escape_utils-1.2.1/0000755000004100000410000000000012706333543014231 5ustar www-datawww-dataescape_utils-1.2.1/Rakefile0000644000004100000410000000062712706333543015703 0ustar www-datawww-datarequire 'rake/testtask' Rake::TestTask.new do |t| t.pattern = "test/**/*_test.rb" end task :default => :test gem 'rake-compiler', '>= 0.7.5' require "rake/extensiontask" Rake::ExtensionTask.new('escape_utils') do |ext| ext.cross_compile = true ext.cross_platform = ['x86-mingw32', 'x86-mswin32-60'] ext.lib_dir = File.join 'lib', 'escape_utils' end Rake::Task[:test].prerequisites << :compile escape_utils-1.2.1/Gemfile0000644000004100000410000000004712706333543015525 0ustar www-datawww-datasource 'https://rubygems.org' gemspec escape_utils-1.2.1/script/0000755000004100000410000000000012706333543015535 5ustar www-datawww-dataescape_utils-1.2.1/script/testsuite0000755000004100000410000000034112706333543017512 0ustar www-datawww-data#!/bin/sh set -e cd "$(dirname "$0")/.." # run entire test suite ruby --version 1>&2 exec ruby -I. -rubygems \ -r "$(pwd)/test/helper" \ -e "ARGV.each { |f| require(f) }" \ -- ${*:-`find test -name '*_test.rb'`} escape_utils-1.2.1/script/bootstrap0000755000004100000410000000011412706333543017474 0ustar www-datawww-databundle install --path vendor/gems --binstubs bin/rake clobber clean compile escape_utils-1.2.1/.travis.yml0000644000004100000410000000010612706333543016337 0ustar www-datawww-datalanguage: ruby rvm: - 1.9.3 - 2.0.0 - 2.1.0 - 2.2.0 - 2.3.0 escape_utils-1.2.1/benchmark/0000755000004100000410000000000012706333543016163 5ustar www-datawww-dataescape_utils-1.2.1/benchmark/html_unescape.rb0000644000004100000410000000136612706333543021345 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'cgi' require 'haml' require 'escape_utils' module HamlBench extend Haml::Helpers end url = "https://en.wikipedia.org/wiki/Succession_to_the_British_throne" html = `curl -s #{url}` html = html.force_encoding('binary') if html.respond_to?(:force_encoding) escaped_html = EscapeUtils.escape_html(html) puts "Unescaping #{escaped_html.bytesize} bytes of escaped html, from #{url}" Benchmark.ips do |x| x.report "CGI.unescapeHTML" do |times| times.times do CGI.unescapeHTML(escaped_html) end end x.report "EscapeUtils.unescape_html" do |times| times.times do EscapeUtils.unescape_html(escaped_html) end end x.compare! end escape_utils-1.2.1/benchmark/xml_escape.rb0000644000004100000410000000111612706333543020627 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'fast_xs' require 'escape_utils' url = "http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml" xml = `curl -s #{url}` xml = xml.force_encoding('binary') if xml.respond_to?(:force_encoding) puts "Escaping #{xml.bytesize} bytes of xml, from #{url}" Benchmark.ips do |x| x.report "fast_xs" do |times| times.times do xml.fast_xs end end x.report "EscapeUtils.escape_xml" do |times| times.times do EscapeUtils.escape_xml(xml) end end x.compare! end escape_utils-1.2.1/benchmark/javascript_escape.rb0000644000004100000410000000147512706333543022205 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'action_view' require 'escape_utils' class ActionPackBench extend ActionView::Helpers::JavaScriptHelper end url = "http://ajax.googleapis.com/ajax/libs/dojo/1.4.3/dojo/dojo.xd.js.uncompressed.js" javascript = `curl -s #{url}` javascript = javascript.force_encoding('utf-8') if javascript.respond_to?(:force_encoding) puts "Escaping #{javascript.bytesize} bytes of javascript, from #{url}" Benchmark.ips do |x| x.report "ActionView::Helpers::JavaScriptHelper#escape_javascript" do |times| times.times do ActionPackBench.escape_javascript(javascript) end end x.report "EscapeUtils.escape_javascript" do |times| times.times do EscapeUtils.escape_javascript(javascript) end end x.compare! end escape_utils-1.2.1/benchmark/html_escape.rb0000644000004100000410000000256212706333543021001 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'rack' require 'erb' require 'cgi' require 'haml' require 'fast_xs_extra' require 'escape_utils' module HamlBench extend Haml::Helpers end url = "https://en.wikipedia.org/wiki/Succession_to_the_British_throne" html = `curl -s #{url}` html = html.force_encoding('utf-8') if html.respond_to?