require 'erb' require 'active_support/core_ext/kernel/singleton_class' class ERB module Util HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } # A utility method for escaping HTML tag characters. # This method is also aliased as h. # # In your ERB templates, use this method to escape any unsafe content. For example: # <%=h @person.name %> # # ==== Example: # puts html_escape("is a > 0 & a < 10?") # # => is a > 0 & a < 10? def html_escape(s) s = s.to_s if s.html_safe? s else s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/ 0 & a < 10?") # # => is a \u003E 0 \u0026 a \u003C 10? # # Note that after this operation is performed the output is not # valid JSON. In particular double quotes are removed: # # json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}') # # => {name:john,created_at:2010-04-28T01:39:31Z,id:1} # # This method is also aliased as +j+, and available as a helper # in Rails templates: # # <%=j @person.to_json %> # def json_escape(s) result = s.to_s.gsub(/[&"><]/) { |special| JSON_ESCAPE[special] } s.html_safe? ? result.html_safe : result end alias j json_escape module_function :j module_function :json_escape end end class Object def html_safe? false end end class Numeric def html_safe? true end end module ActiveSupport #:nodoc: class SafeBuffer < String UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze alias_method :original_concat, :concat private :original_concat class SafeConcatError < StandardError def initialize super "Could not concatenate to the buffer because it is not html safe." end end def safe_concat(value) raise SafeConcatError if dirty? original_concat(value) end def initialize(*) @dirty = false super end def initialize_copy(other) super @dirty = other.dirty? end def concat(value) if dirty? || value.html_safe? super(value) else super(ERB::Util.h(value)) end end alias << concat def +(other) dup.concat(other) end def html_safe? !dirty? end def to_s self end def to_param to_str end def encode_with(coder) coder.represent_scalar nil, to_str end def to_yaml(*args) return super() if defined?(YAML::ENGINE) && !YAML::ENGINE.syck? to_str.to_yaml(*args) end for unsafe_method in UNSAFE_STRING_METHODS class_eval <<-EOT, __FILE__, __LINE__ + 1 def #{unsafe_method}(*args) super.to_str end def #{unsafe_method}!(*args) @dirty = true super end EOT end protected def dirty? @dirty end end end class String def html_safe ActiveSupport::SafeBuffer.new(self) end end