basic contextual autoescape wrapper for eruby + jruby
Showing
8 changed files
with
134 additions
and
6 deletions.
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -1 +1,11 @@ | |||
require 'bundler/gem_tasks' | require 'bundler/gem_tasks' | ||
require 'rspec/core/rake_task' | |||
|
|||
task :default => [:spec] | |||
task :test => [:spec] | |||
|
|||
desc "run spec tests" | |||
RSpec::Core::RakeTask.new('spec') do |t| | |||
t.pattern = 'spec/**_spec.rb' | |||
end | |||
|
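Review bot: The glob `spec/**_spec.rb` assigned to `t.pattern` only matches files directly under `spec/`, because Ruby's `Dir.glob` treats `**` as a plain `*` unless it is followed by `/`, so specs placed in subdirectories are silently never run. That is easy to miss since rake still exits green with a partial suite. Use the conventional form `t.pattern = 'spec/**/*_spec.rb'`.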
Binary file not shown.
Binary file not shown.
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -1,5 +1,3 @@ | |||
require "contextual/version" | require "contextual/version" | ||
require "contextual/contextual" | |||
|
|
||
module Contextual | |||
# Your code goes here... | |||
end |
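--- /dev/null
+++ b/lib/contextual/contextual.rb
@@ -0,0 +1,82 @@
+require "java"
+require "ext/guava"
+require "ext/autoesc"
+
+java_import com.google.autoesc.HTMLEscapingWriter
+
+require "rubygems"
+require "erubis"
+
+module Erubis
+module ContextualEscapeEnhancer
+
+def self.desc # :nodoc:
+"switch '<%= %>' to escaped and '<%== %>' to unescaped"
+end
+
+def add_expr(src, code, indicator)
+case indicator
+when '='
+@escape ? add_expr_literal(src, code) : add_expr_escaped(src, code)
+when '=='
+@escape ? add_expr_escaped(src, code) : add_expr_literal(src, code)
+when '==='
+add_expr_debug(src, code)
+end
+end
+
+def add_text(src, text)
+src << " #{@bufvar}.writeSafe '" << text << "';" unless text.empty?
+end
+
+def add_stmt(src, code)
+src << code
+src << ';' unless code[-1] == ?\n
+end
+
+def add_expr_literal(src, code)
+src << " #{@bufvar}.writeSafe(" << code << ').to_s;'
+end
+
+def add_expr_escaped(src, code)
+src << " #{@bufvar}.write((" << code << ').to_s);'
+end
+end
+
+class ContextualBuffer
+def initialize
+@writer = java.io.StringWriter.new
+@buf = HTMLEscapingWriter.new(@writer)
+end
+
+def writeSafe(code)
+@buf.writeSafe(code)
+end
+
+def write(code)
+@buf.write(code)
+end
+
+def to_s
+@writer.to_s
+end
+
+def close
+@writer.close
+end
+end
+
+class ContextualEruby < Eruby
+include ContextualEscapeEnhancer
+
+def add_preamble(src)
+src << "#{@bufvar} = Erubis::ContextualBuffer.new; "
+end
+
+def add_postamble(src)
+src << "\n" unless src[-1] == ?\n
+src << "#{@bufvar}.close\n"
+src << "#{@bufvar}.to_s\n"
+end
+end
+end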
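Review bot: `add_text` splices the template's literal text into a single-quoted Ruby string with no escaping (`src << " #{@bufvar}.writeSafe '" << text << "';"`), so any `'` or `\` in static markup — an `href='…'` attribute, an apostrophe in prose — either makes the generated source a syntax error or, because that source is later evaluated, lets template text escape the string and run as Ruby; stock Erubis runs the text through `escape_text` first, so this should read `src << " #{@bufvar}.writeSafe '" << escape_text(text) << "';" unless text.empty?`. In `add_expr_literal` the `.to_s` is applied to the return value of `writeSafe`, not to the expression, so `<%== 42 %>` hands a non-String to the Java `writeSafe` call, unlike `add_expr_escaped` which stringifies first; make it `src << " #{@bufvar}.writeSafe((" << code << ').to_s);'`. Since `writeSafe` is the verbatim bypass, `<%== %>` is the one place where untrusted data can regain XSS in a template compiled with this enhancer; a comment above `add_expr` saying exactly that (and that `@escape` flips the two directives) would help reviewers of templates. The `require "ext/guava"` and `require "ext/autoesc"` lines appear to load the two binaries added in this commit; noting their upstream versions and checksums somewhere in the repo would make those vendored jars auditable.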
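--- /dev/null
+++ b/spec/contextual_spec.rb
@@ -0,0 +1,35 @@
+require "contextual"
+
+describe Contextual do
+
+it "should escape unsafe content" do
+t = Erubis::ContextualEruby.new(" \
+<% elements.each do |e| %> \
+<%= e %> \
+<% end %> \
+")
+
+elements = ['<script>', '&bar', 'style="test"']
+res = t.result(binding())
+
+res.should match('<script>')
+res.should match('&bar')
+res.should match('style="test"')
+end
+
+it "should preserve safe content" do
+t = Erubis::ContextualEruby.new("<ul><%= '<script>' %></ul>")
+t.result.should match('<ul><script></ul>')
+end
+
+it "should allow explicit safe content" do
+t = Erubis::ContextualEruby.new("<ul><%== '<script>' %></ul>")
+t.result.should match('<ul><script></ul>')
+end
+
+it "should skip comments" do
+t = Erubis::ContextualEruby.new("<%# some comment %>")
+t.result.should be_empty
+end
+
+end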
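Review bot: Every assertion here exercises only the HTML text context, while the feature under test is contextual escaping; at minimum add one template with an expression inside an attribute value (`<a href="<%= url %>">`) and one inside a `<script>` block, so a regression in the writer's context tracking is caught. The "should escape unsafe content" case also only checks that escaped text is present; a negative assertion such as `res.should_not include('<script>')` is what actually proves the raw value never reached the output. As printed on this page the expected strings look entity-decoded — the `<%= '<script>' %>` case and the `<%== '<script>' %>` case both expect `<ul><script></ul>`, which cannot both hold — so please confirm the committed file says `&lt;script&gt;` for the `<%=` case; its name "should preserve safe content" is also misleading for the escaped directive and could be "should escape by default". Prefer `include` over `match` with a String argument, since `match` compiles the string as a regexp.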