Initial plugin

0 parents commit b59569529d30b5f329d1fc7a9f2c08d77fe094e2 @NZKoz NZKoz committed Jun 26, 2009
Showing with 162 additions and 0 deletions.
  1. +20 −0 MIT-LICENSE
  2. +84 −0 README
  3. +23 −0 Rakefile
  4. +6 −0 init.rb
  5. +1 −0 install.rb
  6. +12 −0 lib/rails_xss.rb
  7. +4 −0 tasks/rails_xss_tasks.rake
  8. +8 −0 test/rails_xss_test.rb
  9. +3 −0 test/test_helper.rb
  10. +1 −0 uninstall.rb
20 MIT-LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2009 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
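Review bot: the copyright line still carries the plugin generator's placeholder, `Copyright (c) 2009 [name of plugin creator]`; an MIT notice with an unnamed holder leaves it ambiguous who is actually granting the license, so fill in the real author before this ships. The same placeholder reappears in the closing line of the README.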
84 README
@@ -0,0 +1,84 @@
+RailsXss
+========
+
+This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. The intention is to ship this functionality, or something like it, for rails 3.0.
+
+*************************************************************************************
+*This will *only* work with rails from http://github.com/NZKoz/rails/tree/rails_xss *
+*************************************************************************************
+
+Strings now have a notion of "html safe". These strings will always be appended without escaping. This means that helpers like link_to, form_tag etc will continue to work unmodified. If you have your own helpers which return strings you *know* are safe, you will need to mark the strings as safe. For example
+
+ def some_helper
+ (1..5).map do |i|
+ "<li>#{i}</li>"
+ end.join("\n")
+ end
+
+With this plugin installed, these tags will be escaped. So you will need to do one of the following:
+
+1) mark safe at the call site
+
+ <%= raw some_helper %>
+
+2) Mark safe in the helper:
+
+ def some_helper
+ (1..5).map do |i|
+ "<li>#{i}</li>"
+ end.join("\n").html_safe!
+ end
+
+3) use the safe_helper meta programming method: (NOT YET IMPLEMENTED)
+
+ module ApplicationHelper
+ def some_helper
+ #...
+ end
+ safe_helper :some_helper
+ end
+
+Example
+=======
+
+BEFORE:
+ <%= params[:own_me] %> => XSS attack
+ <%=h params[:own_me] %> => No XSS
+ <%= @blog_post.content %> => Displays the HTML
+
+AFTER:
+ <%= params[:own_me] %> => No XSS
+ <%=h params[:own_me] %> => No XSS (same result)
+ <%= @blog_post.content %> => *escapes* the HTML
+ <%= raw @blog_post.content %> => Displays the HTML
+
+
+Gotchas
+=======
+
+# textilize and simple_format do *not* return safe strings
+
+Both these methods support arbitrary HTML and are *not* safe to embed directly in your document. You'll need to do something like:
+
+<%= sanitize(textilize(@blog_post.content_textile)) %>
+
+# Safe strings aren't magic.
+
+Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+. All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like
+
+ value = something_safe
+ value.gsub!(/a/, params[:own_me])
+
+Don't do that.
+
+# String interpolation won't be safe, even when it 'should' be
+
+ value = "#{something_safe}#{something_else_safe}"
+ value.html_safe? # => false
+
+This is intended functionality and can't be fixed.
+
+
+
+
+Copyright (c) 2009 [name of plugin creator], released under the MIT license
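Review bot: the README never mentions the erubis gem, even though init.rb does `require 'erubis/helpers/rails_helper'` and the plugin cannot load without it; add an install note next to the banner about the NZKoz rails_xss branch so readers know both prerequisites. It would also help to say explicitly that `html_safe!`, `html_safe?`, `raw` and the safety-preserving `String#<<`/`#concat`/`#+` described under Gotchas all come from that Rails branch rather than from this plugin, whose only code is the Erubis handler in lib/rails_xss.rb. The `[name of plugin creator]` placeholder in the last line needs the real author as well.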
23 Rakefile
@@ -0,0 +1,23 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the rails_xss plugin.'
+Rake::TestTask.new(:test) do |t|
+ t.libs << 'lib'
+ t.libs << 'test'
+ t.pattern = 'test/**/*_test.rb'
+ t.verbose = true
+end
+
+desc 'Generate documentation for the rails_xss plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+ rdoc.rdoc_dir = 'rdoc'
+ rdoc.title = 'RailsXss'
+ rdoc.options << '--line-numbers' << '--inline-source'
+ rdoc.rdoc_files.include('README')
+ rdoc.rdoc_files.include('lib/**/*.rb')
+end
6 init.rb
@@ -0,0 +1,6 @@
+# Include hook code here
+require 'rails_xss'
+require 'erubis/helpers/rails_helper'
+
+
+Erubis::Helpers::RailsHelper.engine_class = RailsXSS::Erubis
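Review bot: `RailsXSS::Erubis` on the last line does not match the module actually defined in lib/rails_xss.rb, which is `RailsXss` (lowercase `ss`); Ruby constants are case-sensitive, so this raises `NameError: uninitialized constant RailsXSS` the moment the plugin is loaded. Change it to `Erubis::Helpers::RailsHelper.engine_class = RailsXss::Erubis`, and drop the two stray blank lines before the assignment.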
1 install.rb
@@ -0,0 +1 @@
+# Install hook code here
12 lib/rails_xss.rb
@@ -0,0 +1,12 @@
+# RailsXss
+module RailsXss
+ class Erubis
+ def add_preamble(src)
+ src << "@output_buffer = _buf = ActionView::SafeBuffer.new;"
+ end
+
+ def add_text(src, text)
+ src << "@output_buffer.concat('" << escape_text(text) << "'.html_safe!);"
+ end
+ end
+end
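Review bot: `class Erubis` has no superclass, yet `add_text` calls `escape_text` and init.rb hands the class to `Erubis::Helpers::RailsHelper.engine_class`, which needs a real Erubis engine it can instantiate with the template source and ask for `src` (as the helper's default `Erubis::Eruby` provides); declare it as `class Erubis < ::Erubis::Eruby`. The leading `::` matters: inside `module RailsXss` the bare name `Erubis` now resolves to this class, not to the gem's namespace. A short comment would also help readers see that `add_text` only handles literal template text; the escaping of `<%= %>` expressions that the README promises has to come from `ActionView::SafeBuffer#concat` on the rails_xss Rails branch, which is why `add_preamble` makes the buffer a `SafeBuffer`.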
4 tasks/rails_xss_tasks.rake
@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :rails_xss do
+# # Task goes here
+# end
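Review bot: this file is nothing but the plugin generator's commented-out task template; either delete it or give it a real task, since an all-comment rake file is still picked up on every `rake` run and only adds noise.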
8 test/rails_xss_test.rb
@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class RailsXssTest < ActiveSupport::TestCase
+ # Replace this with your real tests.
+ test "the truth" do
+ assert true
+ end
+end
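Review bot: the single `test "the truth"` placeholder asserts nothing about the plugin. At minimum, compile a template such as `<%= "<b>" %>` through `RailsXss::Erubis` and assert the rendered output is `&lt;b&gt;`, and that `<%= raw "<b>" %>` and a literal `<b>` in the template text pass through unescaped; escape-by-default is the whole point of the change, so it should be the first thing the test suite checks (the test will need the rails_xss Rails branch on the load path, as the README's banner states).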
3 test/test_helper.rb
@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'active_support'
+require 'active_support/test_case'
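Review bot: the helper requires only active_support; it never loads `rails_xss`, `action_view` or `erubis`, so any real test cannot reference `RailsXss::Erubis` or `ActionView::SafeBuffer`. Add `require 'erubis'`, `require 'action_view'` and `require 'rails_xss'` here (lib is already on the load path via the Rakefile's `t.libs << 'lib'`).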
1 uninstall.rb
@@ -0,0 +1 @@
+# Uninstall hook code here