Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/igrigorik/contextual
runtime contextual HTML autoescaper
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/igrigorik/contextual
- Owner: igrigorik
- Created: 2011-10-27T01:00:22.000Z (about 13 years ago)
- Default Branch: master
- Last Pushed: 2012-05-24T18:19:22.000Z (over 12 years ago)
- Last Synced: 2024-10-19T21:39:43.218Z (3 months ago)
- Language: Ruby
- Homepage:
- Size: 1.12 MB
- Stars: 10
- Watchers: 5
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# Runtime Contextual Autoescaper
A JRuby wrapper for [Mike Samuel's contextual HTML autoescaper](https://github.com/mikesamuel/html-contextual-autoescaper-java). Same one as [used by Google's Closure Templates](http://code.google.com/closure/templates/docs/security.html).
## Example
First, let's define an Erb template:
```erb
<% def helper(obj); "Hello, #{obj['world']}"; end %>
<%= helper(object) %>

<script>
(function () { // Sleepy developers put sensitive info in comments.
  var o = <%= object %>,
      w = "<%= object['world'] %>";
})();
</script>
```

Let's load the template and execute it:
```ruby
# template_string holds the Erb template defined above
template = Erubis::ContextualEruby.new(template_string)
object = {"world" => "<Cincinnati>", "color" => "blue"}
puts template.result(binding())
```

Output:
```html
Hello, &lt;Cincinnati&gt;

<script>
(function () {
  var o = {'world':'\x3cCincinnati\x3e','color':'blue'},
      w = "\x3cCincinnati\x3e";
})();
</script>
```

The safe parts are treated as literal chunks of HTML/CSS/JS; query string parameters are automatically URI-encoded; the same data is auto-escaped within the JS block; and the object rendered inside the JavaScript block is automatically converted to JSON! Additionally, comments are stripped, data is properly HTML-escaped, and so forth.
Contextual will also automatically neutralize a variety of injection cases for JS, CSS, and HTML, and give you a [dozen other features](https://github.com/mikesamuel/html-contextual-autoescaper-java/tree/master/src/tests/com/google/autoesc) for free.
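The behaviour the two paragraphs above describe, as an added pure-Ruby illustration (this is not the contextual gem or Mike Samuel's Java autoescaper, and it runs without JRuby): a renderer walks the literal template text, tracks whether the cursor is in HTML text, in JS code, or inside a JS string literal, and picks a different escaper for each context, so the same `<Cincinnati>` value comes out entity-escaped in HTML and hex-escaped inside `<script>`. `MiniContextual`, its `Context` class, `DEMO_TEMPLATE` and `DEMO_DATA` are all constructed for this example; the JSON uses double quotes where the real library printed single quotes, and JS comments are left in place rather than stripped.

```ruby
require 'json'

# Added example: a minimal sketch of contextual autoescaping. Not the
# contextual gem or the Java autoescaper it wraps; names are constructed.
module MiniContextual
  HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                   '"' => '&quot;', "'" => '&#39;' }.freeze

  # HTML text content (between tags): entity-escape the five metacharacters.
  def self.html_text(value)
    value.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
  end

  # Inside a JS string literal: \x-escape everything outside a conservative
  # allow-list, so the value can neither close the quote nor emit "</script>".
  def self.js_string(value)
    value.to_s.gsub(/[^A-Za-z0-9 ,._-]/) do |c|
      c.ord < 0x100 ? format('\\x%02x', c.ord) : format('\\u%04x', c.ord)
    end
  end

  # A JS value position (e.g. `var o = <%= object %>`): serialise as JSON,
  # then hex-escape <, > and & so the literal cannot end the script element.
  def self.js_value(value)
    JSON.generate(value).gsub(/[<>&]/) { |c| format('\\x%02x', c.ord) }
  end

  # Minimal context tracker. Real autoescapers model many more states
  # (attributes, URLs, CSS, comments); three are enough to show the idea.
  class Context
    attr_reader :state

    def initialize
      @state = :html
      @quote = nil
    end

    # Walk a literal template chunk, update the state, return the chunk.
    def consume(literal)
      i = 0
      while i < literal.length
        case @state
        when :html
          if literal[i, 7] == '<script'          # case-sensitive, demo only
            close = literal.index('>', i)
            break if close.nil?                  # tag not closed in this chunk
            @state = :js
            i = close                            # skip past the opening tag
          end
        when :js
          c = literal[i]
          if c == '"' || c == "'"
            @quote = c
            @state = :js_string
          elsif literal[i, 8] == '</script'
            @state = :html
            i = literal.index('>', i) || literal.length
          end
        when :js_string
          c = literal[i]
          if c == '\\'
            i += 1                               # skip the escaped character
          elsif c == @quote
            @quote = nil
            @state = :js
          end
        end
        i += 1
      end
      literal
    end
  end

  # parts: literal strings interleaved with placeholder symbols (no eval).
  def self.render(parts, data)
    ctx = Context.new
    parts.map do |part|
      if part.is_a?(String)
        ctx.consume(part)
      else
        value = data.fetch(part)
        case ctx.state
        when :html      then html_text(value)
        when :js        then js_value(value)
        when :js_string then js_string(value)
        end
      end
    end.join
  end

  # Constructed template mirroring the README example above.
  DEMO_TEMPLATE = [
    "Hello, ", :world, "\n<script>\n(function () {\n  var o = ", :object,
    ",\n      w = \"", :world, "\";\n})();\n</script>\n"
  ].freeze

  # Constructed sample input.
  DEMO_DATA = {
    world: '<Cincinnati>',
    object: { 'world' => '<Cincinnati>', 'color' => 'blue' }
  }.freeze

  def self.demo
    render(DEMO_TEMPLATE, DEMO_DATA)
  end
end

puts MiniContextual.demo if $PROGRAM_NAME == __FILE__
```

Running the file prints `Hello, &lt;Cincinnati&gt;` for the HTML placeholder, `{"world":"\x3cCincinnati\x3e","color":"blue"}` for the JS value, and `"\x3cCincinnati\x3e"` for the JS string, which is the point of the approach: the template author writes `<%= object['world'] %>` once and the escaping is chosen from the surrounding markup rather than by remembering to call the right helper.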
### License
(MIT License) - Copyright (c) 2012 Ilya Grigorik