(:force_encoding) puts "Escaping #{html.bytesize} bytes of html from #{url}" Benchmark.ips do |x| x.report "Rack::Utils.escape_html" do |times| times.times do Rack::Utils.escape_html(html) end end x.report "Haml::Helpers.html_escape" do |times| times.times do HamlBench.html_escape(html) end end x.report "ERB::Util.html_escape" do |times| times.times do ERB::Util.html_escape(html) end end x.report "CGI.escapeHTML" do |times| times.times do CGI.escapeHTML(html) end end x.report "String#gsub" do |times| html_escape = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } times.times do html.gsub(/[&"'><]/, html_escape) end end x.report "fast_xs_extra#fast_xs_html" do |times| times.times do html.fast_xs_html end end x.report "EscapeUtils.escape_html" do |times| times.times do EscapeUtils.escape_html(html) end end x.compare! end escape_utils-1.2.1/benchmark/url_unescape.rb0000644000004100000410000000211112706333543021170 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'rack' require 'cgi' require 'url_escape' require 'fast_xs_extra' require 'escape_utils' url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mYHcEA dh435dqUs0moGHeeAJTSLLbdbcbd9ef----,574b95600e9ab7d27eb0bf524ac68c27----" url = url.force_encoding('us-ascii') if url.respond_to?(:force_encoding) escaped_url = EscapeUtils.escape_url(url) puts "Escaping a #{url.bytesize} byte URL" Benchmark.ips do |x| x.report "Rack::Utils.unescape" do |times| times.times do Rack::Utils.unescape(escaped_url) end end x.report "CGI.unescape" do |times| times.times do CGI.unescape(escaped_url) end end x.report "URLEscape#unescape" do |times| times.times do URLEscape.unescape(escaped_url) end end x.report "fast_xs_extra#fast_uxs_cgi" do |times| times.times do url.fast_uxs_cgi end end x.report "EscapeUtils.unescape_url" do |times| times.times do EscapeUtils.unescape_url(escaped_url) end end x.compare! end escape_utils-1.2.1/benchmark/javascript_unescape.rb0000644000004100000410000000117212706333543022542 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'escape_utils' url = "http://ajax.googleapis.com/ajax/libs/dojo/1.4.3/dojo/dojo.xd.js.uncompressed.js" javascript = `curl -s #{url}` javascript = javascript.force_encoding('utf-8') if javascript.respond_to?(:force_encoding) escaped_javascript = EscapeUtils.escape_javascript(javascript) puts "Escaping #{escaped_javascript.bytesize} bytes of javascript, from #{url}" Benchmark.ips do |x| x.report "EscapeUtils.escape_javascript" do |times| times.times do EscapeUtils.unescape_javascript(escaped_javascript) end end end escape_utils-1.2.1/benchmark/url_escape.rb0000644000004100000410000000216012706333543020631 0ustar www-datawww-data# encoding: utf-8 require 'rubygems' require 'bundler/setup' require 'benchmark/ips' require 'rack' require 'erb' require 'cgi' require 'url_escape' require 'fast_xs_extra' require 'escape_utils' url = "https://www.yourmom.com/cgi-bin/session.cgi?sess_args=mYHcEA dh435dqUs0moGHeeAJTSLLbdbcbd9ef----,574b95600e9ab7d27eb0bf524ac68c27----" url = url.force_encoding('us-ascii') if url.respond_to?