From f8e92a4dfede6703f82e2b81480b9da75bbfe0ad Mon Sep 17 00:00:00 2001
From: Dan Sketcher
Date: Fri, 28 May 2010 15:41:12 +1000
Subject: [PATCH 1/2] Add support for Rails XSS protection
---
lib/semantic_menu.rb | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/lib/semantic_menu.rb b/lib/semantic_menu.rb
index 7d77609..13f1532 100644
--- a/lib/semantic_menu.rb
+++ b/lib/semantic_menu.rb
@@ -22,7 +22,7 @@ def add(title, link, link_opts={}, &block)
 end
 def to_s
- content_tag :li, link_to(@title, @link, @link_opts) + child_output, ({:class => 'active'} if active?)
+ content_tag :li, SemanticMenu::Util.html_safe(link_to(@title, @link, @link_opts) + child_output), ({:class => 'active'} if active?)
 end
 def level_class
@@ -30,7 +30,7 @@ def level_class
 end
 def child_output
- children.empty? ? '' : content_tag(:ul, @children.collect(&:to_s).join, :class => level_class)
+ children.empty? ? '' : content_tag(:ul, SemanticMenu::Util.html_safe(@children.collect(&:to_s).join), :class => level_class)
 end
 def active?
@@ -44,6 +44,29 @@ def on_current_page?
 end
 class SemanticMenu < MenuItem
+ # Adapted from Formtastic::Util, which was in turn
+ # Adapted from the rails3 compatibility shim in Haml 2.2
+ module Util
+ extend self
+ ## Rails XSS Safety
+
+ # Returns the given text, marked as being HTML-safe.
+ # With older versions of the Rails XSS-safety mechanism,
+ # this destructively modifies the HTML-safety of `text`.
+ #
+ # @param text [String]
+ # @return [String] `text`, marked as HTML-safe
+ def html_safe(text)
+ return text if text.nil?
+ return text.html_safe if defined?(ActiveSupport::SafeBuffer)
+ return text.html_safe!
+ end
+
+ def rails_safe_buffer_class
+ return ActionView::SafeBuffer if defined?(ActionView::SafeBuffer)
+ ActiveSupport::SafeBuffer
+ end
+ end
 def initialize(controller, opts={},&block)
 @@controller = controller
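Review bot: The new `to_s` marks the entire `link_to(...) + child_output` concatenation as HTML-safe, which asserts safety for `@title` even though only `link_to` ever escapes it; if the Rails or rails_xss version in use has a `link_to` that does not escape its name argument, a user-supplied title becomes an injection point on this line. As far as I recall, `link_to` and `content_tag` both return `SafeBuffer`s under the XSS-aware APIs, and `SafeBuffer#+` keeps the result safe while escaping any unsafe operand, so the wrapper appears redundant and the line could stay as `content_tag :li, link_to(@title, @link, @link_opts) + child_output, ({:class => 'active'} if active?)`. If the wrapper is kept, a comment such as `# safe only because link_to escapes @title and child_output is content_tag output` records the invariant it depends on. The `MenuItem` class this method belongs to starts outside the hunk.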
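Review bot: The `html_safe` call in `child_output` is justified only because `Array#join` returns a plain `String` and drops the safe flag of each child's `to_s`, and its soundness rests entirely on every child's `to_s` being `content_tag` output; nothing in the hunk states that, so a later change to `to_s` that interpolates raw data would silently become an XSS. A one-line comment, `# join drops html_safe; each child's to_s is content_tag output, so re-marking the join is sound`, would pin that invariant where it is relied on. On Rails versions that ship `safe_join`, `content_tag(:ul, safe_join(@children.collect(&:to_s)), :class => level_class)` expresses the same thing without a blanket assertion. The same line mixes `children.empty?` with `@children.collect`, which is worth unifying.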
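Review bot: `html_safe` falls through to `text.html_safe!` whenever `ActiveSupport::SafeBuffer` is undefined, which raises `NoMethodError` on a Rails that has neither the Rails 3 API nor the rails_xss plugin; if such installs are still meant to work, guard the fallback with `return text.html_safe! if text.respond_to?(:html_safe!)` followed by a bare `text`. `rails_safe_buffer_class` is added but not called anywhere in this patch, so unless a caller exists outside the diff it is dead code carried over from Formtastic. Because `html_safe` is a trust assertion rather than an escaping function, the docstring should say so explicitly, e.g. `# Does not escape: only pass markup assembled from helper/escaped output.`, so the next maintainer does not reach for it on raw strings. The enclosing `SemanticMenu` class continues outside the hunk.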
@@ -55,6 +78,6 @@ def initialize(controller, opts={},&block)
 end
 def to_s
- content_tag(:ul, @children.collect(&:to_s).join, @opts)
+ content_tag(:ul, SemanticMenu::Util.html_safe(@children.collect(&:to_s).join), @opts)
 end
 end
From 7bbf5e1b07bfb41e096f9db1ac7dcea4a3141e00 Mon Sep 17 00:00:00 2001
From: Dan Sketcher
Date: Fri, 18 Feb 2011 13:17:47 +1000
Subject: [PATCH 2/2] Replace deprecated Kernel#returning with Object#tap
---
lib/semantic_menu.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/semantic_menu.rb b/lib/semantic_menu.rb
index 13f1532..83e55c7 100644
--- a/lib/semantic_menu.rb
+++ b/lib/semantic_menu.rb
@@ -15,7 +15,7 @@ def initialize(title, link, level, link_opts={})
 end
 def add(title, link, link_opts={}, &block)
- returning(MenuItem.new(title, link, @level +1, link_opts)) do |adding|
+ MenuItem.new(title, link, @level +1, link_opts).tap do |adding|
 @children << adding
 yield adding if block_given?
 end
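Review bot: `SemanticMenu::Util.html_safe(@children.collect(&:to_s).join)` in `SemanticMenu#to_s` duplicates the expression `MenuItem#child_output` builds in the first patch, so the reasoning that makes the blanket `html_safe` sound (every child's `to_s` is `content_tag` output and `join` discards the safe flag) now has to be kept true in two places. Since `SemanticMenu < MenuItem`, one helper on `MenuItem`, e.g. `def children_html; SemanticMenu::Util.html_safe(@children.collect(&:to_s).join); end`, called from both sites would keep the safety invariant in a single documented spot. Whether `@opts` can carry attacker-influenced attribute values is not visible here; if it can, that deserves a note at the `initialize` that stores it. The `SemanticMenu` class this method belongs to starts outside the hunk.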
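Review bot: `Object#tap` is core Ruby only from 1.8.7, whereas `Kernel#returning` came from ActiveSupport and also worked on 1.8.6; if the gem's metadata still admits 1.8.6, the new line raises `NoMethodError` there, so the commit should either bump `required_ruby_version` or state the floor in the README. The rewritten line also keeps the odd `@level +1` spacing; `MenuItem.new(title, link, @level + 1, link_opts).tap do |adding|` reads as the addition it is rather than a unary-plus argument. The `add` method continues past the hunk's last context line.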