deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Rails_xss Plugin

Browse source 
I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
This commit is contained in:
Jacques Distler 2010-05-26 00:27:49 -05:00
parent d6be09e0f0
commit a5e08f7bcc
343 changed files with 43874 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

197
vendor/plugins/erubis-2.6.5/lib/erubis/helpers/rails_form_helper.rb vendored Normal file
View file

@ -0,0 +1,197 @@
###
### $Release: 2.6.5 $
### copyright(c) 2006-2009 kuwata-lab.com all rights reserved.
###
module Erubis
module Helpers
module RailsFormHelper
end
end
end
module Erubis::Helpers::RailsFormHelper
if ActionPack::VERSION::MAJOR == 1 ### Rails 1.X
def pp_template_filename(basename)
return "#{RAILS_ROOT}/app/views/#{controller.controller_name}/#{basename}.rhtml"
end
else ### Rails 2.X
def pp_template_filename(basename)
fname = "#{RAILS_ROOT}/app/views/#{controller.controller_name}/#{basename}.html.erb"
return fname if test(?f, fname)
return "#{RAILS_ROOT}/app/views/#{controller.controller_name}/#{basename}.rhtml"
end
end
def pp_render_partial(basename)
basename = "_#{basename}" unless basename[0] == ?_
filename = pp_template_filename(basename)
preprocessor = _create_preprocessor(File.read(filename))
return preprocessor.evaluate(_preprocessing_context_object())
end
def pp_error_on(object_name, method)
s = ''
s << "<% _stag, _etag = _pp_error_tags(@#{object_name}.errors.on('#{method}')) %>"
s << "<%= _stag %>"
s << yield(object_name, method)
s << "<%= _etag %>"
return s
end
def _pp_error_tags(value)
return value ? ['<div class="fieldWithErrors">', '</div>'] : ['', '']
end
def _pp_remove_error_div(s)
s.sub!(/\A<div class="fieldWithErrors">(.*)<\/div>\z/, '\1')
return s
end
def pp_tag_helper(helper, object_name, method, options={})
if object_name.is_a?(ActionView::Helpers::FormHelper)
object_name = object_name.object_name
end
unless options.key?(:value) || options.key?('value')
options['value'] = _?("h @#{object_name}.#{method}")
end
#$stderr.puts "*** debug: pp_tag_helper(): options=#{options.inspect}"
return pp_error_on(object_name, method) {
s = __send__(helper, object_name, method, options)
_pp_remove_error_div(s)
}
end
def pp_form_tag(url_for_options={}, options={}, *parameters_for_url, &block)
return form_tag(url_for_options, options, *parameters_for_url, &block)
end
#--
#def pp_form_for(object_name, *args, &block)
# return form_for(object_name, *args, &block)
#end
#++
def pp_text_field(object_name, method, options={})
return pp_tag_helper(:text_field, object_name, method, options)
end
def pp_password_field(object_name, method, options={})
return pp_tag_helper(:password_field, object_name, method, options)
end
def pp_hidden_field(object_name, method, options={})
return pp_tag_helper(:hidden_field, object_name, method, options)
end
def pp_file_field(object_name, method, options={})
return pp_tag_helper(:file_field, object_name, method, options)
end
def pp_text_area(object_name, method, options={})
return pp_tag_helper(:text_area, object_name, method, options)
end
def pp_check_box(object_name, method, options={}, checked_value="1", unchecked_value="0")
s = check_box(object_name, method, options, checked_value, unchecked_value)
s.sub!(/\schecked=\"checked\"/, '')
s.sub!(/type="checkbox"/, "\\&<%= _pp_check_box_checked?(@#{object_name}.#{method}, #{checked_value.inspect}) ? ' checked=\"checked\"' : '' %>")
return pp_error_on(object_name, method) { _pp_remove_error_div(s) }
end
def _pp_check_box_checked?(value, checked_value)
return ActionView::Helpers::InstanceTag::check_box_checked?(value, checked_value)
end
def pp_radio_button(object_name, method, tag_value, options={})
s = radio_button(object_name, method, tag_value, options)
s.sub!(/\schecked=\"checked\"/, '')
s.sub!(/type="radio"/, "\\&<%= _pp_radio_button_checked?(@#{object_name}.#{method}, #{tag_value.inspect}) ? ' checked=\"checked\"' : '' %>")
return pp_error_on(object_name, method) { _pp_remove_error_div(s) }
end
def _pp_radio_button_checked?(value, tag_value)
return ActionView::Helpers::InstanceTag::radio_button_checked?(value, tag_value)
end
def _pp_select(object, method, collection, priority_collection, options={}, html_options={})
return pp_error_on(object, method) do
s = ""
## start tag
s << "<select id=\"#{object}_#{method}\" name=\"#{object}[#{method}]\""
for key, val in html_options:
s << " #{key}=\"#{val}\""
end
s << ">\n"
## selected table
key = options.key?(:value) ? :value : (options.key?('value') ? 'value' : nil)
if key.nil? ; selected = "@#{object}.#{method}"
elsif (val=options[key]).nil? ; selected = nil
elsif val =~ /\A<%=(.*)%>\z/ ; selected = $1
else ; selected = val.inspect
end
s << "<% _table = {#{selected}=>' selected=\"selected\"'} %>\n" if selected
## <option> tags
if options[:include_blank] || options['include_blank']
s << "<option value=\"\"></option>\n"
end
unless priority_collection.blank?
