
/scalate-jruby/src/main/resources/haml-3.0.25/lib/haml/helpers/xss_mods.rb

  1module Haml
  2  module Helpers
    # This module overrides Haml helpers to work properly
    # in the context of ActionView.
    # Currently it's only used for modifying the helpers
    # to work with Rails' XSS protection methods.
    #
    # Every public `*_with_haml_xss` method below does one of two things:
    # it escapes its string input through #haml_xss_html_escape, or it wraps
    # the underlying helper's output in `Haml::Util.html_safe`. A value marked
    # safe is handed on unescaped, so a wrapper only marks output that the
    # original helper is itself responsible for having escaped.
    module XssMods
      # Swaps each listed helper on +base+ for its `_with_haml_xss` variant and
      # keeps the original reachable as `<name>_without_haml_xss`. `base.send`
      # is used so the call works even where `alias_method` is private.
      def self.included(base)
        wrapped_helpers = %w[html_escape find_and_preserve preserve list_of surround
                             precede succeed capture_haml haml_concat haml_indent
                             haml_tag escape_once]
        wrapped_helpers.each do |helper|
          original = "#{helper}_without_haml_xss"
          replacement = "#{helper}_with_haml_xss"
          base.send(:alias_method, original, helper)
          base.send(:alias_method, helper, replacement)
        end
      end

      # Don't escape text that's already safe,
      # output is always HTML safe.
      # A value whose `to_s` already answers `html_safe?` is returned as the
      # caller passed it (not its `to_s`); anything else goes through the
      # original escaper and the escaped result is marked safe.
      def html_escape_with_haml_xss(text)
        str = text.to_s
        if str.html_safe?
          text
        else
          escaped = html_escape_without_haml_xss(str)
          Haml::Util.html_safe(escaped)
        end
      end

      # Output is always HTML safe: the original helper's result is marked
      # safe without any further escaping here.
      def find_and_preserve_with_haml_xss(*args, &block)
        preserved = find_and_preserve_without_haml_xss(*args, &block)
        Haml::Util.html_safe(preserved)
      end

      # Output is always HTML safe: the original helper's result is marked
      # safe without any further escaping here.
      def preserve_with_haml_xss(*args, &block)
        preserved = preserve_without_haml_xss(*args, &block)
        Haml::Util.html_safe(preserved)
      end

      # Output is always HTML safe: the original helper's result is marked
      # safe without any further escaping here.
      def list_of_with_haml_xss(*args, &block)
        listed = list_of_without_haml_xss(*args, &block)
        Haml::Util.html_safe(listed)
      end

      # Input is escaped, output is always HTML safe.
      # +front+ and +back+ each pass through #haml_xss_html_escape before
      # the original helper sees them; the block's output is not touched here.
      def surround_with_haml_xss(front, back = front, &block)
        safe_front = haml_xss_html_escape(front)
        safe_back = haml_xss_html_escape(back)
        surrounded = surround_without_haml_xss(safe_front, safe_back, &block)
        Haml::Util.html_safe(surrounded)
      end

      # Input is escaped, output is always HTML safe.
      def precede_with_haml_xss(str, &block)
        preceded = precede_without_haml_xss(haml_xss_html_escape(str), &block)
        Haml::Util.html_safe(preceded)
      end

      # Input is escaped, output is always HTML safe.
      def succeed_with_haml_xss(str, &block)
        succeeded = succeed_without_haml_xss(haml_xss_html_escape(str), &block)
        Haml::Util.html_safe(succeeded)
      end

      # Output is always HTML safe: whatever the capture produced is marked
      # safe as-is, so the captured template is trusted to have escaped its
      # own interpolations.
      def capture_haml_with_haml_xss(*args, &block)
        captured = capture_haml_without_haml_xss(*args, &block)
        Haml::Util.html_safe(captured)
      end

      # Input is escaped, unless @_haml_concat_raw is set -- presumably by
      # `with_raw_haml_concat` (not defined here), which haml_tag_with_haml_xss
      # below uses after escaping its own pieces.
      def haml_concat_with_haml_xss(text = "")
        payload = @_haml_concat_raw ? text : haml_xss_html_escape(text)
        haml_concat_without_haml_xss(payload)
      end

      # Output is always HTML safe.
      def haml_indent_with_haml_xss
        indent = haml_indent_without_haml_xss
        Haml::Util.html_safe(indent)
      end