(:force_encoding) puts "Escaping a #{url.bytesize} byte URL times" Benchmark.ips do |x| x.report "ERB::Util.url_encode" do |times| times.times do ERB::Util.url_encode(url) end end x.report "Rack::Utils.escape" do |times| times.times do Rack::Utils.escape(url) end end x.report "CGI.escape" do |times| times.times do CGI.escape(url) end end x.report "URLEscape#escape" do |times| times.times do URLEscape.escape(url) end end x.report "fast_xs_extra#fast_xs_url" do |times| times.times do url.fast_xs_url end end x.report "EscapeUtils.escape_url" do |times| times.times do EscapeUtils.escape_url(url) end end x.compare! end escape_utils-1.2.1/lib/0000755000004100000410000000000012706333543014777 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils.rb0000644000004100000410000000150412706333543020004 0ustar www-datawww-datarequire 'escape_utils/escape_utils' require 'escape_utils/version' unless defined? EscapeUtils::VERSION module EscapeUtils extend self # turn on/off the escaping of the '/' character during HTML escaping # Escaping '/' is recommended by the OWASP - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content # This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010) def self.html_secure @html_secure end self.html_secure = true # Default String class to return from HTML escaping def self.html_safe_string_class @html_safe_string_class end self.html_safe_string_class = String autoload :HtmlSafety, 'escape_utils/html_safety' endescape_utils-1.2.1/lib/escape_utils/0000755000004100000410000000000012706333543017457 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils/html/0000755000004100000410000000000012706333543020423 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils/html/rack.rb0000644000004100000410000000022012706333543021662 0ustar www-datawww-datamodule Rack module Utils include ::EscapeUtils::HtmlSafety alias escape_html _escape_html module_function :escape_html end end escape_utils-1.2.1/lib/escape_utils/html/erb.rb0000644000004100000410000000027312706333543021522 0ustar www-datawww-dataclass ERB module Util include ::EscapeUtils::HtmlSafety alias html_escape _escape_html alias h html_escape module_function :h module_function :html_escape end endescape_utils-1.2.1/lib/escape_utils/html/haml.rb0000644000004100000410000000016012706333543021666 0ustar www-datawww-datamodule Haml module Helpers include ::EscapeUtils::HtmlSafety alias html_escape _escape_html end endescape_utils-1.2.1/lib/escape_utils/html/cgi.rb0000644000004100000410000000026212706333543021512 0ustar www-datawww-dataclass CGI extend ::EscapeUtils::HtmlSafety class << self alias escapeHTML _escape_html def unescapeHTML(s) EscapeUtils.unescape_html(s.to_s) end end endescape_utils-1.2.1/lib/escape_utils/javascript/0000755000004100000410000000000012706333543021625 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils/javascript/action_view.rb0000644000004100000410000000025012706333543024456 0ustar www-datawww-datamodule ActionView module Helpers module JavaScriptHelper def escape_javascript(s) EscapeUtils.escape_javascript(s.to_s) end end end end escape_utils-1.2.1/lib/escape_utils/version.rb0000644000004100000410000000005312706333543021467 0ustar www-datawww-datamodule EscapeUtils VERSION = "1.2.1" end escape_utils-1.2.1/lib/escape_utils/xml/0000755000004100000410000000000012706333543020257 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils/xml/builder.rb0000644000004100000410000000021012706333543022223 0ustar www-datawww-datamodule Builder class XmlBase < BlankSlate private def _escape(text) EscapeUtils.escape_xml(text.to_s) end end end escape_utils-1.2.1/lib/escape_utils/url/0000755000004100000410000000000012706333543020261 5ustar www-datawww-dataescape_utils-1.2.1/lib/escape_utils/url/rack.rb0000644000004100000410000000035112706333543021525 0ustar www-datawww-datamodule Rack module Utils def escape(url) EscapeUtils.escape_url(url.to_s) end def unescape(url) EscapeUtils.unescape_url(url.to_s) end module_function :escape module_function :unescape end end escape_utils-1.2.1/lib/escape_utils/url/uri.rb0000644000004100000410000000023212706333543021402 0ustar www-datawww-datamodule URI def self.escape(s, unsafe=nil) EscapeUtils.escape_uri(s.to_s) end