_pp_select_options(s, priority_collection, selected, 'delete')
s << "<option value=\"\">-------------</option>\n"
end
_pp_select_options(s, collection, selected, '[]')
## end tag
s << "</select>"
s
end
end
def _pp_select_options(s, collection, selected, operator)
for item in collection
value, text = item.is_a?(Array) ? item : [item, item]
if !selected
t = ''
elsif operator == 'delete'
t = "<%= _table.delete(#{value.inspect}) %>"
else
t = "<%= _table[#{value.inspect}] %>"
end
s << "<option value=\"#{h value}\"#{t}>#{h text}</option>\n"
end
end
def pp_select(object, method, collection, options={}, html_options={})
return _pp_select(object, method, collection, nil, options, html_options)
end
def pp_collection_select(object, method, collection, value_method, text_method, options={}, html_options={})
collection2 = collection.collect { |e|
[e.__send__(value_method), e.__send__(text_method)]
}
return _pp_select(object, method, collection2, nil, options, html_options)
end
def pp_country_select(object, method, priority_countries=nil, options={}, html_options={})
collection = ActionView::Helpers::FormOptionsHelper::COUNTRIES
return _pp_select(object, method, collection, priority_countries, options, html_options)
end
def pp_time_zone_select(object, method, priority_zones=nil, options={}, html_options={})
model = options[:model] || options['model'] || TimeZone
collection = model.all.collect { |e| [e.name, e.to_s] }
return _pp_select(object, method, collection, priority_zones, options, html_options)
end
def pp_submit_tag(value="Save changes", options={})
return submit_tag(value, options)
end
def pp_image_submit_tag(source, options={})
return image_submit_tag(source, options)
end
end

353
vendor/plugins/erubis-2.6.5/lib/erubis/helpers/rails_helper.rb vendored Normal file
View file

@ -0,0 +1,353 @@
###
### $Release: 2.6.5 $
### copyright(c) 2006-2009 kuwata-lab.com all rights reserved.
###
require 'erubis'
require 'erubis/preprocessing'
module Erubis
class Eruby
include ErboutEnhancer # will generate '_erbout = _buf = ""; '
end
class FastEruby
include ErboutEnhancer # will generate '_erbout = _buf = ""; '
