make dependency on escape_utils optional

2023-03-27 23:18:01 -04:00 · 2011-09-03 11:45:30 -06:00 · 2011-09-03 11:45:30 -06:00 · be74517b9d
commit be74517b9d
parent 2e6467c823
3 changed files with 41 additions and 8 deletions
--- a/rack-protection/README.md
+++ b/rack-protection/README.md
@ -92,3 +92,11 @@ First stable release.
 Changes:

 * Fix bug in JsonCsrf
+
+## v1.1.0 (not yet release)
+
+Second public release.
+
+Changes:
+
+* Dependency on `escape_utils` is now optional
--- a/rack-protection/lib/rack/protection/escaped_params.rb
+++ b/rack-protection/lib/rack/protection/escaped_params.rb
@ -1,5 +1,10 @@
 require 'rack/protection'
-require 'escape_utils'
+require 'rack/utils'
+
+begin
+  require 'escape_utils'
+rescue LoadError
+end

 module Rack
  module Protection
@ -16,14 +21,28 @@ module Rack
    # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
    #          Available: :html (default), :javascript, :url
    class EscapedParams < Base
-      default_options :escape => :html
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options :escape => :html,
+        :escaper => defined?(EscapeUtils) ? EscapeUtils : self

      def initialize(*)
        super
-        modes = Array options[:escape]
-        code  = "def self.escape_string(str) %s end"
-        modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)"}
-        eval code % 'str'
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        if @javascript and not @escaper.respond_to? :escape_javascript
+          fail("Use EscapeUtils for JavaScript escaping.")
+        end
      end

      def call(env)
@ -32,7 +51,7 @@ module Rack
        post_was = handle(request.POST) rescue nil
        app.call env
      ensure
-        request.GET.replace get_was
+        request.GET.replace  get_was  if get_was
        request.POST.replace post_was if post_was
      end

@ -56,6 +75,13 @@ module Rack
        hash.each { |k,v| hash[k] = escape(v) }
        hash
      end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
    end
  end
 end
--- a/rack-protection/rack-protection.gemspec
+++ b/rack-protection/rack-protection.gemspec
@ -59,7 +59,6 @@ Gem::Specification.new do |s|

  # dependencies
  s.add_dependency "rack"
-  s.add_dependency "escape_utils"
  s.add_development_dependency "rack-test"
  s.add_development_dependency "rspec", "~> 2.0"
 end