Security issue

Cakefile

@@ -35,7 +35,7 @@ task "fixtures", "Generate .coffee fixtures from .eco fixtures", ->
 task "dist", "Generate dist/eco.js", ->
   build -> bundle ->
     fs     = require("fs")
-    coffee = require("coffee-script").compile
+    coffee = require("coffeescript").compile
     uglify = require("uglify-js")
 
     read = (filename) ->
@@ -58,9 +58,9 @@ task "dist", "Generate dist/eco.js", ->
       "./scanner":        read "lib/scanner.js"
       "./util":           read "lib/util.js"
       "strscan":          read "node_modules/strscan/lib/strscan.js"
-      "coffee-script":    stub "CoffeeScript"
+      "coffeescript":     stub "CoffeeScript"
 
-    package = for name, source of modules
+    cake_package = for name, source of modules
       """
         '#{name}': function(module, require, exports) {
           #{source}
@@ -77,7 +77,20 @@ task "dist", "Generate dist/eco.js", ->
        */
     """
 
-    source = uglify """
+    minify = (code) ->
+      toplevel = uglify.parse(code)
+      toplevel.figure_out_scope()
+
+      compressor = uglify.Compressor()
+      compressed_ast = toplevel.transform(compressor)
+
+      compressed_ast.figure_out_scope()
+      compressed_ast.compute_char_frequency()
+      compressed_ast.mangle_names()
+
+      compressed_ast.print_to_string()
+
+    source = minify """
       this.eco = (function(modules) {
         return function require(name) {
           var fn, module = {id: name, exports: {}};
@@ -89,12 +102,12 @@ task "dist", "Generate dist/eco.js", ->
           }
         };
       })({
-        #{package.join ',\n'}
+        #{cake_package.join ',\n'}
       })('eco');
     """
 
     try
-      fs.mkdirSync "#{__dirname}/dist", 0755
+      fs.mkdirSync "#{__dirname}/dist", 755
     catch err
 
     fs.writeFileSync "#{__dirname}/dist/eco.js", "#{header}\n#{source}"

README.md

@@ -1,3 +1,38 @@
+## This is a modified version of eco that depends on underscore.js for a safer `_.escape`
+
+**Why?** Because Eco's default `__escape` implementation doesn't escape single quotes, which makes XSS attacks like the following possible:
+
+```html
+<input type='text' value='<%= @value %>'>
+```
+
+with a @value of `x'onmouseover='alert(document.domain)`, an XSS occurs.
+
+### How to use this fork
+
+Use `dist/eco.js` instead of the unmaintained eco.js
+
+### How to use this fork with Rails and the eco gem
+
+Copy `dist/eco.js` into `vendor/assets/javascripts/eco-custom.js` and add the following to your application.rb file:
+
+```ruby
+class Application < Rails::Application
+  ...
+  # Eco, the Coffee Script templating language, hasn't been updated in 3 years.  We found an XSS bug in the escape
+  # function and fixed it by forking the library and using underscore.js's implementation.  In order to avoid also
+  # having to fork the eco Ruby gem, we're setting an explicit override path to our updated eco.js.
+  ENV['ECO_SOURCE_PATH'] = Rails.root.join("vendor/assets/javascripts/eco-custom.js").to_s
+end
+```
+
+Run `rm -rf tmp/cache/` to clear your local asset pipeline cache and restart your local Rails app.  Double check the fix
+by looking at application.js and searching for `__escape`.
+
+### How to recompile
+
+Compile with: `cake dist`
+
 Eco: Embedded CoffeeScript templates
 ====================================