
cleaning up after the refactoring

dan-manges committed Sep 26, 2008
1 parent 4746583 commit 13209460aa10b9c726b5b9e3bc9d2785e04726d3
@@ -6,7 +6,7 @@ Rake::TestTask.new do |t|
t.pattern = "test/**/*_test.rb"
end
-RAILS_VERSIONS = %w[2.1.1 2.1.0 2.0.2] # 1.2.6
+RAILS_VERSIONS = %w[2.1.1 2.1.0 2.0.2]
namespace :test do
desc "test with multiple versions of rails"
@@ -9,7 +9,6 @@
ActionController::Base.send :include, XssKiller::ActionControllerExtension
module XssKiller
- @records_to_escape = []
@rendering = false
def self.render_format
@@ -20,13 +19,14 @@ def self.rendering?
@rendering
end
+ def self.rendering_html?
+ @rendering && @render_format == :html
+ end
+
def self.rendering(format, template, &block)
@template = template
@render_format = format
@rendering = true
- while record = @records_to_escape.shift
- record.kill_xss(template) if format == :html
- end
yield
ensure
@render_format = nil
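Review bot: The `ensure` clause of `rendering` clears `@render_format` to nil instead of restoring whatever it was before, so if one `rendering` call ever nests inside another (a `render_to_string` issued from inside an already-wrapped render, for example) the inner call's cleanup leaves the outer one with `rendering_html?` false and every attribute read for the rest of that template goes out unescaped. I cannot tell from this hunk whether such nesting can occur, but saving and restoring the three module ivars makes the guard robust to it at no cost; the `ensure` clause continues past the end of the hunk, and with the restore below its remaining assignments become redundant. Since these are module-level instance variables they are process-global state — fine under Rails 2.1's single-threaded dispatch, but a comment such as `# process-global render state; not safe for threaded dispatch` would warn whoever enables a threaded server later.
```ruby
def self.rendering(format, template, &block)
  previous = [@template, @render_format, @rendering]
  @template, @render_format, @rendering = template, format, true
  yield
ensure
  # restore rather than clear, so a nested call cannot switch escaping off for its caller
  @template, @render_format, @rendering = previous
  # … rest of ensure clause (outside the hunk) …
```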
@@ -18,11 +18,9 @@ def render_with_xss_killer(options = nil, extra_options = {}, &block)
if options # explicit render
mime_type = response.content_type ? Mime::Type.lookup(response.content_type.to_s).to_sym : Mime::HTML.to_sym
else # implicit render
- if Rails::VERSION::MAJOR == 2 && Rails::VERSION::MINOR == 1
- handler = ActionView::Template.new(@template, default_template_name, true).handler.class
- elsif Rails::VERSION::MAJOR == 2 && Rails::VERSION::MINOR == 0
- ext = @template.send :find_template_extension_for, default_template_name
- handler = ActionView::Base.handler_for_extension(ext)
+ handler_method = "handler_for_rails_#{Rails::VERSION::MAJOR}_#{Rails::VERSION::MINOR}"
+ if respond_to?(handler_method)
+ handler = send(handler_method)
else
raise "Rails #{Rails::VERSION::STRING} is not supported"
end
@@ -33,5 +31,14 @@ def render_with_xss_killer(options = nil, extra_options = {}, &block)
render_without_xss_killer options, extra_options, &block
end
end
+
+ def handler_for_rails_2_1
+ ActionView::Template.new(@template, default_template_name, true).handler.class
+ end
+
+ def handler_for_rails_2_0
+ ext = @template.send :find_template_extension_for, default_template_name
+ ActionView::Base.handler_for_extension(ext)
+ end
end
end
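Review bot: `handler_for_rails_2_1` and `handler_for_rails_2_0` are added as public instance methods of every controller (this module is mixed into ActionController::Base), which puts them on each controller's public surface and reachable through the `send` on a computed name; Rails 2.x's `action_methods` excludes Base's own public methods from routing, so they are most likely not routable as actions, but making them private costs nothing. Put `private` above `def handler_for_rails_2_1` and change the dispatch line to `if respond_to?(handler_method, true)`, because `respond_to?` ignores private methods unless told otherwise. The handler name is built only from `Rails::VERSION` constants, never from request data, so the `send` itself is not an injection point. A one-line comment on the dispatch, `# version-specific template-handler lookup; add handler_for_rails_X_Y for new releases`, would spare the next maintainer the search.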
@@ -3,6 +3,10 @@ module ActiveRecordExtension
module ClassMethods
def kills_xss(options = {})
@xss_killer_options = options
+ @xss_killer_options[:allow_injection] ||= []
+ @xss_killer_options[:allow_injection].map!(&:to_s)
+ @xss_killer_options[:sanitize] ||= []
+ @xss_killer_options[:sanitize].map!(&:to_s)
@kill_xss = true
end
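Review bot: `kills_xss` stores the caller's options hash and then mutates it in place — the `||=` writes default arrays into it and `map!` rewrites the arrays the caller passed, which corrupts any array shared between models and raises if a frozen constant was handed in. Normalise into a copy instead: `@xss_killer_options = options.dup`, then `@xss_killer_options[:allow_injection] = Array(options[:allow_injection]).map(&:to_s)` and the same for `:sanitize`; `Array()` also accepts a single column name. A comment above the method stating that columns under `:allow_injection` are rendered with no escaping at all, and that `:allow_injection` wins when a column appears in both lists (it is tested first in `kill_xss`), would make the security contract explicit at the point where it is declared.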
@@ -18,13 +22,10 @@ def xss_killer_options
def kill_xss(column_name, value)
return value unless value.is_a?(String)
return value unless self.class.kill_xss?
- return value unless XssKiller.rendering?
- return value unless XssKiller.render_format == :html
- if self.class.xss_killer_options[:allow_injection] &&
- self.class.xss_killer_options[:allow_injection].map(&:to_s).include?(column_name.to_s)
+ return value unless XssKiller.rendering_html?
+ if self.class.xss_killer_options[:allow_injection].include?(column_name.to_s)
value
- elsif self.class.xss_killer_options[:sanitize] &&
- self.class.xss_killer_options[:sanitize].map(&:to_s).include?(column_name.to_s)
+ elsif self.class.xss_killer_options[:sanitize].include?(column_name.to_s)
sanitized = XssKiller.template.sanitize value
formatted = XssKiller.template.simple_format sanitized
else
@@ -10,18 +10,13 @@ def self.included(base)
def define_read_method_with_xss_killing(symbol, attr_name, column)
define_read_method_without_xss_killing symbol, attr_name, column
if column.type == :string || column.type == :text
- alias_method "#{attr_name}_without_xss_killing", attr_name
class_eval <<-END, __FILE__, __LINE__
def #{attr_name}_with_xss_killing
value = #{attr_name}_without_xss_killing
- if respond_to?(:kill_xss)
- kill_xss #{column.name.inspect}, value
- else
- value
- end
+ kill_xss #{column.name.inspect}, value
end
END
- alias_method attr_name, "#{attr_name}_with_xss_killing"
+ alias_method_chain attr_name, "xss_killing"
end
end
end
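Review bot: With the `respond_to?(:kill_xss)` guard removed, the generated `#{attr_name}_with_xss_killing` reader now calls `kill_xss` unconditionally, so every class whose readers pass through `define_read_method_with_xss_killing` must have `kill_xss` mixed in; the `included` hook that wires this up starts above the hunk, so I cannot confirm that from here. Worth documenting for users of the plugin: only the generated reader for `:string`/`:text` columns is wrapped, so `read_attribute`, `self[:col]`, `attributes` and serializers such as `to_xml` appear to bypass `kill_xss` entirely even during HTML rendering — a comment on the method such as `# only the generated reader is wrapped; read_attribute/[]/attributes/to_xml bypass kill_xss` would mark that boundary. Because the call to `define_read_method_without_xss_killing` redefines the raw reader before `alias_method_chain` re-aliases it, repeated invocations for the same attribute should stay idempotent rather than recurse; a short comment saying so would save a future reader the worry.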
