Module: Zafu::Security

Defined in:
lib/zafu/security.rb

Constant Summary collapse

SECURE_REGEXP =
%r{<%|%>|<\Z}
SAFE_CODE =
{'<%' => '&lt;%', '%>' => '%&gt;', '<' => '&lt;'}

Instance Method Summary collapse

Instance Method Details

#erb_escape(text) ⇒ Object

Escape the ERB delimiters so that translations and other literal values spliced into generated template source cannot open or close an ERB tag.



# File 'lib/zafu/security.rb', line 6

# Neutralise ERB delimiters in a literal value before it is spliced into
# generated template source.
#
# Replaces every '<%' with '&lt;%', every '%>' with '%&gt;', and a '<' that
# sits at the very end of the value with '&lt;'. The trailing '<' is escaped
# on purpose: on its own it is harmless, but once the value is concatenated
# with template text that begins with '%' it would form an ERB opening tag
# (e.g. `<r:t>min</r:t>%` ==> `<%`), so matching '<%' alone is not enough.
#
# NOTE(review): the mirror case — a value that *starts* with '%' placed
# directly after a '<' in the surrounding template — is not covered here.
# Whether that can occur depends on how callers assemble the template;
# confirm before relying on this for anything other than trailing '<'.
#
# @param text [String] the literal value (translation, attribute, ...)
# @return [String] a copy of +text+ with the delimiters above escaped
def erb_escape(text)
  # String#gsub accepts a replacement Hash: each match is looked up by the
  # matched text, which is exactly what the block form did.
  text.gsub(SECURE_REGEXP, SAFE_CODE)
end

#form_quote(text) ⇒ Object




# Prepare a literal value for use inside a single-quoted form attribute in
# generated template source.
#
# Applies #erb_escape first (so the value cannot open or close an ERB tag)
# and then turns every single quote into the '&apos;' entity so the value
# cannot terminate the quoted attribute early.
#
# NOTE(review): double quotes are left untouched, so this is only safe for
# attributes delimited with single quotes — confirm callers never place the
# result inside a double-quoted attribute. '&apos;' is an XHTML/HTML5 entity;
# '&#39;' would be the more portable spelling if HTML4 consumers matter.
#
# @param text [String] the literal value to quote
# @return [String] the ERB-escaped value with single quotes entity-encoded
def form_quote(text)
  escaped = erb_escape(text)
  escaped.gsub(/'/, '&apos;')
end