
hikidoc:56

From: KAKUTANI Shintaro <shintaro@k...>
Date: Tue, 09 Jan 2007 23:26:10 +0900
Subject: [hikidoc:56] SecurityError when using syntax under mod_ruby

This is Kakutani.

I suddenly became interested in code colouring using the syntax package,
so I tried it with tDiary + mod_ruby.

As a result, in my environment the require inside Syntax raised a SecurityError.
The cause is the string passed to Syntax::Convertors::HTML.for_syntax.
For my own use it is fine to untaint it, but is this the right way to handle it?

While I was at it, I also tweaked things a little so that the CSS that syntax provides as a sample can be used.
The patch follows. I could not figure out how to run the tests that use syntax, so sorry that
the non-essential part is long.

Index: test/test_hikidoc.rb
===================================================================
--- test/test_hikidoc.rb	(revision 44)
+++ test/test_hikidoc.rb	(working copy)
@@ -200,14 +200,62 @@
     assert_equal( %Q|<p><strong><span class="plugin">{{foo}}</span></strong></p>\n|, HikiDoc.new( "'''{{foo}}'''" ).to_html )
   end
 
+  begin
+    require 'rubygems'
+    require_gem 'syntax'
+    require 'syntax'
+  rescue LoadError
+  end
   if Object.const_defined?(:Syntax)
 
     def test_syntax_ruby
-      assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n  <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n  <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< ruby\nclass A\n  def foo(bar)\n  end\nend\n>>>" ).to_html )
-      assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n  <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n  <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< Ruby\nclass A\n  def foo(bar)\n  end\nend\n>>>" ).to_html )
-      assert_equal( "<pre>\n<span class=\"punct\">'</span><span class=\"string\">a&lt;&quot;&gt;b</span><span class=\"punct\">'</span>\n</pre>\n", HikiDoc.new( "<<< ruby\n'a<\">b'\n>>>" ).to_html )
+      hiki_text = "
+<<< ruby
+class A
+  def foo(bar)
+  end
+end
+>>>"
+      assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="keyword">class </span><span class="class">A</span>
+  <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span>
+  <span class="keyword">end</span>
+<span class="keyword">end</span>
+</pre>
+      EXPECTED
     end
+
+    def test_syntax_ruby_with_initcap_type
+      hiki_text = "
+<<< Ruby
+class A
+  def foo(bar)
   end
+end
+>>>"  
+      assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="keyword">class </span><span class="class">A</span>
+  <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span>
+  <span class="keyword">end</span>
+<span class="keyword">end</span>
+</pre>
+      EXPECTED
+  end
+
+  def test_ruby_syntax_with_character_entities
+      hiki_text = %q!
+<<< ruby
+'a<">b'
+>>>!
+      assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html )
+<pre class="ruby">
+<span class="punct">'</span><span class="string">a&lt;&quot;&gt;b</span><span class="punct">'</span>
+</pre>
+      EXPECTED
+    end
+  end
   
   private
   
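Review bot: the indentation of the new test methods does not match the surrounding `if Object.const_defined?(:Syntax)` block: `test_syntax_ruby_with_initcap_type` closes with a two-space `end`, and `def test_ruby_syntax_with_character_entities` opens at two spaces while its body and `end` sit at four, so both should be moved to the four-space level used by `def test_syntax_ruby` above them. There is also trailing whitespace after `>>>"` in the initcap test. The `require_gem 'syntax'` line is deprecated in favour of `gem`, and once `require 'rubygems'` has run a plain `require 'syntax'` already locates the gem, so that line can simply be dropped.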
@@ -216,4 +264,5 @@
   rescue SyntaxError
     false
   end
+
 end
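Review bot: this hunk only adds a blank line before the final `end` of the test class; it is unrelated to the syntax change and could be left out to keep the diff focused.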
Index: lib/hikidoc.rb
===================================================================
--- lib/hikidoc.rb	(revision 44)
+++ lib/hikidoc.rb	(working copy)
@@ -148,8 +148,11 @@
     ret.gsub!( /^#{MULTI_PRE_OPEN_RE}[ \t]*(\w*)$(.*?)^#{MULTI_PRE_CLOSE_RE}$/m ) do |str|
       begin
         raise if $1.empty?
-        convertor = Syntax::Convertors::HTML.for_syntax($1.downcase)
-        "\n" + store_block( convertor.convert( unescape_html( restore_pre( $2 ) ) ) ) + "\n\n"
+        multi_pre_syntax_type = $1.downcase.untaint
+        convertor = Syntax::Convertors::HTML.for_syntax( multi_pre_syntax_type )
+        converted_text = convertor.convert( unescape_html( restore_pre( $2 ) ), false )
+        pre_format = %Q|<pre class="#{multi_pre_syntax_type}">%s</pre>|
+        "\n" + store_block( pre_format % converted_text ) + "\n\n"
       rescue
         "\n" + store_block( "<pre>%s</pre>" % restore_pre( $2 ) ) + "\n\n"
       end
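Review bot: the `untaint` on `multi_pre_syntax_type` is what removes the `SecurityError` under mod_ruby's `$SAFE` level, since `for_syntax` ends up handing the type to `require`; it is only acceptable here because the enclosing regex captures the type with `(\w*)`, so the string can never contain `/`, `.` or any other path character. Put a comment on that line saying exactly that, because anyone loosening the capture group later (for example to accept `c++`) would silently turn this into an unrestricted `require` path. The same `\w`-only guarantee is what keeps the interpolation into `class="#{multi_pre_syntax_type}"` free of attribute injection, so the comment should mention both uses.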

--
ML: hikidoc@m...
Usage: http://QuickML.com/
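As an added example (not hikidoc's code and not from this thread), here is an allowlist check for the `<<< type` tag, as an alternative to `untaint` for the value the patch passes to `for_syntax` and into the `class` attribute. The block delimiters and `(\w*)` capture mirror hikidoc's; the language list `KNOWN_SYNTAX_TYPES`, the helper names and the HTML-escaped fallback body are assumptions made for this example.

```ruby
require 'cgi'

# Hypothetical allowlist of tags that may become a require path or a
# <pre class="..."> attribute value (constructed for this example).
KNOWN_SYNTAX_TYPES = %w[ruby xml yaml].freeze

# Same delimiter shape as hikidoc's multi-line pre block: "<<< type" ... ">>>".
MULTI_PRE_RE = /^<<<[ \t]*(\w*)$(.*?)^>>>$/m

# Returns the normalised syntax type, or nil when the tag is empty, contains
# anything outside [A-Za-z0-9_] (Ruby's \w is ASCII-only), or is not in the
# allowlist. Rejecting instead of untainting keeps path characters and quote
# characters out of both the require path and the class attribute.
def safe_syntax_type(tag)
  return nil unless tag.is_a?(String) && tag.match?(/\A\w+\z/)
  type = tag.downcase
  KNOWN_SYNTAX_TYPES.include?(type) ? type : nil
end

# Replaces each "<<< type ... >>>" block with a <pre> element. Known types get
# class="type"; anything else falls back to a plain <pre>, as the patched
# hikidoc does in its rescue branch. The body is HTML-escaped here rather than
# handed to a highlighter, so the example runs without the syntax gem.
def render_multi_pre(text)
  text.gsub(MULTI_PRE_RE) do
    type = safe_syntax_type($1)
    body = CGI.escapeHTML($2)
    if type
      %Q|<pre class="#{type}">#{body}</pre>|
    else
      "<pre>#{body}</pre>"
    end
  end
end
```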
