Class: BetterHtml::BetterErb::ValidatedOutputBuffer::Context

Inherits:
Object
Defined in:
lib/better_html/better_erb/validated_output_buffer.rb


Constructor Details

#initialize(output, context, code, auto_escape) ⇒ Context

Returns a new instance of Context.



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 7

# Builds the validation context for a single ERB interpolation site.
#
# @param output [#safe_append=] buffer that receives text once it has been validated
# @param context [Hash{Symbol => Object}] parser state for the site, read via symbol
#   keys such as :tag_name, :attribute_name, :attribute_value, :quote_character,
#   :comment_text and :rawtext_text
# @param code [String] ERB source of the interpolation, echoed back in error messages
# @param auto_escape [Object] stored as-is; not referenced by the methods on this page
def initialize(output, context, code, auto_escape)
  @output, @context, @code, @auto_escape = output, context, code, auto_escape
end

Instance Method Details

#safe_after_attribute_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 53

# Appends a value interpolated directly after an attribute name, inside a tag.
# Only a BetterHtml::HtmlAttributes object is accepted at this position; its
# #to_s is appended without further escaping, so that class is the trusted
# renderer here. Same rule as #safe_tag_append=.
#
# @param value [BetterHtml::HtmlAttributes, nil] nil is silently ignored
# @raise [DontInterpolateHere] for any other type
def safe_after_attribute_name_append=(value)
  return if value.nil?

  if value.is_a?(BetterHtml::HtmlAttributes)
    @output.safe_append = value.to_s
  else
    message = "Do not interpolate #{value.class} in a tag. " \
      "Instead of <#{@context[:tag_name]} <%=#{@code}%>> please " \
      "try <#{@context[:tag_name]} <%= html_attributes(attr: value) %>>."
    raise DontInterpolateHere, message
  end
end

#safe_after_equal_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 65

# Rejects an interpolation placed directly after `attr=` with no quotes.
# The value itself is never inspected; the position alone is refused.
#
# @param _value [Object] unused
# @raise [DontInterpolateHere] always
def safe_after_equal_append=(_value)
  site = "#{@context[:attribute_name]}=<%=#{@code}%>"
  raise DontInterpolateHere,
    "Do not interpolate without quotes after attribute around '#{site}'."
end

#safe_attribute_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 40

# Appends text interpolated into an attribute name. Only lowercase ASCII
# letters, digits and "-" are accepted (the empty string passes), so the
# interpolation cannot carry whitespace, quotes, "=" or ">" into the tag.
# The pattern is anchored with \A/\z, so a newline cannot smuggle extra
# content past the check.
#
# @param value [#to_s, nil] nil is silently ignored
# @raise [UnsafeHtmlError] when the text contains any other character
def safe_attribute_name_append=(value)
  return if value.nil?

  text = value.to_s
  if text.match?(/\A[a-z0-9\-]*\z/)
    @output.safe_append = text
  else
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a attribute name around '#{@context[:attribute_name]}<%=#{@code}%>'."
  end
end

#safe_comment_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 116

# Appends text interpolated inside an HTML comment (`<!-- ... -->`). The text
# goes through #properly_escaped first and is then rejected if it contains
# the comment terminator "-->".
# NOTE(review): HTML tokenizers also end a comment at "--!>"; that sequence is
# not rejected here — confirm whether #properly_escaped or the parser covers it.
#
# @param value [Object, nil] nil is silently ignored
# @raise [UnsafeHtmlError] when the escaped text contains "-->"
def safe_comment_append=(value)
  return if value.nil?

  escaped = properly_escaped(value)
  if escaped.include?("-->")
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a html comment around: <!--#{@context[:comment_text]}<%=#{@code}%>."
  end

  @output.safe_append = escaped
end

#safe_none_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 130

# Appends text interpolated at a position with no special HTML context
# (the "none" position); the only processing is #properly_escaped.
#
# @param value [Object, nil] nil is silently ignored
def safe_none_append=(value)
  @output.safe_append = properly_escaped(value) unless value.nil?
end

#safe_quoted_value_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 14

# Appends text interpolated inside a quoted attribute value. After
# #properly_escaped, the text must not contain the quote character that
# delimits this value (@context[:quote_character]).
#
# @param value [Object, nil] nil is silently ignored
# @raise [UnsafeHtmlError] when the escaped text contains the delimiting quote
def safe_quoted_value_append=(value)
  return if value.nil?

  escaped = properly_escaped(value)
  quote = @context[:quote_character]
  if escaped.include?(quote)
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a quoted attribute value. The value cannot contain the character #{quote}."
  end

