a5e08f7bcc
I installed the rails_xss plugin, for the main purpose of seeing what will break with Rails 3.0 (where the behaviour of the plugin is the default). I think I've fixed everything, but let me know if you see stuff that is HTML-escaped, which shouldn't be. As a side benefit, we now use Erubis, rather than ERB, to render templates. They tell me it's faster ...
48 lines
848 B
Ruby
48 lines
848 B
Ruby
##
|
|
## $Release: 2.6.5 $
|
|
## copyright(c) 2006-2009 kuwata-lab.com all rights reserved.
|
|
##
|
|
|
|
|
|
module Erubis
|
|
|
|
##
|
|
## helper for xml
|
|
##
|
|
module XmlHelper
|
|
|
|
module_function
|
|
|
|
ESCAPE_TABLE = {
|
|
'&' => '&',
|
|
'<' => '<',
|
|
'>' => '>',
|
|
'"' => '"',
|
|
"'" => ''',
|
|
}
|
|
|
|
def escape_xml(value)
|
|
value.to_s.gsub(/[&<>"]/) { |s| ESCAPE_TABLE[s] } # or /[&<>"']/
|
|
#value.to_s.gsub(/[&<>"]/) { ESCAPE_TABLE[$&] }
|
|
end
|
|
|
|
def escape_xml2(value)
|
|
return value.to_s.gsub(/\&/,'&').gsub(/</,'<').gsub(/>/,'>').gsub(/"/,'"')
|
|
end
|
|
|
|
alias h escape_xml
|
|
alias html_escape escape_xml
|
|
|
|
def url_encode(str)
|
|
return str.gsub(/[^-_.a-zA-Z0-9]+/) { |s|
|
|
s.unpack('C*').collect { |i| "%%%02X" % i }.join
|
|
}
|
|
end
|
|
|
|
alias u url_encode
|
|
|
|
end
|
|
|
|
|
|
end
|