From 0791bd6cc2eb0ebe5a4077b0dac503f23c2a1a31 Mon Sep 17 00:00:00 2001
From: Jonathan Garvin
Date: Tue, 17 Feb 2009 22:05:45 -0700
Subject: [PATCH] Fix turning off escaping on methods that call other text fields in other classes.
---
 lib/cross_site_sniper.rb | 16 +++++++++++++---
 test/cross_site_sniper_test.rb | 13 ++++++++++---
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/lib/cross_site_sniper.rb b/lib/cross_site_sniper.rb
index f6ebf18..74b5753 100644
--- a/lib/cross_site_sniper.rb
+++ b/lib/cross_site_sniper.rb
@@ -41,7 +41,7 @@ def define_attribute_methods_with_html_escaping
 val = send("#{column.name}_without_html_escaping")
 #if htmlescaping is disabled, just send it as is.
- return val if @html_escaping_disabled
+ return val if CrossSiteSniper.disabled?
 # Only escape strings. Other data types, such
 # as 'nil', should be returned uncorrupted.
@@ -64,9 +64,9 @@ def method_missing(method_sym,*args,&blk)
 #catch without_html_escaping for non-column methods and simulate it
 if method_sym.to_s[/(.+)_without_html_escaping/]
 original_method = $1
- @html_escaping_disabled = true
+ CrossSiteSniper.disabled = true
 val = self.send(original_method)
- @html_escaping_disabled = false
+ CrossSiteSniper.disabled = false
 return val
 else
 super
@@ -123,3 +123,13 @@ def html_escape(opts = {})
 end
 end
 end
+
+class CrossSiteSniper
+ def self.disabled?
+ @disabled
+ end
+
+ def self.disabled=(x)
+ @disabled = x
+ end
+end
\ No newline at end of file
diff --git a/test/cross_site_sniper_test.rb b/test/cross_site_sniper_test.rb
index c902cfa..b6dc37c 100644
--- a/test/cross_site_sniper_test.rb
+++ b/test/cross_site_sniper_test.rb
@@ -1,6 +1,6 @@
 require 'test/unit'
 require 'rubygems'
-gem 'activerecord', '>= 2.0.2'
+gem 'activerecord', '>= 2.3.0'
 require 'active_record'
 require 'erb'
 require "#{File.dirname(__FILE__)}/../init"
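Review bot: In the method_missing hunk the flag is cleared with a plain assignment after `val = self.send(original_method)`, so if the delegated method raises, `CrossSiteSniper.disabled` stays `true` for the rest of the process and every later column read on every model returns the raw, unescaped value — the library fails open on exactly the property it exists to enforce. Before this commit a stale flag was confined to one instance; now that it is process-wide the reset belongs in an `ensure`, and it should restore the previous value rather than hard-code `false`, so a `_without_html_escaping` call reached while the flag is already on does not switch escaping back on for the outer caller. method_missing continues outside the hunk, and the same global flag is defined in the third hunk of this file.
```ruby
      original_method = $1
      previous = CrossSiteSniper.disabled?
      CrossSiteSniper.disabled = true
      begin
        val = self.send(original_method)
      ensure
        # always restore, even when the delegated method raises
        CrossSiteSniper.disabled = previous
      end
      return val
    else
      # … unchanged: super …
```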
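Review bot: The new `CrossSiteSniper` class stores `@disabled` as a single class-level switch, so while one caller is inside a `_without_html_escaping` call every other thread reading a column on any model gets the unescaped value; the old per-instance flag had no such window. If the library is meant to run under a threaded server, keep the cross-instance behaviour but scope the flag to the thread: `def self.disabled?; Thread.current[:cross_site_sniper_disabled]; end` and `def self.disabled=(x); Thread.current[:cross_site_sniper_disabled] = x; end`. A comment above the class saying that the flag is only ever set transiently by `method_missing` and must never be left `true` would help, since any caller that sets it and forgets turns escaping off globally. The file is also left without a trailing newline.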
@@ -12,7 +12,7 @@ class CrossSiteSniperTest < Test::Unit::TestCase def setup setup_db @hunter = SnipeHunter.create(:name => 'One', :title => 'One Title', :description => 'One Description',:age => 42) - @snipe = Snipe.create(:species => 'Fitch', :genus => 'Abercrombie') + @snipe = Snipe.create(:species => 'Fitch', :genus => 'Abercrombie', :snipe_hunter => @hunter) @leprechaun = Leprechaun.create(:name => 'Clover McGillicuty') end @@ -47,12 +47,15 @@ def test_basics assert_equal('<b>Fitch</b>',snipe.species) assert_equal('Abercrombie',snipe.genus) + assert_equal('<b>Fitch</b>',hunter.first_snipe_species) + assert_equal('Fitch',hunter.first_snipe_species_without_html_escaping) + assert_equal('Clover McGillicuty',leprechaun.name) end end class SnipeHunter < ActiveRecord::Base - + has_many :snipes #make title unescaped html_escape :except => :title @@ -60,9 +63,12 @@ class SnipeHunter < ActiveRecord::Base def description; 'Overriden'; end def name_and_age; "#{name}(#{age})"; end + + def first_snipe_species; snipes.first.species; end end class Snipe < ActiveRecord::Base + belongs_to :snipe_hunter #only escape species html_escape :only => :species end @@ -87,6 +93,7 @@ def setup_db end create_table :snipes do |t| + t.column :snipe_hunter_id, :integer t.column :species, :string t.column :genus, :string end
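Review bot: In the test_basics hunk the new assertions check that `first_snipe_species_without_html_escaping` returns the raw value, but nothing checks that escaping is switched back on afterwards, which is the property the now process-wide flag puts at risk; re-asserting the escaped form right after that line, `assert_equal('<b>Fitch</b>',snipe.species)`, would catch a flag left on. A case where the delegated method raises would cover the other way the flag can stick, if the library is expected to restore it in that path. test_basics starts before this hunk, so where `hunter` and `snipe` are assigned is not visible here.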