  @output.safe_append = escaped
end

#safe_rawtext_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 95

# Appends text interpolated into a raw-text element (script, style, ...).
# After #properly_escaped the text is rejected if it could open or close the
# enclosing element (case-insensitive). For <script> the check follows the
# W3C restrictions on script contents and refuses "<script" and "</script"
# anywhere in the text.
# NOTE(review): the linked W3C section also restricts "<!--" inside script
# content; it is not checked here — confirm whether #properly_escaped covers it.
#
# @param value [Object, nil] nil is silently ignored
# @raise [UnsafeHtmlError] when the escaped text contains an opening or closing
#   tag for the enclosing element
def safe_rawtext_append=(value)
  return if value.nil?

  escaped = properly_escaped(value)
  tag = @context[:tag_name].downcase
  site = "<#{@context[:tag_name]}>#{@context[:rawtext_text]}<%=#{@code}%>"

  if tag == "script" && escaped.match?(%r{</?script}i)
    # https://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a script tag around: #{site}. " \
      "A script tag cannot contain <script or </script anywhere inside of it."
  elsif escaped.match?(%r{</?#{Regexp.escape(tag)}}i)
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a #{tag} tag around: #{site}."
  end

  @output.safe_append = escaped
end

#safe_space_after_attribute_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 34

# Rejects an interpolation that follows a quoted attribute value with no
# separating space (`attr="v"<%= %>`). The value is never inspected; the
# message shows the same site with the space added.
#
# @param _value [Object] unused
# @raise [DontInterpolateHere] always
def safe_space_after_attribute_append=(_value)
  attribute = "#{@context[:attribute_name]}=\"#{@context[:attribute_value]}\""
  raise DontInterpolateHere, "Add a space after this attribute value. Instead of " \
    "<#{@context[:tag_name]} #{attribute}<%=#{@code}%>> " \
    "try <#{@context[:tag_name]} #{attribute} <%=#{@code}%>>."
end

#safe_tag_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 70

# Appends a value interpolated inside a tag, between attributes. Only a
# BetterHtml::HtmlAttributes object is accepted; its #to_s is appended
# without further escaping, so that class is the trusted renderer here.
# Same rule as #safe_after_attribute_name_append=.
#
# @param value [BetterHtml::HtmlAttributes, nil] nil is silently ignored
# @raise [DontInterpolateHere] for any other type
def safe_tag_append=(value)
  return if value.nil?

  unless value.is_a?(BetterHtml::HtmlAttributes)
    hint = "<#{@context[:tag_name]} <%= html_attributes(attr: value) %>>"
    raise DontInterpolateHere, "Do not interpolate #{value.class} in a tag. " \
      "Instead of <#{@context[:tag_name]} <%=#{@code}%>> please try #{hint}."
  end

  @output.safe_append = value.to_s
end

#safe_tag_name_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 82

# Appends text interpolated into a tag name (`<#{...}`). Only lowercase ASCII
# letters, digits, ":" and "-" are accepted (the empty string passes), so the
# text cannot carry whitespace, "/" or ">" and cannot start attributes or end
# the tag. The pattern is anchored with \A/\z, so a newline cannot smuggle
# extra content past the check.
#
# @param value [#to_s, nil] nil is silently ignored
# @raise [UnsafeHtmlError] when the text contains any other character
def safe_tag_name_append=(value)
  return if value.nil?

  name = value.to_s
  if name.match?(/\A[a-z0-9\:\-]*\z/)
    @output.safe_append = name
  else
    raise UnsafeHtmlError, "Detected invalid characters as part of the interpolation " \
      "into a tag name around: <#{@context[:tag_name]}<%=#{@code}%>>."
  end
end

#safe_unquoted_value_append=(value) ⇒ Object



# File 'lib/better_html/better_erb/validated_output_buffer.rb', line 27

# Rejects an interpolation placed inside an unquoted attribute value
# (`attr=v<%= %>`). The value is never inspected; the message shows the
# same site with the value quoted instead.
#
# @param _value [Object] unused
# @raise [DontInterpolateHere] always
def safe_unquoted_value_append=(_value)
  tag = @context[:tag_name]
  attribute = "#{@context[:attribute_name]}=#{@context[:attribute_value]}"
  raise DontInterpolateHere, "Do not interpolate without quotes around this " \
    "attribute value. Instead of <#{tag} #{attribute}<%=#{@code}%>> " \
    "try <#{tag} #{@context[:attribute_name]}=\"#{@context[:attribute_value]}<%=#{@code}%>\">."
end