WWW_App:
Turn Ruby into HTML and CSS.
I was going to add JS features, but I found out that I don't need them thanks to Turu.
NOTE:
This is not ready.
Ruby:
To install:
gem install www_app
To Use:
WWW_App.new {
  style {
    a._link / a._visited / a._hover {
      color '#f88'
    }
    a {
      _link / _visited { color '#fff' }
      _hover { color '#ccc' }
    }
    div.id(:main).__.div.^(:drowsy) / a.^(:excited)._link {
      border '1px dashed grey'
      div.^(:mon) / div.^(:tues) {
        border '1px dashed weekday'
      }
    }
  } # === style
  div.id(:main).^(:css_class_name) {
    border '1px solid #000'
    background_color 'grey'
    style {
      a._link / a._visited {
        color '#fig'
      }
      _.^(:scary) {
        border '2px dotted red'
        background_color 'white'
      }
    }
    p { "I'm a paragraph." }
    p {
      text %^
        I'm also
      ^.strip
      br
      text ' a paragraph.'
    }
  }
}.to_html
Security:
1) Server-side: All data from the user should be run through :render to ensure sanitization/escaping.
2) Server-side: All JS meant for :script tags should be escaped before being encoded into JSON.
3) Client-side: No untrusted data is presented to the user: :inner_html/:inner_text only use content from the server after it has been sanitized/escaped.
4) Client-side: No client-side sanitization/escaping. Too many bugs and security issues arise from browser incompatibilities and differing implementations. Content to be used in client-side JS can only come from the server using "lockboxed vars".
5) Client-side: When using :inner_html, check the String for /<script/i.
6) All forms require a CSRF token.
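The server-side rules above, carried out in plain Ruby as an added example. The SafeOutput and CSRF modules below are assumptions written for this README, not the www_app gem's API or its :render/:script implementation; they show HTML escaping of user data (rule 1), JSON encoding for :script tags that cannot terminate the tag early (rule 2), the /<script/i check from rule 5, and a constant-time CSRF token comparison (rule 6).

```ruby
require 'cgi'
require 'json'
require 'securerandom'

# Hypothetical helpers (not the www_app gem's own code) enforcing the
# server-side rules from the Security section.
module SafeOutput
  # Rule 1: every user-supplied string is escaped before it reaches HTML.
  # CGI.escapeHTML rewrites < > & " ' so the text can neither close the
  # enclosing tag nor open a new one.
  def self.render_text(str)
    CGI.escapeHTML(str.to_s)
  end

  # Characters that are legal inside a JSON string but dangerous inside an
  # inline <script> block. "<" and ">" are rewritten so a value such as
  # "</script>" cannot end the element early; "&" so the output is also safe
  # inside HTML attributes; U+2028/U+2029 because JavaScript treats them as
  # line terminators. Every replacement is a valid JSON \uXXXX escape, so the
  # encoded value still parses back to the original.
  JS_ESCAPES = {
    '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
    "\u2028" => '\u2028', "\u2029" => '\u2029'
  }.freeze

  # Rule 2: JSON-encode, then neutralise the sequences above.
  def self.json_for_script(obj)
    JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |ch| JS_ESCAPES[ch] }
  end

  # Rule 5: a string about to be assigned via innerHTML is rejected if it
  # contains a script opener, matched case-insensitively.
  def self.inner_html_safe?(str)
    !str.to_s.match?(/<script/i)
  end
end

# Rule 6: one random token per session, compared in constant time so the
# check does not leak how many leading bytes of a guess were correct.
module CSRF
  def self.generate_token
    SecureRandom.hex(32)
  end

  def self.valid_token?(session_token, submitted)
    return false if session_token.nil? || submitted.nil?
    return false unless session_token.bytesize == submitted.bytesize
    diff = 0
    session_token.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a comment field trying to break out of a tag.
  evil = '</script><script>alert(1)</script>'
  puts SafeOutput.render_text(evil)
  puts SafeOutput.json_for_script('comment' => evil)
  puts SafeOutput.inner_html_safe?(evil)
  token = CSRF.generate_token
  puts CSRF.valid_token?(token, token)
end
```

The JSON step follows the same approach as escaping for inline scripts in web frameworks: rather than only rewriting "</", every angle bracket and ampersand becomes a \uXXXX escape, which also covers "<!--" and keeps the document parseable as JSON.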
Notes:
1) Blockquotes no longer allow the :cite attribute. Instead use the cite tag.
More info at: http://html5doctor.com/cite-and-blockquote-reloaded/
2) Originally, this was going to be programs written in 100% JSON. This has changed because it turns out people do not want to create programs, they just want to customize them: https://www.youtube.com/watch?v=9nd9DwCdQR0#t=857
3) JSON Applet was changed to WWW_Applet. WWW_Applet was then changed to WWW_App.