Module: EscapeUtils

Extended by:
EscapeUtils
Included in:
EscapeUtils
Defined in:
lib/escape_utils.rb,
lib/escape_utils/version.rb,
lib/escape_utils/html_safety.rb,
ext/escape_utils/escape_utils.c

Defined Under Namespace

Modules: HtmlSafety

Constant Summary

VERSION =
"0.3.1"
@@html_secure =

Turns on/off the escaping of the '/' character during HTML escaping. Escaping '/' is recommended by the OWASP - www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content. This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010).

true


Class Method Details

.html_secureObject



# File 'ext/escape_utils/escape_utils.c', line 58

/*
 * EscapeUtils.html_secure -> Object
 *
 * Returns the value stored in the @@html_secure class variable of the
 * receiver (the module-level "escape '/' during HTML escaping" switch).
 * The receiver is the module itself; no other state is consulted.
 */
static VALUE rb_eu_get_html_secure(VALUE self)
{
	VALUE current = rb_cvar_get(self, rb_html_secure);
	return current;
}

.html_secure=(val) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 63

/*
 * EscapeUtils.html_secure = val -> val
 *
 * Updates the module-wide '/'-escaping switch in two places that must stay
 * in sync: the C-side flag g_html_secure (read as the default by
 * rb_eu_escape_html) and the @@html_secure class variable on the receiver.
 * The flag takes Ruby truthiness of +val+ (only nil and false are off);
 * the class variable keeps the original object. Returns +val+ unchanged.
 */
static VALUE rb_eu_set_html_secure(VALUE self, VALUE val)
{
	int enabled = RTEST(val);

	/* Keep the native flag first, then mirror the raw value to Ruby. */
	g_html_secure = enabled;
	rb_cvar_set(self, rb_html_secure, val);

	return val;
}

Instance Method Details

#escape_html(*args) ⇒ Object

HTML methods



# File 'ext/escape_utils/escape_utils.c', line 97

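/*
 * EscapeUtils.escape_html(str, secure = nil) -> String
 *
 * Escapes +str+ for insertion into HTML element content using
 * houdini_escape_html0. Whether '/' is escaped as well defaults to the
 * module-level html_secure flag (g_html_secure); the optional second
 * argument overrides that default for this call only:
 *   false         -> do not escape '/'
 *   any truthy    -> escape '/'
 *   nil / omitted -> use the module default
 *
 * +str+ must be a String (Check_Type raises TypeError otherwise) and is
 * passed through check_utf8_encoding, which is defined elsewhere in this
 * file and enforces the encoding policy.
 *
 * Returns a freshly built String when the escaper produced output;
 * otherwise the original +str+ object itself is returned, not a copy.
 */
static VALUE rb_eu_escape_html(int argc, VALUE *argv, VALUE self)
{
	VALUE str, rb_secure;
	gh_buf buf = GH_BUF_INIT;
	int secure = g_html_secure;

	if (rb_scan_args(argc, argv, "11", &str, &rb_secure) == 2) {
		/*
		 * The override works in both directions. Previously only `false`
		 * had an effect, so a caller passing `true` while html_secure had
		 * been switched off still got '/' left unescaped.
		 */
		if (rb_secure == Qfalse) {
			secure = 0;
		} else if (RTEST(rb_secure)) {
			secure = 1;
		}
	}

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	if (houdini_escape_html0(&buf, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), secure)) {
		VALUE result = eu_new_str(buf.ptr, buf.size);
		gh_buf_free(&buf);
		return result;
	}

	/* Escaper produced nothing: hand back the input object unchanged. */
	return str;
}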

#escape_javascript(str) ⇒ Object

JavaScript methods



# File 'ext/escape_utils/escape_utils.c', line 139

/*
 * EscapeUtils.escape_javascript(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_escape_js escaper. The receiver is unused.
 */
static VALUE rb_eu_escape_js(VALUE self, VALUE str)
{
	VALUE escaped = rb_eu__generic(str, houdini_escape_js);
	return escaped;
}

#escape_uri(str) ⇒ Object

URI methods



# File 'ext/escape_utils/escape_utils.c', line 167

/*
 * EscapeUtils.escape_uri(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_escape_uri escaper. The receiver is unused.
 */
static VALUE rb_eu_escape_uri(VALUE self, VALUE str)
{
	VALUE escaped = rb_eu__generic(str, houdini_escape_uri);
	return escaped;
}

#escape_url(str) ⇒ Object

URL methods



# File 'ext/escape_utils/escape_utils.c', line 153

/*
 * EscapeUtils.escape_url(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_escape_url escaper. The receiver is unused.
 */
static VALUE rb_eu_escape_url(VALUE self, VALUE str)
{
	VALUE escaped = rb_eu__generic(str, houdini_escape_url);
	return escaped;
}

#escape_xml(str) ⇒ Object

XML methods



# File 'ext/escape_utils/escape_utils.c', line 130

/*
 * EscapeUtils.escape_xml(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_escape_xml escaper. The receiver is unused.
 */
static VALUE rb_eu_escape_xml(VALUE self, VALUE str)
{
	VALUE escaped = rb_eu__generic(str, houdini_escape_xml);
	return escaped;
}

#unescape_html(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 121

/*
 * EscapeUtils.unescape_html(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_unescape_html routine. The receiver is unused.
 */
static VALUE rb_eu_unescape_html(VALUE self, VALUE str)
{
	VALUE unescaped = rb_eu__generic(str, houdini_unescape_html);
	return unescaped;
}

#unescape_javascript(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 144

/*
 * EscapeUtils.unescape_javascript(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_unescape_js routine. The receiver is unused.
 */
static VALUE rb_eu_unescape_js(VALUE self, VALUE str)
{
	VALUE unescaped = rb_eu__generic(str, houdini_unescape_js);
	return unescaped;
}

#unescape_uri(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 172

/*
 * EscapeUtils.unescape_uri(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_unescape_uri routine. The receiver is unused.
 */
static VALUE rb_eu_unescape_uri(VALUE self, VALUE str)
{
	VALUE unescaped = rb_eu__generic(str, houdini_unescape_uri);
	return unescaped;
}

#unescape_url(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 158

/*
 * EscapeUtils.unescape_url(str) -> String
 *
 * Thin binding that delegates to rb_eu__generic (defined elsewhere in this
 * file) with the houdini_unescape_url routine. The receiver is unused.
 */
static VALUE rb_eu_unescape_url(VALUE self, VALUE str)
{
	VALUE unescaped = rb_eu__generic(str, houdini_unescape_url);
	return unescaped;
}