diff options
author | Michael Koziarski <michael@koziarski.com> | 2009-10-08 09:31:20 +1300 |
---|---|---|
committer | Michael Koziarski <michael@koziarski.com> | 2009-10-08 09:31:20 +1300 |
commit | 9415935902f120a9bac0bfce7129725a0db38ed3 (patch) | |
tree | 654d184caccfd7e1de4d60236fb7813bf1177d84 /activesupport/lib | |
parent | f27e7ebc0e2a55a268631c78d49a5b70b06ad59a (diff) | |
download | rails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.gz rails-9415935902f120a9bac0bfce7129725a0db38ed3.tar.bz2 rails-9415935902f120a9bac0bfce7129725a0db38ed3.zip |
Switch to on-by-default XSS escaping for rails.
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
Diffstat (limited to 'activesupport/lib')
-rw-r--r-- | activesupport/lib/active_support/core_ext/string.rb | 3 | ||||
-rw-r--r-- | activesupport/lib/active_support/core_ext/string/output_safety.rb | 43 |
2 files changed, 45 insertions, 1 deletions
diff --git a/activesupport/lib/active_support/core_ext/string.rb b/activesupport/lib/active_support/core_ext/string.rb index d06a5a32fb..6c52f12712 100644 --- a/activesupport/lib/active_support/core_ext/string.rb +++ b/activesupport/lib/active_support/core_ext/string.rb @@ -7,4 +7,5 @@ require 'active_support/core_ext/string/access' require 'active_support/core_ext/string/iterators' require 'active_support/core_ext/string/xchar' require 'active_support/core_ext/string/behavior' -require 'active_support/core_ext/string/interpolation'
\ No newline at end of file +require 'active_support/core_ext/string/interpolation' +require 'active_support/core_ext/string/output_safety'
\ No newline at end of file diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb new file mode 100644 index 0000000000..2cca4763f4 --- /dev/null +++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb @@ -0,0 +1,43 @@ +class String + def html_safe? + defined?(@_rails_html_safe) && @_rails_html_safe + end + + def html_safe! + @_rails_html_safe = true + self + end + + def html_safe + dup.html_safe! + end + + alias original_plus + + def +(other) + result = original_plus(other) + if html_safe? && also_html_safe?(other) + result.html_safe! + else + result + end + end + + alias original_concat << + def <<(other) + result = original_concat(other) + unless html_safe? && also_html_safe?(other) + @_rails_html_safe = false + end + result + end + + def concat(other) + self << other + end + + private + def also_html_safe?(other) + other.respond_to?(:html_safe?) && other.html_safe? + end + +end
\ No newline at end of file |