Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

runtime contextual HTML autoescaper

tag: v0.0.1

Fetching latest commit…

Cannot retrieve the latest commit at this time

README.md

Runtime Contextual Autoescaper

A JRuby wrapper for Mike Samuel's contextual HTML autoescaper. Same one as used by Google's Closure Templates.

Example

First, let's define an Erb template:

<% def helper(obj); "Hello, #{obj['world']}"; end %>

<div style="color: <%= object['color'] %>">
<a href="/<%= object['color'] %>?q=<%= object['world'] %>" onclick="alert('<%= helper(object) %>');return false"><%= helper(object) %></a>
<script>(function () {  // Sleepy developers put sensitive info in comments.
 var o = <%= object %>,
 w = "<%= object['world'] %>";
})();</script>
</div>

Let's load the template and execute it:

template = Erubis::ContextualEruby.new(template_string)

object = {"world" => "<Cincinnati>", "color" => "blue"}
puts template.result(binding())

Output:

<div style="color: blue">
<a href="/blue?q=%3cCincinnati%3e" onclick="alert('Hello, \x3cCincinnati\x3e');return false">Hello, &lt;Cincinnati&gt;</a>
<script>(function () {
 var o = {'world':'\x3cCincinnati\x3e','color':'blue'},
 w = "\x3cCincinnati\x3e";
})();</script>
</div>

The safe parts are treated as literal chunks of HTML/CSS/JS, the query string parameters are auto URI encoded, same data is also auto escaped within the JS block, and the rendered object within the javascript block is automatically converted to JSON! Additionally, extra comments are removed, data is properly HTML escaped, and so forth.

Contextual will also automatically strip variety of injection cases for JS, CSS, and HTML, and give you a dozen other features for free.

Something went wrong with that request. Please try again.