From: Jean-Christophe Beaupré Date: Thu, 4 Dec 2014 16:44:41 +0000 (-0500) Subject: string: Escape all HTML’s metacharacters. X-Git-Tag: v0.7~79^2~3 X-Git-Url: http://nitlanguage.org string: Escape all HTML’s metacharacters. In `html_escape`, escape all characters that OWASP recommends to escape. Signed-off-by: Jean-Christophe Beaupré
---
diff --git a/lib/html/html.nit b/lib/html/html.nit
index f58bdf6..f7ae180 100644
--- a/lib/html/html.nit
+++ b/lib/html/html.nit
@@ -119,7 +119,7 @@ class HTMLTag
 # Set a 'value' for 'key'
 # var img = new HTMLTag("img")
 # img.attr("src", "./image.png").attr("alt", "image")
- # assert img.write_to_string == """image"""
+ # assert img.write_to_string == """image"""
 fun attr(key: String, value: String): HTMLTag do
 attrs[key] = value
 return self
diff --git a/lib/standard/string.nit b/lib/standard/string.nit
index 664ecbc..604386f 100644
--- a/lib/standard/string.nit
+++ b/lib/standard/string.nit
@@ -653,9 +653,11 @@ abstract class Text
 return buf.to_s
 end
- # Escape the four characters `<`, `>`, `&`, and `"` with their html counterpart
+ # Escape the characters `<`, `>`, `&`, `"`, `'` and `/` as HTML/XML entity references.
 #
- # assert "a&b->\"x\"".html_escape == "a&b->"x""
+ # assert "a&b-<>\"x\"/'".html_escape == "a&b-<>"x"/'"
+ #
+ # SEE:
 fun html_escape: SELFTYPE do
 var buf = new FlatBuffer
@@ -669,7 +671,11 @@ abstract class Text
 else if c == '>' then
 buf.append ">"
 else if c == '"' then
- buf.append """
+ buf.append """
+ else if c == '\'' then
+ buf.append "'"
+ else if c == '/' then
+ buf.append "/"
 else
 buf.add c
 end
diff --git a/tests/sav/html_page.res b/tests/sav/html_page.res
index 079146d..84ba2b7 100644
--- a/tests/sav/html_page.res
+++ b/tests/sav/html_page.res
@@ -1,2 +1,2 @@
-Nit
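Review bot: The rewritten doc comment on `html_escape` (first string.nit hunk) lists what is escaped but not the context in which the result is safe, and OWASP's escaping rules are context-specific; I would add `# The result is safe as HTML element content and inside double- or single-quoted attribute values; it is not sufficient on its own for unquoted attributes, URLs, or script/style contexts.` Since `&apos;` is not an HTML 4 entity, the `'` and `/` branches in the second hunk should emit the numeric references `&#x27;` and `&#x2F;`, but this rendering has stripped the entity text from every `buf.append` line, so the actual forms cannot be confirmed here. The `# SEE:` line also renders empty; if the source holds an angle-bracketed URL it is fine, otherwise the reference should be filled in. The middle and the tail of html_escape's body fall outside these two hunks.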

# What is Nit?

Nit is an object-oriented programming language. The goal of Nit is to propose a robust statically typed programming language where structure is not a pain.

So, what does the famous hello world program look like, in Nit?

print 'Hello, World!'

# Feature Highlights

Usability

Nit's goal is to be usable by real programmers for real projects

  • KISS principle
  • Script-like language without verbosity nor cryptic statements
  • Painless static types: static typing should help programmers
  • Efficient development, efficient execution, efficient evolution.

Robustness

Nit will help you to write bug-free programs

  • Strong static typing
  • No more NullPointerException

Object-Oriented

Nit's guideline is to follow the most powerful OO principles

# Getting Started

Get Nit from its Git repository:

$ git clone http://nitlanguage.org/nit.git

Build the compiler (may be long):

$ cd nit
+Nit

# What is Nit?

Nit is an object-oriented programming language. The goal of Nit is to propose a robust statically typed programming language where structure is not a pain.

So, what does the famous hello world program look like, in Nit?

print 'Hello, World!'

# Feature Highlights

Usability

Nit's goal is to be usable by real programmers for real projects

  • KISS principle
  • Script-like language without verbosity nor cryptic statements
  • Painless static types: static typing should help programmers
  • Efficient development, efficient execution, efficient evolution.

Robustness

Nit will help you to write bug-free programs

  • Strong static typing
  • No more NullPointerException

Object-Oriented

Nit's guideline is to follow the most powerful OO principles

# Getting Started

Get Nit from its Git repository:

$ git clone http://nitlanguage.org/nit.git

Build the compiler (may be long):

$ cd nit
 $ make

Compile a program:

$ bin/nitc examples/hello_world.nit

Execute the program:

$ ./hello_world
\ No newline at end of file
diff --git a/tests/sav/nitlight_args1.res b/tests/sav/nitlight_args1.res
index 33325f6..547af57 100644
--- a/tests/sav/nitlight_args1.res
+++ b/tests/sav/nitlight_args1.res
@@ -1,67 +1,67 @@ -# This file is part of NIT ( http://www.nitlanguage.org ). +# This file is part of NIT ( http://www.nitlanguage.org ). # # Copyright 2006-2008 Jean Privat <jean@pryen.org> # -# Licensed under the Apache License, Version 2.0 (the "License"); +# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, +# distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import end -interface Object +interface Object end -enum Bool +enum Bool end -enum Int - fun output is intern +enum Int + fun output is intern end -class A - init do 5.output - fun run do 6.output +class A + init do 5.output + fun run do 6.output end -class B - var val: Int - init(v: Int) +class B + var val: Int + init(v: Int) do - 7.output - self.val = v + 7.output + self.val = v end - fun run do val.output + fun run do val.output end -class C - var val1: Int - var val2: Int = 10 +class C + var val1: Int + var val2: Int = 10 end -fun foo do 2.output -fun bar(i: Int) do i.output -fun baz: Int do return 4 +fun foo do 2.output +fun bar(i: Int) do i.output +fun baz: Int do return 4 -1.output -foo -bar(3) -baz.output +1.output +foo +bar(3) +baz.output -var a = new A -a.run +var a = new A +a.run -var b = new B(8) -b.run +var b = new B(8) +b.run -var c = new C(9) -c.val1.output -c.val2.output +var c = new C(9) +c.val1.output +c.val2.output \ No newline at end of file diff --git a/tests/sav/nitunit_args1.res b/tests/sav/nitunit_args1.res index 12b7181..dc528b1 100644 
--- a/tests/sav/nitunit_args1.res
+++ b/tests/sav/nitunit_args1.res
@@ -11,8 +11,8 @@ TestSuites: Class suites: 1; Test Cases: 3; Failures: 1 assert true assert false -assert undefined_identifier -outoutout
\ No newline at end of file
diff --git a/tests/sav/test_docdown_args1.res b/tests/sav/test_docdown_args1.res
index d3ab2e0..593a60f 100644
--- a/tests/sav/test_docdown_args1.res
+++ b/tests/sav/test_docdown_args1.res
@@ -62,7 +62,7 @@ bullet
block
 

a first example

assert 1 + 1 == 2
 

and a last example to illustrate the to_s method on A.

var a = new A
-assert a.to_s == "A"
+assert a.to_s == "A"
 
\ No newline at end of file