Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

add readme

  • Loading branch information...
commit b7781e6165232972172be2115c8907854f1c8c75 1 parent 6320ea9
@igrigorik authored
Showing with 37 additions and 0 deletions.
  1. +37 −0 README.md
View
37 README.md
@@ -0,0 +1,37 @@
+# Runtime Contextual Autoescaper
+
+A JRuby wrapper for [Mike Samuel's contextual HTML autoescaper](https://github.com/mikesamuel/html-contextual-autoescaper-java). A quick example of the escaper at work:
+
+```ruby
+<% def helper(obj); "Hello, \#{obj['world']}"; end %>
+
+<div style="color: <%= object['color'] %>">
+<a href="/<%= object['color'] %>?q=<%= object['world'] %>" onclick="alert('<%= helper(object) %>');return false"><%= helper(object) %></a>
+<script>(function () { // Sleepy developers put sensitive info in comments.
+ var o = <%= object %>,
+ w = "<%= object['world'] %>";
+})();</script>
+</div>
+```
+
+Let's load the template and execute it:
+```ruby
+template = Erubis::ContextualEruby.new(template_string)
+
+object = {"world" => "<Cincinnati>", "color" => "blue"}
+puts template.result(binding())
+```
+
+Output:
+
+```
+<div style="color: blue">
+<a href="/blue?q=%3cCincinnati%3e" onclick="alert('Hello, \x3cCincinnati\x3e');return false">Hello, &lt;Cincinnati&gt;</a>
+<script>(function () {
+ var o = {'world':'\x3cCincinnati\x3e','color':'blue'},
+ w = "\x3cCincinnati\x3e";
+})();</script>
+</div>
+```
+
+The safe parts are treated as literal chunks of HTML/CSS/JS, the object rendered within a javascript block is automatically encoded into JSON, and appropriate values are automatically escaped (same applies for css, removing extra comments, etc).
Please sign in to comment.
Something went wrong with that request. Please try again.