require 'erb'
require 'active_support/core_ext/kernel/singleton_class'
class ERB
module Util
HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
JSON_ESCAPE_REGEXP = /[&><]/
# A utility method for escaping HTML tag characters.
# This method is also aliased as h.
#
# In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# puts html_escape('is a > 0 & a < 10?')
# # => is a > 0 & a < 10?
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end
end
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
remove_method(:h)
alias h html_escape
module_function :h
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
# A utility method for escaping HTML without affecting existing escaped entities.
#
# html_escape_once('1 < 2 & 3')
# # => "1 < 2 & 3"
#
# html_escape_once('<< Accept & Checkout')
# # => "<< Accept & Checkout"
def html_escape_once(s)
result = s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
s.html_safe? ? result.html_safe : result
end
module_function :html_escape_once
# A utility method for escaping HTML entities in JSON strings. Specifically, the
# &, > and < characters are replaced with their equivilant unicode escaped form -
# \u0026, \u003e, and \u003c. These sequences has identical meaning as the original
# characters inside the context of a JSON string, so assuming the input is a valid
# and well-formed JSON value, the output will have equivilant meaning when parsed:
#
# json = JSON.generate({ name: ""})
# # => "{\"name\":\"\"}"
#
# json_escape(json)
# # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
#
# JSON.parse(json) == JSON.parse(json_escape(json))
# # => true
#
# The intended use case for this method is to escape JSON strings before including
# them inside a script tag to avoid XSS vulnerability:
#
#
#
# WARNING: this helper only works with valid JSON. Using this on non-JSON values
# will open up serious XSS vulnerabilities. For example, if you replace the
# +current_user.to_json+ in the example above with user input instead, the browser
# will happily eval() that string as JavaScript.
#
# The escaping performed in this method is identical to those performed in the
# ActiveSupport JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
# set to true. Because this transformation is idempotent, this helper can be
# applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
#
# Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
# is enabled, or if you are unsure where your JSON string originated from, it
# is recommended that you always apply this helper (other libraries, such as the
# JSON gem, does not provide this kind of protection by default; also some gems
# might override +#to_json+ to bypass ActiveSupport's encoder).
#
# The output of this helper method is marked as HTML safe so that you can directly
# include it inside a +