changing to micronaut, throwing out some tests, and reducing back to one file. going to split back out after it makes sense. removing rails 1.x support
Aaron Bedra
committed
Apr 24, 2009
1 parent
699b485
commit ccfb1cc
Showing
15 changed files
with
192 additions
and
189 deletions.
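--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1 @@
+rdoc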
@@ -1,22 +1,45 @@ | ||
require 'rake' | ||
require 'rake/testtask' | ||
require 'rake/rdoctask' | ||
gem "spicycode-micronaut", ">= 0.2.4" | ||
require 'micronaut' | ||
require 'micronaut/rake_task' | ||
|
||
desc 'Default: run unit tests.' | ||
task :default => :test | ||
desc "Run all micronaut examples" | ||
Micronaut::RakeTask.new :examples do |t| | ||
t.pattern = "examples/**/*_example.rb" | ||
end | ||
|
||
namespace :examples do | ||
desc "Run all micronaut examples using rcov" | ||
Micronaut::RakeTask.new :coverage do |t| | ||
t.pattern = "examples/**/*_example.rb" | ||
t.rcov = true | ||
t.rcov_opts = %[--exclude "gems/*,/Library/Ruby/*,config/*" --text-summary --sort coverage --no-validator-links] | ||
end | ||
|
||
RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2] | ||
|
||
desc "Run exmaples with multiple versions of rails" | ||
task :multi_rails do | ||
RAILS_VERSIONS.each do |rails_version| | ||
puts | ||
sh "RAILS_VERSION='#{rails_version}' rake examples" | ||
end | ||
end | ||
end | ||
|
||
desc 'Test the safe_erb plugin.' | ||
Rake::TestTask.new(:test) do |t| | ||
t.libs << 'lib' | ||
t.pattern = 'test/**/*_test.rb' | ||
t.verbose = true | ||
if ENV["RUN_CODE_RUN"] | ||
task :default => "examples:multi_rails" | ||
else | ||
task :default => "examples" | ||
end | ||
|
||
desc 'Generate documentation for the safe_erb plugin.' | ||
Rake::RDocTask.new(:rdoc) do |rdoc| | ||
rdoc.rdoc_dir = 'rdoc' | ||
rdoc.title = 'SafeERB' | ||
rdoc.options << '--line-numbers' << '--inline-source' | ||
rdoc.rdoc_files.include('README') | ||
rdoc.rdoc_files.include('README.rdoc') | ||
rdoc.rdoc_files.include('lib/**/*.rb') | ||
end |
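Review bot: The description on the multi-rails task, `desc "Run exmaples with multiple versions of rails"`, has a typo that shows up verbatim in `rake -T`; it should read `desc "Run examples with multiple versions of rails"`. `RAILS_VERSIONS` is a mutable constant and would be safer as `RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2].freeze`. `gem "spicycode-micronaut", ">= 0.2.4"` is an open-ended floor (repeated in the examples helper file in this commit), so any future release of the gem is pulled in without review; a pessimistic constraint such as `"~> 0.2.4"` keeps the test toolchain reproducible. Because `sh` raises on a non-zero exit, the first Rails version whose run fails aborts `examples:multi_rails` before the remaining versions are exercised; if a full matrix result is wanted, the loop would need to collect failures and raise once at the end.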
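--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,16 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "../" "lib", "safe_erb.rb"))
+
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+
+def not_in_editor?
+['TM_MODE', 'EMACS', 'VIM'].all? { |k| !ENV.has_key?(k) }
+end
+
+Micronaut.configure do |c|
+c.alias_example_to :fit, :focused => true
+c.alias_example_to :xit, :disabled => true
+c.mock_with :mocha
+c.color_enabled = not_in_editor?
+c.filter_run :focused => true
+end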
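Review bot: The first line builds the library path with `"../" "lib"`, which is adjacent-string-literal concatenation and evaluates to `"../lib"`; it works, but it reads like a dropped comma and is clearer as `File.join(File.dirname(__FILE__), "..", "lib", "safe_erb.rb")`. `not_in_editor?` is defined at top level, so it becomes a private method on every object in the example process; wrapping it in a small module (`module ExampleEnv; def self.in_editor?; ...; end; end`) keeps the helper namespaced. A one-line comment above `c.filter_run :focused => true` saying that `fit` narrows the run to focused examples would save the next reader from wondering why most examples stop running after someone leaves a `fit` behind.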
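--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "example_helper.rb"))
+
+describe "Safe ERB" do
+
+describe "render_with_checking_tainted" do
+it "test checking" do
+ERB.with_checking_tainted do
+src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+lambda { eval(src) }.should raise_error(RuntimeError)
+end
+end
+
+it "test checking non tainted" do
+ERB.with_checking_tainted do
+src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
+lambda { eval(src) }.should_not raise_error
+end
+end
+end
+
+describe "Tag Helper Tests" do
+include ActionView::Helpers::TagHelper
+
+it "test taghelper untaints" do
+evil_str = "evil knievel".taint
+escape_once(evil_str).should_not be_tainted
+escape_once_without_untaint(evil_str).should be_tainted
+end
+end
+
+end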
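Review bot: The "test checking" example asserts only `raise_error(RuntimeError)`, so any RuntimeError raised while evaluating the compiled template, not just the tainted-output check, would make it pass; pinning the message with `lambda { eval(src) }.should raise_error(RuntimeError, /tainted/)` ties the example to the behaviour under test, assuming Micronaut's matcher accepts a message pattern as RSpec's does. The tainted input is produced by `File.open(...).read`, so the example relies on the interpreter marking data read from IO as tainted rather than on anything in the library; a short comment saying so, e.g. `# file contents are tainted by the interpreter, so the compiled template must refuse to output them`, would make the dependency explicit. The example names "test checking" and "test checking non tainted" carry over the old test-method naming; Micronaut examples read better as sentences, e.g. `it "raises when tainted output reaches the template"`.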
@@ -1,3 +1 @@ | ||
# Include hook code here | ||
|
||
require 'safe_erb' |
@@ -1 +1 @@ | ||
# Install hook code here | ||
|
@@ -1,10 +1,114 @@ | ||
# SafeERB | ||
require 'erb' | ||
require 'action_controller' | ||
require 'action_view' | ||
|
||
require 'safe_erb/common' | ||
require 'safe_erb/tag_helper' | ||
class ActionController::Base | ||
# Object#taint is set when the request comes from FastCGI or WEBrick, | ||
# but it is not set in Mongrel and also functional / integration testing | ||
# so we'll set it anyways in the filter | ||
before_filter :taint_request | ||
|
||
def render_with_checking_tainted(*args, &blk) | ||
if @skip_checking_tainted | ||
render_without_checking_tainted(*args, &blk) | ||
else | ||
ERB.with_checking_tainted do | ||
render_without_checking_tainted(*args, &blk) | ||
end | ||
end | ||
end | ||
|
||
if Rails::VERSION::MAJOR >= 2 | ||
require 'safe_erb/rails_2' | ||
else | ||
require 'safe_erb/rails_1' | ||
alias_method_chain :render, :checking_tainted | ||
|
||
private | ||
|
||
def taint_hash(hash) | ||
hash.each do |k, v| | ||
case v | ||
when String | ||
v.taint | ||
when Hash | ||
taint_hash(v) | ||
end | ||
end | ||
end | ||
|
||
def taint_request | ||
taint_hash(params) | ||
cookies.each do |k, v| | ||
v.taint | ||
end | ||
end | ||
end | ||
|
||
class String | ||
def concat_unless_tainted(str) | ||
raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted? | ||
concat(str) | ||
end | ||
end | ||
|
||
class ERB | ||
cattr_accessor :check_tainted | ||
alias_method :original_set_eoutvar, :set_eoutvar | ||
|
||
def self.with_checking_tainted(&block) | ||
# not thread safe | ||
ERB.check_tainted = true | ||
begin | ||
yield | ||
ensure | ||
ERB.check_tainted = false | ||
end | ||
end | ||
|
||
def set_eoutvar(compiler, eoutvar = '_erbout') | ||
original_set_eoutvar(compiler, eoutvar) | ||
if check_tainted | ||
if compiler.respond_to?(:insert_cmd) | ||
compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted" | ||
else | ||
compiler.put_cmd = "#{eoutvar}.concat_unless_tainted" | ||
end | ||
end | ||
end | ||
|
||
module Util | ||
alias_method :html_escape_without_untaint, :html_escape | ||
|
||
def html_escape(s) | ||
h = html_escape_without_untaint(s) | ||
h.untaint | ||
h | ||
end | ||
|
||
alias_method :h, :html_escape | ||
|
||
module_function :h | ||
module_function :html_escape | ||
module_function :html_escape_without_untaint | ||
end | ||
end | ||
|
||
module ActionView::Helpers::SanitizeHelper | ||
def strip_tags_with_untaint(html) | ||
str = strip_tags_without_untaint(html) | ||
str.untaint | ||
str | ||
end | ||
|
||
alias_method_chain :strip_tags, :untaint | ||
end | ||
|
||
module ActionView | ||
module Helpers | ||
module TagHelper | ||
def escape_once_with_untaint(html) | ||
escape_once_without_untaint(html).untaint | ||
end | ||
|
||
alias_method_chain :escape_once, :untaint | ||
end | ||
end | ||
end | ||
|
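Review bot: `taint_hash` only handles String and Hash values, so parameters that arrive as arrays (`ids[]=...`, or a nested `user[roles][]`) are never tainted by `taint_request` and can reach a template without tripping `concat_unless_tainted`; adding `when Array then v.each { |e| e.is_a?(Hash) ? taint_hash(e) : e.taint }` to the `case` closes that gap. `ERB.with_checking_tainted` unconditionally sets the class-wide flag back to `false` in its `ensure` instead of restoring the previous value, so a nested call (for example a `render_to_string` issued inside a render) appears to switch checking off for the remainder of the outer render; saving `previous = ERB.check_tainted` before assigning `true` and restoring `previous` in `ensure` keeps nesting safe. The flag is only consulted in `set_eoutvar`, i.e. at template compile time, so whether a compiled template checks taint seems to depend on the flag's value when that template was first compiled; if that is intended it deserves a comment next to `cattr_accessor :check_tainted`. The message in `concat_unless_tainted` embeds the untrusted string itself, which then lands in logs and error pages; reporting only a truncated or escaped excerpt would avoid echoing attacker-controlled content there.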