Rails_xss Plugin

I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...

app/helpers/application_helper.rb

@@ -31,7 +31,7 @@ require 'stringsupport'
       end
     end
     
-    html_options.join("\n")
+    html_options.join("\n").html_safe
   end
 
   # Creates a hyperlink to a Wiki page, without checking if the page exists or not
@@ -39,18 +39,18 @@ require 'stringsupport'
     link_to(
         text || page.plain_name, 
         {:web => @web.address, :action => 'show', :id => page.name, :only_path => true},
-        html_options)
+        html_options).html_safe
   end
   
   # Creates a hyperlink to a Wiki page, or to a "new page" form if the page doesn't exist yet
   def link_to_page(page_name, web = @web, text = nil, options = {})
     raise 'Web not defined' if web.nil?
     UrlGenerator.new(@controller).make_link(@web, page_name, web, text, 
-        options.merge(:base_url => "#{base_url}/#{web.address}"))
+        options.merge(:base_url => "#{base_url}/#{web.address}")).html_safe
   end
 
   def author_link(page, options = {})
-    UrlGenerator.new(@controller).make_link(@web, page.author.name, page.web, nil, options)
+    UrlGenerator.new(@controller).make_link(@web, page.author.name, page.web, nil, options).purify.html_safe
   end
 
   # Create a hyperlink to a particular revision of a Wiki page
@@ -59,19 +59,19 @@ require 'stringsupport'
       link_to(
         text || page.plain_name,
             {:web => @web.address, :action => 'show', :id => page.name,
-               :mode => mode}, html_options) :
+               :mode => mode}, html_options).html_safe :
       link_to(
-        text || page.plain_name + "(rev # #{revision_number})",
+        text || page.plain_name + "(rev # #{revision_number})".html_safe,
             {:web => @web.address, :action => 'revision', :id => page.name,
-              :rev => revision_number, :mode => mode}, html_options)
+              :rev => revision_number, :mode => mode}, html_options).html_safe
   end
 
   # Create a hyperlink to the history of a particular Wiki page
   def link_to_history(page, text = nil, html_options = {})
     link_to(
-        text || page.plain_name + "(history)",
+        text || page.plain_name + "(history)".html_safe,
             {:web => @web.address, :action => 'history', :id => page.name},
-            html_options)
+            html_options).html_safe
   end
 
   def base_url
@@ -84,13 +84,13 @@ require 'stringsupport'
     if @categories.empty?
       ''
     else 
-      "<div id=\"categories\">\n" +
+      ("<div id=\"categories\">\n" +
       '<strong>Categories</strong>:' +
       '[' + link_to_unless_current('Any', :web => @web.address, :action => self.action_name, :category => nil) + "]\n" +
       @categories.map { |c| 
-        link_to_unless_current(c, :web => @web.address, :action => self.action_name, :category => c)
+        link_to_unless_current(c.html_safe, :web => @web.address, :action => self.action_name, :category => c)
       }.join(', ') + "\n" +
-      '</div>'
+      '</div>').html_safe
     end
   end
 
@@ -115,14 +115,14 @@ require 'stringsupport'
   def truncate(text, *args)
     options = args.extract_options!
     options.reverse_merge!(:length => 30, :omission => "...")
-    return text if text.num_chars <= options[:length]
+    return text.html_safe if text.num_chars <= options[:length]
     len = options[:length] - options[:omission].as_utf8.num_chars
     t = ''
     text.split.collect do |word|
       if t.num_chars + word.num_chars <= len
         t << word + ' '
       else 
-        return t.chop + options[:omission]
+        return (t.chop + options[:omission]).html_safe
       end
     end
   end

app/models/page.rb

@@ -90,7 +90,7 @@ class Page < ActiveRecord::Base
 
   # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
   def plain_name
-    web.brackets_only? ? name.escapeHTML : WikiWords.separate(name).escapeHTML
+    web.brackets_only? ? name.escapeHTML.html_safe : WikiWords.separate(name).escapeHTML.html_safe
   end
 
