module EscapeUtils
Constants
- VERSION
Public Class Methods
html_safe_string_class()
Default String class to return from HTML escaping
# File lib/escape_utils.rb, line 16
class << self
  # Reader for the String subclass returned by the html-safe escaping
  # methods.  The value is stored by html_safe_string_class= (implemented
  # in the C extension) in @html_safe_string_class on the module.
  attr_reader :html_safe_string_class
end
html_safe_string_class=(p1)
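/* Setter for EscapeUtils.html_safe_string_class=.
 *
 * val must be a Class that is String or a subclass of String.  It becomes
 * the class used for html-safe result strings, and a frozen template
 * instance of it is cached in rb_html_safe_string_template_object for the
 * escaping paths to use.  The assigned class is mirrored into
 * @html_safe_string_class on the module for the Ruby-side reader.
 *
 * Raises TypeError (via Check_Type) when val is not a Class and
 * ArgumentError when it does not descend from String.  Returns val.
 */
static VALUE rb_eu_set_html_safe_string_class(VALUE self, VALUE val)
{
	VALUE tmpl;

	Check_Type(val, T_CLASS);

	/* Module#<= returns true for String and its subclasses, false for an
	 * ancestor such as Object or BasicObject, and nil when the two are
	 * unrelated.  Only true is acceptable: comparing against nil alone let
	 * an ancestor class through, and it would then be instantiated below
	 * as the "string" template. */
	if (!RTEST(rb_funcall(val, rb_intern("<="), 1, rb_cString)))
		rb_raise(rb_eArgError, "%s must be a descendent of String", rb_class2name(val));

	/* Build and freeze the template before touching the globals, so that a
	 * constructor that raises (e.g. a subclass whose initialize requires
	 * arguments) leaves the previous class/template pair consistent. */
	tmpl = rb_class_new_instance(0, NULL, val);
	OBJ_FREEZE(tmpl);

	rb_html_safe_string_class = val;
	rb_html_safe_string_template_object = tmpl;
	rb_ivar_set(self, rb_intern("@html_safe_string_class"), val);

	return val;
}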
html_secure()
Turn on/off the escaping of the '/' character during HTML escaping. Escaping '/' is recommended by OWASP (www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content). This is because quotes around HTML attributes are optional in most/all modern browsers at the time of writing (10/15/2010).
# File lib/escape_utils.rb, line 10
class << self
  # Reader for the module-wide "secure" HTML escaping switch (escaping of
  # '/').  Returns whatever was last assigned through html_secure=, which
  # stores the raw value in @html_secure from the C extension.
  attr_reader :html_secure
end
html_secure=(p1)
/* Setter for EscapeUtils.html_secure=.
 *
 * Any truthy val turns on escaping of '/' in the HTML escapers by setting
 * the g_html_secure flag; nil or false turns it off.  The raw value is also
 * mirrored into @html_secure on the module so the Ruby-side reader returns
 * exactly what was assigned.  Returns val.
 */
static VALUE rb_eu_set_html_secure(VALUE self, VALUE val)
{
	int enabled = RTEST(val) ? 1 : 0;

	g_html_secure = enabled;
	rb_ivar_set(self, rb_intern("@html_secure"), val);

	return val;
}
Public Instance Methods
escape_html(p1, p2 = v2)
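/* EscapeUtils.escape_html(str, secure = EscapeUtils.html_secure)
 *
 * HTML-escapes str.  The optional second argument overrides the module-wide
 * html_secure flag for this call only: false disables escaping of '/',
 * true enables it, and nil (or omitting the argument) keeps the module
 * default.
 *
 * Returns a freshly built String when houdini_escape_html0 reports that it
 * wrote output (nonzero return); otherwise returns str itself -- the same
 * object, not a copy -- so callers must not rely on getting a new object.
 * Raises TypeError when str is not a String, plus whatever
 * check_utf8_encoding raises for an unsupported encoding.
 */
static VALUE rb_eu_escape_html(int argc, VALUE *argv, VALUE self)
{
	VALUE str, rb_secure;
	gh_buf buf = GH_BUF_INIT;
	int secure = g_html_secure;

	/* "11": one required argument, one optional.  Only an explicit false
	 * used to change the flag, so escape_html(s, true) with html_secure
	 * turned off silently left '/' unescaped; honour both directions while
	 * keeping nil as "use the module default". */
	if (rb_scan_args(argc, argv, "11", &str, &rb_secure) == 2 && !NIL_P(rb_secure)) {
		secure = RTEST(rb_secure) ? 1 : 0;
	}

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	if (houdini_escape_html0(&buf, (const uint8_t *)RSTRING_PTR(str), RSTRING_LEN(str), secure)) {
		/* houdini wrote an escaped copy into buf; wrap it, then release buf */
		VALUE result = eu_new_str(buf.ptr, buf.size);
		gh_buf_free(&buf);
		return result;
	}

	return str;
}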
escape_html_as_html_safe(p1)
/* EscapeUtils.escape_html_as_html_safe(str)
 *
 * HTML-escapes str using the module-wide html_secure flag (there is no
 * per-call override here, unlike escape_html) and always returns an
 * instance of the configured html-safe string class, even when nothing
 * needed escaping.  The result gets @html_safe set to true and carries the
 * encoding of str.
 *
 * Raises TypeError when str is not a String, plus whatever
 * check_utf8_encoding raises for an unsupported encoding.
 */
static VALUE rb_eu_escape_html_as_html_safe(VALUE self, VALUE str)
{
	gh_buf buf = GH_BUF_INIT;
	const uint8_t *src;
	VALUE result;
	int escaped;

	Check_Type(str, T_STRING);
	check_utf8_encoding(str);

	src = (const uint8_t *)RSTRING_PTR(str);
	escaped = houdini_escape_html0(&buf, src, RSTRING_LEN(str), g_html_secure);

	if (escaped) {
		/* houdini wrote an escaped copy into buf; wrap it, then release buf */
		result = new_html_safe_string(buf.ptr, buf.size);
		gh_buf_free(&buf);
	} else {
		/* nothing was escaped: hand the original bytes to the html-safe ctor */
		result = new_html_safe_string(RSTRING_PTR(str), RSTRING_LEN(str));
	}

	rb_ivar_set(result, ID_at_html_safe, Qtrue);
	rb_enc_associate(result, rb_enc_get(str));

	return result;
}
escape_javascript(p1)
JavaScript methods
/* Ruby binding for escape_javascript: runs str through the shared
 * rb_eu__generic driver with houdini_escape_js as the transform. */
static VALUE rb_eu_escape_js(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_escape_js);
}
escape_uri(p1)
URI methods
/* Ruby binding for escape_uri: runs str through the shared rb_eu__generic
 * driver with houdini_escape_uri as the transform. */
static VALUE rb_eu_escape_uri(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_escape_uri);
}
escape_uri_component(p1)
URI component methods
/* Ruby binding for escape_uri_component: runs str through the shared
 * rb_eu__generic driver with houdini_escape_uri_component as the transform. */
static VALUE rb_eu_escape_uri_component(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_escape_uri_component);
}
escape_url(p1)
URL methods
/* Ruby binding for escape_url: runs str through the shared rb_eu__generic
 * driver with houdini_escape_url as the transform. */
static VALUE rb_eu_escape_url(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_escape_url);
}
escape_xml(p1)
XML methods
/* Ruby binding for escape_xml: runs str through the shared rb_eu__generic
 * driver with houdini_escape_xml as the transform. */
static VALUE rb_eu_escape_xml(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_escape_xml);
}
unescape_html(p1)
/* Ruby binding for unescape_html: runs str through the shared
 * rb_eu__generic driver with houdini_unescape_html as the transform. */
static VALUE rb_eu_unescape_html(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_unescape_html);
}
unescape_javascript(p1)
/* Ruby binding for unescape_javascript: runs str through the shared
 * rb_eu__generic driver with houdini_unescape_js as the transform. */
static VALUE rb_eu_unescape_js(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_unescape_js);
}
unescape_uri(p1)
/* Ruby binding for unescape_uri: runs str through the shared rb_eu__generic
 * driver with houdini_unescape_uri as the transform. */
static VALUE rb_eu_unescape_uri(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_unescape_uri);
}
unescape_uri_component(p1)
/* Ruby binding for unescape_uri_component: runs str through the shared
 * rb_eu__generic driver with houdini_unescape_uri_component as the
 * transform. */
static VALUE rb_eu_unescape_uri_component(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_unescape_uri_component);
}
unescape_url(p1)
/* Ruby binding for unescape_url: runs str through the shared rb_eu__generic
 * driver with houdini_unescape_url as the transform. */
static VALUE rb_eu_unescape_url(VALUE self, VALUE str)
{
	(void)self; /* receiver is not needed */
	return rb_eu__generic(str, houdini_unescape_url);
}