From 695bd85683972ad74c8d9938d4e35ae510543d1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:07:38 +0100 Subject: [PATCH 1/9] Add notice: tests are only expected to run in *nix environment --- TESTING.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/TESTING.md b/TESTING.md index 6abec93..38ec4df 100644 --- a/TESTING.md +++ b/TESTING.md @@ -1,5 +1,7 @@ ## Running the mustache.js Test Suite +Notice: the tests are only expected to run on unixoid systems. + The mustache.js test suite uses the [RSpec](http://rspec.info/) testing framework. In order to run the tests you'll need to install [Ruby](http://ruby-lang.org/) as well as the `rake`, `rspec` (>=2), and `json` [RubyGems](http://rubygems.org/). From 96efb0a06462bb823aebc8e35939ea628653eaee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:08:47 +0100 Subject: [PATCH 2/9] Add section describing how to install Ruby and gems using a package manager --- TESTING.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/TESTING.md b/TESTING.md index 38ec4df..a23bfc5 100644 --- a/TESTING.md +++ b/TESTING.md @@ -6,6 +6,18 @@ The mustache.js test suite uses the [RSpec](http://rspec.info/) testing framework. In order to run the tests you'll need to install [Ruby](http://ruby-lang.org/) as well as the `rake`, `rspec` (>=2), and `json` [RubyGems](http://rubygems.org/). +### How to install Ruby, Ruby gems and the required gems with a package manager + +Tested on Ubuntu 10.10. + + $ sudo apt-get install ruby1.8-dev + $ sudo apt-get install rubygems1.8 + $ sudo gem install rake rspec + + $ # needed to build native json extension for json gem + $ sudo apt-get install build-essential libreadline5-dev + $ sudo gem install json + ### How to install Ruby and the required gems from source Make sure you have the required tools to compile it: From 068ed5472916d6501f3e9af7f7a86fc68643c543 Mon Sep 17 00:00:00 2001 
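Review bot: In the TESTING.md hunk of patch 2, `sudo gem install rake rspec` and `sudo gem install json` run the gem build (including the native json extension the comment mentions) as root and install system-wide with no version pin; installing into the user's gem directory (plain `gem install`, with `~/.gem/ruby/1.8/bin` on the path) and pinning the versions that were actually tested on Ubuntu 10.10 would make the instructions reproducible and keep the build out of root. The two `apt-get install` lines can also be one command, `sudo apt-get install ruby1.8-dev rubygems1.8`. In patch 1, "unixoid systems" reads more naturally as "Unix-like systems".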
From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:12:03 +0100 Subject: [PATCH 3/9] Add section to describe how to install node.js using a package manager --- TESTING.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/TESTING.md b/TESTING.md index a23bfc5..fd1239e 100644 --- a/TESTING.md +++ b/TESTING.md @@ -48,6 +48,13 @@ Install the required gems: That's it! +### How to install node.js using a package manager + +Notice: the version of node.js included in Ubuntu repositories is quite old. +It is recommended to install node.js from source instead. + + $ sudo apt-get install node + ### How to run the tests The mustache.js test suite currently uses 4 different JavaScript runtime engines From ecc228f4fdf971c4f690502b94b82399cc49aa3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:17:41 +0100 Subject: [PATCH 4/9] Add section to describe how to install node.js from source --- TESTING.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/TESTING.md b/TESTING.md index fd1239e..174d566 100644 --- a/TESTING.md +++ b/TESTING.md @@ -55,6 +55,17 @@ It is recommended to install node.js from source instead. $ sudo apt-get install node +### How to install node.js from source + + $ git clone https://github.com/joyent/node.git + $ cd node + $ # select the version to install, master is unstable; + $ # latest stable version is advertised on http://nodejs.org + $ git checkout v0.6.11 + $ ./configure + $ make + $ sudo make install + ### How to run the tests The mustache.js test suite currently uses 4 different JavaScript runtime engines From d33d413fc35d1fa33343c6cf0b2adfbf15a790d9 Mon Sep 17 00:00:00 2001 
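Review bot: In the TESTING.md hunk of patch 3, `sudo apt-get install node` does not install node.js on Ubuntu or Debian: the `node` package there is the amateur packet radio "node" program, and the JavaScript runtime is packaged as `nodejs`, so this line should be corrected or, given the notice that the repository version is old, dropped in favour of the source install. In the patch 4 hunk, `git checkout v0.6.11` followed by `sudo make install` builds and installs to system paths whatever the clone returned; add a step to verify the tag (`git verify-tag v0.6.11` where the tag is signed, or a checksum comparison against the release published on http://nodejs.org) before `make install`, and note in the comment that the pinned version will go stale.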
From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:38:34 +0100 Subject: [PATCH 5/9] Delete sections describing install using a package manager The installation of gems using the package manager is tweaked for Ubuntu/Debian and 'rake' is not made available on the path after install using gem. The install from source leads to a more consistent setup. --- TESTING.md | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/TESTING.md b/TESTING.md index 174d566..0be439b 100644 --- a/TESTING.md +++ b/TESTING.md @@ -6,18 +6,6 @@ The mustache.js test suite uses the [RSpec](http://rspec.info/) testing framework. In order to run the tests you'll need to install [Ruby](http://ruby-lang.org/) as well as the `rake`, `rspec` (>=2), and `json` [RubyGems](http://rubygems.org/). -### How to install Ruby, Ruby gems and the required gems with a package manager - -Tested on Ubuntu 10.10. - - $ sudo apt-get install ruby1.8-dev - $ sudo apt-get install rubygems1.8 - $ sudo gem install rake rspec - - $ # needed to build native json extension for json gem - $ sudo apt-get install build-essential libreadline5-dev - $ sudo gem install json - ### How to install Ruby and the required gems from source Make sure you have the required tools to compile it: @@ -48,13 +36,6 @@ Install the required gems: That's it! -### How to install node.js using a package manager - -Notice: the version of node.js included in Ubuntu repositories is quite old. -It is recommended to install node.js from source instead. - - $ sudo apt-get install node - ### How to install node.js from source $ git clone https://github.com/joyent/node.git From 02de820560ffbb933a8bd3ff18869e9744fba7c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:42:39 +0100 Subject: [PATCH 6/9] Add rule to ignore temp vim files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index c44d96c..65128cd 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1,3 +1,5 @@ +# ignore temp vim files +*.swp .DS_Store .rvmrc runner.js From 9f8937bd69c1ad8166bc814799c23c0ddc52793f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 10:43:54 +0100 Subject: [PATCH 7/9] Revert "Use ''' instead of ''', which showed in template output" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As reported by Chad Weider (Thanks!), the apostrophe should not be escaped as "'" in HTML documents, but using a numeric entity "'" or "'". Unlike """, "'" has not been defined in the W3C Recommendation for HTML 4 [1]. References: [1] HTML 4.01 Specification §24.4.1 The list of characters http://www.w3.org/TR/html4/sgml/entities.html#h-24.3.1 [2] Why shouldn't `'` be used to escape single quotes? http://stackoverflow.com/questions/2083754 /why-shouldnt-apos-be-used-to-escape-single-quotes [3] OWASP - The Open Web Application Security Project RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content "' is not recommended" https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content See details of the discussion on Github issue tracker: https://github.com/janl/mustache.js/pull/166 This reverts commit e20cee5f3e102be48e9be0575c71278178190d48. Conflicts: mustache.js --- mustache.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mustache.js b/mustache.js index 929f397..28bed23 100644 --- a/mustache.js +++ b/mustache.js @@ -40,7 +40,7 @@ var Mustache = function () { "<": "<", ">": ">", '"': '"', - "'": ''' + "'": ''' }; function escapeHTML(string) { From aa5a034e2f3cb6393efc8c67cdc87ca22af9e065 Mon Sep 17 00:00:00 2001
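Review bot: Patch 5 deletes exactly the TESTING.md sections that patches 2 and 3 of this same series added, so the three should be squashed before merge; a reviewer reading the series otherwise has to review instructions that never land. In the .gitignore hunk of patch 6, `*.swp` misses the `.swo`/`.swn` swap files vim writes when a `.swp` already exists; `*.sw?` covers them. In the mustache.js hunk of patch 7, the revert changes one entry of the escape map while the reasoning (the apostrophe must be a numeric reference because `&apos;` is not defined in HTML 4, per reference [1]) lives only in the commit message; put a one-line comment next to that map entry so the next contributor does not reintroduce the named entity.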
From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 12:28:46 +0100 Subject: [PATCH 8/9] Add unit test for bug: extra escaping of & in ' entity for apostrophe When found in a replacement value, ' should be left untouched, not escaped as &#39; which makes the entity visible instead of displaying an apostrophe in a browser. --- spec/_files/escaped.js | 1 + spec/_files/escaped.mustache | 1 + spec/_files/escaped.txt | 1 + 3 files changed, 3 insertions(+) diff --git a/spec/_files/escaped.js b/spec/_files/escaped.js index 7a8baef..875776a 100644 --- a/spec/_files/escaped.js +++ b/spec/_files/escaped.js @@ -2,5 +2,6 @@ var escaped = { title: function() { return "Bear > Shark"; }, + subtitle: 'Rock 'n Roll', entities: """ }; diff --git a/spec/_files/escaped.mustache b/spec/_files/escaped.mustache index ea25951..b8f82d0 100644 --- a/spec/_files/escaped.mustache +++ b/spec/_files/escaped.mustache @@ -1,2 +1,3 @@

{{title}}

+

{{subtitle}}

But not {{entities}}. diff --git a/spec/_files/escaped.txt b/spec/_files/escaped.txt index 73ac5ce..7f750d4 100644 --- a/spec/_files/escaped.txt +++ b/spec/_files/escaped.txt @@ -1,2 +1,3 @@

Bear > Shark

+

Rock 'n Roll

But not ". From 172c34a24fc7aac5c4e254f57ee0384f15202aea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eric=20Br=C3=A9chemier?= Date: Mon, 20 Feb 2012 12:30:55 +0100 Subject: [PATCH 9/9] Bug fix: do not escape & in ' entity for apostrophe The fix consists in adding #? in the negative look-ahead expected to reject entity references: & // character '&' (?! // not followed by #? // an optional # (numerical entity), followed by \w+ // a word, followed by ; // character ';' ) instead of & // character '&' (?! // not followed by \w+ // a word, followed by ; // character ';' ) --- mustache.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mustache.js b/mustache.js index 28bed23..6259024 100644 --- a/mustache.js +++ b/mustache.js @@ -44,7 +44,7 @@ var Mustache = function () { }; function escapeHTML(string) { - return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) { + return String(string).replace(/&(?!#?\w+;)|[<>"']/g, function (s) { return escapeMap[s] || s; }); }
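Review bot: In the mustache.js hunk of patch 9, the new lookahead `&(?!#?\w+;)` treats any `&` followed by an optional `#`, word characters and `;` as an existing reference, so text such as `&#zz;` or `&notanentity;` also passes through unescaped; if only well-formed references are meant to be preserved, a tighter exception such as `&(?!(?:#\d+|#[xX][0-9a-fA-F]+|[a-zA-Z]\w*);)` does that. The escaped.js fixture in patch 8 adds a single apostrophe-reference case in `subtitle`; since `#?\w+;` also admits hexadecimal references like `&#x27;`, which the patch 7 message names as the other valid form, add a fixture line for that form so the spec covers both. It is also worth a code comment that skipping existing references is a deliberate trade-off: a replacement value that contains a literal `&amp;` reaches the browser as `&`, so the escaper is not a faithful round-trip of arbitrary text, only idempotent over already-escaped text.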
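The commit message of patch 9 explains the regex change in words; the following is an added example, not mustache.js code, that places the `escapeHTML` body from before and after the patch side by side and runs both over constructed sample values. The escape map is reconstructed from the commit messages: the apostrophe is mapped to the numeric entity `&#39;` as patch 7 describes, and the other four entries are the standard named entities (both assumptions, since extraction garbled the hunk).

```javascript
// Added example, not the project's own code. The map below is an assumption
// reconstructed from the commit messages: '&', '<', '>' and '"' map to the
// standard named entities, the apostrophe to the numeric entity &#39;
// (patch 7 explains why &apos; is avoided).
const escapeMap = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;"
};

// Regex as it stood before patch 9: an '&' is left alone only when it is
// followed by word characters and ';' (a named-entity shape such as &gt;).
// A numeric reference such as &#39; does not match \w+; because of the '#',
// so its '&' is escaped again and the browser shows "&#39;" literally.
function escapeHTMLBefore(string) {
  return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) {
    return escapeMap[s] || s;
  });
}

// Regex after patch 9: the optional '#' lets decimal (&#39;) and
// hexadecimal (&#x27;) references through untouched as well.
function escapeHTMLAfter(string) {
  return String(string).replace(/&(?!#?\w+;)|[<>"']/g, function (s) {
    return escapeMap[s] || s;
  });
}

// Constructed sample values (not from the project's spec files): the case
// from patch 8, the hexadecimal form, a named entity, a bare ampersand,
// markup characters that must always be escaped, and a raw apostrophe.
const samples = [
  "Rock &#39;n Roll",
  "Rock &#x27;n Roll",
  "Bear &gt; Shark",
  "AT&T",
  "<script>alert(1)</script>",
  "Rock 'n Roll"
];

// Returns the output of both versions for one value.
function compare(value) {
  return { before: escapeHTMLBefore(value), after: escapeHTMLAfter(value) };
}

// Returns the comparison table for all samples, so the difference between the
// two regexes is visible in one place.
function runSamples() {
  return samples.map(function (v) {
    const r = compare(v);
    return { input: v, before: r.before, after: r.after, changed: r.before !== r.after };
  });
}

for (const row of runSamples()) {
  console.log(
    JSON.stringify(row.input), "->",
    "before:", JSON.stringify(row.before),
    "after:", JSON.stringify(row.after),
    row.changed ? "(differs)" : ""
  );
}
```

Only the two numeric-reference rows differ between the versions; a bare `&`, the markup characters and a raw apostrophe are escaped identically by both, which is what the spec fixture in patch 8 relies on.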