   LOCKING_PERIOD = 30.minutes

app/views/admin/edit_web.rhtml

@@ -46,18 +46,18 @@
         }, @web.color) %>
     </select>
     <p>
-      <input type="checkbox" class="disableAutoComplete" id="safe_mode" name="safe_mode" <%= 'checked="checked"' if @web.safe_mode? %> /> 
+      <input type="checkbox" class="disableAutoComplete" id="safe_mode" name="safe_mode" <%= raw 'checked="checked"' if @web.safe_mode? %> /> 
       <label for="safe_mode">Safe mode
       <em>- strip HTML tags and stylesheet options from the content of all pages</em></label>
       <br/>
-      <input type="checkbox" class="disableAutoComplete" id="brackets_only" name="brackets_only" <%= 'checked="checked"' if @web.brackets_only? %> /> 
+      <input type="checkbox" class="disableAutoComplete" id="brackets_only" name="brackets_only" <%= raw 'checked="checked"' if @web.brackets_only? %> /> 
       <label for="brackets_only">Brackets only 
       <em>- require all wiki words to be as [[wiki word]], WikiWord links won't be created</em></label>
       <br/>
-      <input type="checkbox" class="disableAutoComplete" id="count_pages" name="count_pages" <%= 'checked="checked"' if @web.count_pages? %> /> 
+      <input type="checkbox" class="disableAutoComplete" id="count_pages" name="count_pages" <%= raw 'checked="checked"' if @web.count_pages? %> /> 
       <label for="count_pages">Count pages</label>
       <br/>
-      <input type="checkbox" class="disableAutoComplete" name="allow_uploads" <%= 'checked="checked"' if @web.allow_uploads? %> /> 
+      <input type="checkbox" class="disableAutoComplete" name="allow_uploads" <%= raw 'checked="checked"' if @web.allow_uploads? %> /> 
       Allow uploads of no more than 
       <input type="text" class="disableAutoComplete" name="max_upload_size" value="<%= @web.max_upload_size %>" 
              size="20" /> 
@@ -100,7 +100,7 @@
     The published version is accessible through URLs like /<%= @web.address %>/published/HomePage.
   </div>
   <div class="inputBox">
-    <input type="checkbox" id="published" name="published" class="disableAutoComplete" <%= 'checked="checked"' if @web.published? %> /> 
+    <input type="checkbox" id="published" name="published" class="disableAutoComplete" <%= raw 'checked="checked"' if @web.published? %> /> 
     <label for="published">Publish this web</label>
   </div>
 

app/views/file/delete.html.erb

@@ -1,5 +1,5 @@
 <%-
-  @title = "Delete #{@file_name}"
+  @title = "Delete #{@file_name}".html_safe
   @hide_navigation = true
 -%>
 

app/views/wiki/_inbound_links.rhtml

@@ -1,13 +1,13 @@
 <%- unless @page.linked_from.empty? -%>
   <span class="linked">
     | Linked from: 
-    <%= @page.linked_from.collect { |referring_page| link_to_existing_page referring_page }.join(", ") %>
+    <%= @page.linked_from.collect { |referring_page| link_to_existing_page referring_page }.join(", ").html_safe %>
   </span>
 <%- end -%>
 
 <%- unless @page.included_from.empty? -%>
   <span class="linked">
     | Included from: 
-    <%= @page.included_from.collect { |referring_page| link_to_existing_page referring_page }.join(", ") %>
+    <%= @page.included_from.collect { |referring_page| link_to_existing_page referring_page }.join(", ").html_safe %>
   </span>
 <%- end -%>

app/views/wiki/authors.rhtml

@@ -5,7 +5,7 @@
     <li>
       <%= link_to_page author.purify %>
       co- or authored:
-      <%= @page_names_by_author[author].collect { |page_name| link_to_page(page_name) }.sort.join ', ' %>
+      <%= raw @page_names_by_author[author].collect { |page_name| link_to_page(page_name) }.sort.join ', ' %>
     </li>
   <%- end -%>
 </ul>

app/views/wiki/edit.rhtml

@@ -1,5 +1,5 @@
 <%- 
-  @title = "Editing #{@page.name.escapeHTML}"
+  @title = "Editing #{@page.name.escapeHTML}".html_safe
   @content_width = 720
   @hide_navigation = true
 -%>

