/scalate-jruby/src/main/resources/haml-3.0.25/lib/haml/helpers/xss_mods.rb
Ruby | 165 lines | 124 code | 20 blank | 21 comment | 6 complexity | 4db05b747a4da564e8a624c3513b308d MD5 | raw file
1module Haml 2 module Helpers 3 # This module overrides Haml helpers to work properly 4 # in the context of ActionView. 5 # Currently it's only used for modifying the helpers 6 # to work with Rails' XSS protection methods. 7 module XssMods 8 def self.included(base) 9 %w[html_escape find_and_preserve preserve list_of surround 10 precede succeed capture_haml haml_concat haml_indent 11 haml_tag escape_once].each do |name| 12 base.send(:alias_method, "#{name}_without_haml_xss", name) 13 base.send(:alias_method, name, "#{name}_with_haml_xss") 14 end 15 end 16 17 # Don't escape text that's already safe, 18 # output is always HTML safe 19 def html_escape_with_haml_xss(text) 20 str = text.to_s 21 return text if str.html_safe? 22 Haml::Util.html_safe(html_escape_without_haml_xss(str)) 23 end 24 25 # Output is always HTML safe 26 def find_and_preserve_with_haml_xss(*args, &block) 27 Haml::Util.html_safe(find_and_preserve_without_haml_xss(*args, &block)) 28 end 29 30 # Output is always HTML safe 31 def preserve_with_haml_xss(*args, &block) 32 Haml::Util.html_safe(preserve_without_haml_xss(*args, &block)) 33 end 34 35 # Output is always HTML safe 36 def list_of_with_haml_xss(*args, &block) 37 Haml::Util.html_safe(list_of_without_haml_xss(*args, &block)) 38 end 39 40 # Input is escaped, output is always HTML safe 41 def surround_with_haml_xss(front, back = front, &block) 42 Haml::Util.html_safe( 43 surround_without_haml_xss( 44 haml_xss_html_escape(front), 45 haml_xss_html_escape(back), 46 &block)) 47 end 48 49 # Input is escaped, output is always HTML safe 50 def precede_with_haml_xss(str, &block) 51 Haml::Util.html_safe(precede_without_haml_xss(haml_xss_html_escape(str), &block)) 52 end 53 54 # Input is escaped, output is always HTML safe 55 def succeed_with_haml_xss(str, &block) 56 Haml::Util.html_safe(succeed_without_haml_xss(haml_xss_html_escape(str), &block)) 57 end 58 59 # Output is always HTML safe 60 def capture_haml_with_haml_xss(*args, &block) 61 Haml::Util.html_safe(capture_haml_without_haml_xss(*args, &block)) 62 end 63 64 # Input is escaped 65 def haml_concat_with_haml_xss(text = "") 66 haml_concat_without_haml_xss(@_haml_concat_raw ? text : haml_xss_html_escape(text)) 67 end 68 69 # Output is always HTML safe 70 def haml_indent_with_haml_xss 71 Haml::Util.html_safe(haml_indent_without_haml_xss) 72 end 73 74 # Input is escaped, haml_concat'ed output is always HTML safe 75 def haml_tag_with_haml_xss(name, *rest, &block) 76 name = haml_xss_html_escape(name.to_s) 77 rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? {|t| rest.first.is_a? t} 78 with_raw_haml_concat {haml_tag_without_haml_xss(name, *rest, &block)} 79 end 80 81 # Output is always HTML safe 82 def escape_once_with_haml_xss(*args) 83 Haml::Util.html_safe(escape_once_without_haml_xss(*args)) 84 end 85 86 private 87 88 # Escapes the HTML in the text if and only if 89 # Rails XSS protection is enabled *and* the `:escape_html` option is set. 90 def haml_xss_html_escape(text) 91 return text unless Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html] 92 html_escape(text) 93 end 94 end 95 96 class ErrorReturn 97 # Any attempt to treat ErrorReturn as a string should cause it to blow up. 98 alias_method :html_safe, :to_s 99 alias_method :html_safe?, :to_s 100 alias_method :html_safe!, :to_s 101 end 102 end 103end 104 105module ActionView 106 module Helpers 107 module CaptureHelper 108 def with_output_buffer_with_haml_xss(*args, &block) 109 res = with_output_buffer_without_haml_xss(*args, &block) 110 case res 111 when Array; res.map {|s| Haml::Util.html_safe(s)} 112 when String; Haml::Util.html_safe(res) 113 else; res 114 end 115 end 116 alias_method :with_output_buffer_without_haml_xss, :with_output_buffer 117 alias_method :with_output_buffer, :with_output_buffer_with_haml_xss 118 end 119 120 module FormTagHelper 121 def form_tag_with_haml_xss(*args, &block) 122 res = form_tag_without_haml_xss(*args, &block) 123 res = Haml::Util.html_safe(res) unless block_given? 124 res 125 end 126 alias_method :form_tag_without_haml_xss, :form_tag 127 alias_method :form_tag, :form_tag_with_haml_xss 128 end 129 130 module FormHelper 131 def form_for_with_haml_xss(*args, &block) 132 res = form_for_without_haml_xss(*args, &block) 133 return Haml::Util.html_safe(res) if res.is_a?(String) 134 return res 135 end 136 alias_method :form_for_without_haml_xss, :form_for 137 alias_method :form_for, :form_for_with_haml_xss 138 end 139 140 module TextHelper 141 def concat_with_haml_xss(string) 142 if is_haml? 143 haml_buffer.buffer.concat(haml_xss_html_escape(string)) 144 else 145 concat_without_haml_xss(string) 146 end 147 end 148 alias_method :concat_without_haml_xss, :concat 149 alias_method :concat, :concat_with_haml_xss 150 151 # safe_concat was introduced in Rails 3.0 152 if Haml::Util.has?(:instance_method, self, :safe_concat) 153 def safe_concat_with_haml_xss(string) 154 if is_haml? 155 haml_buffer.buffer.concat(string) 156 else 157 safe_concat_without_haml_xss(string) 158 end 159 end 160 alias_method :safe_concat_without_haml_xss, :safe_concat 161 alias_method :safe_concat, :safe_concat_with_haml_xss 162 end 163 end 164 end 165end