tag params are properly escaped

holli · Feb 14, 2012 · 0d74da2 · 0d74da2
1 parent e7ac91c
commit 0d74da2
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 10 deletions.
diff --git a/lib/comfortable_mexican_sofa/tag.rb b/lib/comfortable_mexican_sofa/tag.rb
@@ -31,10 +31,17 @@ def regex_tag_signature(identifier = nil)
     # First capture group in the regex is the tag identifier
     def initialize_tag(page, tag_signature)
       if match = tag_signature.match(regex_tag_signature)
+
+        params = begin
+          (CSV.parse_line(match[2].to_s, (RUBY_VERSION < '1.9.2' ? ':' : {:col_sep => ':'})) || []).compact
+        rescue
+          []
+        end.map{|p| p.gsub(/\\|'/) { |c| "\\#{c}" } }
+
         tag = self.new
         tag.page        = page
         tag.identifier  = match[1]
-        tag.params      = (CSV.parse_line(match[2].to_s, (RUBY_VERSION < '1.9.2' ? ':' : {:col_sep => ':'})) || []).compact rescue []
+        tag.params      = params
         tag
       end
     end

diff --git a/lib/comfortable_mexican_sofa/tags/helper.rb b/lib/comfortable_mexican_sofa/tags/helper.rb
@@ -1,7 +1,7 @@
 class ComfortableMexicanSofa::Tag::Helper
   include ComfortableMexicanSofa::Tag
 
-  BLACKLIST = %w(eval class_eval instance_eval)
+  BLACKLIST = %w(eval class_eval instance_eval render)
 
   def self.regex_tag_signature(identifier = nil)
     identifier ||= /[\w\-]+/

diff --git a/test/unit/tag_test.rb b/test/unit/tag_test.rb
@@ -266,4 +266,12 @@ def test_content_with_irb_enabled
     assert_equal "<% 1 + 1 %> text <% 2 + 2 %> snippet <%= 2 + 2 %> <%= render :partial => 'path/to' %> <%= method() %> text <%= render :partial => 'partials/cms/snippets', :locals => {:model => 'Cms::Snippet', :identifier => '#{snippet.id}'} %> <%= 1 + 1 %>", page.content
   end
 
+  def test_escaping_of_parameters
+    tag = ComfortableMexicanSofa::Tag::Helper.initialize_tag(
+      cms_pages(:default), '{{cms:helper:h:"\'+User.first.inspect+\'"}}'
+    )
+    assert_equal %{<%= h('\\'+User.first.inspect+\\'') %>}, tag.content
+    assert_equal %{<%= h('\\'+User.first.inspect+\\'') %>}, tag.render
+  end
+
 end
diff --git a/test/unit/tags/helper_test.rb b/test/unit/tags/helper_test.rb
@@ -82,13 +82,5 @@ def test_whitelisted_methods
     assert_equal "<%= invalid('Rails.env') %>", tag.content
     assert_equal nil, tag.render
   end
-
-  def test_escaping_of_parameters
- 	  tag = ComfortableMexicanSofa::Tag::Helper.initialize_tag(
- 	    cms_pages(:default), '{{cms:helper:h:"\'+User.first.inspect+\'"}}'
-    )
- 	  assert_equal %{<%= h('\\'+User.first.inspect+\\'') %>}, tag.content
- 	  assert_equal %{<%= h('\\'+User.first.inspect+\\'') %>}, tag.render
-  end
 
 end