app/views/wiki/file_list.html.erb

@@ -20,7 +20,7 @@
       <a href="<%= url_for :web => @web.address, :action => 'files', 
             :id => file.file_name %>"><%= file.file_name%></a> (<%= file.created_at.asctime %>) <span class="linked"><%= "Linked to by: " unless
             @web.pages_that_link_to_file(file.file_name).empty? -%>
-            <%= @web.pages_that_link_to_file(file.file_name).collect { |referring_page|  link_to_page(referring_page) }.join(", ") %></span>
+            <%= @web.pages_that_link_to_file(file.file_name).collect { |referring_page|  link_to_page(referring_page) }.join(", ").html_safe %></span>
     </li>
   <%- end -%>
   </ul>

app/views/wiki/history.html.erb

@@ -1,4 +1,4 @@
-<%- @title = @page.plain_name + " (history)" -%>
+<%- @title = @page.plain_name + " (history)".html_safe -%>
 <%- @show_footer = true -%>
 
 <%- @revisions_by_day.keys.sort.reverse.each do |day| -%>

app/views/wiki/list.rhtml

@@ -41,7 +41,7 @@
       wanted by
       <%= @web.select.pages_that_reference(wanted_page_name).collect { |referring_page|            
             link_to_existing_page referring_page
-          }.join(", ") 
+          }.join(", ").html_safe 
       %>
     </li>
   <%- end -%>

app/views/wiki/page.rhtml

@@ -1,6 +1,6 @@
 <%- 
   @title = @page.plain_name
-  @title += ' (changes)' if @show_diff 
+  @title += ' (changes)' if @show_diff
   @show_footer = true
 -%>
 
@@ -18,7 +18,7 @@
 
 <div class="byline">
   <%= @page.revisions? ? "Revised" : "Created" %> on <%= format_date(@page.revised_at) %> 
-  by <%= author_link(@page).purify %>
+  by <%= author_link(@page) %>
   <%= "(#{@page.author.ip})" if @page.author.respond_to?(:ip) %>
   <% if @web.count_pages? %>
     <% total_chars = @page.content.length %>
@@ -28,7 +28,7 @@
 
 <div class="navigation navfoot">
 
-  <%= navigation_menu_for_page.join(' | ') %>
+  <%= raw navigation_menu_for_page.join(' | ') %>
   
   <span class="views">
     | Views: 

app/views/wiki/revision.rhtml

@@ -1,5 +1,5 @@
 <%- 
-  @title = "#{@page.plain_name} (Rev ##{@revision_number}#{@show_diff ? ', changes' : ''})"
+  @title = "#{@page.plain_name} (Rev ##{@revision_number}#{@show_diff ? ', changes' : ''})".html_safe
 -%>
 
 
@@ -21,6 +21,6 @@
 </div>
 
 <div class="navigation navfoot">
-  <%= navigation_menu_for_revision.join(' | ') %>
+  <%= raw navigation_menu_for_revision.join(' | ') %>
   <%= render :partial => 'inbound_links' %>
 </div>

app/views/wiki/rollback.rhtml

@@ -1,5 +1,5 @@
 <%- 
-  @title = "Rollback to #{@page.plain_name} Rev ##{@revision_number}"
+  @title = "Rollback to #{@page.plain_name} Rev ##{@revision_number}".html_safe
   @content_width = 720
   @hide_navigation = true
 -%>

app/views/wiki/tex.rhtml

@@ -247,6 +247,6 @@
 
 \section*{<%= @page.name %>}
 
-<%= @tex_content %>
+<%= @tex_content.html_safe %>
 
 \end{document}

app/views/wiki/web_list.rhtml

@@ -19,7 +19,7 @@
 	- Last Update: <%= web.last_page.nil? ? format_date(web.created_at) : format_date(web.last_page.revised_at) %><br/>
 	<%- if ! web.last_page.nil? -%> 
         Last Document: <%= link_to_page(web.last_page.name,web) %> 
-        <%= web.last_page.revisions? ? "Revised" : "Created" %> by <%= author_link(web.last_page).purify %> (<%= web.last_page.current_revision.ip %>)
+        <%= web.last_page.revisions? ? "Revised" : "Created" %> by <%= author_link(web.last_page) %> (<%= web.last_page.current_revision.ip %>)
 	<%- end -%>
     </div>
   </div>