
# frozen_string_literal: true

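module TaintedLove
  module Replacer
    # Hooks ActionView for taint tracking:
    #
    # * a tainted (user-derived) value that has been marked +html_safe+ is
    #   reported as a potential XSS when it reaches the output buffer, because
    #   +html_safe+ values are appended without escaping;
    # * the output of a rendered template (and anything a template yields back
    #   to its caller's block) is untainted, so a rendered view is treated as a
    #   sink rather than a new taint source.
    #
    # NOTE(review): this depends on Ruby's object taint mechanism
    # (+tainted?+ / +untaint+). Taint tracking was deprecated in Ruby 2.7, is a
    # no-op from 3.0 (+tainted?+ is always false, so nothing is ever reported)
    # and the methods were removed in 3.2 (the patched +append=+ would then
    # raise NoMethodError on every +<%= %>+). Treat this replacer as
    # Ruby < 3.0 only. The +*args+ forwarding in +render+ also relies on the
    # Ruby 2 hash-to-keyword conversion for +Template#render+'s keyword options.
    class ReplaceActionView < Base
      # Only install the hooks when ActionView has actually been loaded.
      def should_replace?
        Object.const_defined?('ActionView')
      end

      # Installs two monkey patches.
      #
      # 1. +ActionView::OutputBuffer#append=+ (what +<%= %>+ compiles to):
      #    reports a value that is both tainted and +html_safe?+ (the
      #    unescaped path) as +[:xss]+, then delegates to +<<+ exactly as the
      #    stock alias does. Tainted values that are not +html_safe?+ are not
      #    reported here because +<<+ escapes them.
      # 2. +ActionView::Template#render+ (only if the constant exists): wraps
      #    the call so both its return value and every value produced by the
      #    caller's block (e.g. a layout's +yield+) are untainted.
      def replace!
        ActionView::OutputBuffer.class_eval do
          def append=(value)
            if value.tainted? && value.html_safe?
              TaintedLove.report(
                :ReplaceActionView,
                value,
                [:xss],
                'Tainted string is html_safe'
              )
            end

            self << value
          end
        end

        # Untaint the yield of a template. When render is called without a
        # block, forward without one as well: installing the wrapper block
        # unconditionally meant a template that yields would hit +block.call+
        # on nil (NoMethodError) instead of Ruby's usual LocalJumpError.
        mod = Module.new do
          def render(*args, &block)
            return super(*args).untaint unless block

            super(*args) do |*sub_args, &sub_block|
              block.call(*sub_args, &sub_block).untaint
            end.untaint
          end
        end

        ActionView::Template.prepend(mod) if Object.const_defined?('ActionView::Template')
      end
    end
  end
end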
