# erb_safe_ext

Adds a method to ERB that protects against XSS attacks.

I think changing the original `<%=` method is not always a good idea; adding a `<%~` method may be better.
## Install

```sh
$ gem install erb_safe_ext
```
## Introduction

`<%~` HTML-escapes its result, so the script tag below is rendered as inert text rather than executed:

```erb
<%~ "<script>alert('safety:)');</script>" %>
## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
```

`<%=` keeps ERB's original, unescaped behaviour:

```erb
<%= "<script>alert('danger!');</script>" %>
## <script>alert('danger!');</script>
```
## Test code

```ruby
require 'erb_safe_ext'

template = ERB.new "<%~ \"<script>alert('safety:)');</script>\" %>\n<%= \"<script>alert('danger!');</script>\" %>\n----finish----\n"
puts template.result
```
## README for versions <= 1.0.4

### Introduction

```erb
<%= "<script>alert('safety:)');</script>" %>
## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
```

By default it wraps the dangerous code with `ERB::Util.html_escape(code)`.

Works fine with Ruby 2.0.

`<%==` is the backup of ERB's original `<%=` function:

```erb
<%== "<script>alert('danger!');</script>" %>
## <script>alert('danger!');</script>
```
### Test code

```ruby
require 'erb_safe_ext'

template = ERB.new "<%= \"<script>alert('safety:)');</script>\" %>\n<%#= 'here' -%>\n<%== \"<script>alert('danger!');</script>\" %>\n----finish----\n"
puts template.result
```
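Both conventions described above (the `<%~` tag of current versions, and the `<%=`/`<%==` pair of versions <= 1.0.4) can be emulated by rewriting the template source before ERB compiles it. This is an added illustration, not the gem's own implementation; `SafeTildeTag`, `demo_current` and `demo_legacy` are assumed names.

```ruby
require 'erb'

# Added illustration, not erb_safe_ext's own code: emulate the two tag
# conventions from the README by rewriting the template source before ERB
# compiles it. ERB::Util.html_escape replaces & < > " ' with entities, so
# markup inside an escaped value is rendered as inert text.
module SafeTildeTag
  # Wrap a code fragment so its result is HTML-escaped; the extra
  # parentheses keep multi-term expressions such as "a + b" intact.
  def self.escaped_tag(code)
    "<%= ERB::Util.html_escape((#{code})) %>"
  end

  # Rewrites "<%~ code %>" to an escaping tag (>= 1.0.5 convention).
  # With legacy: true it applies the <= 1.0.4 convention first: every
  # "<%= code %>" escapes and "<%== code %>" is ERB's raw output.
  # Assumption: the template contains no "%>" inside Ruby code.
  def self.preprocess(src, legacy: false)
    if legacy
      src = src.gsub(/<%=(=?)(.*?)%>/m) do
        $1.empty? ? escaped_tag($2) : "<%=#{$2}%>"
      end
    end
    src.gsub(/<%~(.*?)%>/m) { escaped_tag($1) }
  end

  def self.render(src, b, legacy: false)
    ERB.new(preprocess(src, legacy: legacy)).result(b)
  end
end

# Constructed sample: a user-supplied comment carrying a script tag.
MALICIOUS_COMMENT = "<script>alert(1)</script>"

# Current convention: <%~ escapes, <%= stays raw.
def demo_current(comment)
  src = "<p><%~ comment %></p>\n<p><%= comment %></p>\n"
  SafeTildeTag.render(src, binding)
end

# Legacy convention: <%= escapes, <%== is the raw backup.
def demo_legacy(comment)
  src = "<p><%= comment %></p>\n<p><%== comment %></p>\n"
  SafeTildeTag.render(src, binding, legacy: true)
end

puts demo_current(MALICIOUS_COMMENT)
puts demo_legacy(MALICIOUS_COMMENT)
```

In both outputs the first paragraph contains `&lt;script&gt;...` and only the second contains a live `<script>` tag.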
## About Sinatra

Works fine with Sinatra (current version is 1.4.4), but do not do the following:

- `require 'erubis'`
- add gems that depend on erubis, such as `better_errors` (you can find all dependencies in `Gemfile.lock`)
## Sinatra exception template

The original Sinatra exception template displays badly with erb_safe_ext, so I rewrote it.

```ruby
require 'sinatra/base'
require 'erb_safe_ext/sinatra/exception_template'
```