Class: Brakeman::Rails2XSSPluginErubis

Inherits: Erubis::Eruby (Object)
Includes: ErubisPatch
Defined in: lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

Overview

This parser is adapted from the rails_xss plugin for Rails 2, so Brakeman can model the output-escaping behaviour that plugin gives to ERB templates.

Constant Summary

BLOCK_EXPR =
/\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/

Matches an expression that ends by opening a block (`do` or `{`), optionally followed by block parameters such as `|f|`.

Instance Method Summary

Methods included from ErubisPatch

#convert

Instance Method Details

#add_expr_escaped(src, code) ⇒ Object

# File 'lib/brakeman/parsers/rails2_xss_plugin_erubis.rb', line 45

# Expressions that Erubis routes to its escaped path: the result of
# escaped_expr is appended to the output buffer with <<.
def add_expr_escaped(src, code)
  src << '@output_buffer << ' << escaped_expr(code) << ';'
end

#add_expr_literal(src, code) ⇒ Object

# File 'lib/brakeman/parsers/rails2_xss_plugin_erubis.rb', line 37

# <%= %> expressions. A block-opening expression (see BLOCK_EXPR) is
# appended with safe_concat; any other expression is appended with <<,
# which is the escaping path of a SafeBuffer under rails_xss.
def add_expr_literal(src, code)
  if code =~ BLOCK_EXPR
    src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
  else
    src << '@output_buffer << ((' << code << ').to_s);'
  end
end

#add_postamble(src) ⇒ Object

# File 'lib/brakeman/parsers/rails2_xss_plugin_erubis.rb', line 49

# Deliberately a no-op: the rails_xss postamble is kept only as a comment,
# since Brakeman parses the generated source rather than rendering it.
def add_postamble(src)
  #src << '@output_buffer.to_s'
end

#add_preamble(src) ⇒ Object

# File 'lib/brakeman/parsers/rails2_xss_plugin_erubis.rb', line 9

# Deliberately a no-op: the rails_xss preamble that sets up the
# SafeBuffer is kept only as a comment.
def add_preamble(src)
  #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
end

#add_text(src, text) ⇒ Object

This differs from rails_xss: it emits one newline in the generated source for each line of template text, so line numbers reported by Brakeman stay aligned with the template.

# File 'lib/brakeman/parsers/rails2_xss_plugin_erubis.rb', line 14

def add_text(src, text)
  # A lone newline becomes a newline in the generated source so that
  # line numbers stay aligned with the template.
  if text == "\n"
    src << "\n"
  elsif text.include? "\n"
    # Emit one safe_concat per template line. Each is terminated by "\n",
    # except a final partial line (text that does not end in a newline).
    lines = text.split("\n")
    if text.match(/\n\z/)
      lines.each do |line|
        src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
      end
    else
      lines[0..-2].each do |line|
        src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
      end

      src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
    end
  else
    # Literal template text is trusted, so it always goes through safe_concat.
    src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
  end
end
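The following is an added example, not code from Brakeman or from rails_xss. It drives the same `add_text` and `escape_text` logic shown above (with the `<%= %>` path of `add_expr_literal`) from a toy scanner, and evaluates the generated source against a stub buffer whose `<<` HTML-escapes and whose `safe_concat` does not, to make visible which parts of a template end up on the escaped path. `StubSafeBuffer`, `TinyRails2XssCompiler`, its `compile`/`render`/`add_stmt`/`block_expr?` methods and the sample template are all assumptions of this example; block expressions and the `add_expr_escaped` path are left out.

```ruby
require 'cgi'

# Same block-detection regexp as Brakeman::Rails2XSSPluginErubis::BLOCK_EXPR.
BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/

# Stand-in for ActiveSupport::SafeBuffer (assumption: only the two methods the
# generated source calls are modelled). `<<` HTML-escapes, `safe_concat` trusts.
class StubSafeBuffer
  def initialize
    @buf = +''
  end

  def <<(str)
    @buf << CGI.escapeHTML(str.to_s)
    self
  end

  def safe_concat(str)
    @buf << str.to_s
    self
  end

  def to_s
    @buf.dup
  end
end

# Toy compiler (assumption): mirrors the page's add_text/add_expr_literal for
# the non-block case and adds a minimal scanner so it can run stand-alone.
class TinyRails2XssCompiler
  # Erubis-style escaping for a single-quoted Ruby string literal.
  def escape_text(text)
    text.gsub(/['\\]/) { |c| "\\#{c}" }
  end

  # Literal template text: trusted, so it goes through safe_concat. One "\n" is
  # emitted per template line so generated line numbers track the template.
  def add_text(src, text)
    if text == "\n"
      src << "\n"
    elsif text.include?("\n")
      lines = text.split("\n")
      if text.match(/\n\z/)
        lines.each { |l| src << "@output_buffer.safe_concat('" << escape_text(l) << "');\n" }
      else
        lines[0..-2].each { |l| src << "@output_buffer.safe_concat('" << escape_text(l) << "');\n" }
        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
      end
    else
      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
    end
  end

  # <%= expr %>: untrusted, so it goes through << (the escaping path).
  # Block-opening expressions are out of scope for this toy.
  def add_expr_literal(src, code)
    raise NotImplementedError, 'block expressions are not modelled here' if block_expr?(code)
    src << '@output_buffer << ((' << code << ').to_s);'
  end

  # <% stmt %>: plain Ruby, copied through.
  def add_stmt(src, code)
    src << code << ';'
  end

  def block_expr?(code)
    !!(code =~ BLOCK_EXPR)
  end

  # Minimal scanner (assumption: only text, <% %> and <%= %> are handled).
  def compile(template)
    src = +''
    pos = 0
    template.scan(/<%(=?)(.*?)%>/m) do
      m = Regexp.last_match
      add_text(src, template[pos...m.begin(0)]) if m.begin(0) > pos
      m[1] == '=' ? add_expr_literal(src, m[2]) : add_stmt(src, m[2])
      pos = m.end(0)
    end
    add_text(src, template[pos..-1]) if pos < template.length
    src
  end

  # Evaluate the generated source with the given locals against the stub buffer.
  def render(template, locals = {})
    @output_buffer = StubSafeBuffer.new
    b = binding
    locals.each { |name, value| b.local_variable_set(name, value) }
    eval(compile(template), b)
    @output_buffer.to_s
  end
end

# Constructed sample: trusted literal markup around an untrusted value.
SAMPLE_TEMPLATE = "<h1>\n  <%= title %>\n</h1>\n"

if __FILE__ == $0
  c = TinyRails2XssCompiler.new
  puts c.compile(SAMPLE_TEMPLATE)
  puts c.render(SAMPLE_TEMPLATE, title: '<script>alert(1)</script>')
end
```

Running it prints the generated source, which has exactly as many newlines as the template, and then the rendered string, in which the literal `<h1>` survives while the `title` value arrives HTML-escaped. Two caveats follow from the page's `add_text`: the newlines inside literal text are not carried into the output strings (only their count in the generated source is preserved), so this is a parser aid and not a faithful renderer; and a text chunk ending in two or more consecutive newlines emits fewer newlines than it contains, because `"x\n\n".split("\n")` is `["x"]`.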