails 1.x support
1 parent 699b485 commit ccfb1cc5747dc3ae546cb430ec9c1918dd74ca09 Aaron Bedra committed Apr 24, 2009
@@ -0,0 +1 @@
+rdoc
@@ -1,4 +1,4 @@
-Copyright (c) 2006 Shinya Kasatani
+Copyright (c) 2006-2009 Shinya Kasatani && Aaron Bedra
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
@@ -1,22 +1,45 @@
require 'rake'
require 'rake/testtask'
require 'rake/rdoctask'
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+require 'micronaut/rake_task'
-desc 'Default: run unit tests.'
-task :default => :test
+desc "Run all micronaut examples"
+Micronaut::RakeTask.new :examples do |t|
+ t.pattern = "examples/**/*_example.rb"
+end
+
+namespace :examples do
+ desc "Run all micronaut examples using rcov"
+ Micronaut::RakeTask.new :coverage do |t|
+ t.pattern = "examples/**/*_example.rb"
+ t.rcov = true
+ t.rcov_opts = %[--exclude "gems/*,/Library/Ruby/*,config/*" --text-summary --sort coverage --no-validator-links]
+ end
+
+ RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2]
+
+ desc "Run exmaples with multiple versions of rails"
+ task :multi_rails do
+ RAILS_VERSIONS.each do |rails_version|
+ puts
+ sh "RAILS_VERSION='#{rails_version}' rake examples"
+ end
+ end
+end
-desc 'Test the safe_erb plugin.'
-Rake::TestTask.new(:test) do |t|
- t.libs << 'lib'
- t.pattern = 'test/**/*_test.rb'
- t.verbose = true
+if ENV["RUN_CODE_RUN"]
+ task :default => "examples:multi_rails"
+else
+ task :default => "examples"
end
desc 'Generate documentation for the safe_erb plugin.'
Rake::RDocTask.new(:rdoc) do |rdoc|
rdoc.rdoc_dir = 'rdoc'
rdoc.title = 'SafeERB'
rdoc.options << '--line-numbers' << '--inline-source'
- rdoc.rdoc_files.include('README')
+ rdoc.rdoc_files.include('README.rdoc')
rdoc.rdoc_files.include('lib/**/*.rb')
end
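Review bot: The task description for `:multi_rails` misspells "examples" (`desc "Run exmaples with multiple versions of rails"`) and will be printed verbatim by `rake -T`. The `RAILS_VERSIONS` list whose entries are interpolated into the `sh` command line is also left mutable; since those strings end up in a shell command, freezing it (`RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2].freeze`) keeps it from being altered at runtime. Nothing in the hunk shows the versions coming from anywhere but this constant, so the interpolation itself is fine as written.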
@@ -0,0 +1,16 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "../" "lib", "safe_erb.rb"))
+
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+
+def not_in_editor?
+ ['TM_MODE', 'EMACS', 'VIM'].all? { |k| !ENV.has_key?(k) }
+end
+
+Micronaut.configure do |c|
+ c.alias_example_to :fit, :focused => true
+ c.alias_example_to :xit, :disabled => true
+ c.mock_with :mocha
+ c.color_enabled = not_in_editor?
+ c.filter_run :focused => true
+end
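Review bot: The path on the first line relies on adjacent-string-literal concatenation — `"../" "lib"` is parsed as `"../lib"` — which reads like a missing comma and invites the next editor to "fix" it into a different path. Passing the components explicitly, `File.join(File.dirname(__FILE__), "..", "lib", "safe_erb.rb")`, yields the same path without the ambiguity. `not_in_editor?` would also read more directly as `%w[TM_MODE EMACS VIM].none? { |k| ENV.key?(k) }`, though that is style only.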
@@ -0,0 +1,31 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "example_helper.rb"))
+
+describe "Safe ERB" do
+
+ describe "render_with_checking_tainted" do
+ it "test checking" do
+ ERB.with_checking_tainted do
+ src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+ lambda { eval(src) }.should raise_error(RuntimeError)
+ end
+ end
+
+ it "test checking non tainted" do
+ ERB.with_checking_tainted do
+ src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
+ lambda { eval(src) }.should_not raise_error
+ end
+ end
+ end
+
+ describe "Tag Helper Tests" do
+ include ActionView::Helpers::TagHelper
+
+ it "test taghelper untaints" do
+ evil_str = "evil knievel".taint
+ escape_once(evil_str).should_not be_tainted
+ escape_once_without_untaint(evil_str).should be_tainted
+ end
+ end
+
+end
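Review bot: The expectation in "test checking" accepts any `RuntimeError`, so the example still passes if `eval(src)` fails for an unrelated reason rather than because tainted output was blocked; matching the message pins the intended behaviour: `lambda { eval(src) }.should raise_error(RuntimeError, /tainted string/)`. That message text comes from `String#concat_unless_tainted` in the consolidated lib/safe_erb.rb in this same commit. The "Tag Helper Tests" group only covers `escape_once`; `strip_tags` and `html_escape`/`h`, which the library also untaints, have no example here, and the Rails 1.x examples dropped by this commit are not replaced by anything equivalent.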
@@ -1,3 +1 @@
-# Include hook code here
-
require 'safe_erb'
@@ -1 +1 @@
-# Install hook code here
+
@@ -1,10 +1,114 @@
-# SafeERB
+require 'erb'
+require 'action_controller'
+require 'action_view'
-require 'safe_erb/common'
-require 'safe_erb/tag_helper'
+class ActionController::Base
+ # Object#taint is set when the request comes from FastCGI or WEBrick,
+ # but it is not set in Mongrel and also functional / integration testing
+ # so we'll set it anyways in the filter
+ before_filter :taint_request
+
+ def render_with_checking_tainted(*args, &blk)
+ if @skip_checking_tainted
+ render_without_checking_tainted(*args, &blk)
+ else
+ ERB.with_checking_tainted do
+ render_without_checking_tainted(*args, &blk)
+ end
+ end
+ end
-if Rails::VERSION::MAJOR >= 2
- require 'safe_erb/rails_2'
-else
- require 'safe_erb/rails_1'
+ alias_method_chain :render, :checking_tainted
+
+ private
+
+ def taint_hash(hash)
+ hash.each do |k, v|
+ case v
+ when String
+ v.taint
+ when Hash
+ taint_hash(v)
+ end
+ end
+ end
+
+ def taint_request
+ taint_hash(params)
+ cookies.each do |k, v|
+ v.taint
+ end
+ end
+end
+
+class String
+ def concat_unless_tainted(str)
+ raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
+ concat(str)
+ end
end
+
+class ERB
+ cattr_accessor :check_tainted
+ alias_method :original_set_eoutvar, :set_eoutvar
+
+ def self.with_checking_tainted(&block)
+ # not thread safe
+ ERB.check_tainted = true
+ begin
+ yield
+ ensure
+ ERB.check_tainted = false
+ end
+ end
+
+ def set_eoutvar(compiler, eoutvar = '_erbout')
+ original_set_eoutvar(compiler, eoutvar)
+ if check_tainted
+ if compiler.respond_to?(:insert_cmd)
+ compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
+ else
+ compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
+ end
+ end
+ end
+
+ module Util
+ alias_method :html_escape_without_untaint, :html_escape
+
+ def html_escape(s)
+ h = html_escape_without_untaint(s)
+ h.untaint
+ h
+ end
+
+ alias_method :h, :html_escape
+
+ module_function :h
+ module_function :html_escape
+ module_function :html_escape_without_untaint
+ end
+end
+
+module ActionView::Helpers::SanitizeHelper
+ def strip_tags_with_untaint(html)
+ str = strip_tags_without_untaint(html)
+ str.untaint
+ str
+ end
+
+ alias_method_chain :strip_tags, :untaint
+end
+
+module ActionView
+ module Helpers
+ module TagHelper
+ def escape_once_with_untaint(html)
+ escape_once_without_untaint(html).untaint
+ end
+
+ alias_method_chain :escape_once, :untaint
+ end
+ end
+end
+
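Review bot: `taint_hash` in `ActionController::Base` only taints `String` values and recurses into `Hash` values, so parameters that Rails parses into an `Array` (the `name[]=` form) are never marked tainted and pass `concat_unless_tainted` untouched; adding a branch `when Array` / `v.each { |e| e.is_a?(Hash) ? taint_hash(e) : e.taint }` closes that gap. Separately, `ERB.with_checking_tainted` sets `check_tainted` back to `false` in its `ensure` regardless of the value on entry, so a nested call switches checking off for the remainder of the outer block; saving the prior value (`previous = ERB.check_tainted` before the assignment and `ERB.check_tainted = previous` in the `ensure`) keeps the outer scope intact, and the existing `# not thread safe` comment would be more useful expanded to say that the flag is class-level state shared by every thread in the process. The `raise` in `String#concat_unless_tainted` also interpolates the entire tainted value into the exception message, which then flows into logs and error pages; naming the offending output location rather than echoing the untrusted string would carry less request-controlled content into those sinks.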
@@ -1,93 +0,0 @@
-# SafeERB
-
-require 'erb'
-require 'action_controller'
-require 'action_view'
-
-class ActionController::Base
- # Object#taint is set when the request comes from FastCGI or WEBrick,
- # but it is not set in Mongrel and also functional / integration testing
- # so we'll set it anyways in the filter
- before_filter :taint_request
-
- def render_with_checking_tainted(*args, &blk)
- if @skip_checking_tainted
- render_without_checking_tainted(*args, &blk)
- else
- ERB.with_checking_tainted do
- render_without_checking_tainted(*args, &blk)
- end
- end
- end
-
- alias_method_chain :render, :checking_tainted
-
- private
-
- def taint_hash(hash)
- hash.each do |k, v|
- case v
- when String
- v.taint
- when Hash
- taint_hash(v)
- end
- end
- end
-
- def taint_request
- taint_hash(params)
- cookies.each do |k, v|
- v.taint
- end
- end
-end
-
-class String
- def concat_unless_tainted(str)
- raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
- concat(str)
- end
-end
-
-class ERB
- cattr_accessor :check_tainted
- alias_method :original_set_eoutvar, :set_eoutvar
-
- def self.with_checking_tainted(&block)
- # not thread safe
- ERB.check_tainted = true
- begin
- yield
- ensure
- ERB.check_tainted = false
- end
- end
-
- def set_eoutvar(compiler, eoutvar = '_erbout')
- original_set_eoutvar(compiler, eoutvar)
- if check_tainted
- if compiler.respond_to?(:insert_cmd)
- compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
- else
- compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
- end
- end
- end
-
- module Util
- alias_method :html_escape_without_untaint, :html_escape
-
- def html_escape(s)
- h = html_escape_without_untaint(s)
- h.untaint
- h
- end
-
- alias_method :h, :html_escape
-
- module_function :h
- module_function :html_escape
- module_function :html_escape_without_untaint
- end
-end
@@ -1,11 +0,0 @@
-# Rails 1.x dependent code (tested on 1.2.6)
-
-module ActionView::Helpers::TextHelper
- alias_method :strip_tags_without_untaint, :strip_tags
-
- def strip_tags(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-end
@@ -1,11 +0,0 @@
-# Rails 2.0 dependent code (tested on 2.0.2)
-
-module ActionView::Helpers::SanitizeHelper
- def strip_tags_with_untaint(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-
- alias_method_chain :strip_tags, :untaint
-end
@@ -1,11 +0,0 @@
-module ActionView
- module Helpers
- module TagHelper
- def escape_once_with_untaint(html)
- escape_once_without_untaint(html).untaint
- end
-
- alias_method_chain :escape_once, :untaint
- end
- end
-end
@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :safe_erb do
-# # Task goes here
-# end