Module: EscapeUtils

Extended by:
EscapeUtils
Included in:
EscapeUtils
Defined in:
lib/escape_utils.rb,
lib/escape_utils/version.rb,
lib/escape_utils/html_safety.rb,
ext/escape_utils/escape_utils.c

Defined Under Namespace

Modules: HtmlSafety

Constant Summary

VERSION =
"1.2.1"

Class Method Summary

Instance Method Summary

Class Method Details

.html_safe_string_class ⇒ Object

The String class (String itself or one of its subclasses) that HTML-safe escaping results are instantiated from. Configured with .html_safe_string_class=, which rejects anything that is not a String descendant.



# File 'lib/escape_utils.rb', line 16

# Reader for the String class used to build HTML-safe escaping results.
# Returns nil until .html_safe_string_class= has been called.
def self.html_safe_string_class
  instance_variable_get(:@html_safe_string_class)
end

.html_safe_string_class=(val) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 58

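/*
 * EscapeUtils.html_safe_string_class = klass
 *
 * Selects the class that HTML-safe escaping results are instantiated from.
 * `val` must be a Class, and it must be String itself or a subclass of it.
 *
 * Module#<= returns true when val is String or a subclass, FALSE when val is
 * an ancestor of String (Object, BasicObject) and nil when the two are
 * unrelated.  Only a true result is acceptable, so the check must reject both
 * nil and false: comparing against Qnil alone let Object/BasicObject through,
 * after which rb_class_new_instance() below would produce a non-String that
 * the escaping path then treats as one.
 *
 * Raises TypeError (via Check_Type) when val is not a Class and ArgumentError
 * when it is not a String descendant.  Returns val.
 */
static VALUE rb_eu_set_html_safe_string_class(VALUE self, VALUE val)
{
	Check_Type(val, T_CLASS);

	/* Module#<= yields true / false / nil; anything but true is a rejection. */
	if (!RTEST(rb_funcall(val, rb_intern("<="), 1, rb_cString)))
		rb_raise(rb_eArgError, "%s must be a descendent of String", rb_class2name(val));

	rb_html_safe_string_class = val;

	/* Frozen template instance of the chosen class.  Presumably duplicated by
	 * new_html_safe_string() so each call avoids re-running Class#new -- confirm
	 * in its definition.
	 * NOTE(review): both globals hold heap VALUEs and must be visible to the GC
	 * (rb_gc_register_address or a mark function); that is not shown here. */
	rb_html_safe_string_template_object = rb_class_new_instance(0, NULL, rb_html_safe_string_class);
	OBJ_FREEZE(rb_html_safe_string_template_object);

	/* Mirror into @html_safe_string_class for the Ruby-side reader. */
	rb_ivar_set(self, rb_intern("@html_safe_string_class"), val);
	return val;
}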

.html_secure ⇒ Object

Turns on/off the escaping of the '/' character during HTML escaping. This is a process-wide default; escape_html accepts a per-call override. Escaping '/' is recommended by the OWASP XSS Prevention Cheat Sheet, Rule #1 (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content), because quotes around HTML attribute values are optional in most or all modern browsers (as of 10/15/2010), so escaping the quote characters alone is not sufficient in unquoted-attribute contexts.



# File 'lib/escape_utils.rb', line 10

# Reader for the process-wide "escape '/' during HTML escaping" default.
# Holds whatever value was last assigned via .html_secure= (nil until then).
def self.html_secure
  instance_variable_get(:@html_secure)
end

.html_secure=(val) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 45

/*
 * EscapeUtils.html_secure = flag
 *
 * Records the truthiness of `val` as the process-wide default for escaping
 * '/' during HTML escaping (consulted by the HTML escaping entry points) and
 * mirrors the raw value into @html_secure for the Ruby-side reader.
 * Any Ruby value is accepted; only nil and false turn the option off.
 * Returns val.
 */
static VALUE rb_eu_set_html_secure(VALUE self, VALUE val)
{
	int enabled = RTEST(val);

	g_html_secure = enabled;
	rb_ivar_set(self, rb_intern("@html_secure"), val);

	return val;
}

Instance Method Details

#escape_html(*args) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 126

/*
 * EscapeUtils.escape_html(str, secure = EscapeUtils.html_secure)
 *
 * HTML-escapes `str`, which must be a String (TypeError otherwise) in an
 * encoding accepted by check_utf8_encoding.
 *
 * `secure` controls whether '/' is escaped too.  It defaults to the
 * process-wide html_secure setting and can only be turned OFF per call: an
 * explicit `false` disables it, while any other value -- including true and
 * nil -- leaves the global default in force.  Callers who need '/' escaped
 * regardless of the global setting cannot get that from this argument.
 *
 * Returns a new String when houdini reports that escaping changed the text.
 * When nothing needed escaping it returns `str` itself -- the same object,
 * not a copy -- so mutating the result in place mutates the caller's input.
 */
static VALUE rb_eu_escape_html(int argc, VALUE *argv, VALUE self)
{
	VALUE str = Qnil, secure_arg = Qnil;
	gh_buf buf = GH_BUF_INIT;
	int secure = g_html_secure;
	int nargs = rb_scan_args(argc, argv, "11", &str, &secure_arg);

	/* Only an explicit false opts out of '/' escaping. */
	if (nargs == 2 && secure_arg == Qfalse)
		secure = 0;

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	if (!houdini_escape_html0(&buf, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), secure))
		return str;	/* nothing escaped: hand back the input object itself */

	{
		VALUE escaped = eu_new_str(buf.ptr, buf.size);
		gh_buf_free(&buf);
		return escaped;
	}
}

#escape_html_as_html_safe(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 104

/*
 * EscapeUtils.escape_html_as_html_safe(str)
 *
 * HTML-escapes `str` using the process-wide html_secure setting (there is no
 * per-call override here) and returns the result as an instance of the
 * configured html_safe_string_class.  Unlike escape_html, a fresh object is
 * produced even when nothing needed escaping.  The result carries
 * @html_safe = true and is re-associated with the input's encoding.
 *
 * `str` must be a String (TypeError otherwise) in an encoding accepted by
 * check_utf8_encoding.
 *
 * NOTE(review): @html_safe marks the content as already escaped; any code
 * that later appends unescaped data to the returned object defeats that mark.
 */
static VALUE rb_eu_escape_html_as_html_safe(VALUE self, VALUE str)
{
	gh_buf buf = GH_BUF_INIT;
	char *src;
	long len;
	VALUE safe;

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	src = RSTRING_PTR(str);
	len = RSTRING_LEN(str);

	if (houdini_escape_html0(&buf, (const uint8_t *)src, len, g_html_secure)) {
		safe = new_html_safe_string(buf.ptr, buf.size);
		gh_buf_free(&buf);
	} else {
		/* Unchanged content is still copied into the html-safe class. */
		safe = new_html_safe_string(src, len);
	}

	rb_ivar_set(safe, ID_at_html_safe, Qtrue);
	rb_enc_associate(safe, rb_enc_get(str));

	return safe;
}

#escape_javascript(str) ⇒ Object

JavaScript methods



# File 'ext/escape_utils/escape_utils.c', line 168

/*
 * EscapeUtils#escape_javascript(str)
 *
 * Escapes `str` for embedding in a JavaScript string literal by handing it to
 * houdini_escape_js via rb_eu__generic (which presumably performs the String
 * type/encoding checks and builds the result -- its definition is not shown).
 */
static VALUE rb_eu_escape_js(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_escape_js);
}

#escape_uri(str) ⇒ Object

URI methods



# File 'ext/escape_utils/escape_utils.c', line 196

/*
 * EscapeUtils#escape_uri(str)
 *
 * Percent-escapes `str` as a URI via houdini_escape_uri, dispatched through
 * rb_eu__generic.  The exact set of characters left unescaped -- and how this
 * differs from escape_url / escape_uri_component -- is defined by the houdini
 * routine, which is not shown here.
 */
static VALUE rb_eu_escape_uri(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_escape_uri);
}

#escape_uri_component(str) ⇒ Object

URI component methods



# File 'ext/escape_utils/escape_utils.c', line 209

/*
 * EscapeUtils#escape_uri_component(str)
 *
 * Percent-escapes `str` for use as a single URI component (a path segment or
 * query value) via houdini_escape_uri_component, dispatched through
 * rb_eu__generic.  The precise reserved-character set is defined by the
 * houdini routine, which is not shown here.
 */
static VALUE rb_eu_escape_uri_component(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_escape_uri_component);
}

#escape_url(str) ⇒ Object

URL methods



# File 'ext/escape_utils/escape_utils.c', line 182

/*
 * EscapeUtils#escape_url(str)
 *
 * Escapes `str` with houdini_escape_url, dispatched through rb_eu__generic.
 * Presumably form-style (application/x-www-form-urlencoded) escaping as
 * opposed to escape_uri's RFC-style escaping -- confirm against the houdini
 * routine, which is not shown here.
 */
static VALUE rb_eu_escape_url(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_escape_url);
}

#escape_xml(str) ⇒ Object

XML methods



# File 'ext/escape_utils/escape_utils.c', line 159

/*
 * EscapeUtils#escape_xml(str)
 *
 * Escapes `str` for insertion into XML text via houdini_escape_xml,
 * dispatched through rb_eu__generic.  Note that this path does not consult
 * the html_secure ('/') setting used by the HTML escapers.
 */
static VALUE rb_eu_escape_xml(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_escape_xml);
}

#unescape_html(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 150

/*
 * EscapeUtils#unescape_html(str)
 *
 * Decodes HTML entities in `str` via houdini_unescape_html, dispatched through
 * rb_eu__generic.  The result is raw, unescaped text: it must be treated as
 * untrusted and re-escaped before being placed back into a document.
 */
static VALUE rb_eu_unescape_html(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_unescape_html);
}

#unescape_javascript(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 173

/*
 * EscapeUtils#unescape_javascript(str)
 *
 * Reverses JavaScript string-literal escaping in `str` via
 * houdini_unescape_js, dispatched through rb_eu__generic.  The output is raw
 * text and must not be embedded anywhere without escaping it again.
 */
static VALUE rb_eu_unescape_js(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_unescape_js);
}

#unescape_uri(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 201

/*
 * EscapeUtils#unescape_uri(str)
 *
 * Percent-decodes `str` via houdini_unescape_uri, dispatched through
 * rb_eu__generic.  Decoding happens once; callers should not decode already
 * decoded data a second time, which is a common source of filter bypasses.
 */
static VALUE rb_eu_unescape_uri(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_unescape_uri);
}

#unescape_uri_component(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 214

/*
 * EscapeUtils#unescape_uri_component(str)
 *
 * Percent-decodes a single URI component in `str` via
 * houdini_unescape_uri_component, dispatched through rb_eu__generic.  How
 * this differs from unescape_uri is defined by the houdini routine, which is
 * not shown here.
 */
static VALUE rb_eu_unescape_uri_component(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_unescape_uri_component);
}

#unescape_url(str) ⇒ Object



# File 'ext/escape_utils/escape_utils.c', line 187

/*
 * EscapeUtils#unescape_url(str)
 *
 * Decodes URL (form-style) escaping in `str` via houdini_unescape_url,
 * dispatched through rb_eu__generic.  Presumably the inverse of escape_url,
 * including '+' handling -- confirm against the houdini routine, not shown.
 */
static VALUE rb_eu_unescape_url(VALUE self, VALUE str)
{
	(void)self;
	return rb_eu__generic(str, houdini_unescape_url);
}