activesupport/lib/active_support/core_ext/string/output_safety.rb (Ruby on Rails, ActiveSupport)
require 'erb'
require 'active_support/core_ext/kernel/singleton_class'

class ERB
  module Util
    HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

    if RUBY_VERSION >= '1.9'
      # A utility method for escaping HTML tag characters.
      # This method is also aliased as <tt>h</tt>.
      #
      # In your ERB templates, use this method to escape any unsafe content. For example:
      #   <%=h @person.name %>
      #
      # ==== Example:
      #   puts html_escape("is a > 0 & a < 10?")
      #   # => is a &gt; 0 &amp; a &lt; 10?
      #
      # Values that already report html_safe? are returned untouched, so marking
      # untrusted input with +html_safe+ bypasses this escaping entirely.
      def html_escape(s)
        s = s.to_s
        if s.html_safe?
          s
        else
          s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
        end
      end
    else
      # Ruby 1.8: String#gsub does not accept a Hash replacement, so look the
      # replacement up in a block; /n forces byte-wise matching.
      def html_escape(s) #:nodoc:
        s = s.to_s
        if s.html_safe?
          s
        else
          s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
        end
      end
    end

    # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
    remove_method(:h)
    alias h html_escape

    module_function :h

    singleton_class.send(:remove_method, :html_escape)
    module_function :html_escape

    # A utility method for escaping the HTML-significant characters &, < and >
    # in JSON strings using \uXXXX JavaScript escape sequences for string
    # literals, so that JSON embedded in a <script> block cannot close the block:
    #
    #   json_escape("is a > 0 & a < 10?")
    #   # => is a \u003E 0 \u0026 a \u003C 10?
    #
    # Note that after this operation is performed the output is not
    # valid JSON. In particular double quotes are removed:
    #
    #   json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
    #   # => {name:john,created_at:2010-04-28T01:39:31Z,id:1}
    #
    # This method is also aliased as +j+, and available as a helper
    # in Rails templates:
    #
    #   <%=j @person.to_json %>
    #
    def json_escape(s)
      # The character class includes '"' but JSON_ESCAPE has no entry for it,
      # so the block returns nil and the quote is replaced with the empty string.
      result = s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
      s.html_safe? ? result.html_safe : result
    end

    alias j json_escape
    module_function :j
    module_function :json_escape
  end
end
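The comment above says why json_escape exists and what it costs, but not what the failure looks like. The following is an added example, not code from the Rails source: it uses the page's escape tables to show a `</script>` breakout through JSON embedded in a script tag, the quote-stripping that makes the page's `json_escape` output unparseable, and a variant (the approach later Rails versions took) that leaves `"` alone so the result stays valid JSON. The names `json_escape_demo`, `json_escape_valid`, `script_tag`, `safe_script_tag` and the attacker value are constructed for this example.

```ruby
# Added example, not part of the Rails listing. The two escape tables are the
# page's HTML_ESCAPE and JSON_ESCAPE; everything else is illustration.
require 'json'

HTML_ESCAPE_MAP = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
JSON_ESCAPE_MAP = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

# Text context (between tags): the page's html_escape, minus the SafeBuffer plumbing.
def html_escape_demo(s)
  s.to_s.gsub(/[&"'><]/, HTML_ESCAPE_MAP)
end

# Same behaviour as the page's json_escape: '"' is matched but has no table
# entry, so the block returns nil and every quote, including the structural
# ones that delimit JSON strings, is deleted.
def json_escape_demo(s)
  s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE_MAP[special] }
end

# Assumed alternative (not in the listing): leave '"' out of the character
# class. JSON.generate has already escaped quotes inside string values, and
# \u003C / \u003E are legal JSON escapes, so the document stays parseable
# while the HTML parser never sees a raw '<' or '>' inside the script block.
def json_escape_valid(s)
  s.to_s.gsub(/[&><]/) { |special| JSON_ESCAPE_MAP[special] }
end

# Constructed attacker-controlled value: closes the script block and opens a new one.
ATTACKER_NAME = '</script><script>alert(1)</script>'

def raw_json
  # JSON.generate does not escape '/', so "</script>" survives verbatim.
  JSON.generate('name' => ATTACKER_NAME, 'id' => 1)
end

def script_tag(json_doc)
  "<script>var user = #{json_doc};</script>"
end

# Safe embedding: only one </script> remains, the template's own closing tag.
def safe_script_tag(data)
  script_tag(json_escape_valid(JSON.generate(data)))
end

if __FILE__ == $0
  puts script_tag(raw_json)            # broken: attacker closes the block
  puts json_escape_demo(raw_json)      # page behaviour: no '<', but no '"' either
  puts safe_script_tag('name' => ATTACKER_NAME, 'id' => 1)
end
```

Note that html_escape is the wrong tool here: `&lt;` and `&quot;` are not decoded inside `<script>`, so an HTML-escaped JSON document is neither valid JSON nor valid JavaScript. Escape for the context you are writing into.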

class Object
  def html_safe?
    false
  end
end

class Numeric
  def html_safe?
    true
  end
end

module ActiveSupport #:nodoc:
  # A String subclass that tracks whether its content is trusted markup.
  # A new buffer is safe; concatenating an unsafe value escapes it first.
  # The String methods in UNSAFE_STRING_METHODS return a plain (unsafe)
  # String, and their bang forms mark this buffer as no longer html_safe.
  class SafeBuffer < String
    UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase", "prepend"].freeze

    alias_method :original_concat, :concat
    private :original_concat

    class SafeConcatError < StandardError
      def initialize
        super "Could not concatenate to the buffer because it is not html safe."
      end
    end

    # A (start, length) slice of a safe buffer stays safe; any other slice, or a
    # slice of a dirty buffer, is a plain String.
    def [](*args)
      return super if args.size < 2

      if html_safe?
        new_safe_buffer = super
        new_safe_buffer.instance_eval { @html_safe = true }
        new_safe_buffer
      else
        to_str[*args]
      end
    end

    # Appends +value+ without escaping. Refused once the buffer is dirty,
    # because a dirty buffer will itself be escaped later.
    def safe_concat(value)
      raise SafeConcatError unless html_safe?
      original_concat(value)
    end

    def initialize(*)
      @html_safe = true
      super
    end

    def initialize_copy(other)
      super
      @html_safe = other.html_safe?
    end

    def clone_empty
      self[0, 0]
    end

    # Unsafe values are HTML-escaped before being appended to a safe buffer.
    # Nothing is escaped when appending to a buffer that is already dirty.
    def concat(value)
      if !html_safe? || value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
    alias << concat

    def +(other)
      dup.concat(other)
    end

    def html_safe?
      defined?(@html_safe) && @html_safe
    end

    def to_s
      self
    end

    def to_param
      to_str
    end

    def encode_with(coder)
      coder.represent_scalar nil, to_str
    end

    def to_yaml(*args)
      return super() if defined?(YAML::ENGINE) && !YAML::ENGINE.syck?
      to_str.to_yaml(*args)
    end

    UNSAFE_STRING_METHODS.each do |unsafe_method|
      if 'String'.respond_to?(unsafe_method)
        class_eval <<-EOT, __FILE__, __LINE__ + 1
          def #{unsafe_method}(*args, &block)       # def capitalize(*args, &block)
            to_str.#{unsafe_method}(*args, &block)  #   to_str.capitalize(*args, &block)
          end                                       # end

          def #{unsafe_method}!(*args)              # def capitalize!(*args)
            @html_safe = false                      #   @html_safe = false
            super                                   #   super
          end                                       # end
        EOT
      end
    end
  end
end

class String
  # Marks this string as trusted markup. Never call it on untrusted input:
  # html_escape and SafeBuffer#concat pass html_safe values through verbatim.
  def html_safe
    ActiveSupport::SafeBuffer.new(self)
  end
end
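To see the tainting rules above in action without loading ActiveSupport, here is an added example (not code from the Rails source): a compact stand-in, `MiniSafeBuffer`, that keeps only the concat-escaping and the gsub/gsub! handling from the class above, and a template-style render that shows which operations keep a buffer safe, which return a plain String, which taint the buffer, and what happens when a developer calls the equivalent of `html_safe` on attacker input. `MiniSafeBuffer`, `mini_h`, `safe_str`, `render_greeting` and the payload are constructed for this example; the escape table is the page's HTML_ESCAPE.

```ruby
# Added example, not part of the Rails listing. MiniSafeBuffer is a simplified
# stand-in for ActiveSupport::SafeBuffer so this file runs with plain Ruby.
HTML_ESCAPE_TABLE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }

# The page's html_escape: safe values pass through, everything else is escaped.
def mini_h(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value
  else
    MiniSafeBuffer.new(value.to_s.gsub(/[&"'><]/, HTML_ESCAPE_TABLE))
  end
end

class MiniSafeBuffer < String
  def initialize(*)
    @html_safe = true
    super
  end

  def html_safe?
    @html_safe
  end

  # Escape unsafe values on the way in; a dirty buffer escapes nothing.
  def concat(value)
    if !html_safe? || (value.respond_to?(:html_safe?) && value.html_safe?)
      super(value)
    else
      super(mini_h(value))
    end
  end
  alias << concat

  # Non-bang form: operate on a plain String copy, so the result is unsafe.
  def gsub(*args, &block)
    to_str.gsub(*args, &block)
  end

  # Bang form: the buffer was mutated in place, so it is no longer trusted.
  def gsub!(*args, &block)
    @html_safe = false
    super
  end
end

# Equivalent of String#html_safe: declares the string trusted markup.
def safe_str(s)
  MiniSafeBuffer.new(s)
end

# Constructed attacker-controlled input.
PAYLOAD = '<script>alert(document.cookie)</script>'

# What a template like  <p>Hello, <%= name %>!</p>  compiles to: literal text is
# appended as safe, the interpolated value goes through concat and gets escaped.
def render_greeting(name)
  out = MiniSafeBuffer.new
  out << safe_str('<p>Hello, ')
  out << name
  out << safe_str('!</p>')
  out
end

def escaped_render
  render_greeting(PAYLOAD)
end

# The footgun: marking untrusted data as safe disables escaping for it.
def bypassed_render
  render_greeting(safe_str(PAYLOAD))
end

def gsub_loses_safety
  render_greeting('Ann').gsub('Ann', 'Bob')
end

def bang_taints_buffer
  buf = render_greeting('Ann')
  buf.gsub!('Ann', 'Bob')
  buf
end

# A tainted buffer appended to a fresh safe buffer is treated as untrusted text.
def reembed_tainted
  MiniSafeBuffer.new << bang_taints_buffer
end

if __FILE__ == $0
  puts escaped_render      # <p>Hello, &lt;script&gt;...&lt;/script&gt;!</p>
  puts bypassed_render     # <p>Hello, <script>alert(document.cookie)</script>!</p>
  puts reembed_tainted     # &lt;p&gt;Hello, Bob!&lt;/p&gt;
end
```

The practical rules this illustrates: only literal template text and values you have escaped yourself should ever be marked safe; results of `gsub`, `sub`, `strip` and friends must be re-marked (or re-escaped) before reuse; and a bang method on a buffer silently downgrades the whole buffer, which is why `safe_concat` refuses to append to it.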