Skip to content

R
rails

张重言 / rails

通知 1
Star 0
Fork 0
R
rails

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
output_safety.rb 2.0 KB
Newer Older
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 
require "erb"

class ERB
  module Util
    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

    # A utility method for escaping HTML tag characters.
    # This method is also aliased as <tt>h</tt>.
    #
    # In your ERb templates, use this method to escape any unsafe content. For example:
    #   <%=h @person.name %>
    #
    # ==== Example:
    #   puts html_escape("is a > 0 & a < 10?")
    #   # => is a &gt; 0 &amp; a &lt; 10?
    def html_escape(s)
      s = s.to_s
      if s.html_safe?
        s
      else
        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
      end
    end

    undef :h
    alias h html_escape

    module_function :html_escape
    module_function :h

    # A utility method for escaping HTML entities in JSON strings.
    # This method is also aliased as <tt>j</tt>.
    #
    # In your ERb templates, use this method to escape any HTML entities:
    #   <%=j @person.to_json %>
    #
    # ==== Example:
    #   puts json_escape("is a > 0 & a < 10?")
    #   # => is a \u003E 0 \u0026 a \u003C 10?
    def json_escape(s)
      s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] }
    end

    alias j json_escape
    module_function :j
    module_function :json_escape
  end
end
J
String#<< should work for any object which responds to :to_str, so enable this...  
José Valim 已提交
51 52 53 54 55 56 57 58 59 60 61 62 
class Object
  def html_safe?
    false
  end
end

class Fixnum
  def html_safe?
    true
  end
end
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
63 64 65 
module ActiveSupport #:nodoc:
  class SafeBuffer < String
    alias safe_concat concat
M
Switch to on-by-default XSS escaping for rails.  
Michael Koziarski 已提交
66
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
67 68 69 70 71 72 73 
    def concat(value)
      if value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
J
Remove concat before overriding it  
Joshua Peek 已提交
74
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 
    def +(other)
      dup.concat(other)
    end

    def <<(value)
      self.concat(value)
    end

    def html_safe?
      true
    end

    def html_safe
      self
    end
J
Remove concat before overriding it  
Joshua Peek 已提交
90
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
91 92 93 
    def to_s
      self
    end
M
Switch to on-by-default XSS escaping for rails.  
Michael Koziarski 已提交
94 
  end
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
95 
end
J
Remove concat before overriding it  
Joshua Peek 已提交
96
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
97 98 99 
class String
  def html_safe!
    raise "You can't call html_safe! on a String"
M
Switch to on-by-default XSS escaping for rails.  
Michael Koziarski 已提交
100 
  end
J
Remove concat before overriding it  
Joshua Peek 已提交
101
Y
For performance reasons, you can no longer call html_safe! on Strings....  
Yehuda Katz 已提交
102 103 104 
  def html_safe
    ActiveSupport::SafeBuffer.new(self)
  end
M
Switch to on-by-default XSS escaping for rails.  
Michael Koziarski 已提交
105 
end