module Immunio
  # Hooks for the ERB template engine.
  # (Default one used in Rails < 5.1).
  #
  # Mixed into ActionView::Template::Handlers::Erubis. The handler's +add_expr+
  # is chained so that every expression tag is first rewritten by
  # Immunio::Template.generate_render_var_code and only then handed to the
  # original compiler step.
  module ErubisHooks
    extend ActiveSupport::Concern

    included do
      # Installs add_expr_with_immunio / add_expr_without_immunio around add_expr.
      Immunio::Utils.alias_method_chain self, :add_expr, :immunio
    end

    # Replacement for the handler's +add_expr+.
    #
    # Wrap expressions in the templates to track their rendered value.
    # Do not wrap expressions with blocks, eg.: <%= form_tag do %>
    # Block expressions are therefore passed through untouched and their
    # output is not tracked.
    # TODO should we support blocks?
    #
    # @param src [String] the Ruby source being generated for the template
    # @param code [String] the Ruby code found inside the expression tag
    # @param indicator [String] the tag indicator; '==' means "do not escape"
    # @return the value of the original add_expr
    def add_expr_with_immunio(src, code, indicator)
      hook_name = "#{Module.nesting[0]}::#{__method__}"

      Request.time "plugin", hook_name do
        if code !~ ActionView::Template::Handlers::Erubis::BLOCK_EXPR
          # escape unless we see the == indicator
          escape_output = indicator != '=='
          code = Immunio::Template.generate_render_var_code(code, escape_output)
        end

        # Delegate to the original compiler step inside Request.pause.
        Request.pause "plugin", hook_name do
          add_expr_without_immunio(src, code, indicator)
        end
      end
    end
  end
end

# Erubis is the default ERB handler only before Rails 5.1, so the plugin is
# registered only for those versions.
if Gem::Version.new(Rails.version) < Gem::Version.new('5.1')
  Immunio::Plugin.load('Erubis', feature: 'xss', hooks: Immunio::XSS_HOOKS) do |erubis_plugin|
    ActionView::Template::Handlers::Erubis.send :include, Immunio::ErubisHooks
    erubis_plugin.loaded! Rails.version
  end
end