Update Rails, rails_xss and Bundler

Update Bundler to 1.0.15. Update Rails to 2.3.12. Update rails_xss plugin. The latter two were the source of a considerable amount of grief, as rails_xss is now MUCH stricter about what string methods can be used. Also made it possible to use rake 0.9.x with Instiki. But you probably REALLY want to use ruby bundle exec rake ... instead of just saying rake ....
2011-06-15 00:43:38 -05:00 · 2011-06-15 00:43:38 -05:00 · 9e909d5be3
commit 9e909d5be3
parent ec443685a6
1105 changed files with 14278 additions and 4667 deletions
--- a/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
+++ b/vendor/plugins/rails_xss/lib/rails_xss/action_view.rb
@ -15,6 +15,15 @@ module ActionView
  end

  module Helpers
+    module CaptureHelper
+      def content_for(name, content = nil, &block)
+        ivar = "@content_for_#{name}"
+        content = capture(&block) if block_given?
+        instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe)
+        nil
+      end
+    end    
+
    module TextHelper
      def concat(string, unused_binding = nil)
        if unused_binding
@ -23,15 +32,53 @@ module ActionView

        output_buffer.concat(string)
      end
+
+      def simple_format(text, html_options={})
+        start_tag = tag('p', html_options, true)
+        text = ERB::Util.h(text).to_str.dup
+        text.gsub!(/\r\n?/, "\n")                    # \r\n and \r -> \n
+        text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}")  # 2+ newline  -> paragraph
+        text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline   -> br
+        text.insert 0, start_tag
+        text.html_safe.safe_concat("</p>")
+      end
    end

    module TagHelper
      private
        def content_tag_string_with_escaping(name, content, options, escape = true)
-          content_tag_string_without_escaping(name, ERB::Util.h(content), options, escape)
+          content_tag_string_without_escaping(name, escape ? ERB::Util.h(content) : content, options, escape)
        end
        alias_method_chain :content_tag_string, :escaping
    end
+
+    module UrlHelper
+      def link_to(*args, &block)
+        if block_given?
+          options      = args.first || {}
+          html_options = args.second
+          concat(link_to(capture(&block), options, html_options))
+        else
+          name         = args.first
+          options      = args.second || {}
+          html_options = args.third
+
+          url = url_for(options)
+
+          if html_options
+            html_options = html_options.stringify_keys
+            href = html_options['href']
+            convert_options_to_javascript!(html_options, url)
+            tag_options = tag_options(html_options)
+          else
+            tag_options = nil
+          end
+
+          href_attr = "href=\"#{url}\"" unless href
+          "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
+        end
+      end
+    end
  end
 end

@ -49,35 +96,6 @@ module RailsXss
      end
    end
  end
-
-  module HelperOverrides
-    def link_to(*args, &block)
-      if block_given?
-        options      = args.first || {}
-        html_options = args.second
-        concat(link_to(capture(&block), options, html_options))
-      else
-        name         = args.first
-        options      = args.second || {}
-        html_options = args.third
-
-        url = url_for(options)
-
-        if html_options
-          html_options = html_options.stringify_keys
-          href = html_options['href']
-          convert_options_to_javascript!(html_options, url)
-          tag_options = tag_options(html_options)
-        else
-          tag_options = nil
-        end
-
-        href_attr = "href=\"#{url}\"" unless href
-        "<a #{href_attr}#{tag_options}>#{ERB::Util.h(name || url)}</a>".html_safe
-      end
-    end
-  end
 end

 Module.class_eval { include RailsXss::SafeHelpers }
-ActionController::Base.helper(RailsXss::HelperOverrides)
--- a/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
+++ b/vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
@ -11,8 +11,10 @@ module RailsXss
      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
    end

+    BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
    def add_expr_literal(src, code)
-      if code =~ /\s*raw\s+(.*)/
+      if code =~ BLOCK_EXPR
        src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
      else
        src << '@output_buffer << ((' << code << ').to_s);'
--- a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
+++ b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
@ -9,6 +9,19 @@ ActiveSupport::SafeBuffer.class_eval do
    end
  end
  alias << concat
+  UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
+
+  for unsafe_method in UNSAFE_STRING_METHODS
+    class_eval <<-EOT, __FILE__, __LINE__
+      def #{unsafe_method}(*args)
+        super.to_str
+      end
+  
+      def #{unsafe_method}!(*args)
+        raise TypeError, "Cannot modify SafeBuffer in place"
+      end
+    EOT
+  end
 end

 class String