

Removed all uses of uneval (Mozilla-only), provided a hopefully safe …
…hand-crafted alternative.
darobin authored and ashb committed May 18, 2010
1 parent 46d4582 commit 8e89cac
Showing 1 changed file with 30 additions and 16 deletions.
46 changes: 30 additions & 16 deletions lib/Template.js
Expand Up @@ -317,6 +317,20 @@ Template.prototype = {

};

Template.escapeString = function (str) {
var hexDigits = "0123456789ABCDEF";
var hex = function (d) { return hexDigits[d >> 8] + hexDigits[d & 0x0F]; }
var esc = function (string) {
return string.replace(/[\x00-\x1F'\\]/g,
function (x) {
if (x === "'" || x === "\\") return "\\" + x;
return "\\x" + hex(x.charCodeAt(0));
});
}
if (typeof str === "string") return "'" + esc(str) + "'";
else throw new Template.Exception("escape", "Called escapeString on a non-string: " + str);
};

/** section: Template
* Filters
**/
Expand Down Expand Up @@ -609,7 +623,7 @@ Template.Context.prototype = {

// Default implementation if no file IO.
load_file: function load_file(file) {
throw new Template.Exception("file", uneval(file) + ": not found");
throw new Template.Exception("file", Template.escapeString(file) + ": not found");
},

$catch: function $catch(err) {
Expand Down Expand Up @@ -650,7 +664,7 @@ Template.Context.prototype = {

if (!flt) {
throw new Template.Exception("filter",
uneval(name) + ": not found");
Template.escapeString(name) + ": not found");
}

return flt;
Expand All @@ -669,7 +683,7 @@ try {
f = new fs.rawOpen(file, 'r');
}
catch (e) {
throw new Template.Exception("file", uneval(file) + ": not found");
throw new Template.Exception("file", Template.escapeString(file) + ": not found");
}

return f.readWhole();
Expand Down Expand Up @@ -697,7 +711,7 @@ Template.Parser = function (config) {
self[name] = function Template$Parser$prototype$logCall() {
try {
if (name == 'consumeToken') {
self._logCall(name + '(' + uneval(this.token.literal || this.token.type) + ')');
self._logCall(name + '(' + Template.escapeString(this.token.literal || this.token.type) + ')');

} else if (name == 'assertToken') {
self._logCall(name + '(' + arguments[0].toSource() + ')');
Expand Down Expand Up @@ -772,7 +786,7 @@ Template.Parser.prototype = {
var substr = this.origInput.substr(this.token.position, 10).replace(/\n/g, '\\n');
if (this.token.position + 10 < this.origInput.length)
substr += '...';
throw new Error(msg + " at '" + substr + "' " + uneval(this.token));
throw new Error(msg + " at '" + substr + "' " + Template.escapeString(this.token));
},

log: function(str) {
Expand Down Expand Up @@ -2337,12 +2351,12 @@ Template.Interpreter.prototype = {
switch (term.type) {

case 'TEXT':
return uneval(term.literal);
return Template.escapeString(term.literal);
case 'ident':
return 'ctx.dot_op(' + this.handle_ident_segments(term.segments) + ')';

case 'IDENT':
return "ctx.dot_op(ctx.stash, [" + uneval(term.literal) + "])";
return "ctx.dot_op(ctx.stash, [" + Template.escapeString(term.literal) + "])";
case 'NUMBER':
return parseFloat(term.literal);
case 'LITERAL':
Expand Down Expand Up @@ -2522,11 +2536,11 @@ Template.Interpreter.prototype = {
case 'BLOCK':
var block_name;
if (term.name.type == 'IDENT' || term.name.type == 'FILENAME')
block_name = uneval(term.name.literal);
block_name = Template.escapeString(term.name.literal);
else if (term.name.type == 'LITERAL')
block_name = term.name.literal;
else
throw new Error('Handle ' + uneval(term.name));
throw new Error('Handle ' + Template.escapeString(term.name));

// Blocks can be defined after the are referenced
this.blocks[block_name] = (new Template.Interpreter(term.chunks)).output;
Expand Down Expand Up @@ -2577,7 +2591,7 @@ Template.Interpreter.prototype = {
{
range.push(i);
}
return uneval(range);
return Template.escapeString(range);
}
case 'NEXT':
// This will need fixing for nested loops
Expand Down Expand Up @@ -2664,7 +2678,7 @@ Template.Interpreter.prototype = {
else if (c.signature) {
ret += " ";
if (if_count) { ret += "else " }
ret += "if (ctx.$error_matches($e, " + uneval(c.signature.literal) + ") ) {\n";
ret += "if (ctx.$error_matches($e, " + Template.escapeString(c.signature.literal) + ") ) {\n";
ret += this.walk(c.block).replace(/^/gm, ' ');
ret += "\n }\n";
if_count++;
Expand Down Expand Up @@ -2708,7 +2722,7 @@ Template.Interpreter.prototype = {
var str;
if (term.names.length == 1) {
if (term.names[0].type == 'IDENT' || term.names[0].type == 'FILENAME')
str = uneval(term.names[0].literal);
str = Template.escapeString(term.names[0].literal);
else if (term.names[0].type == 'LITERAL')
str = term.names[0].literal;
else if (term.names[0].type == 'interpret')
Expand All @@ -2718,7 +2732,7 @@ Template.Interpreter.prototype = {
}
}
if (str === undefined)
throw new Error("handle " + uneval(term.names));
throw new Error("handle " + Template.escapeString(term.names));

if (term.args.length > 1 || term.args[0].length) {
str += ", " + this.make_namearg_dict(term.args);
Expand All @@ -2740,7 +2754,7 @@ Template.Interpreter.prototype = {
var arg = [named.shift(), named.shift()];
var name, value;
if (arg[0].type == 'IDENT')
name = uneval(arg[0].literal);
name = Template.escapeString(arg[0].literal);
else
throw new Error("handle");

Expand Down Expand Up @@ -2784,7 +2798,7 @@ Template.Interpreter.prototype = {
for (var i in segs) {
var seg = segs[i];
if (seg.type == 'IDENT') {
var_name.push(uneval(seg.literal));
var_name.push(Template.escapeString(seg.literal));
}
else if (seg.type == 'interpret') {
if (seg.term.type == 'LITERAL') {
Expand All @@ -2803,7 +2817,7 @@ Template.Interpreter.prototype = {
// ctx.dot_op(ctx.dot_op(stash, ['foo','bar'],[1,2,3]), ['baz,'fish'])
var funcName;
if (seg.func.type == 'IDENT')
var_name.push(uneval(seg.func.literal));
var_name.push(Template.escapeString(seg.func.literal));
else if (seg.func.type == 'interpret') {
var_name.push(this.$get_term(seg.func));
}
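Review bot: The hex helper in Template.escapeString (first hunk, `@@ -317`) shifts by 8 instead of 4, so every control character from 0x10 to 0x1F is mis-escaped — 0x1B becomes `\x0B` and 0x10 becomes `\x00`, a NUL in the generated source; the line should read `var hex = function (d) { return hexDigits[(d >> 4) & 0x0F] + hexDigits[d & 0x0F]; }`. The new function also throws on any non-string, yet the RANGE case in hunk `@@ -2577` now passes the `range` array where `uneval` used to emit an array literal, so that branch always fails; something like `return "[" + range.join(", ") + "]";` keeps the old output for the numeric range. The error paths in hunks `@@ -772`, `@@ -2522` and `@@ -2718` likewise pass a token or node object, so the intended `Error` is replaced by a Template.Exception("escape") before its message is built. Since the escaped text is spliced into JavaScript source that is later evaluated, U+2028 and U+2029 should presumably be escaped as well (they terminate a string literal in engines of this era) — adding `\u2028\u2029` to the character class covers it.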

