hikidoc:56
From: KAKUTANI Shintaro <shintaro@k...>
Date: Tue, 09 Jan 2007 23:26:10 +0900
Subject: [hikidoc:56] Using syntax under mod_ruby raises SecurityError
This is Kakutani. I suddenly got interested in code colouring with the syntax package, so I tried it out with tDiary + mod_ruby. The result: in my environment, the require inside Syntax raised a SecurityError. The cause is the string passed to Syntax::Convertors::HTML.for_syntax. For my own use, untainting it is not a problem, but is this the right way to deal with it? While I was at it, I also tweaked things a little so that the CSS that syntax provides as a sample can be used. The patch follows. I could not figure out how to run the tests that use syntax, so sorry that the non-essential parts are long.
Index: test/test_hikidoc.rb =================================================================== --- test/test_hikidoc.rb (revision 44) +++ test/test_hikidoc.rb (working copy) 
@@ -200,14 +200,62 @@ assert_equal( %Q|<p><strong><span class="plugin">{{foo}}</span></strong></p>\n|, HikiDoc.new( "'''{{foo}}'''" ).to_html ) end + begin + require 'rubygems' + require_gem 'syntax' + require 'syntax' + rescue LoadError + end if Object.const_defined?(:Syntax) def test_syntax_ruby - assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< ruby\nclass A\n def foo(bar)\n end\nend\n>>>" ).to_html ) - assert_equal( "<pre>\n<span class=\"keyword\">class </span><span class=\"class\">A</span>\n <span class=\"keyword\">def </span><span class=\"method\">foo</span><span class=\"punct\">(</span><span class=\"ident\">bar</span><span class=\"punct\">)</span>\n <span class=\"keyword\">end</span>\n<span class=\"keyword\">end</span>\n</pre>\n", HikiDoc.new( "<<< Ruby\nclass A\n def foo(bar)\n end\nend\n>>>" ).to_html ) - assert_equal( "<pre>\n<span class=\"punct\">'</span><span class=\"string\">a<">b</span><span class=\"punct\">'</span>\n</pre>\n", HikiDoc.new( "<<< ruby\n'a<\">b'\n>>>" ).to_html ) + hiki_text = " +<<< ruby +class A + def foo(bar) + end +end +>>>" + assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html ) +<pre class="ruby"> +<span class="keyword">class </span><span class="class">A</span> + <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span> + <span class="keyword">end</span> +<span class="keyword">end</span> +</pre> + EXPECTED end + + def test_syntax_ruby_with_initcap_type + hiki_text = " +<<< Ruby +class A + def foo(bar) end +end +>>>" + assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html ) +<pre class="ruby"> +<span class="keyword">class 
</span><span class="class">A</span> + <span class="keyword">def </span><span class="method">foo</span><span class="punct">(</span><span class="ident">bar</span><span class="punct">)</span> + <span class="keyword">end</span> +<span class="keyword">end</span> +</pre> + EXPECTED + end + + def test_ruby_syntax_with_character_entities + hiki_text = %q! +<<< ruby +'a<">b' +>>>! + assert_equal( <<-EXPECTED, HikiDoc.new( hiki_text ).to_html ) +<pre class="ruby"> +<span class="punct">'</span><span class="string">a<">b</span><span class="punct">'</span> +</pre> + EXPECTED + end + end private @@ -216,4 +264,5 @@ rescue SyntaxError false end + end Index: lib/hikidoc.rb =================================================================== --- lib/hikidoc.rb (revision 44) +++ lib/hikidoc.rb (working copy) @@ -148,8 +148,11 @@ ret.gsub!( /^#{MULTI_PRE_OPEN_RE}[ \t]*(\w*)$(.*?)^#{MULTI_PRE_CLOSE_RE}$/m ) do |str| begin raise if $1.empty? - convertor = Syntax::Convertors::HTML.for_syntax($1.downcase) - "\n" + store_block( convertor.convert( unescape_html( restore_pre( $2 ) ) ) ) + "\n\n" + multi_pre_syntax_type = $1.downcase.untaint + convertor = Syntax::Convertors::HTML.for_syntax( multi_pre_syntax_type ) + converted_text = convertor.convert( unescape_html( restore_pre( $2 ) ), false ) + pre_format = %Q|<pre class="#{multi_pre_syntax_type}">%s</pre>| + "\n" + store_block( pre_format % converted_text ) + "\n\n" rescue "\n" + store_block( "<pre>%s</pre>" % restore_pre( $2 ) ) + "\n\n" end -- ML: hikidoc@m... 使い方: http://QuickML.com/
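Review bot: in test_syntax_ruby_with_initcap_type (first hunk of test/test_hikidoc.rb) the input shows `def foo(bar) end` on one line while the expected HTML puts `<span class="keyword">end</span>` on a line of its own, so as written here the assertion cannot pass; the input should match test_syntax_ruby (`def foo(bar)` and `end` on separate lines) unless a line marker was lost when the mail was rendered. Two more points in the same hunk: the `begin require 'rubygems'; require_gem 'syntax'; require 'syntax' rescue LoadError end` guard swallows the LoadError without a message, and together with `if Object.const_defined?(:Syntax)` that means a run without the gem reports success while none of the three syntax tests execute, so print a warning in the rescue to make a skipped run visible. And in test_ruby_syntax_with_character_entities the expected output shows `a<">b` unescaped inside the string span; if that is not a rendering artifact of the mail, the test asserts that `<` and `"` from the document reach the output unescaped, which is the opposite of what its name says it checks, and the expectation should be the entity-encoded form.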
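Review bot: the bare `end` added in the second hunk of test/test_hikidoc.rb (`@@ -216,4 +264,5 @@`, after `rescue SyntaxError / false / end`) needs checking against the `end` the first hunk already adds after test_ruby_syntax_with_character_entities, since one of the two looks like a surplus block terminator; the covering mail says the syntax tests could not be run, so please confirm the file parses (`ruby -c test/test_hikidoc.rb`) and the suite runs both with and without the syntax gem installed before committing.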
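Review bot: `$1.downcase.untaint` in the lib/hikidoc.rb hunk strips the taint from a value that comes straight out of the document being rendered, and that value then selects which language file Syntax::Convertors::HTML.for_syntax loads (the require that the mail says raised SecurityError), so the SecurityError was doing its job: under mod_ruby's $SAFE level the document author was choosing what gets required. The `(\w*)` capture already limits the name to [A-Za-z0-9_] and so rules out path separators, but the safer fix is to untaint only after the lowercased name has been checked against the set of syntaxes hikidoc is prepared to support (an explicit list), and otherwise take the existing plain `<pre>` branch; that also keeps arbitrary document-chosen names out of the `class="..."` attribute built by `pre_format`. Two smaller points: the bare `rescue` below swallows any SecurityError as well, so a misconfiguration silently degrades to unhighlighted output rather than surfacing, and `convertor.convert(..., false)` relies on the second argument suppressing the convertor's own `<pre>` wrapper now that `pre_format` supplies one; a one-line comment saying so would help the next reader.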
-> 56 2007-01-09 15:26 [shintaro@k... ] Using syntax under mod_ruby raises SecurityError
   59 2007-03-05 10:15 ┗[kazuhiko@f... ]
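As an added example, not code from hikidoc or from the patch above: a minimal renderer for hikidoc-style `<<< lang ... >>>` blocks that shows the alternative to calling untaint on the document-supplied language name, namely checking it against a fixed allowlist before it can reach anything that loads code, and escaping the block body before it is emitted. The allowlist contents, the regex and the stand-in `highlight` helper are assumptions made for this example; in hikidoc the highlighter is Syntax::Convertors::HTML. It runs on current Ruby, where taint tracking no longer exists, so the allowlist check is the whole defence rather than a supplement to $SAFE.

```ruby
require 'cgi'

# Added example, not hikidoc's code: renders hikidoc-style multi-line pre
# blocks of the form
#
#   <<< ruby
#   code
#   >>>
#
# The language name after <<< is controlled by whoever wrote the document.
# Rather than untainting it and letting it reach a require/load inside a
# highlighter, it is checked against a fixed allowlist; any other name falls
# back to a plain, escaped <pre>.

# Assumption for the example: the syntaxes this site is prepared to highlight.
ALLOWED_SYNTAXES = %w[ruby xml yaml].freeze

# Same shape as hikidoc's block syntax. \w is ASCII-only in Ruby, so the
# captured name can never carry '/', '.', quotes or whitespace, but the
# allowlist below is what actually decides whether it is used.
MULTI_PRE_RE = /^<<<[ \t]*(\w*)[ \t]*$(.*?)^>>>[ \t]*$/m

# Returns the canonical (lowercased) syntax name, or nil when the name is
# empty or not allowlisted. Only this return value is ever used to pick a
# highlighter or to build the class attribute.
def resolve_syntax(name)
  return nil if name.nil? || name.empty?
  lang = name.downcase
  ALLOWED_SYNTAXES.include?(lang) ? lang : nil
end

# Stand-in for a real highlighter such as Syntax::Convertors::HTML so the
# example runs offline: escapes the code and wraps three Ruby keywords.
def highlight(lang, code)
  escaped = CGI.escapeHTML(code)
  return escaped unless lang == 'ruby'
  escaped.gsub(/\b(class|def|end)\b/, '<span class="keyword">\1</span>')
end

# Replaces every multi-line pre block in +text+ with HTML.
def render_multi_pre(text)
  text.gsub(MULTI_PRE_RE) do
    name, raw = $1, $2
    body = raw.sub(/\A\n/, '').sub(/\n\z/, '')   # drop the delimiter newlines
    lang = resolve_syntax(name)
    if lang
      # lang is one of ALLOWED_SYNTAXES, so it is safe inside the attribute.
      %Q|<pre class="#{lang}">\n#{highlight(lang, body)}\n</pre>\n|
    else
      "<pre>\n#{CGI.escapeHTML(body)}\n</pre>\n"
    end
  end
end

# Constructed sample document: an allowlisted name written with a capital,
# a body with characters that must be escaped, and an unknown name.
SAMPLE_DOC = "<<< Ruby\nclass A\n  def foo(bar)\n  end\nend\n>>>\n" \
             "<<< ruby\n'a<\">b'\n>>>\n" \
             "<<< nosuchlang\n<b>not highlighted</b>\n>>>\n"

puts render_multi_pre(SAMPLE_DOC) if __FILE__ == $0
```

The point of `resolve_syntax` is that the name flowing into the highlighter (and into `class="..."`) is always one of a handful of values the site operator chose, never a string the document author typed; with that in place there is nothing left to untaint, and an unknown name degrades to the plain `<pre>` branch exactly as the `rescue` fallback in hikidoc does.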