      # Input is escaped, haml_concat'ed output is always HTML safe.
      # Only the tag name and a leading text-content argument are escaped
      # here; a leading Symbol, Hash (attributes) or nil is passed through
      # untouched. The original helper then runs with raw haml_concat so the
      # pieces escaped here are presumably not escaped a second time.
      def haml_tag_with_haml_xss(name, *rest, &block)
        name = haml_xss_html_escape(name.to_s)
        case rest.first
        when Symbol, Hash, NilClass
          # no text content to escape
        else
          rest[0] = haml_xss_html_escape(rest.first.to_s)
        end
        with_raw_haml_concat { haml_tag_without_haml_xss(name, *rest, &block) }
      end

      # Output is always HTML safe.
      def escape_once_with_haml_xss(*args)
        escaped = escape_once_without_haml_xss(*args)
        Haml::Util.html_safe(escaped)
      end

      private

      # Escapes the HTML in the text if and only if
      # Rails XSS protection is enabled *and* the `:escape_html` option is set.
      # Otherwise the text is returned untouched -- and the public wrappers
      # above still mark their output safe, so with either condition off
      # unescaped input reaches the page as "safe". `html_escape` resolves
      # to html_escape_with_haml_xss once `included` has run, which leaves
      # already-safe strings alone.
      def haml_xss_html_escape(text)
        escaping_enabled = Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
        escaping_enabled ? html_escape(text) : text
      end
    end
 95
    # The XSS wrappers above ask values `html_safe?` (see
    # html_escape_with_haml_xss), so ErrorReturn has to answer the
    # html_safe family as well.
    class ErrorReturn
      # Any attempt to treat ErrorReturn as a string should cause it to blow up.
      # to_s is defined elsewhere in Haml::Helpers (presumably it raises);
      # routing every html_safe method through it keeps that behaviour.
      [:html_safe, :html_safe?, :html_safe!].each do |string_method|
        alias_method string_method, :to_s
      end
    end
102  end
103end
104
105module ActionView
106  module Helpers
    module CaptureHelper
      # Marks whatever with_output_buffer captured as HTML safe: each String
      # of an Array result, or a bare String result; any other value is
      # returned untouched. Nothing is inspected or escaped here, so the
      # captured buffer is trusted to have escaped content when it was
      # appended.
      def with_output_buffer_with_haml_xss(*args, &block)
        captured = with_output_buffer_without_haml_xss(*args, &block)
        if captured.is_a?(Array)
          captured.map { |chunk| Haml::Util.html_safe(chunk) }
        elsif captured.is_a?(String)
          Haml::Util.html_safe(captured)
        else
          captured
        end
      end
      alias_method :with_output_buffer_without_haml_xss, :with_output_buffer
      alias_method :with_output_buffer, :with_output_buffer_with_haml_xss
    end
119
    module FormTagHelper
      # Without a block, form_tag's returned markup is marked HTML safe as-is.
      # With a block the original's return value is passed through untouched.
      def form_tag_with_haml_xss(*args, &block)
        rendered = form_tag_without_haml_xss(*args, &block)
        return rendered if block_given?
        Haml::Util.html_safe(rendered)
      end
      alias_method :form_tag_without_haml_xss, :form_tag
      alias_method :form_tag, :form_tag_with_haml_xss
    end
129
    module FormHelper
      # A String result from form_for is marked HTML safe as-is (no escaping
      # happens here); any non-String result is returned untouched.
      def form_for_with_haml_xss(*args, &block)
        rendered = form_for_without_haml_xss(*args, &block)
        rendered.is_a?(String) ? Haml::Util.html_safe(rendered) : rendered
      end
      alias_method :form_for_without_haml_xss, :form_for
      alias_method :form_for, :form_for_with_haml_xss
    end
139
    module TextHelper
      # When rendering Haml, append straight to the Haml buffer, escaping on
      # the way in with haml_xss_html_escape (a private XssMods method --
      # this assumes XssMods is mixed into the same view object). Outside
      # Haml the original concat is used unchanged.
      def concat_with_haml_xss(string)
        return concat_without_haml_xss(string) unless is_haml?
        haml_buffer.buffer.concat(haml_xss_html_escape(string))
      end
      alias_method :concat_without_haml_xss, :concat
      alias_method :concat, :concat_with_haml_xss

      # safe_concat was introduced in Rails 3.0
      # The Haml branch appends +string+ verbatim -- no escaping and no
      # html_safe? check -- so the caller is fully trusted on this path.
      if Haml::Util.has?(:instance_method, self, :safe_concat)
        def safe_concat_with_haml_xss(string)
          return safe_concat_without_haml_xss(string) unless is_haml?
          haml_buffer.buffer.concat(string)
        end
        alias_method :safe_concat_without_haml_xss, :safe_concat
        alias_method :safe_concat, :safe_concat_with_haml_xss
      end
    end
164  end
165end