hikidoc:56
From: KAKUTANI Shintaro <shintaro@k...>
Date: Tue, 09 Jan 2007 23:26:10 +0900
Subject: [hikidoc:56] mod_ruby環境下でのsyntaxを利用するとSecurityError
かくたにです。
唐突にsyntaxパッケージを利用したコードの色付けに興味が出たので、
tDiary + mod_rubyで試してみました。
結果、私の環境ではSyntaxの中でのrequireがSecurityErrorになりました。
Syntax::Convertors::HTML.for_syntaxに渡す文字列が原因です。
自分のところの用途ではuntaintして問題ないのですが、この対処で良いのでしょうか。
ついでに、syntaxがサンプルに提供しているCSSを使えるように少しイジってみました。
以下、パッチです。syntaxを利用するテストの動かし方がわからず、本質的ではないところが
長くてすみません。
Index: test/test_hikidoc.rb
===================================================================
--- test/test_hikidoc.rb (revision 44)
+++ test/test_hikidoc.rb (working copy)
@@ -200,14 +200,62 @@
assert_equal( %Q|<p><strong><span class="plugin">{{foo}}</span></strong></p>\n|, HikiDoc.new( "'''{{foo}}'''" ).to_html )
end
+ begin
+ require 'rubygems'
+ require_gem 'syntax'
+ require 'syntax'
+ rescue LoadError
+ end
if Object.const_defined?(:Syntax)
def test_syntax_ruby
- assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< ruby\nclass A\n def foo(bar)\n end\nend\n>>>" ).to_html )
- assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< Ruby\nclass A\n def foo(bar)\n end\nend\n>>>" ).to_html )
- assert_equal( "<pre>\n<span class=\"punct\">'</span><span class=\"string\">a<">b</span><span class=\"punct\">'</span>\n</pre>\n", HikiDoc.new( "<<< ruby\n'a<\">b'\n>>>" ).to_html )
+ hiki_text = "
+<<< ruby
+class A
+ def foo(bar)
+ end
+end
+>>>"
+ assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="keyword">class </span><span class="class">A</span>
+ <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span>
+ <span class="keyword">end</span>
+<span class="keyword">end</span>
+</pre>
+ EXPECTED
end
+
+ def test_syntax_ruby_with_initcap_type
+ hiki_text = "
+<<< Ruby
+class A
+ def foo(bar)
end
+end
+>>>"
+ assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="keyword">class </span><span class="class">A</span>
+ <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span>
+ <span class="keyword">end</span>
+<span class="keyword">end</span>
+</pre>
+ EXPECTED
+ end
+
+ def test_ruby_syntax_with_character_entities
+ hiki_text = %q!
+<<< ruby
+'a<">b'
+>>>!
+ assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="punct">'</span><span class="string">a<">b</span><span class="punct">'</span>
+</pre>
+ EXPECTED
+ end
+ end
private
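Review bot: `require_gem 'syntax'` on the third added line is redundant once `require 'rubygems'` has run (`require 'syntax'` alone resolves the gem), and `require_gem` is deprecated in newer RubyGems in favour of `gem`; I would drop it or replace it with `gem 'syntax'`. The surrounding `rescue LoadError` also means all three syntax tests silently vanish when the gem is missing, so a green run says nothing about this code path — a `warn "syntax gem not found; skipping syntax tests"` in the rescue makes the skip visible. Separately, `test_ruby_syntax_with_character_entities` expects `a<">b` inside the string span with `<` and `"` unescaped; if the archive has not decoded entities in this mail, that pins raw characters from the document reaching the HTML, which deserves an explicit comment in the test stating that this is the intended contract (the replaced assertion made the same claim).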
@@ -216,4 +264,5 @@
rescue SyntaxError
false
end
+
end
Index: lib/hikidoc.rb
===================================================================
--- lib/hikidoc.rb (revision 44)
+++ lib/hikidoc.rb (working copy)
@@ -148,8 +148,11 @@
ret.gsub!( /^#{MULTI_PRE_OPEN_RE}[ \t]*(\w*)$(.*?)^#{MULTI_PRE_CLOSE_RE}$/m ) do |str|
begin
raise if $1.empty?
- convertor = Syntax::Convertors::HTML.for_syntax($1.downcase)
- "\n" + store_block( convertor.convert( unescape_html( restore_pre( $2 ) ) ) ) + "\n\n"
+ multi_pre_syntax_type = $1.downcase.untaint
+ convertor = Syntax::Convertors::HTML.for_syntax( multi_pre_syntax_type )
+ converted_text = convertor.convert( unescape_html( restore_pre( $2 ) ), false )
+ pre_format = %Q|<pre class="#{multi_pre_syntax_type}">%s</pre>|
+ "\n" + store_block( pre_format % converted_text ) + "\n\n"
rescue
"\n" + store_block( "<pre>%s</pre>" % restore_pre( $2 ) ) + "\n\n"
end
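Review bot: `multi_pre_syntax_type = $1.downcase.untaint` strips the taint from a name taken straight from the document being rendered, immediately before `for_syntax` uses it, and the mail says that call ends in a `require` — which is exactly what the taint check under mod_ruby's $SAFE was guarding against. The `(\w*)` capture in the regex on the hunk's first line means no path separators or dots can reach that require and the value is also safe inside `class="…"`, but that guarantee is implicit; I would check the name against the syntaxes the site means to support before untainting, in the style of the existing `raise if $1.empty?`: `raise unless SUPPORTED_SYNTAXES.include?( $1.downcase )` (a frozen `%w[…]` constant listing the installed syntax modules) followed by `multi_pre_syntax_type = $1.downcase.untaint`, so an unknown name falls through to the plain `<pre>` branch instead of a require attempt. Note that the bare `rescue` below catches StandardError only; SecurityError is not a StandardError, so if the taint check does fire it still escapes `to_html`. A comment above the untaint, `# \w-only by the regex above and allow-listed, so safe to untaint and to interpolate into the class attribute`, would keep the next reader from treating untaint as a free pass; the enclosing `gsub!` block closes outside the hunk.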
--
ML: hikidoc@m...
使い方: http://QuickML.com/