a5e08f7bcc
I installed the rails_xss plugin, for the main purpose of seeing what will break with Rails 3.0 (where the behaviour of the plugin is the default). I think I've fixed everything, but let me know if you see stuff that is HTML-escaped, which shouldn't be. As a side benefit, we now use Erubis, rather than ERB, to render templates. They tell me it's faster ...
85 lines
1.7 KiB
Ruby
```ruby
##
## $Release: 2.6.5 $
## copyright(c) 2006-2009 kuwata-lab.com all rights reserved.
##

require 'abstract'

module Erubis


  ##
  ## code generator, called by Converter module
  ##
  module Generator

    def self.supported_properties()  # :nodoc:
      return [
        [:escapefunc,    nil,    "escape function name"],
      ]
    end

    attr_accessor :escapefunc

    def init_generator(properties={})
      @escapefunc = properties[:escapefunc]
    end


    ## (abstract) escape text string
    ##
    ## ex.
    ##   def escape_text(text)
    ##     return text.dump
    ##     # or return "'" + text.gsub(/['\\]/, '\\\\\&') + "'"
    ##   end
    def escape_text(text)
      not_implemented
    end

    ## return escaped expression code (ex. 'h(...)' or 'htmlspecialchars(...)')
    def escaped_expr(code)
      code.strip!
      return "#{@escapefunc}(#{code})"
    end

    ## (abstract) add @preamble to src
    def add_preamble(src)
      not_implemented
    end

    ## (abstract) add text string to src
    def add_text(src, text)
      not_implemented
    end

    ## (abstract) add statement code to src
    def add_stmt(src, code)
      not_implemented
    end

    ## (abstract) add expression literal code to src. this is called by add_expr().
    def add_expr_literal(src, code)
      not_implemented
    end

    ## (abstract) add escaped expression code to src. this is called by add_expr().
    def add_expr_escaped(src, code)
      not_implemented
    end

    ## (abstract) add expression code to src for debug. this is called by add_expr().
    def add_expr_debug(src, code)
      not_implemented
    end

    ## (abstract) add @postamble to src
    def add_postamble(src)
      not_implemented
    end


  end


end
```
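The commit message is about what changes when HTML escaping becomes the default, and the file above is the generator interface that decides, per `<%= %>` tag, whether the emitted Ruby calls the `:escapefunc` or not. The following is an added, self-contained example (not Erubis' own `RubyGenerator`/`Converter`, and not code from this commit) that implements the abstract methods of `Generator` in a hypothetical `DemoRubyGenerator`, drives it from a deliberately simplified tokenizer (`DemoConverter`, no trim modes), and renders one constructed template twice: once with the Erubis default (`<%= %>` raw, `<%== %>` escaped) and once with an `escape:` switch that swaps the two, which is how the "escape by default" behaviour the commit message refers to looks at the code-generation level. The names `h`, `render`, `demo`, `TEMPLATE` and `INPUT` are all assumptions of this example.

```ruby
require 'cgi'

# Escape helper that the generated code calls by name; it plays the role of the
# Generator's :escapefunc property (Rails' h()). Assumed name for this example.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Concrete implementation of the abstract Generator interface above.
# Hypothetical class; not Erubis' RubyGenerator.
class DemoRubyGenerator
  attr_accessor :escapefunc

  def initialize(escapefunc: 'h')
    @escapefunc = escapefunc
  end

  # Quote literal template text as a Ruby single-quoted string literal.
  def escape_text(text)
    "'" + text.gsub(/['\\]/, '\\\\\&') + "'"
  end

  # Wrap an expression in the escape function, e.g. "h(name)".
  def escaped_expr(code)
    "#{@escapefunc}(#{code.strip})"
  end

  def add_preamble(src)
    src << "_buf = String.new; "
  end

  def add_text(src, text)
    src << "_buf << #{escape_text(text)}; " unless text.empty?
  end

  def add_stmt(src, code)
    src << code.strip << "; "
  end

  # Raw interpolation: the value reaches the buffer unescaped (XSS sink if tainted).
  def add_expr_literal(src, code)
    src << "_buf << (#{code.strip}).to_s; "
  end

  # Escaped interpolation: the value passes through the escape function first.
  def add_expr_escaped(src, code)
    src << "_buf << #{escaped_expr(code)}; "
  end

  def add_postamble(src)
    src << "_buf"
  end
end

# Simplified converter: tokenizes <% %>, <%= %>, <%== %>, <%# %> and drives the
# generator. `escape: true` swaps which tag is escaped, modelling an
# escape-by-default configuration (assumed here; check Erubis' own :escape option).
class DemoConverter
  TAG = /<%(==?|#)?(.*?)%>/m

  def initialize(generator, escape: false)
    @gen = generator
    @escape = escape
  end

  def convert(template)
    src = String.new
    @gen.add_preamble(src)
    pos = 0
    template.scan(TAG) do
      m = Regexp.last_match
      @gen.add_text(src, template[pos...m.begin(0)])
      pos = m.end(0)
      indicator, code = m[1], m[2]
      case indicator
      when nil  then @gen.add_stmt(src, code)
      when '#'  then nil # template comment emits nothing
      when '='  then @escape ? @gen.add_expr_escaped(src, code) : @gen.add_expr_literal(src, code)
      when '==' then @escape ? @gen.add_expr_literal(src, code) : @gen.add_expr_escaped(src, code)
      end
    end
    @gen.add_text(src, template[pos..-1])
    @gen.add_postamble(src)
    src
  end
end

# Compile the template to Ruby source, then evaluate it with the given locals.
def render(template, locals, escape: false)
  src = DemoConverter.new(DemoRubyGenerator.new, escape: escape).convert(template)
  b = binding
  locals.each { |var, value| b.local_variable_set(var, value) }
  b.eval(src)
end

# Constructed template and input: `name` carries attacker-controlled markup,
# `badge` is trusted markup the view author wants to emit raw.
TEMPLATE = "<p>Hello, <%= name %>!</p>\n<% if admin %><b><%== badge %></b><% end %>\n"
INPUT = { name: '<script>alert(1)</script>', admin: true, badge: '<em>admin</em>' }

def demo
  {
    erubis_default:    render(TEMPLATE, INPUT),               # <%= %> raw, <%== %> escaped
    escape_by_default: render(TEMPLATE, INPUT, escape: true), # <%= %> escaped, <%== %> raw
  }
end
```

With the default mapping the `<script>` payload in `name` lands in the output verbatim, while under `escape: true` it is entity-encoded and the `<%== badge %>` tag that the author meant as raw now comes through unescaped; that inversion is exactly the class of "stuff that is HTML-escaped which shouldn't be" the commit message asks reviewers to look for, and it is decided entirely by which of `add_expr_literal`/`add_expr_escaped` the converter calls for a given tag.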