erb_safe_ext adds a method to ERB to protect against XSS attacks.

I think changing the original `<%=` method is not always a good idea; adding a separate `<%~` method is better.
```shell
$ gem install erb_safe_ext
```

```erb
<%~ "<script>alert('safety:)');</script>" %>
## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
<%= "<script>alert('danger!');</script>" %>
## <script>alert('danger!');</script>
```
```ruby
require 'erb_safe_ext'

template = ERB.new <<-EOF
<%~ "<script>alert('safety:)');</script>" %>
<%= "<script>alert('danger!');</script>" %>
----finish----
EOF
puts template.result
```
```erb
<%= "<script>alert('safety:)');</script>" %>
## &lt;script&gt;alert(&#39;safety:)&#39;);&lt;/script&gt;
```

In this mode, `<%=` wraps the expression in `ERB::Util.html_escape(code)` by default. It works fine with Ruby 2.0.

`<%==` is the backup of ERB's original `<%=` function (no escaping):

```erb
<%== "<script>alert('danger!');</script>" %>
## <script>alert('danger!');</script>
```
```ruby
require 'erb_safe_ext'

template = ERB.new <<-EOF
<%= "<script>alert('safety:)');</script>" %>
<%#= 'here' -%>
<%== "<script>alert('danger!');</script>" %>
----finish----
EOF
puts template.result
```
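As an added illustration of the escaping behaviour described above (my own code, not erb_safe_ext's implementation), the following preprocessor gives stock ERB a `<%~ expr %>` tag by rewriting it into `<%= ERB::Util.html_escape((expr)) %>`, and with `safe_by_default: true` mirrors the second mode, where plain `<%=` escapes and `<%==` is the raw escape hatch. The `SafeTag` module, the `safe_by_default` option and the sample payload are assumptions of this example.

```ruby
require 'erb'

# Added example, not erb_safe_ext's own code: a template preprocessor that
# gives stock ERB a `<%~ expr %>` tag by rewriting it into
# `<%= ERB::Util.html_escape((expr)) %>`. With safe_by_default: true it
# mirrors the gem's second mode: plain `<%=` escapes and `<%==` stays raw.
module SafeTag
  # Captures the tag kind (~, == or =) and the Ruby code inside it.
  # `<%#` comments and plain `<% %>` statements are left untouched.
  TAGS = /<%(~|==|=)(.*?)%>/m

  def self.rewrite(template, safe_by_default: false)
    template.gsub(TAGS) do
      tag, code = Regexp.last_match(1), Regexp.last_match(2)
      raw = tag == '==' || (tag == '=' && !safe_by_default)
      raw ? "<%=#{code}%>" : "<%= ERB::Util.html_escape((#{code.strip})) %>"
    end
  end

  def self.render(template, bind, safe_by_default: false)
    ERB.new(rewrite(template, safe_by_default: safe_by_default)).result(bind)
  end

  # Renders a constructed template using all three tags against a sample payload.
  def self.demo(safe_by_default: false)
    payload  = "<script>alert('xss');</script>"  # constructed sample, not from a real page
    template = "tilde: <%~ payload %>\neq: <%= payload %>\neqeq: <%== payload %>\n"
    render(template, binding, safe_by_default: safe_by_default)
  end
end

if __FILE__ == $0
  puts SafeTag.demo                         # only <%~ escapes
  puts SafeTag.demo(safe_by_default: true)  # <%= escapes too, <%== stays raw
end
```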
It works fine with Sinatra (current version is 1.4.4), but don't do the following things:

- `require 'erubis'`
- add gems that depend on erubis, such as `better_errors` (you can find all dependencies in your `Gemfile.lock`)
The original Sinatra exception template displays badly with erb_safe_ext, so I rewrote it:

```ruby
require 'sinatra/base'
require 'erb_safe_ext/sinatra/exception_template'
```