end
module Helpers
##
## helper module for Ruby on Rails
##
## howto:
##
## 1. add the folliwng code in your 'config/environment.rb'
##
## require 'erubis/helpers/rails_helper'
## #Erubis::Helpers::RailsHelper.engine_class = Erubis::Eruby # or Erubis::FastEruby
## #Erubis::Helpers::RailsHelper.init_properties = {}
## #Erubis::Helpers::RailsHelper.show_src = false # set true for debugging
## #Erubis::Helpers::RailsHelper.preprocessing = true # set true to enable preprocessing
##
## 2. restart web server.
##
## if Erubis::Helper::Rails.show_src is true, Erubis prints converted Ruby code
## into log file ('log/development.log' or so). if false, it doesn't.
## if nil, Erubis prints converted Ruby code if ENV['RAILS_ENV'] == 'development'.
##
module RailsHelper
#cattr_accessor :init_properties
@@engine_class = ::Erubis::Eruby
#@@engine_class = ::Erubis::FastEruby
def self.engine_class
@@engine_class
end
def self.engine_class=(klass)
@@engine_class = klass
end
#cattr_accessor :init_properties
@@init_properties = {}
def self.init_properties
@@init_properties
end
def self.init_properties=(hash)
@@init_properties = hash
end
#cattr_accessor :show_src
@@show_src = nil
def self.show_src
@@show_src
end
def self.show_src=(flag)
@@show_src = flag
end
#cattr_accessor :preprocessing
@@preprocessing = false
def self.preprocessing
@@preprocessing
end
def self.preprocessing=(flag)
@@preprocessing = flag
end
## define class for backward-compatibility
class PreprocessingEruby < Erubis::PreprocessingEruby # :nodoc:
end
module TemplateConverter
## covert eRuby string into ruby code
def _convert_template(template) # :nodoc:
#src = ::Erubis::Eruby.new(template).src
klass = ::Erubis::Helpers::RailsHelper.engine_class
properties = ::Erubis::Helpers::RailsHelper.init_properties
show_src = ::Erubis::Helpers::RailsHelper.show_src
show_src = ENV['RAILS_ENV'] == 'development' if show_src.nil?
## preprocessing
if ::Erubis::Helpers::RailsHelper.preprocessing
preprocessor = _create_preprocessor(template)
template = preprocessor.evaluate(_preprocessing_context_object())
_logger_info "** Erubis: preprocessed==<<'END'\n#{template}END\n" if show_src
end
## convert into ruby code
src = klass.new(template, properties).src
#src.insert(0, '_erbout = ')
_logger_info "** Erubis: src==<<'END'\n#{src}END\n" if show_src
return src
end
def _create_preprocessor(template)
return PreprocessingEruby.new(template, :escape=>true)
end
def _preprocessing_context_object
return self
end
def _logger_info(message)
logger.info message
end
end
end
end
end
class ActionView::Base # :nodoc:
include ::Erubis::Helpers::RailsHelper::TemplateConverter
include ::Erubis::PreprocessingHelper
private
# convert template into ruby code
def convert_template_into_ruby_code(template)
#ERB.new(template, nil, @@erb_trim_mode).src
return _convert_template(template)
end
end
require 'action_pack/version'
rails22 = false
if ActionPack::VERSION::MAJOR >= 2 ### Rails 2.X
if ActionPack::VERSION::MINOR >=2 ### Rails 2.2, 2.3 or higher
rails22 = true
module ActionView
module TemplateHandlers
class ErubisHandler < TemplateHandler
include Compilable
include ::Erubis::Helpers::RailsHelper::TemplateConverter
include ::Erubis::PreprocessingHelper
def compile(template)
#src = ::ERB.new("<% __in_erb_template=true %>#{template.source}", nil, erb_trim_mode, '@output_buffer').src
return _convert_template("<% __in_erb_template=true %>#{template.source}")
end
end
end
handler_klass = TemplateHandlers::ErubisHandler
Template.register_default_template_handler :erb, handler_klass
Template.register_template_handler :rhtml, handler_klass
end
module Erubis::Helpers::RailsHelper::TemplateConverter
def _logger_info(message)
#logger.info message # logger.info seems not available in Rails 2.2
ActionController::Base.new.logger.info message
end
end
elsif ActionPack::VERSION::MINOR >=1 ### Rails 2.1
module ActionView
module TemplateHandlers # :nodoc:
class ErubisHandler < TemplateHandler
include Compilable
include Erubis::Helpers::RailsHelper::TemplateConverter
include Erubis::PreprocessingHelper
#
def compile(template)
return _convert_template(template.source) # template.is_a?(ActionView::Template)
end
def logger #:nodoc:
return @view.controller.logger
end
def _preprocessing_context_object #:nodoc:
return @view.controller.instance_variable_get('@template')
end
#
def cache_fragment(block, name = {}, options = nil) #:nodoc:
@view.fragment_for(block, name, options) do
#eval(ActionView::Base.erb_variable, block.binding)
eval('_buf', block.binding)
end
end
end
end
handler_klass = TemplateHandlers::ErubisHandler
Template.register_default_template_handler :erb, handler_klass
Template.register_template_handler :rhtml, handler_klass
end
elsif ActionPack::VERSION::TINY >= 2 ### Rails 2.0.X (X >= 2)
module ActionView
module TemplateHandlers # :nodoc:
class ErubisHandler < TemplateHandler
include Erubis::Helpers::RailsHelper::TemplateConverter
include Erubis::PreprocessingHelper
def compile(template)
return _convert_template(template) # template.is_a?(String)
end
def logger #:nodoc:
return @view.controller.logger
end
def _preprocessing_context_object #:nodoc:
return @view.controller.instance_variable_get('@template')
end
end
end
Base.class_eval do
handler_klass = TemplateHandlers::ErubisHandler
register_default_template_handler :erb, handler_klass
register_template_handler :rhtml, handler_klass
end
end
else ### Rails 2.0.0 or 2.0.1
class ActionView::Base # :nodoc:
