100644 121 lines (97 sloc) 3.46 KB

```ruby
require 'action_dispatch/http/mime_type'
require 'erubis'

module ActionView
  class Template
    module Handlers
      class Erubis < ::Erubis::Eruby
        def add_preamble(src)
          src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
        end

        # Literal template text is trusted and appended without escaping.
        def add_text(src, text)
          return if text.empty?
          src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
        end

        # Erubis toggles <%= and <%== behavior when escaping is enabled.
        # We override to always treat <%== as escaped.
        def add_expr(src, code, indicator)
          case indicator
          when '=='
            add_expr_escaped(src, code)
          else
            super
          end
        end

        BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/

        # <%= %>: OutputBuffer#append= HTML-escapes the value unless it is html_safe?.
        def add_expr_literal(src, code)
          if code =~ BLOCK_EXPR
            src << '@output_buffer.append= ' << code
          else
            src << '@output_buffer.append= (' << code << ');'
          end
        end

        # <%== %>: safe_concat appends the value verbatim (raw output, no escaping).
        def add_expr_escaped(src, code)
          if code =~ BLOCK_EXPR
            src << "@output_buffer.safe_append= " << code
          else
            src << "@output_buffer.safe_concat((" << code << ").to_s);"
          end
        end

        def add_postamble(src)
          src << '@output_buffer.to_s'
        end
      end

      class ERB
        # Specify trim mode for the ERB compiler. Defaults to '-'.
        # See ERB documentation for suitable values.
        class_attribute :erb_trim_mode
        self.erb_trim_mode = '-'

        # Default implementation used.
        class_attribute :erb_implementation
        self.erb_implementation = Erubis

        # Do not escape templates of these mime types.
        class_attribute :escape_whitelist
        self.escape_whitelist = ["text/plain"]

        # ENCODING_FLAG is defined on ActionView::Template; its capture group for the
        # encoding name becomes $2 after a match against this tag.
        ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*")

        def self.call(template)
          new.call(template)
        end

        def supports_streaming?
          true
        end

        def handles_encoding?
          true
        end

        def call(template)
          # First, convert to BINARY, so in case the encoding is
          # wrong, we can still find an encoding tag
          # (<%# encoding %>) inside the String using a regular
          # expression
          template_source = template.source.dup.force_encoding(Encoding::ASCII_8BIT)

          erb = template_source.gsub(ENCODING_TAG, '')
          encoding = $2

          erb.force_encoding valid_encoding(template.source.dup, encoding)

          # Always make sure we return a String in the default_internal
          erb.encode!

          # With :escape => true (whitelisted mime types) Erubis routes <%= through
          # add_expr_escaped, i.e. raw output, so plain-text templates are not HTML-escaped.
          self.class.erb_implementation.new(
            erb,
            :escape => (self.class.escape_whitelist.include? template.type),
            :trim => (self.class.erb_trim_mode == "-")
          ).src
        end

        private

          def valid_encoding(string, encoding)
            # If a magic encoding comment was found, tag the
            # String with this encoding. This is for a case
            # where the original String was assumed to be,
            # for instance, UTF-8, but a magic comment
            # proved otherwise
            string.force_encoding(encoding) if encoding

            # If the String is valid, return the encoding we found
            return string.encoding if string.valid_encoding?

            # Otherwise, raise an exception
            raise WrongEncodingError.new(string, string.encoding)
          end
      end
    end
  end
end
```

Blame annotations shown on this view (commit, author, message), in order of first appearance:
21317d8 @joshk: corrected the ActionMailer tests which broke due to some code removed…
9415935 @NZKoz: Switch to on-by-default XSS escaping for rails.
b1f078b @wycats: First, very early, AbstractController code. More to come
3fab196 @jeremy: Refactor Action View template handlers. Closes #10437.
af0d1a8 @wycats: Initial work to improve the state of encodings for templates
2dd43c3 @josevalim: Buffer should be an option passed down to template rendering.
2797757 @jeremy: Override <%== to always behave as literal text rather than toggling b…
9de8305 Carlhuda: Add deprecation notices for <% %>.
2092351 Yehuda Katz: Add support for compile-time <%= raw %>
f04ec6a @Fjan: Added support for Erubis <%== tag
c7408a0 @josevalim: Deprecate old template handler API. Remove old handlers.
bd3cdee @amatsuda: s/ERb/ERB/g
c440c9b @jeremy: Move erb_trim_mode setting to the ERB template handler. Keep a Base.e…
87e9e3f @rtlechow: Action Pack typos.
e693f45 Yehuda Katz + Carl Lerche: Remove some response content type concepts from ActionView
5f189f4 @tilsammans: Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`.
64d109e @wycats: Significantly improved internal encoding heuristics and support.
e30ca00 @josevalim: Yo dawg, I heard you like streaming. So I put a fiber, inside a block…
5ca86ac @lest: deprecate String#encoding_aware? and remove its usage
59deaec @amatsuda: Use already defined Encoding constants rather than creating one-trip …
0078df6 @wycats: Update template to allow handlers to more cleanly handle encodings (h…
666d3fd @dhh: Revert "Merge pull request #7033 from kron4eg/master". Not a fan at…
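The escaping contract the handler above encodes (literal text and `<%==` go through `safe_concat` raw, `<%=` goes through `append=` and is HTML-escaped unless the value is `html_safe?`, and whitelisted mime types such as text/plain swap `<%=` onto the raw path) can be exercised without Rails or Erubis. The code below is an added illustration, not Rails code: `ToyOutputBuffer`, `SafeString`, `compile_erb` and `render` are stand-ins written for this example, the tag parsing is deliberately simplified (no `<%#` comments, `<%%` literals or `BLOCK_EXPR` handling), and the whitelist is hard-coded as `['text/plain']` to mirror `escape_whitelist`.

```ruby
# Added illustration, not Rails code: a toy OutputBuffer and a tiny compiler
# emitting the same statement shapes as the Erubis handler above.
require 'cgi'
class SafeString < String # stands in for a string ActiveSupport reports as html_safe?
  def html_safe?; true; end
end
class ToyOutputBuffer
  def initialize; @buf = +""; end
  # Literal text and <%== %> land here: appended verbatim, no escaping.
  def safe_concat(str); @buf << str.to_s; self; end
  # <%= %> lands here: HTML-escaped unless the value declares itself html_safe?.
  def append=(value)
    s = value.to_s
    @buf << (value.respond_to?(:html_safe?) && value.html_safe? ? s : CGI.escapeHTML(s))
  end
  def to_s; @buf.dup; end
end
TAG = /<%(==|=)?(.*?)%>/m # simplified: no <%# comments, <%% literals or BLOCK_EXPR
def add_text(src, text)
  return if text.empty?
  src << "@output_buffer.safe_concat('" << text.gsub(/['\\]/) { "\\#{$&}" } << "');"
end
# :escape => true (whitelisted mime types) swaps <%= onto the raw path, as Erubis
# does; <%== is pinned to the raw path, as the handler's add_expr override does.
def compile_erb(template, escape: false)
  src = +"@output_buffer = ToyOutputBuffer.new;"
  pos = 0
  while (m = TAG.match(template, pos))
    add_text(src, template[pos...m.begin(0)])
    indicator, code = m[1], m[2].strip
    if indicator == '==' || (indicator == '=' && escape)
      src << "@output_buffer.safe_concat((#{code}).to_s);"
    elsif indicator == '='
      src << "@output_buffer.append= (#{code});"
    else
      src << code << ";"
    end
    pos = m.end(0)
  end
  add_text(src, template[pos..-1])
  src << "@output_buffer.to_s"
end
# Renders as ERB#call would: the mime type drives the whitelist check.
def render(template, type: 'text/html', locals: {})
  b = binding
  locals.each { |k, v| b.local_variable_set(k, v) }
  b.eval(compile_erb(template, escape: ['text/plain'].include?(type)))
end
```

Rendering `<p><%= name %></p>` with `name = "<b>x</b>"` yields `<p>&lt;b&gt;x&lt;/b&gt;</p>`, while the same value through `<%==`, through a `text/plain` template, or wrapped in `SafeString` comes out unescaped.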