deprecate Mojo::Util::xss_escape in favor of Mojo::Util::xml_escape
kraih committed Feb 9, 2016
1 parent ba7fa4d commit ccbd7e9
Showing 5 changed files with 30 additions and 20 deletions.
4 changes: 3 additions & 1 deletion Changes
@@ -1,5 +1,7 @@

6.45 2016-02-08
6.45 2016-02-09
- Deprecated Mojo::Util::xss_escape in favor of Mojo::Util::xml_escape.
- Improved Mojo::Template performance slightly.

6.44 2016-02-04
- Removed deprecated format_regex attribute from Mojolicious::Routes::Pattern.
4 changes: 2 additions & 2 deletions lib/Mojo/Template.pm
Expand Up @@ -14,7 +14,7 @@ has capture_end => 'end';
has capture_start => 'begin';
has comment_mark => '#';
has encoding => 'UTF-8';
has escape => sub { \&Mojo::Util::xss_escape };
has escape => sub { \&Mojo::Util::xml_escape };
has [qw(escape_mark expression_mark trim_mark)] => '=';
has [qw(line_start replace_mark)] => '%';
has name => 'template';
Expand Down Expand Up @@ -495,7 +495,7 @@ Encoding used for template files.
$mt = $mt->escape(sub {...});
A callback used to escape the results of escaped expressions, defaults to
L<Mojo::Util/"xss_escape">.
L<Mojo::Util/"xml_escape">.
$mt->escape(sub {
my $str = shift;
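Review bot: The updated POD for `escape` names the new default but does not say that L<Mojo::Util/"xml_escape"> returns L<Mojo::ByteStream> objects unescaped, which is the property that matters for XSS when templates render escaped expressions. A sentence such as `Note that L<Mojo::ByteStream> objects are never escaped by the default callback.` after the changed line would state it where the attribute is documented. The code example that follows continues outside the hunk.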
27 changes: 16 additions & 11 deletions lib/Mojo/Util.pm
Expand Up @@ -57,9 +57,12 @@ our @EXPORT_OK = (
qw(md5_sum monkey_patch punycode_decode punycode_encode quote),
qw(secure_compare sha1_bytes sha1_sum slurp split_cookie_header),
qw(split_header spurt squish steady_time tablify term_escape trim unindent),
qw(unquote url_escape url_unescape xml_escape xor_encode xss_escape)
qw(unquote url_escape url_unescape xml_escape xor_encode)
);

# DEPRECATED in Clinking Beer Mugs!
push @EXPORT_OK, 'xss_escape';

sub b64_decode { decode_base64 $_[0] }
sub b64_encode { encode_base64 $_[0], $_[1] }

Expand Down Expand Up @@ -324,7 +327,8 @@ sub url_unescape {
}

sub xml_escape {
my $str = shift;
return $_[0] if ref $_[0] && ref $_[0] eq 'Mojo::ByteStream';
my $str = shift // '';
$str =~ s/([&<>"'])/$XML{$1}/ge;
return $str;
}
Expand All @@ -340,9 +344,11 @@ sub xor_encode {
return $output .= $buffer ^ substr($key, 0, length $buffer, '');
}

# DEPRECATED in Clinking Beer Mugs!
sub xss_escape {
no warnings 'uninitialized';
ref $_[0] eq 'Mojo::ByteStream' ? $_[0] : xml_escape("$_[0]");
deprecated
'Mojo::Util::xss_escape is DEPRECATED in favor of Mojo::Util::xml_escape';
xml_escape(@_);
}

sub _adapt {
Expand Down Expand Up @@ -790,23 +796,22 @@ L<RFC 3986|http://tools.ietf.org/html/rfc3986>.
my $escaped = xml_escape $str;
Escape unsafe characters C<&>, C<E<lt>>, C<E<gt>>, C<"> and C<'> in string.
Escape unsafe characters C<&>, C<E<lt>>, C<E<gt>>, C<"> and C<'> in string, but
do not escape L<Mojo::ByteStream> objects.
# "&lt;div&gt;"
xml_escape '<div>';
# "<div>"
use Mojo::ByteStream 'b';
xml_escape b('<div>');
=head2 xor_encode
my $encoded = xor_encode $str, $key;
XOR encode string with variable length key.
=head2 xss_escape
my $escaped = xss_escape $str;
Same as L</"xml_escape">, but does not escape L<Mojo::ByteStream> objects.
=head1 SEE ALSO
L<Mojolicious>, L<Mojolicious::Guides>, L<http://mojolicious.org>.
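Review bot: In the xml_escape hunk, the new first line `return $_[0] if ref $_[0] && ref $_[0] eq 'Mojo::ByteStream';` turns an existing public escaper from one that always escaped into one that passes Mojo::ByteStream arguments through untouched, so every caller of xml_escape, not only the template engine, now treats a ByteStream as trusted markup. Those callers are not visible on this page, so any that can receive a ByteStream wrapping request data should be checked, and the Changes entry would be clearer if it named the behaviour change as well as the deprecation. The test is an exact class-name match, so an object of a ByteStream subclass is still escaped. If that is intended, a comment such as `# Only exact Mojo::ByteStream objects count as already escaped` above the line would record it.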
8 changes: 4 additions & 4 deletions t/mojo/util.t
Expand Up @@ -16,7 +16,7 @@ use Mojo::Util
qw(monkey_patch punycode_decode punycode_encode quote secure_compare),
qw(secure_compare sha1_bytes sha1_sum slurp split_cookie_header),
qw(split_header spurt squish steady_time tablify term_escape trim unindent),
qw(unquote url_escape url_unescape xml_escape xor_encode xss_escape);
qw(unquote url_escape url_unescape xml_escape xor_encode);

# camelize
is camelize('foo_bar_baz'), 'FooBarBaz', 'right camelized result';
Expand Down Expand Up @@ -219,9 +219,9 @@ is xml_escape('привет<foo>'), 'привет&lt;foo&gt;',
# xml_escape (nothing to escape)
is xml_escape('привет'), 'привет', 'no changes';

# xss_escape
is xss_escape('<p>'), '&lt;p&gt;', 'right XSS escaped result';
is xss_escape(b('<p>')), '<p>', 'right XSS escaped result';
# xml_escape (XSS)
is xml_escape('<p>'), '&lt;p&gt;', 'right XSS escaped result';
is xml_escape(b('<p>')), '<p>', 'right XSS escaped result';

# punycode_encode
is punycode_encode('bücher'), 'bcher-kva', 'right punycode encoded result';
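Review bot: The new `shift // ''` default in xml_escape has no assertion in the `# xml_escape (XSS)` block; a line such as `is xml_escape(undef), '', 'undefined value';` would pin it. The second `'right XSS escaped result'` description would read better as `'Mojo::ByteStream not escaped'`, since that assertion checks the pass-through case rather than an escaped result. The deprecated `xss_escape` is still exported but is no longer imported or exercised in this file, so if the project tests deprecated code, one assertion on the wrapper would confirm it keeps delegating until removal.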
7 changes: 5 additions & 2 deletions t/pod_coverage.t
Expand Up @@ -7,8 +7,11 @@ plan skip_all => 'set TEST_POD to enable this test (developer only!)'
plan skip_all => 'Test::Pod::Coverage 1.04+ required for this test!'
unless eval 'use Test::Pod::Coverage 1.04; 1';

my %RULES = ('Mojo::Transaction::WebSocket' =>
{also_private => [qw(build_frame parse_frame)]},);
my %RULES = (
'Mojo::Transaction::WebSocket' =>
{also_private => [qw(build_frame parse_frame)]},
'Mojo::Util' => {also_private => ['xss_escape']}
);
pod_coverage_ok($_, $RULES{$_} || {}) for all_modules();

done_testing();
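Review bot: The new `'Mojo::Util' => {also_private => ['xss_escape']}` rule carries no marker tying it to the deprecation, so it is easy to leave behind once xss_escape is deleted. Util.pm in this commit tags its deprecated code with `# DEPRECATED in Clinking Beer Mugs!`; the same comment above this rule would let a single search find every piece to remove.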
