Module: EscapeUtils
- Defined in:
- lib/escape_utils.rb,
lib/escape_utils/version.rb,
lib/escape_utils/html_safety.rb,
ext/escape_utils/escape_utils.c
Defined Under Namespace
Modules: HtmlSafety
Constant Summary collapse
- VERSION =
"0.2.1"- @@html_secure =
turn on/off the escaping of the ‘/’ character during HTML escaping Escaping ‘/’ is recommended by the OWASP - www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010)
true
Class Method Summary collapse
- .escape_html(*args) ⇒ Object
- .escape_javascript(str) ⇒ Object
- .escape_uri(str) ⇒ Object
- .escape_url(str) ⇒ Object
- .html_secure ⇒ Object
- .html_secure=(val) ⇒ Object
- .unescape_html(str) ⇒ Object
- .unescape_javascript(str) ⇒ Object
- .unescape_uri(str) ⇒ Object
- .unescape_url(str) ⇒ Object
Class Method Details
.escape_html(*args) ⇒ Object
302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 |
# File 'ext/escape_utils/escape_utils.c', line 302
static VALUE rb_escape_html(int argc, VALUE * argv, VALUE self) {
VALUE str, rb_secure;
int secure = html_secure;
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc;
rb_encoding *original_encoding;
#endif
unsigned char *inBuf, *outBuf;
size_t len, new_len;
if (rb_scan_args(argc, argv, "11", &str, &rb_secure) == 2) {
if (rb_secure == Qfalse) {
secure = 0;
}
}
Check_Type(str, T_STRING);
#ifdef HAVE_RUBY_ENCODING_H
default_internal_enc = rb_default_internal_encoding();
original_encoding = rb_enc_get(str);
#endif
inBuf = (unsigned char*)RSTRING_PTR(str);
len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we should try to be more intelligent about this
new_len = sizeof(unsigned char)*(len*5);
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = escape_html(outBuf, inBuf, len, secure);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.escape_javascript(str) ⇒ Object
391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 |
# File 'ext/escape_utils/escape_utils.c', line 391
static VALUE rb_escape_javascript(VALUE self, VALUE str) {
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc;
rb_encoding *original_encoding;
#endif
unsigned char *inBuf, *outBuf;
size_t len, new_len;
if (str == Qnil) {
return rb_str_new2("");
}
Check_Type(str, T_STRING);
#ifdef HAVE_RUBY_ENCODING_H
default_internal_enc = rb_default_internal_encoding();
original_encoding = rb_enc_get(str);
#endif
inBuf = (unsigned char*)RSTRING_PTR(str);
len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we should try to be more intelligent about this
new_len = sizeof(unsigned char)*(len*2);
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = escape_javascript(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.escape_uri(str) ⇒ Object
557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 |
# File 'ext/escape_utils/escape_utils.c', line 557
static VALUE rb_escape_uri(VALUE self, VALUE str) {
Check_Type(str, T_STRING);
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc = rb_default_internal_encoding();
rb_encoding *original_encoding = rb_enc_get(str);
#endif
unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
size_t len = RSTRING_LEN(str);
unsigned char *outBuf;
// this is the max size the string could be
// TODO: we should try to be more intelligent about this
size_t new_len = sizeof(unsigned char)*(len*3);
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = escape_uri(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.escape_url(str) ⇒ Object
481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 |
# File 'ext/escape_utils/escape_utils.c', line 481
static VALUE rb_escape_url(VALUE self, VALUE str) {
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc;
rb_encoding *original_encoding;
#endif
unsigned char *inBuf, *outBuf;
size_t len, new_len;
Check_Type(str, T_STRING);
#ifdef HAVE_RUBY_ENCODING_H
default_internal_enc = rb_default_internal_encoding();
original_encoding = rb_enc_get(str);
#endif
inBuf = (unsigned char*)RSTRING_PTR(str);
len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we should try to be more intelligent about this
new_len = sizeof(unsigned char)*(len*3);
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = escape_url(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.html_secure ⇒ Object
