Class: BetterHtml::BetterErb::ValidatedOutputBuffer::Context

Inherits:
Object
Defined in:
lib/better_html/better_erb/validated_output_buffer.rb


Constructor Details

#initialize(output, context, code, auto_escape) ⇒ Context

Returns a new instance of Context.



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 9

# Builds a validation context for one ERB interpolation.
#
# @param output [#safe_append=] buffer that receives the validated text
# @param context [Hash] parse context read by the append methods
#   (e.g. :tag_name, :attribute_name, :quote_character, :comment_text)
# @param code [String] the ERB code being interpolated; only used to
#   build error messages
# @param auto_escape [Object] the auto-escape setting, kept on the instance
def initialize(output, context, code, auto_escape)
  @output, @context, @code, @auto_escape =
    output, context, code, auto_escape
end

Instance Method Details

#safe_after_attribute_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 53

# Interpolation directly after an attribute name (e.g. `<div foo<%= x %>`)
# is only accepted when the value is a BetterHtml::HtmlAttributes object,
# whose string form is appended. Any other non-nil value raises
# DontInterpolateHere with a hint to use html_attributes(...).
#
# @param value [BetterHtml::HtmlAttributes, nil] nil is silently skipped
# @raise [DontInterpolateHere] for any other value
def safe_after_attribute_name_append=(value)
  return if value.nil?

  tag = @context[:tag_name]
  hint = "Do not interpolate #{value.class} in a tag. " \
    "Instead of <#{tag} <%=#{@code}%>> please " \
    "try <#{tag} <%= html_attributes(attr: value) %>>."
  raise DontInterpolateHere, hint unless value.is_a?(BetterHtml::HtmlAttributes)

  @output.safe_append = value.to_s
end

#safe_after_equal_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 65

# Unquoted interpolation right after `attr=` (e.g. `<div foo=<%= x %>`) is
# never allowed. The value is not inspected at all — even nil raises.
#
# @param value [Object] ignored
# @raise [DontInterpolateHere] always, naming the offending position
def safe_after_equal_append=(value)
  position = "'#{@context[:attribute_name]}=<%=#{@code}%>'"
  raise DontInterpolateHere,
    "Do not interpolate without quotes after attribute around #{position}."
end

#safe_attribute_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 41

# Interpolation inside an attribute name. The value is stringified and
# only appended when it consists solely of lowercase ASCII letters, digits
# and hyphens (the empty string passes); uppercase letters, whitespace,
# `=`, quotes and `>` are all rejected, so the value cannot start a new
# attribute or close the tag.
#
# @param value [#to_s, nil] nil is silently skipped
# @raise [UnsafeHtmlError] if the stringified value contains other characters
def safe_attribute_name_append=(value)
  return if value.nil?

  name = value.to_s
  unless name.match?(/\A[a-z0-9\-]*\z/)
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a attribute name around '#{@context[:attribute_name]}<%=#{@code}%>'."
  end

  @output.safe_append = name
end

#safe_comment_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 114

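# Interpolation inside an HTML comment (`<!-- ...here -->`). The value is
# run through properly_escaped and then rejected if it could terminate
# the comment early: HTML parsers close a comment on `-->` and also on the
# non-conforming `--!>` (the tokenizer's comment-end-bang state), so both
# are refused. A nil value is silently skipped.
#
# @param value [Object, nil] the interpolated value
# @raise [UnsafeHtmlError] if the escaped value contains `-->` or `--!>`
def safe_comment_append=(value)
  return if value.nil?

  value = properly_escaped(value)

  # in a <!-- ...here --> we disallow --> and its `--!>` variant, which
  # browsers also treat as the end of the comment
  if value =~ /--!?>/
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a html comment around: <!--#{@context[:comment_text]}<%=#{@code}%>."
  end

  # NOTE(review): a value that starts the comment text with `>` or `->`
  # (`<!-->`, `<!--->`) is also an abruptly closed comment; whether that
  # can occur depends on @context[:comment_text] being empty — not covered.
  @output.safe_append = value
end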

#safe_none_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 127

# Interpolation in plain text content with no special HTML context: the
# value goes through properly_escaped and is appended unchanged otherwise.
#
# @param value [Object, nil] nil is silently skipped
def safe_none_append=(value)
  @output.safe_append = properly_escaped(value) unless value.nil?
end

#safe_quoted_value_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 16

# Interpolation inside a quoted attribute value. After properly_escaped
# the value must not contain the quote character that delimits the
# attribute (@context[:quote_character]); otherwise it could close the
# value and inject further attributes.
# NOTE(review): this check only matters for values that properly_escaped
# leaves unescaped — confirm against that helper.
#
# @param value [Object, nil] nil is silently skipped
# @raise [UnsafeHtmlError] if the escaped value contains the quote character
def safe_quoted_value_append=(value)
  return if value.nil?

  escaped = properly_escaped(value)
  quote = @context[:quote_character]
  if escaped.include?(quote)
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a quoted attribute value. The value cannot contain the character #{quote}."
  end

  @output.safe_append = escaped
end

#safe_rawtext_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 94

# Interpolation inside a raw-text element (script, style, ...), where
# entity escaping does not apply and only the matching end tag ends the
# content. After properly_escaped the value is refused if it contains an
# opening or closing tag of the enclosing element (case-insensitive); for
# `script` the message additionally explains the restriction.
#
# @param value [Object, nil] nil is silently skipped
# @raise [UnsafeHtmlError] if the escaped value contains `<tag` or `</tag`
#   for the current @context[:tag_name]
def safe_rawtext_append=(value)
  return if value.nil?

  value = properly_escaped(value)
  tag = @context[:tag_name].downcase
  where = "<#{@context[:tag_name]}>#{@context[:rawtext_text]}<%=#{@code}%>"

  if tag == 'script' && value =~ /<\/?script/i
    # https://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a script tag around: #{where}. " \
      "A script tag cannot contain <script or </script anywhere inside of it."
  elsif value =~ /<\/?#{Regexp.escape(tag)}/i
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a #{tag} tag around: #{where}."
  end

  @output.safe_append = value
end

#safe_space_after_attribute_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 35

# Interpolation glued to the closing quote of an attribute value
# (`<div foo="bar"<%= x %>`) is never allowed; the value is not inspected,
# so even nil raises.
#
# @param value [Object] ignored
# @raise [DontInterpolateHere] always, showing the corrected form
def safe_space_after_attribute_append=(value)
  tag = @context[:tag_name]
  attribute = "#{@context[:attribute_name]}=\"#{@context[:attribute_value]}\""
  erb = "<%=#{@code}%>"
  raise DontInterpolateHere, "Add a space after this attribute value. Instead of " \
    "<#{tag} #{attribute}#{erb}> try <#{tag} #{attribute} #{erb}>."
end

#safe_tag_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 70

# Interpolation in the attribute area of a tag (`<div <%= x %>>`). Only a
# BetterHtml::HtmlAttributes object is accepted and its string form is
# appended; any other non-nil value raises DontInterpolateHere pointing
# at html_attributes(...).
#
# @param value [BetterHtml::HtmlAttributes, nil] nil is silently skipped
# @raise [DontInterpolateHere] for any other value
def safe_tag_append=(value)
  return if value.nil?

  if value.is_a?(BetterHtml::HtmlAttributes)
    @output.safe_append = value.to_s
  else
    tag = @context[:tag_name]
    raise DontInterpolateHere, "Do not interpolate #{value.class} in a tag. " \
      "Instead of <#{tag} <%=#{@code}%>> please " \
      "try <#{tag} <%= html_attributes(attr: value) %>>."
  end
end

#safe_tag_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 82

# Interpolation inside a tag name (`<foo<%= x %>>`). The value is
# stringified and appended only if it consists solely of lowercase ASCII
# letters, digits, `:` and `-` (the empty string passes); whitespace, `>`,
# `/` and uppercase letters are rejected so the value cannot end the tag
# or smuggle in attributes.
#
# @param value [#to_s, nil] nil is silently skipped
# @raise [UnsafeHtmlError] if the stringified value contains other characters
def safe_tag_name_append=(value)
  return if value.nil?

  name = value.to_s
  raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
    "into a tag name around: <#{@context[:tag_name]}<%=#{@code}%>>." unless name.match?(/\A[a-z0-9\:\-]*\z/)

  @output.safe_append = name
end

#safe_unquoted_value_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 28

# Interpolation into an unquoted attribute value (`<div foo=bar<%= x %>>`)
# is never allowed; the value is not inspected, so even nil raises. The
# message shows the quoted form to use instead.
#
# @param value [Object] ignored
# @raise [DontInterpolateHere] always
def safe_unquoted_value_append=(value)
  tag = @context[:tag_name]
  name = @context[:attribute_name]
  erb = "#{@context[:attribute_value]}<%=#{@code}%>"
  raise DontInterpolateHere, "Do not interpolate without quotes around this " \
    "attribute value. Instead of <#{tag} #{name}=#{erb}> try <#{tag} #{name}=\"#{erb}\">."
end