
Brakeman::Rails2XSSPluginErubis

This is from the rails_xss plugin for Rails 2.

Constants

BLOCK_EXPR

Public Instance Methods

add_expr_escaped(src, code)
# File lib/brakeman/parsers/rails2_xss_plugin_erubis.rb, line 39
def add_expr_escaped(src, code)
  src << '@output_buffer << ' << escaped_expr(code) << ';'
end
add_expr_literal(src, code)
# File lib/brakeman/parsers/rails2_xss_plugin_erubis.rb, line 31
def add_expr_literal(src, code)
  if code =~ BLOCK_EXPR
    src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
  else
    src << '@output_buffer << ((' << code << ').to_s);'
  end
end
add_postamble(src)
# File lib/brakeman/parsers/rails2_xss_plugin_erubis.rb, line 43
def add_postamble(src)
  #src << '@output_buffer.to_s'
end
add_preamble(src)
# File lib/brakeman/parsers/rails2_xss_plugin_erubis.rb, line 3
def add_preamble(src)
  #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
end
add_text(src, text)

This differs from rails_xss: it fixes some line number issues.

# File lib/brakeman/parsers/rails2_xss_plugin_erubis.rb, line 8
def add_text(src, text)
  if text == "\n"
    src << "\n"
  elsif text.include? "\n"
    lines = text.split("\n")
    if text.match(/\n\z/)
      lines.each do |line|
        src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
      end
    else
      lines[0..-2].each do |line|
        src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
      end

      src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
    end
  else
    src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
  end
end
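The hooks above only emit Ruby source. The following added example (not Brakeman's or Erubis' code) reimplements them in the same shape without an Erubis dependency and runs the generated source against a constructed stand-in for ActiveSupport::SafeBuffer, to show what the two output shapes mean at runtime: `<<` escapes untrusted strings while `safe_concat` appends text as given, and add_text keeps one generated statement per template line so that line numbers stay aligned. escaped_expr, escape_text, h and ToyView are assumptions standing in for the Erubis and Rails helpers the real class relies on.

```ruby
require 'cgi'

# Constructed stand-in for ActiveSupport::SafeBuffer: `<<` escapes anything not
# already marked safe, `safe_concat` appends raw text and trusts the caller.
class ToySafeBuffer < String
  def <<(value)
    value.is_a?(ToySafeBuffer) ? concat(value) : concat(CGI.escapeHTML(value.to_s))
  end
  def safe_concat(value); concat(value.to_s); end
  def to_s; self; end  # keep the "safe" marking across the .to_s the generated code calls
end

# Emits Ruby source in the same shape as the hooks above (no Erubis dependency).
class ToyGenerator
  def escaped_expr(code); "h(#{code})"; end        # assumption: models Erubis' helper
  def escape_text(text); text.gsub(/['\\]/) { |c| "\\#{c}" }; end  # for a '...' literal
  def add_text(src, text)  # one statement per template line keeps line numbers aligned
    text.lines.each do |line|
      src << "@output_buffer.safe_concat('#{escape_text(line.chomp)}');"
      src << "\n" if line.end_with?("\n")  # newline goes into the source, not the output
    end
  end
  def add_expr_escaped(src, code); src << "@output_buffer << #{escaped_expr(code)};"; end
  def add_expr_literal(src, code); src << "@output_buffer << ((#{code}).to_s);"; end
end

# Evaluates generated source with the given locals, the way a view would (assumption).
class ToyView
  def initialize(locals); @locals = locals; end
  def h(value); ToySafeBuffer.new(CGI.escapeHTML(value.to_s)); end
  def method_missing(name, *args); @locals.key?(name) ? @locals[name] : super; end
  def respond_to_missing?(name, priv = false); @locals.key?(name) || super; end
  def run(src); @output_buffer = ToySafeBuffer.new(""); instance_eval(src); @output_buffer; end
end

def compile_demo  # hooks called as Erubis would for a constructed three-line template
  src = "".dup
  g = ToyGenerator.new
  g.add_text(src, "<p>Hello\n")
  g.add_expr_escaped(src, "user_input")            # escaped expression path
  g.add_text(src, "</p>\n<div class='note'>")
  g.add_expr_literal(src, "trusted_html")          # non-block literal path, still `<<`
  g.add_text(src, "</div>\n")
  src
end

def render_demo  # untrusted value is escaped, the already-safe buffer passes through raw
  ToyView.new(user_input: "<script>alert(1)</script>",
              trusted_html: ToySafeBuffer.new("<b>ok</b>")).run(compile_demo)
end
```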


Generated with the Darkfish Rdoc Generator 2.