627 628 629 |
# File 'ext/escape_utils/escape_utils.c', line 627 static VALUE rb_s_get_html_secure(VALUE self) { return rb_cvar_get(self, rb_html_secure); } |
.html_secure=(val) ⇒ Object
631 632 633 634 635 636 |
# File 'ext/escape_utils/escape_utils.c', line 631
static VALUE rb_s_set_html_secure(VALUE self, VALUE val) {
html_secure = RTEST(val);
rb_cvar_set(self, rb_html_secure, val);
return val;
}
|
.unescape_html(str) ⇒ Object
351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 |
# File 'ext/escape_utils/escape_utils.c', line 351
static VALUE rb_unescape_html(VALUE self, VALUE str) {
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc;
rb_encoding *original_encoding;
#endif
unsigned char *inBuf, *outBuf;
size_t len, new_len;
Check_Type(str, T_STRING);
#ifdef HAVE_RUBY_ENCODING_H
default_internal_enc = rb_default_internal_encoding();
original_encoding = rb_enc_get(str);
#endif
inBuf = (unsigned char*)RSTRING_PTR(str);
len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we could be more intelligent about this, but probably not
new_len = sizeof(unsigned char) * len;
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = unescape_html(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.unescape_javascript(str) ⇒ Object
436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 |
# File 'ext/escape_utils/escape_utils.c', line 436
static VALUE rb_unescape_javascript(VALUE self, VALUE str) {
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc;
rb_encoding *original_encoding;
#endif
unsigned char *inBuf, *outBuf;
size_t len, new_len;
if (str == Qnil) {
return rb_str_new2("");
}
Check_Type(str, T_STRING);
#ifdef HAVE_RUBY_ENCODING_H
default_internal_enc = rb_default_internal_encoding();
original_encoding = rb_enc_get(str);
#endif
inBuf = (unsigned char*)RSTRING_PTR(str);
len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we could be more intelligent about this, but probably not
new_len = sizeof(unsigned char) * len;
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = unescape_javascript(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.unescape_uri(str) ⇒ Object
592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 |
# File 'ext/escape_utils/escape_utils.c', line 592
static VALUE rb_unescape_uri(VALUE self, VALUE str) {
Check_Type(str, T_STRING);
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc = rb_default_internal_encoding();
rb_encoding *original_encoding = rb_enc_get(str);
#endif
unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
size_t len = RSTRING_LEN(str);
unsigned char *outBuf;
// this is the max size the string could be
// TODO: we should try to be more intelligent about this
size_t new_len = sizeof(unsigned char)*len;
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
// perform our escape, returning the new string's length
new_len = unescape_uri(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|
.unescape_url(str) ⇒ Object
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 |
# File 'ext/escape_utils/escape_utils.c', line 522
static VALUE rb_unescape_url(VALUE self, VALUE str) {
Check_Type(str, T_STRING);
VALUE rb_output_buf;
#ifdef HAVE_RUBY_ENCODING_H
rb_encoding *default_internal_enc = rb_default_internal_encoding();
rb_encoding *original_encoding = rb_enc_get(str);
#endif
unsigned char *inBuf = (unsigned char*)RSTRING_PTR(str);
size_t len = RSTRING_LEN(str);
// this is the max size the string could be
// TODO: we could be more intelligent about this, but probably not
size_t new_len = sizeof(unsigned char) * len;
unsigned char *outBuf;
// create our new ruby string
rb_output_buf = rb_str_new(NULL, new_len);
// perform our escape, returning the new string's length
outBuf = (unsigned char *)RSTRING_PTR(rb_output_buf);
new_len = unescape_url(outBuf, inBuf, len);
// shrink our new ruby string
rb_str_resize(rb_output_buf, new_len);
#ifdef HAVE_RUBY_ENCODING_H
rb_enc_associate(rb_output_buf, original_encoding);
if (default_internal_enc) {
rb_output_buf = rb_str_export_to_enc(rb_output_buf, default_internal_enc);
}
#endif
return rb_output_buf;
}
|