a5e08f7bcc
I installed the rails_xss plugin, for the main purpose of seeing what will break with Rails 3.0 (where the behaviour of the plugin is the default). I think I've fixed everything, but let me know if you see stuff that is HTML-escaped, which shouldn't be. As a side benefit, we now use Erubis, rather than ERB, to render templates. They tell me it's faster ...
59 lines
992 B
Ruby
```ruby
###
### $Release: 2.6.5 $
### copyright(c) 2006-2009 kuwata-lab.com all rights reserved.
###

require 'cgi'

module Erubis

  ##
  ## for preprocessing
  ##
  class PreprocessingEruby < Erubis::Eruby

    def initialize(input, params={})
      params = params.dup
      params[:pattern] ||= '\[% %\]'    # use '[%= %]' instead of '<%= %>'
      #params[:escape] = true           # transport '[%= %]' and '[%== %]'
      super
    end

    # Preprocess-time escaped expressions ('[%== %]') are routed through
    # _decode so that runtime '<%= %>' tags they produce are not left encoded.
    def add_expr_escaped(src, code)
      add_expr_literal(src, "_decode((#{code}))")
    end

  end

  ##
  ## helper methods for preprocessing
  ##
  module PreprocessingHelper

    module_function

    # Emit a runtime tag whose value is output as-is (no h() call).
    def _p(arg)
      return "<%=#{arg}%>"
    end

    # Emit a runtime tag whose value is passed through h() (HTML-escaped).
    def _P(arg)
      return "<%=h(#{arg})%>"
    end

    alias _? _p

    # Restore '<%= %>' tags that were URL-encoded or HTML-escaped while the
    # preprocessing pass rendered them inside an escaped context.
    def _decode(arg)
      arg = arg.to_s
      arg.gsub!(/%3C%25(?:=|%3D)(.*?)%25%3E/) { "<%=#{CGI.unescape($1)}%>" }
      arg.gsub!(/<%=(.*?)%>/) { "<%=#{CGI.unescapeHTML($1)}%>" }
      return arg
    end

  end

end
```
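The commit message's concern (values HTML-escaped that should not be, once `<%= %>` escapes by default) comes down to whether a string is marked as already safe. The following is an added example, not code from the commit, rails_xss, or Erubis: a deliberately simplified model of an escape-by-default output buffer and an `h()` that marks its result safe, used to show what the `_p`-style tag (`<%=x%>`) and the `_P`-style tag (`<%=h(x)%>`) from the helper above each produce under that rule. `SafeString`, `OutputBuffer` and `render_expression` are names invented for this example.

```ruby
require 'cgi'

# Constructed stand-in for the "safe buffer" idea: a String subclass whose
# contents are taken as already escaped (or deliberately trusted markup).
class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

class SafeString < String
  def html_safe?; true; end
end

# h() as the escape-by-default model needs it: escape untrusted input, then
# mark the result safe so the buffer does not escape it a second time.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s).html_safe
end

# Output buffer applying the escape-by-default rule: anything not marked
# safe is escaped on the way out, safe strings are appended verbatim.
class OutputBuffer
  def initialize; @out = String.new; end

  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    text = value.to_s   # note: to_s on a String subclass returns a plain String
    @out << (safe ? text : CGI.escapeHTML(text))
    self
  end

  def to_s; @out.dup; end
end

# Render one expression the way a '<%=x%>' (escape_with_h: false) or a
# '<%=h(x)%>' (escape_with_h: true) tag would be rendered by the model.
def render_expression(value, escape_with_h:)
  buf = OutputBuffer.new
  buf << (escape_with_h ? h(value) : value)
  buf.to_s
end

if __FILE__ == $0
  puts render_expression("<b>hi</b>", escape_with_h: false)           # escaped by default
  puts render_expression("a & b", escape_with_h: true)                 # escaped once, not twice
  puts render_expression("<b>hi</b>".html_safe, escape_with_h: false)  # trusted markup passes
end
```

Trusted markup only renders unescaped when it is explicitly marked safe, which is the audit the commit asks for: each place that now shows escaped tags is an expression that needs that marking, after confirming the value is not user-controlled.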