Module: EscapeUtils
- Extended by:
- EscapeUtils
- Included in:
- EscapeUtils
- Defined in:
- lib/escape_utils.rb,
lib/escape_utils/version.rb,
lib/escape_utils/html_safety.rb,
ext/escape_utils/escape_utils.c
Defined Under Namespace
Modules: HtmlSafety
Constant Summary
- VERSION =
"1.2.1"
Class Method Summary
-
.html_safe_string_class ⇒ Object
Default String class to return from HTML escaping.
- .html_safe_string_class=(val) ⇒ Object
-
.html_secure ⇒ Object
Turns escaping of the ‘/’ character during HTML escaping on or off. Escaping ‘/’ is recommended by OWASP (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content), because quotes around HTML attribute values are optional in most/all modern browsers at the time of writing (10/15/2010).
- .html_secure=(val) ⇒ Object
Instance Method Summary
- #escape_html(*args) ⇒ Object
- #escape_html_as_html_safe(str) ⇒ Object
-
#escape_javascript(str) ⇒ Object
JavaScript methods.
-
#escape_uri(str) ⇒ Object
URI methods.
-
#escape_uri_component(str) ⇒ Object
URI component methods.
-
#escape_url(str) ⇒ Object
URL methods.
-
#escape_xml(str) ⇒ Object
XML methods.
- #unescape_html(str) ⇒ Object
- #unescape_javascript(str) ⇒ Object
- #unescape_uri(str) ⇒ Object
- #unescape_uri_component(str) ⇒ Object
- #unescape_url(str) ⇒ Object
Class Method Details
.html_safe_string_class ⇒ Object
Default String class to return from HTML escaping
# File 'lib/escape_utils.rb', line 16
# Reader for the String subclass used by escape_html_as_html_safe.
# Returns whatever html_safe_string_class= last stored in
# @html_safe_string_class on this module (nil until it has been set).
def self.html_safe_string_class
  instance_variable_get(:@html_safe_string_class)
end
.html_safe_string_class=(val) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 58
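static VALUE rb_eu_set_html_safe_string_class(VALUE self, VALUE val)
{
    /*
     * EscapeUtils.html_safe_string_class=(val)
     *
     * Selects the class that escape_html_as_html_safe builds its results from.
     * val must be a Class equal to String or one of its descendants; a non-Class
     * fails Check_Type, anything else raises ArgumentError. The value is mirrored
     * into @html_safe_string_class on the receiver and returned unchanged.
     */
    VALUE template;

    Check_Type(val, T_CLASS);

    /*
     * Class#<= returns true for String and its descendants, false when val is an
     * *ancestor* of String (Object, BasicObject) and nil when the two are
     * unrelated. Testing only for nil let ancestors through, so a plain Object
     * could become the "html safe string" class; reject anything not truthy.
     */
    if (!RTEST(rb_funcall(val, rb_intern("<="), 1, rb_cString)))
        rb_raise(rb_eArgError, "%s must be a descendent of String", rb_class2name(val));

    /*
     * Build and freeze the template before touching the statics: if the class's
     * initialize raises, the previous class/template pair stays consistent
     * instead of a new class paired with a stale template.
     */
    template = rb_class_new_instance(0, NULL, val);
    OBJ_FREEZE(template);

    rb_html_safe_string_class = val;
    rb_html_safe_string_template_object = template;
    /* NOTE(review): the @ivar below keeps val alive, but nothing visible here
     * roots the template object; confirm both statics are registered with
     * rb_gc_register_address elsewhere in the extension. */
    rb_ivar_set(self, rb_intern("@html_safe_string_class"), val);
    return val;
}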
.html_secure ⇒ Object
Turns escaping of the ‘/’ character during HTML escaping on or off. Escaping ‘/’ is recommended by OWASP (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content), because quotes around HTML attribute values are optional in most/all modern browsers at the time of writing (10/15/2010)
# File 'lib/escape_utils.rb', line 10
# Reader for the module-wide html_secure flag ('/' escaping during HTML
# escaping). Returns the raw value html_secure= last stored in @html_secure
# on this module; the C side keeps its own truthiness copy in g_html_secure.
def self.html_secure
  instance_variable_get(:@html_secure)
end
.html_secure=(val) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 45
static VALUE rb_eu_set_html_secure(VALUE self, VALUE val)
{
    /*
     * EscapeUtils.html_secure=(val)
     *
     * Stores the truthiness of val in g_html_secure (the flag the HTML escapers
     * consult for '/' escaping) and mirrors the original val into @html_secure
     * on the receiver. Returns val.
     */
    const int enabled = RTEST(val);

    g_html_secure = enabled;
    rb_ivar_set(self, rb_intern("@html_secure"), val);
    return val;
}
Instance Method Details
#escape_html(*args) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 126
static VALUE rb_eu_escape_html(int argc, VALUE *argv, VALUE self)
{
    /*
     * escape_html(str, secure = html_secure)
     *
     * HTML-escapes str, which must be a String that passes check_utf8_encoding.
     * Passing false as the optional second argument turns the g_html_secure
     * ('/' escaping) flag off for this call only; any other second argument
     * leaves the module-wide setting in effect. Returns a new String when
     * something was escaped, otherwise the very same str object.
     */
    VALUE str = Qnil, rb_secure = Qnil, escaped;
    gh_buf out = GH_BUF_INIT;
    int escape_slash = g_html_secure;
    int given;

    (void)self;

    given = rb_scan_args(argc, argv, "11", &str, &rb_secure);
    if (given == 2 && rb_secure == Qfalse)
        escape_slash = 0;

    Check_Type(str, T_STRING);
    check_utf8_encoding(str);

    if (!houdini_escape_html0(&out, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), escape_slash))
        return str;   /* nothing needed escaping: hand back the original object */

    escaped = eu_new_str(out.ptr, out.size);
    gh_buf_free(&out);
    return escaped;
}
#escape_html_as_html_safe(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 104
static VALUE rb_eu_escape_html_as_html_safe(VALUE self, VALUE str)
{
    /*
     * escape_html_as_html_safe(str)
     *
     * Like escape_html, but the result always comes from new_html_safe_string
     * (presumably an instance of html_safe_string_class), even when nothing
     * needed escaping, and is tagged with the ID_at_html_safe ivar set to true
     * and associated with str's encoding. Always honours the module-wide
     * g_html_secure flag; there is no per-call override here.
     */
    gh_buf out = GH_BUF_INIT;
    VALUE safe;

    (void)self;

    Check_Type(str, T_STRING);
    check_utf8_encoding(str);

    if (!houdini_escape_html0(&out, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), g_html_secure)) {
        /* unchanged input is still copied into the html-safe string type */
        safe = new_html_safe_string(RSTRING_PTR(str), RSTRING_LEN(str));
    } else {
        safe = new_html_safe_string(out.ptr, out.size);
        gh_buf_free(&out);
    }

    rb_ivar_set(safe, ID_at_html_safe, Qtrue);
    rb_enc_associate(safe, rb_enc_get(str));
    return safe;
}
#escape_javascript(str) ⇒ Object
JavaScript methods
# File 'ext/escape_utils/escape_utils.c', line 168
static VALUE rb_eu_escape_js(VALUE self, VALUE str)
{
    /* escape_javascript(str): run str through the shared rb_eu__generic driver
     * with the houdini JavaScript escaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_escape_js);
}
#escape_uri(str) ⇒ Object
URI methods
# File 'ext/escape_utils/escape_utils.c', line 196
static VALUE rb_eu_escape_uri(VALUE self, VALUE str)
{
    /* escape_uri(str): delegate to rb_eu__generic with the houdini URI escaper;
     * the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_escape_uri);
}
#escape_uri_component(str) ⇒ Object
URI component methods
# File 'ext/escape_utils/escape_utils.c', line 209
static VALUE rb_eu_escape_uri_component(VALUE self, VALUE str)
{
    /* escape_uri_component(str): delegate to rb_eu__generic with the houdini
     * URI-component escaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_escape_uri_component);
}
#escape_url(str) ⇒ Object
URL methods
# File 'ext/escape_utils/escape_utils.c', line 182
static VALUE rb_eu_escape_url(VALUE self, VALUE str)
{
    /* escape_url(str): delegate to rb_eu__generic with the houdini URL escaper;
     * the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_escape_url);
}
#escape_xml(str) ⇒ Object
XML methods
# File 'ext/escape_utils/escape_utils.c', line 159
static VALUE rb_eu_escape_xml(VALUE self, VALUE str)
{
    /* escape_xml(str): delegate to rb_eu__generic with the houdini XML escaper;
     * the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_escape_xml);
}
#unescape_html(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 150
static VALUE rb_eu_unescape_html(VALUE self, VALUE str)
{
    /* unescape_html(str): delegate to rb_eu__generic with the houdini HTML
     * unescaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_unescape_html);
}
#unescape_javascript(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 173
static VALUE rb_eu_unescape_js(VALUE self, VALUE str)
{
    /* unescape_javascript(str): delegate to rb_eu__generic with the houdini
     * JavaScript unescaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_unescape_js);
}
#unescape_uri(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 201
static VALUE rb_eu_unescape_uri(VALUE self, VALUE str)
{
    /* unescape_uri(str): delegate to rb_eu__generic with the houdini URI
     * unescaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_unescape_uri);
}
#unescape_uri_component(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 214
static VALUE rb_eu_unescape_uri_component(VALUE self, VALUE str)
{
    /* unescape_uri_component(str): delegate to rb_eu__generic with the houdini
     * URI-component unescaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_unescape_uri_component);
}
#unescape_url(str) ⇒ Object
# File 'ext/escape_utils/escape_utils.c', line 187
static VALUE rb_eu_unescape_url(VALUE self, VALUE str)
{
    /* unescape_url(str): delegate to rb_eu__generic with the houdini URL
     * unescaper; the receiver is not used. */
    (void)self;
    return rb_eu__generic(str, houdini_unescape_url);
}