private
# Method to create the source code for a given template.
def create_template_source(extension, template, render_symbol, locals)
if template_requires_setup?(extension)
body = case extension.to_sym
when :rxml, :builder
content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
"#{content_type_handler}.content_type ||= Mime::XML\n" +
"xml = Builder::XmlMarkup.new(:indent => 2)\n" +
template +
"\nxml.target!\n"
when :rjs
"controller.response.content_type ||= Mime::JS\n" +
"update_page do |page|\n#{template}\nend"
end
else
#body = ERB.new(template, nil, @@erb_trim_mode).src
body = convert_template_into_ruby_code(template)
end
#
@@template_args[render_symbol] ||= {}
locals_keys = @@template_args[render_symbol].keys | locals
@@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
#
locals_code = ""
locals_keys.each do |key|
locals_code << "#{key} = local_assigns[:#{key}]\n"
end
#
"def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
end
end
end #if
else ### Rails 1.X
if ActionPack::VERSION::MINOR > 12 ### Rails 1.2
class ActionView::Base # :nodoc:
private
# Create source code for given template
def create_template_source(extension, template, render_symbol, locals)
if template_requires_setup?(extension)
body = case extension.to_sym
when :rxml
"controller.response.content_type ||= 'application/xml'\n" +
"xml = Builder::XmlMarkup.new(:indent => 2)\n" +
template
when :rjs
"controller.response.content_type ||= 'text/javascript'\n" +
"update_page do |page|\n#{template}\nend"
end
else
#body = ERB.new(template, nil, @@erb_trim_mode).src
body = convert_template_into_ruby_code(template)
end
#
@@template_args[render_symbol] ||= {}
locals_keys = @@template_args[render_symbol].keys | locals
@@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
#
locals_code = ""
locals_keys.each do |key|
locals_code << "#{key} = local_assigns[:#{key}]\n"
end
#
"def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
end
end
else ### Rails 1.1
class ActionView::Base # :nodoc:
private
# Create source code for given template
def create_template_source(extension, template, render_symbol, locals)
if template_requires_setup?(extension)
body = case extension.to_sym
when :rxml
"xml = Builder::XmlMarkup.new(:indent => 2)\n" +
"@controller.headers['Content-Type'] ||= 'application/xml'\n" +
template
when :rjs
"@controller.headers['Content-Type'] ||= 'text/javascript'\n" +
"update_page do |page|\n#{template}\nend"
end
else
#body = ERB.new(template, nil, @@erb_trim_mode).src
body = convert_template_into_ruby_code(template)
end
#
@@template_args[render_symbol] ||= {}
locals_keys = @@template_args[render_symbol].keys | locals
@@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
#
locals_code = ""
locals_keys.each do |key|
locals_code << "#{key} = local_assigns[:#{key}] if local_assigns.has_key?(:#{key})\n"
end
#
"def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
end
end
end #if
## make h() method faster (only for Rails 1.X)
module ERB::Util # :nodoc:
ESCAPE_TABLE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }
def h(value)
value.to_s.gsub(/[&<>"]/) {|s| ESCAPE_TABLE[s] }
end
module_function :h
end
end ###
## finish
ActionController::Base.new.logger.info "** Erubis #{::Erubis::VERSION}"
$stdout.puts "** Erubis #{::Erubis::VERSION}" if rails22