Class: Brakeman::Rails3Erubis

Inherits:

Erubis::Eruby

• Object
• Erubis::Eruby
• Brakeman::Rails3Erubis

Includes:

ErubisPatch

Defined in:

lib/brakeman/parsers/rails3_erubis.rb

Overview

This is from Rails 5 version of the Erubis handler github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73

Constant Summary

BLOCK_EXPR =

/\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/

Instance Method Summary

• #add_expr(src, code, indicator) ⇒ Object

  Erubis toggles <%= and <%== behavior when escaping is enabled.

• #add_expr_escaped(src, code) ⇒ Object
• #add_expr_literal(src, code) ⇒ Object
• #add_postamble(src) ⇒ Object
• #add_preamble(src) ⇒ Object
• #add_stmt(src, code) ⇒ Object
• #add_text(src, text) ⇒ Object
• #convert_input(src, input) ⇒ Object

  This is borrowed from graphql’s erb plugin: github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38.

• #flush_newline_if_pending(src) ⇒ Object

Methods included from ErubisPatch

#convert

Instance Method Details

#add_expr(src, code, indicator) ⇒ Object

Erubis toggles <%= and <%== behavior when escaping is enabled. We override to always treat <%== as escaped.

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 33

def add_expr(src, code, indicator)
  case indicator
  when '=='
    add_expr_escaped(src, code)
  else
    super
  end
end

#add_expr_escaped(src, code) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 53

def add_expr_escaped(src, code)
  flush_newline_if_pending(src)
  if code =~ BLOCK_EXPR
    src << "@output_buffer.safe_expr_append= " << code
  else
    src << "@output_buffer.safe_expr_append=(" << code << ");"
  end
end

#add_expr_literal(src, code) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 44

def add_expr_literal(src, code)
  flush_newline_if_pending(src)
  if code =~ BLOCK_EXPR
    src << '@output_buffer.append= ' << code
  else
    src << '@output_buffer.append=(' << code << ');'
  end
end

#add_postamble(src) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 67

def add_postamble(src)
  flush_newline_if_pending(src)
  src << '@output_buffer.to_s; }'
end

#add_preamble(src) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 10

def add_preamble(src)
  @newline_pending = 0
  src << "_this_is_to_make_yields_syntactally_correct {"
  src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
end

#add_stmt(src, code) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 62

def add_stmt(src, code)
  flush_newline_if_pending(src)
  super
end

#add_text(src, text) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 16

def add_text(src, text)
  return if text.empty?

  if text == "\n"
    @newline_pending += 1
  else
    src << "@output_buffer.safe_append='"
    src << "\n" * @newline_pending if @newline_pending > 0
    src << escape_text(text)
    src << "'.freeze;"

    @newline_pending = 0
  end
end

#convert_input(src, input) ⇒ Object

This is borrowed from graphql’s erb plugin: github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 81

def convert_input(src, input)
  input = input.gsub(/<%graphql/, "<%#")
  super(src, input)
end

#flush_newline_if_pending(src) ⇒ Object

# File 'lib/brakeman/parsers/rails3_erubis.rb', line 72

def flush_newline_if_pending(src)
  if @newline_pending > 0
    src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
    @newline_pending = 0
  end
end