2010-05-25 19:45:45 +02:00
|
|
|
require 'erb'
|
|
|
|
|
|
|
|
class ERB
|
|
|
|
module Util
|
|
|
|
HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
|
|
|
|
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
|
|
|
|
|
|
|
|
# A utility method for escaping HTML tag characters.
|
|
|
|
# This method is also aliased as <tt>h</tt>.
|
|
|
|
#
|
|
|
|
# In your ERb templates, use this method to escape any unsafe content. For example:
|
|
|
|
# <%=h @person.name %>
|
|
|
|
#
|
|
|
|
# ==== Example:
|
|
|
|
# puts html_escape("is a > 0 & a < 10?")
|
|
|
|
# # => is a > 0 & a < 10?
|
|
|
|
def html_escape(s)
|
|
|
|
s = s.to_s
|
|
|
|
if s.html_safe?
|
|
|
|
s
|
|
|
|
else
|
2011-08-19 08:54:58 +02:00
|
|
|
s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe
|
2010-05-25 19:45:45 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
undef :h
|
|
|
|
alias h html_escape
|
|
|
|
|
|
|
|
module_function :html_escape
|
|
|
|
module_function :h
|
|
|
|
|
|
|
|
# A utility method for escaping HTML entities in JSON strings.
|
|
|
|
# This method is also aliased as <tt>j</tt>.
|
|
|
|
#
|
|
|
|
# In your ERb templates, use this method to escape any HTML entities:
|
|
|
|
# <%=j @person.to_json %>
|
|
|
|
#
|
|
|
|
# ==== Example:
|
|
|
|
# puts json_escape("is a > 0 & a < 10?")
|
|
|
|
# # => is a \u003E 0 \u0026 a \u003C 10?
|
|
|
|
def json_escape(s)
|
|
|
|
s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
|
|
|
|
end
|
|
|
|
|
|
|
|
alias j json_escape
|
|
|
|
module_function :j
|
|
|
|
module_function :json_escape
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class Object
|
|
|
|
def html_safe?
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class Fixnum
|
|
|
|
def html_safe?
|
|
|
|
true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2009-12-01 02:38:34 +01:00
|
|
|
module ActiveSupport #:nodoc:
|
2010-05-25 19:45:45 +02:00
|
|
|
class SafeBuffer < String
|
|
|
|
def +(other)
|
|
|
|
dup.concat(other)
|
|
|
|
end
|
|
|
|
|
|
|
|
def html_safe?
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
|
|
|
def html_safe
|
|
|
|
self
|
|
|
|
end
|
|
|
|
|
|
|
|
def to_s
|
|
|
|
self
|
|
|
|
end
|
|
|
|
|
|
|
|
def to_yaml(*args)
|
|
|
|
to_str.to_yaml(*args)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class String
|
|
|
|
alias safe_concat concat
|
|
|
|
|
|
|
|
def as_str
|
|
|
|
self
|
|
|
|
end
|
|
|
|
|
|
|
|
def html_safe
|
|
|
|
ActiveSupport::SafeBuffer.new(self)
|
|
|
|
end
|
|
|
|
|
|
|
|
def html_safe?
|
|
|
|
false
|
2009-12-01 02:38:34 +01:00
|
|
|
end
|
2010-05-25 19:45:45 +02:00
|
|
|
end
|