def self.unescape(s) EscapeUtils.unescape_uri(s.to_s) end endescape_utils-1.2.1/lib/escape_utils/url/erb.rb0000644000004100000410000000026212706333543021356 0ustar www-datawww-dataclass ERB module Util def url_encode(s) EscapeUtils.escape_url(s.to_s) end alias u url_encode module_function :u module_function :url_encode end endescape_utils-1.2.1/lib/escape_utils/url/cgi.rb0000644000004100000410000000021512706333543021346 0ustar www-datawww-dataclass CGI def self.escape(s) EscapeUtils.escape_url(s.to_s) end def self.unescape(s) EscapeUtils.unescape_url(s.to_s) end endescape_utils-1.2.1/lib/escape_utils/html_safety.rb0000644000004100000410000000052412706333543022324 0ustar www-datawww-datamodule EscapeUtils module HtmlSafety if "".respond_to? :html_safe? def _escape_html(s) if s.html_safe? s.to_s.html_safe else EscapeUtils.escape_html(s.to_s).html_safe end end else def _escape_html(s) EscapeUtils.escape_html(s.to_s) end end end end escape_utils-1.2.1/test/0000755000004100000410000000000012706333543015210 5ustar www-datawww-dataescape_utils-1.2.1/test/html/0000755000004100000410000000000012706333543016154 5ustar www-datawww-dataescape_utils-1.2.1/test/html/escape_test.rb0000644000004100000410000001024412706333543021001 0ustar www-datawww-datarequire File.expand_path("../../helper", __FILE__) class MyCustomHtmlSafeString < String end class HtmlEscapeTest < Minitest::Test def test_escape_source_encoding_is_maintained source = 'foobar' str = EscapeUtils.escape_html_as_html_safe(source) assert_equal source.encoding, str.encoding end def test_escape_binary_encoding_is_maintained source = 'foobar'.b str = EscapeUtils.escape_html_as_html_safe(source) assert_equal source.encoding, str.encoding end def test_escape_uft8_encoding_is_maintained source = 'foobar'.encode 'UTF-8' str = EscapeUtils.escape_html_as_html_safe(source) assert_equal source.encoding, str.encoding end def test_escape_us_ascii_encoding_is_maintained source = 'foobar'.encode 'US-ASCII' str = EscapeUtils.escape_html_as_html_safe(source) assert_equal source.encoding, str.encoding end def test_escape_basic_html_with_secure assert_equal "<some_tag/>", EscapeUtils.escape_html("") secure_before = EscapeUtils.html_secure EscapeUtils.html_secure = true assert_equal "<some_tag/>", EscapeUtils.escape_html("") EscapeUtils.html_secure = secure_before end def test_escape_basic_html_without_secure assert_equal "<some_tag/>", EscapeUtils.escape_html("", false) secure_before = EscapeUtils.html_secure EscapeUtils.html_secure = false assert_equal "<some_tag/>", EscapeUtils.escape_html("") EscapeUtils.html_secure = secure_before end def test_escape_double_quotes assert_equal "<some_tag some_attr="some value"/>", EscapeUtils.escape_html("") end def test_escape_single_quotes assert_equal "<some_tag some_attr='some value'/>", EscapeUtils.escape_html("") end def test_escape_ampersand assert_equal "<b>Bourbon & Branch</b>", EscapeUtils.escape_html("Bourbon & Branch") end def test_returns_original_if_not_escaped str = 'foobar' assert_equal str.object_id, EscapeUtils.escape_html(str).object_id end def test_html_safe_escape_default_works str = EscapeUtils.escape_html_as_html_safe('foobar') assert_equal 'foobar', str end def test_returns_custom_string_class klass_before = EscapeUtils.html_safe_string_class EscapeUtils.html_safe_string_class = MyCustomHtmlSafeString str = EscapeUtils.escape_html_as_html_safe('foobar') assert_equal 'foobar', str assert_equal MyCustomHtmlSafeString, str.class assert_equal true, str.instance_variable_get(:@html_safe) ensure EscapeUtils.html_safe_string_class = klass_before end def test_returns_custom_string_class_when_string_requires_escaping klass_before = EscapeUtils.html_safe_string_class EscapeUtils.html_safe_string_class = MyCustomHtmlSafeString str = EscapeUtils.escape_html_as_html_safe("