Diffstat (limited to 'lib/erubis/enhancer.rb')
-rw-r--r--lib/erubis/enhancer.rb105
1 files changed, 105 insertions, 0 deletions
diff --git a/lib/erubis/enhancer.rb b/lib/erubis/enhancer.rb
index 79c0e8c..8c0f04b 100644
--- a/lib/erubis/enhancer.rb
+++ b/lib/erubis/enhancer.rb
@@ -11,6 +11,98 @@ require 'erubis/eruby'
module Erubis
+ ##
+ ## helper for xml
+ ##
+ module XmlHelper
+
+ module_function
+
+ def escape_xml(obj)
+ str = obj.to_s.dup
+ #str = obj.to_s
+ #str = str.dup if obj.__id__ == str.__id__
+ str.gsub!(/&/, '&')
+ str.gsub!(/</, '&lt;')
+ str.gsub!(/>/, '&gt;')
+ str.gsub!(/"/, '&quot;') #"
+ return str
+ end
+
+ alias h escape_xml
+ alias html_escape escape_xml
+
+ end
+
+
+ module PrivateHelper # :nodoc:
+
+ module_function
+
+ def report_expr(src, code)
+ code.strip!
+ s = code.dump
+ s.sub!(/\A"/, '')
+ s.sub!(/"\z/, '')
+ src << " $stderr.puts(\"** erubis: #{s} = \#{(#{code}).inspect}\");"
+ end
+
+ end
+
+
+ ##
+ ## convenient module to escape expression value ('<%= ... %>') by default
+ ##
+ ## ex.
+ ## class LatexEruby < Eruby
+ ## def self.escape(str)
+ ## return str.gsub(/[%\\]/, '\\\1')
+ ## end
+ ## def escaped_expr(expr_code)
+ ## return "LatexEruby.escape(#{expr_code})"
+ ## end
+ ## end
+ ##
+ module EscapeEnhancer
+
+ protected
+
+ ##
+ ## abstract method to convert expression code into escaped
+ ##
+ ## ex.
+ ## def escaped_expr(code)
+ ## return "CGI.escapeHTML(#{code})"
+ ## end
+ ##
+ def escaped_expr(code)
+ raise NotImplementedError.new("#{self.class.name}#escaped_expr() is not implemented.")
+ end
+
+
+ ##
+ ## escape expression code ('<%= .... %>')
+ ##
+ ## * '<%= ... %>' => escaped
+ ## * '<%== ... %>' => not escaped
+ ## * '<%=== ... %>' => report expression value into $stderr
+ ##
+ def add_src_expr(src, code, indicator)
+ case indicator
+ when '=' # <%= %>
+ src << " _out << " << escaped_expr(code) << ";"
+ when '==' # <%== %>
+ super
+ when '===' # <%=== %>
+ PrivateHelper.report_expr(src, code)
+ else
+ # nothing
+ end
+ end
+
+ end
+
+
## (obsolete)
module FastEnhancer
end
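Review bot: As rendered, `str.gsub!(/&/, '&')` in XmlHelper#escape_xml replaces an ampersand with itself, so `&` is never escaped and a value such as `&lt;` reaches the output as a live entity; the replacement should be `str.gsub!(/&/, '&amp;')` (if the page's own HTML rendering swallowed the entity, the line in the repository should still be confirmed). Performing the ampersand substitution first, ahead of `<`, `>` and `"`, is the right order and must stay that way so the entities introduced by the later substitutions are not escaped twice. The single quote is not handled, so a value interpolated into a single-quoted attribute is not neutralised; `str.gsub!(/'/, '&#39;')` would close that, and the `h`/`html_escape` aliases deserve a comment naming exactly which characters are substituted. PrivateHelper#report_expr also calls `code.strip!` on the caller's string, which mutates the argument in place; `code = code.strip` gives the same result without the side effect.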
@@ -53,6 +145,19 @@ module Erubis
end
+ ##
+ ## sanitize expression (<%= ... %>) by default
+ ##
+ class XmlEruby < Eruby
+ include EscapeEnhancer
+
+ def escaped_expr(code)
+ return "Erubis::XmlHelper.escape_xml(#{code})"
+ end
+
+ end
+
+
## (obsolete)
class FastEruby < Eruby
include FastEnhancer
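Review bot: XmlEruby#escaped_expr is defined with public visibility, while the abstract `escaped_expr` it overrides in EscapeEnhancer sits under `protected`; unless the wider visibility is intended, put `protected` before the `def` in XmlEruby, and the same applies to subclasses written after the LatexEruby example in the EscapeEnhancer header. The class comment says "sanitize expression" without saying what that means; a one-line comment on the class naming the characters XmlHelper.escape_xml substitutes, and noting that `<%== %>` bypasses the escaping, would make the contract concrete for template authors.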