Class: Brakeman::RailsXSSErubis

Inherits:
Erubis::Eruby
Defined in:
lib/brakeman/scanner.rb

Overview

This is taken from the Rails 3 version of the Erubis handler.

Constant Summary

BLOCK_EXPR =
/\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/

Instance Method Summary

Instance Method Details

- (Object) add_expr_escaped(src, code)



# File 'lib/brakeman/scanner.rb', line 410

# Erubis `add_expr_escaped` hook: rewrites the expression `code` into a
# Rails 3 `@output_buffer.safe_*` call and appends it to `src`.
#
# @param src [String] generated Ruby accumulated so far; mutated in place
# @param code [String] Ruby source found inside the expression tag
# @return [String] `src`
def add_expr_escaped(src, code)
  # An expression ending in `do` / `{` (see BLOCK_EXPR) opens a block whose
  # body follows on later lines, so it cannot be wrapped in parentheses and is
  # emitted as an assignment instead of a `safe_concat(...)` call.
  statement =
    if BLOCK_EXPR =~ code
      "@output_buffer.safe_append= #{code}"
    else
      "@output_buffer.safe_concat(#{code});"
    end
  src << statement
end

- (Object) add_expr_literal(src, code)



# File 'lib/brakeman/scanner.rb', line 394

# Erubis `add_expr_literal` hook: rewrites the expression `code` into a
# Rails 3 `@output_buffer.append=` assignment and appends it to `src`.
#
# @param src [String] generated Ruby accumulated so far; mutated in place
# @param code [String] Ruby source found inside the expression tag
# @return [String] `src`
def add_expr_literal(src, code)
  # A block-opening expression (BLOCK_EXPR) is left unparenthesised because
  # its block body continues on the following lines; a plain expression is
  # parenthesised and terminated with `;`.
  statement =
    if BLOCK_EXPR =~ code
      "@output_buffer.append= #{code}"
    else
      "@output_buffer.append= (#{code});"
    end
  src << statement
end

- (Object) add_postamble(src)

Add code to output buffer.



# File 'lib/brakeman/scanner.rb', line 419

# Erubis `add_postamble` hook, intentionally a no-op.
#
# The Erubis default would close the generated template with `_buf.to_s`;
# that line is deliberately suppressed here and `src` is left untouched.
#
# @param src [String] generated Ruby accumulated so far (not modified)
# @return [nil]
def add_postamble(src)
  # Suppressed Erubis default: src << '_buf.to_s'
end

- (Object) add_preamble(src)



# File 'lib/brakeman/scanner.rb', line 367

# Erubis `add_preamble` hook, intentionally a no-op.
#
# The Erubis default would open the generated template by creating a buffer
# (`_buf = ActionView::SafeBuffer.new;`); that line is deliberately suppressed
# here and `src` is left untouched.
#
# @param src [String] generated Ruby accumulated so far (not modified)
# @return [nil]
def add_preamble(src)
  # Suppressed Erubis default: src << "_buf = ActionView::SafeBuffer.new;\n"
end

- (Object) add_stmt(src, code)



# File 'lib/brakeman/scanner.rb', line 402

# Erubis `add_stmt` hook: statements that open a block are rewritten to a
# Rails 3 `@output_buffer.append_if_string=` assignment; every other statement
# is handed to the Erubis implementation unchanged.
#
# @param src [String] generated Ruby accumulated so far; mutated in place
# @param code [String] Ruby source found inside the statement tag
# @return [Object] `src` for block statements, otherwise whatever
#   Erubis::Eruby#add_stmt returns
def add_stmt(src, code)
  # Only a trailing `do` / `{` (BLOCK_EXPR) is special-cased; `super` forwards
  # `src` and `code` as-is.
  return super unless BLOCK_EXPR =~ code

  src << "@output_buffer.append_if_string= #{code}"
end

- (Object) add_text(src, text)



# File 'lib/brakeman/scanner.rb', line 371

# Erubis `add_text` hook: emits literal template text as
# `@output_buffer << ('...'.html_safe!);` statements.
#
# Multi-line text is emitted one statement per line, each followed by a
# newline in `src`, so the generated Ruby keeps the template's line breaks;
# a final segment with no trailing newline gets no newline either. The text
# is passed through `escape_text` (inherited from Erubis::Eruby, not shown
# here) before being placed inside the single-quoted literal.
#
# NOTE(review): `String#split("\n")` drops trailing empty segments, so text
# consisting only of newlines (e.g. "\n\n") emits nothing and text ending in
# several newlines emits fewer than it contains — confirm this is intended
# if generated line numbers matter.
#
# @param src [String] generated Ruby accumulated so far; mutated in place
# @param text [String] raw template text between tags
# @return [Object] `src`, or the Array of lines when `text` ends in "\n"
def add_text(src, text)
  emit = lambda { |chunk| "@output_buffer << ('#{escape_text(chunk)}'.html_safe!);" }

  if text == "\n"
    # A lone newline is passed straight through to keep line alignment.
    src << "\n"
  elsif text.include?("\n")
    lines = text.split("\n")
    if text.end_with?("\n")
      # Every line is newline-terminated, so every emitted statement is too.
      lines.each { |line| src << emit.call(line) << "\n" }
    else
      # All but the last line are newline-terminated; the last one is not.
      lines[0..-2].each { |line| src << emit.call(line) << "\n" }
      src << emit.call(lines.last)
    end
  else
    src << emit.call(text)
  end
end