Merge pull request #1536 from kmuto/remove-cgi-escapehtml
use h() instead of CGI.escapeHTML()
takahashim authored Aug 16, 2020
2 parents 276b9ac + a0859a5 commit 80a5098
Showing 11 changed files with 89 additions and 79 deletions.
52 changes: 30 additions & 22 deletions lib/epubmaker/epubcommon.rb
Expand Up @@ -10,7 +10,11 @@

require 'review/i18n'
require 'review/template'
require 'cgi'
begin
require 'cgi/escape'
rescue LoadError
require 'cgi/util'
end

module EPUBMaker
# EPUBCommon is the common class for EPUB producer.
Expand All @@ -22,6 +26,10 @@ def initialize(producer)
@body_ext = nil
end

def h(str)
CGI.escapeHTML(str)
end

# Return mimetype content.
def mimetype
'application/epub+zip'
Expand Down Expand Up @@ -59,10 +67,10 @@ def ncx_isbn
def ncx_doctitle
<<EOT
<docTitle>
<text>#{CGI.escapeHTML(@producer.config['title'])}</text>
<text>#{h(@producer.config['title'])}</text>
</docTitle>
<docAuthor>
<text>#{@producer.config['aut'].nil? ? '' : CGI.escapeHTML(join_with_separator(@producer.config['aut'], ReVIEW::I18n.t('names_splitter')))}</text>
<text>#{@producer.config['aut'].nil? ? '' : h(join_with_separator(@producer.config['aut'], ReVIEW::I18n.t('names_splitter')))}</text>
</docAuthor>
EOT
end
Expand All @@ -72,7 +80,7 @@ def ncx_navmap(indentarray)
<navMap>
<navPoint id="top" playOrder="1">
<navLabel>
<text>#{CGI.escapeHTML(@producer.config['title'])}</text>
<text>#{h(@producer.config['title'])}</text>
</navLabel>
<content src="#{@producer.config['cover']}"/>
</navPoint>
Expand All @@ -84,7 +92,7 @@ def ncx_navmap(indentarray)
s << <<EOT
<navPoint id="toc" playOrder="#{nav_count}">
<navLabel>
<text>#{CGI.escapeHTML(@producer.res.v('toctitle'))}</text>
<text>#{h(@producer.res.v('toctitle'))}</text>
</navLabel>
<content src="#{@producer.config['bookname']}-toc.#{@producer.config['htmlext']}"/>
</navPoint>
Expand All @@ -100,7 +108,7 @@ def ncx_navmap(indentarray)
s << <<EOT
<navPoint id="nav-#{nav_count}" playOrder="#{nav_count}">
<navLabel>
<text>#{indent[level]}#{CGI.escapeHTML(item.title)}</text>
<text>#{indent[level]}#{h(item.title)}</text>
</navLabel>
<content src="#{item.file}"/>
</navPoint>
Expand Down Expand Up @@ -131,21 +139,21 @@ def cover(type = nil)
raise "coverimage #{@producer.config['coverimage']} not found. Abort." unless file
@body = <<-EOT
<div id="cover-image" class="cover-image">
<img src="#{file}" alt="#{CGI.escapeHTML(@producer.config.name_of('title'))}" class="max"/>
<img src="#{file}" alt="#{h(@producer.config.name_of('title'))}" class="max"/>
</div>
EOT
else
@body = <<-EOT
<h1 class="cover-title">#{CGI.escapeHTML(@producer.config.name_of('title'))}</h1>
<h1 class="cover-title">#{h(@producer.config.name_of('title'))}</h1>
EOT
if @producer.config['subtitle']
@body << <<-EOT
<h2 class="cover-subtitle">#{CGI.escapeHTML(@producer.config.name_of('subtitle'))}</h2>
<h2 class="cover-subtitle">#{h(@producer.config.name_of('subtitle'))}</h2>
EOT
end
end

@title = CGI.escapeHTML(@producer.config.name_of('title'))
@title = h(@producer.config.name_of('title'))
@language = @producer.config['language']
@stylesheets = @producer.config['stylesheet']
tmplfile = if @producer.config['htmlversion'].to_i == 5
Expand All @@ -161,15 +169,15 @@ def cover(type = nil)
# NOTE: this method is not used yet.
# see lib/review/epubmaker.rb#build_titlepage
def titlepage
@title = CGI.escapeHTML(@producer.config.name_of('title'))
@title = h(@producer.config.name_of('title'))

@body = <<EOT
<h1 class="tp-title">#{@title}</h1>
EOT

if @producer.config['subtitle']
@body << <<EOT
<h2 class="tp-subtitle">#{CGI.escapeHTML(@producer.config.name_of('subtitle'))}</h2>
<h2 class="tp-subtitle">#{h(@producer.config.name_of('subtitle'))}</h2>
EOT
end

Expand All @@ -179,7 +187,7 @@ def titlepage
<br />
<br />
</p>
<h2 class="tp-author">#{CGI.escapeHTML(join_with_separator(@producer.config.names_of('aut'), ReVIEW::I18n.t('names_splitter')))}</h2>
<h2 class="tp-author">#{h(join_with_separator(@producer.config.names_of('aut'), ReVIEW::I18n.t('names_splitter')))}</h2>
EOT
end

Expand All @@ -192,7 +200,7 @@ def titlepage
<br />
<br />
</p>
<h3 class="tp-publisher">#{CGI.escapeHTML(join_with_separator(publisher, ReVIEW::I18n.t('names_splitter')))}</h3>
<h3 class="tp-publisher">#{h(join_with_separator(publisher, ReVIEW::I18n.t('names_splitter')))}</h3>
EOT
end

Expand All @@ -209,18 +217,18 @@ def titlepage

# Return colophon content.
def colophon
@title = CGI.escapeHTML(@producer.res.v('colophontitle'))
@title = h(@producer.res.v('colophontitle'))
@body = <<EOT
<div class="colophon">
EOT

if @producer.config['subtitle'].nil?
@body << <<EOT
<p class="title">#{CGI.escapeHTML(@producer.config.name_of('title'))}</p>
<p class="title">#{h(@producer.config.name_of('title'))}</p>
EOT
else
@body << <<EOT
<p class="title">#{CGI.escapeHTML(@producer.config.name_of('title'))}<br /><span class="subtitle">#{CGI.escapeHTML(@producer.config.name_of('subtitle'))}</span></p>
<p class="title">#{h(@producer.config.name_of('title'))}<br /><span class="subtitle">#{h(@producer.config.name_of('subtitle'))}</span></p>
EOT
end

Expand All @@ -229,7 +237,7 @@ def colophon
@body << %Q( <table class="colophon">\n)
@body << @producer.config['colophon_order'].map do |role|
if @producer.config[role]
%Q( <tr><th>#{CGI.escapeHTML(@producer.res.v(role))}</th><td>#{CGI.escapeHTML(join_with_separator(@producer.config.names_of(role), ReVIEW::I18n.t('names_splitter')))}</td></tr>\n)
%Q( <tr><th>#{h(@producer.res.v(role))}</th><td>#{h(join_with_separator(@producer.config.names_of(role), ReVIEW::I18n.t('names_splitter')))}</td></tr>\n)
else
''
end
Expand All @@ -238,7 +246,7 @@ def colophon
@body << %Q( <tr><th>ISBN</th><td>#{@producer.isbn_hyphen}</td></tr>\n) if @producer.isbn_hyphen
@body << %Q( </table>\n)
if @producer.config['rights'] && !@producer.config['rights'].empty?
@body << %Q( <p class="copyright">#{join_with_separator(@producer.config.names_of('rights').map { |m| CGI.escapeHTML(m) }, '<br />')}</p>\n)
@body << %Q( <p class="copyright">#{join_with_separator(@producer.config.names_of('rights').map { |m| h(m) }, '<br />')}</p>\n)
end
@body << %Q( </div>\n)

Expand Down Expand Up @@ -289,9 +297,9 @@ def date_to_s(date)

# Return own toc content.
def mytoc
@title = CGI.escapeHTML(@producer.res.v('toctitle'))
@title = h(@producer.res.v('toctitle'))

@body = %Q( <h1 class="toc-title">#{CGI.escapeHTML(@producer.res.v('toctitle'))}</h1>\n)
@body = %Q( <h1 class="toc-title">#{h(@producer.res.v('toctitle'))}</h1>\n)
if @producer.config['epubmaker']['flattoc'].nil?
@body << hierarchy_ncx('ul')
else
Expand Down Expand Up @@ -385,7 +393,7 @@ def flat_ncx(type, indent = nil)
@producer.contents.each do |item|
next if !item.notoc.nil? || item.level.nil? || item.file.nil? || item.title.nil? || item.level > @producer.config['toclevel'].to_i
is = indent == true ? ' ' * item.level : ''
s << %Q(<li><a href="#{item.file}">#{is}#{CGI.escapeHTML(item.title)}</a></li>\n)
s << %Q(<li><a href="#{item.file}">#{is}#{h(item.title)}</a></li>\n)
end
s << %Q(</#{type}>\n)

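Review bot: The new public helper `h(str)` (the `def h(str)` / `CGI.escapeHTML(str)` pair in the second hunk) is added without a doc comment, and since it now replaces every escape call in this file it is worth stating its contract once; I would add above it `# Escape +str+ for interpolation into generated XHTML/NCX markup (thin wrapper over CGI.escapeHTML; raises TypeError on nil, so callers keep their own nil guards).`. The `rescue LoadError` in the first hunk is the right class here — LoadError is a ScriptError, not a StandardError, so a bare `rescue` would not trigger the `cgi/util` fallback. Note that the commit only touches text content; attribute values such as `src="#{@producer.config['cover']}"` and `src="#{item.file}"` in the ncx_navmap hunks are still interpolated raw, which is pre-existing but worth a follow-up since the same `h` could be applied there. The bodies of ncx_navmap, cover, titlepage, colophon and mytoc all extend outside the hunks shown.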
9 changes: 4 additions & 5 deletions lib/epubmaker/epubv2.rb
Expand Up @@ -9,7 +9,6 @@
#

require 'epubmaker/epubcommon'
require 'cgi'
require 'epubmaker/zip_exporter'

module EPUBMaker
Expand Down Expand Up @@ -37,9 +36,9 @@ def opf_metainfo
%w[title language date type format source description relation coverage subject rights].each do |item|
next unless @producer.config[item]
if @producer.config[item].is_a?(Array)
s << @producer.config.names_of(item).map { |i| %Q( <dc:#{item}>#{CGI.escapeHTML(i)}</dc:#{item}>\n) }.join
s << @producer.config.names_of(item).map { |i| %Q( <dc:#{item}>#{h(i)}</dc:#{item}>\n) }.join
else
s << %Q( <dc:#{item}>#{CGI.escapeHTML(@producer.config.name_of(item).to_s)}</dc:#{item}>\n)
s << %Q( <dc:#{item}>#{h(@producer.config.name_of(item).to_s)}</dc:#{item}>\n)
end
end

Expand All @@ -54,15 +53,15 @@ def opf_metainfo
%w[aut a-adp a-ann a-arr a-art a-asn a-aqt a-aft a-aui a-ant a-bkp a-clb a-cmm a-dsr a-edt a-ill a-lyr a-mdc a-mus a-nrt a-oth a-pht a-prt a-red a-rev a-spn a-ths a-trc a-trl].each do |role|
next unless @producer.config[role]
@producer.config.names_of(role).each do |v|
s << %Q( <dc:creator opf:role="#{role.sub('a-', '')}">#{CGI.escapeHTML(v)}</dc:creator>\n)
s << %Q( <dc:creator opf:role="#{role.sub('a-', '')}">#{h(v)}</dc:creator>\n)
end
end

# contributor (should be array)
%w[adp ann arr art asn aqt aft aui ant bkp clb cmm dsr edt ill lyr mdc mus nrt oth pht prt red rev spn ths trc trl].each do |role|
next unless @producer.config[role]
@producer.config.names_of(role).each do |v|
s << %Q( <dc:contributor opf:role="#{role}">#{CGI.escapeHTML(v)}</dc:contributor>\n)
s << %Q( <dc:contributor opf:role="#{role}">#{h(v)}</dc:contributor>\n)
if role == 'prt'
s << %Q( <dc:publisher>#{v}</dc:publisher>\n)
end
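Review bot: In the last hunk the contributor element is switched to `h(v)`, but the `<dc:publisher>` element emitted for the same `v` two lines below is still interpolated unescaped (`s << %Q( <dc:publisher>#{v}</dc:publisher>\n)`), so a publisher name containing `&` or `<` still produces malformed OPF; change it to `s << %Q( <dc:publisher>#{h(v)}</dc:publisher>\n)`. Since `require 'cgi'` is dropped from this file, `h` and CGI itself are now reachable only through `require 'epubmaker/epubcommon'` at the top, which appears to be the intent but should be kept in mind if that require is ever reordered. The body of opf_metainfo continues outside both hunks.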
36 changes: 18 additions & 18 deletions lib/epubmaker/epubv3.rb
Expand Up @@ -47,23 +47,23 @@ def opf_metainfo
if @producer.config[item].is_a?(Array)
@producer.config[item].each_with_index do |v, i|
if v.is_a?(Hash)
s << %Q( <dc:#{item} id="#{item}-#{i}">#{CGI.escapeHTML(v['name'])}</dc:#{item}>\n)
s << %Q( <dc:#{item} id="#{item}-#{i}">#{h(v['name'])}</dc:#{item}>\n)
v.each_pair do |name, val|
next if name == 'name'
s << %Q( <meta refines="##{item}-#{i}" property="#{name}">#{CGI.escapeHTML(val)}</meta>\n)
s << %Q( <meta refines="##{item}-#{i}" property="#{name}">#{h(val)}</meta>\n)
end
else
s << %Q( <dc:#{item} id="#{item}-#{i}">#{CGI.escapeHTML(v.to_s)}</dc:#{item}>\n)
s << %Q( <dc:#{item} id="#{item}-#{i}">#{h(v.to_s)}</dc:#{item}>\n)
end
end
elsif @producer.config[item].is_a?(Hash)
s << %Q( <dc:#{item} id="#{item}">#{CGI.escapeHTML(@producer.config[item]['name'])}</dc:#{item}>\n)
s << %Q( <dc:#{item} id="#{item}">#{h(@producer.config[item]['name'])}</dc:#{item}>\n)
@producer.config[item].each_pair do |name, val|
next if name == 'name'
s << %Q( <meta refines="##{item}" property="#{name}">#{CGI.escapeHTML(val)}</meta>\n)
s << %Q( <meta refines="##{item}" property="#{name}">#{h(val)}</meta>\n)
end
else
s << %Q( <dc:#{item} id="#{item}">#{CGI.escapeHTML(@producer.config[item].to_s)}</dc:#{item}>\n)
s << %Q( <dc:#{item} id="#{item}">#{h(@producer.config[item].to_s)}</dc:#{item}>\n)
end
end

Expand All @@ -81,14 +81,14 @@ def opf_metainfo
next unless @producer.config[role]
@producer.config[role].each_with_index do |v, i|
if v.is_a?(Hash)
s << %Q( <dc:creator id="#{role}-#{i}">#{CGI.escapeHTML(v['name'])}</dc:creator>\n)
s << %Q( <dc:creator id="#{role}-#{i}">#{h(v['name'])}</dc:creator>\n)
s << %Q( <meta refines="##{role}-#{i}" property="role" scheme="marc:relators">#{role.sub('a-', '')}</meta>\n)
v.each_pair do |name, val|
next if name == 'name'
s << %Q( <meta refines="##{role.sub('a-', '')}-#{i}" property="#{name}">#{CGI.escapeHTML(val)}</meta>\n)
s << %Q( <meta refines="##{role.sub('a-', '')}-#{i}" property="#{name}">#{h(val)}</meta>\n)
end
else
s << %Q( <dc:creator id="#{role}-#{i}">#{CGI.escapeHTML(v)}</dc:creator>\n)
s << %Q( <dc:creator id="#{role}-#{i}">#{h(v)}</dc:creator>\n)
s << %Q( <meta refines="##{role}-#{i}" property="role" scheme="marc:relators">#{role.sub('a-', '')}</meta>\n)
end
end
Expand All @@ -99,27 +99,27 @@ def opf_metainfo
next unless @producer.config[role]
@producer.config[role].each_with_index do |v, i|
if v.is_a?(Hash)
s << %Q( <dc:contributor id="#{role}-#{i}">#{CGI.escapeHTML(v['name'])}</dc:contributor>\n)
s << %Q( <dc:contributor id="#{role}-#{i}">#{h(v['name'])}</dc:contributor>\n)
s << %Q( <meta refines="##{role}-#{i}" property="role" scheme="marc:relators">#{role}</meta>\n)
v.each_pair do |name, val|
next if name == 'name'
s << %Q( <meta refines="##{role}-#{i}" property="#{name}">#{CGI.escapeHTML(val)}</meta>\n)
s << %Q( <meta refines="##{role}-#{i}" property="#{name}">#{h(val)}</meta>\n)
end
else
s << %Q( <dc:contributor id="#{role}-#{i}">#{CGI.escapeHTML(v)}</dc:contributor>\n)
s << %Q( <dc:contributor id="#{role}-#{i}">#{h(v)}</dc:contributor>\n)
s << %Q( <meta refines="##{role}-#{i}" property="role" scheme="marc:relators">#{role}</meta>\n)
end

if %w[prt pbl].include?(role)
if v.is_a?(Hash)
s << %Q( <dc:publisher id="pub-#{role}-#{i}">#{CGI.escapeHTML(v['name'])}</dc:publisher>\n)
s << %Q( <dc:publisher id="pub-#{role}-#{i}">#{h(v['name'])}</dc:publisher>\n)
s << %Q( <meta refines="#pub-#{role}-#{i}" property="role" scheme="marc:relators">#{role}</meta>\n)
v.each_pair do |name, val|
next if name == 'name'
s << %Q( <meta refines="#pub-#{role}-#{i}" property="#{name}">#{CGI.escapeHTML(val)}</meta>\n)
s << %Q( <meta refines="#pub-#{role}-#{i}" property="#{name}">#{h(val)}</meta>\n)
end
else
s << %Q( <dc:publisher id="pub-#{role}-#{i}">#{CGI.escapeHTML(v)}</dc:publisher>\n)
s << %Q( <dc:publisher id="pub-#{role}-#{i}">#{h(v)}</dc:publisher>\n)
s << %Q( <meta refines="#pub-#{role}-#{i}" property="role" scheme="marc:relators">prt</meta>\n)
end
end
Expand All @@ -129,7 +129,7 @@ def opf_metainfo
## add custom <meta> element
if @producer.config['opf_meta'].present?
@producer.config['opf_meta'].each do |k, v|
s << %Q( <meta property="#{k}">#{CGI.escapeHTML(v)}</meta>\n)
s << %Q( <meta property="#{k}">#{h(v)}</meta>\n)
end
end

Expand Down Expand Up @@ -206,11 +206,11 @@ def ncx(indentarray)

@body = <<EOT
<nav xmlns:epub="http://www.idpf.org/2007/ops" epub:type="toc" id="toc">
<h1 class="toc-title">#{CGI.escapeHTML(@producer.res.v('toctitle'))}</h1>
<h1 class="toc-title">#{h(@producer.res.v('toctitle'))}</h1>
#{ncx_main} </nav>
EOT

@title = CGI.escapeHTML(@producer.res.v('toctitle'))
@title = h(@producer.res.v('toctitle'))
@language = @producer.config['language']
@stylesheets = @producer.config['stylesheet']
tmplfile = File.expand_path('./html/layout-html5.html.erb', ReVIEW::Template::TEMPLATE_DIR)
1 change: 0 additions & 1 deletion lib/review/builder.rb
Expand Up @@ -11,7 +11,6 @@
require 'review/compiler'
require 'review/sec_counter'
require 'stringio'
require 'cgi'
require 'fileutils'
require 'tempfile'
require 'csv'
7 changes: 6 additions & 1 deletion lib/review/epub2html.rb
Expand Up @@ -8,10 +8,15 @@

require 'zip'
require 'rexml/document'
require 'cgi'
require 'optparse'
require 'review/version'

begin
require 'cgi/escape'
rescue
require 'cgi/util'
end

module ReVIEW
class Epub2Html
def self.execute(*args)
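Review bot: The bare `rescue` in the new `begin`/`require 'cgi/escape'` block does not catch a failed require: `rescue` without a class only handles StandardError, and LoadError descends from ScriptError, so on a Ruby without the C extension the exception propagates and the `require 'cgi/util'` fallback is never reached. Change the line to `rescue LoadError`, which is also what the equivalent block added to lib/epubmaker/epubcommon.rb in this same commit uses. Because this replaces the previous `require 'cgi'`, the CGI.escapeHTML calls elsewhere in this file (not visible in the hunk) now depend on this fallback actually working.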
14 changes: 7 additions & 7 deletions lib/review/epubmaker.rb
Expand Up @@ -340,9 +340,9 @@ def build_part(part, basetmpdir, htmlfile)
File.open(File.join(basetmpdir, htmlfile), 'w') do |f|
@body = ''
@body << %Q(<div class="part">\n)
@body << %Q(<h1 class="part-number">#{CGI.escapeHTML(ReVIEW::I18n.t('part', part.number))}</h1>\n)
@body << %Q(<h1 class="part-number">#{h(ReVIEW::I18n.t('part', part.number))}</h1>\n)
if part.name.strip.present?
@body << %Q(<h2 class="part-title">#{CGI.escapeHTML(part.name.strip)}</h2>\n)
@body << %Q(<h2 class="part-title">#{h(part.name.strip)}</h2>\n)
end
@body << %Q(</div>\n)

Expand Down Expand Up @@ -563,19 +563,19 @@ def copy_frontmatter(basetmpdir)

def build_titlepage(basetmpdir, htmlfile)
# TODO: should be created via epubcommon
@title = CGI.escapeHTML(@config.name_of('booktitle'))
@title = h(@config.name_of('booktitle'))
File.open(File.join(basetmpdir, htmlfile), 'w') do |f|
@body = ''
@body << %Q(<div class="titlepage">\n)
@body << %Q(<h1 class="tp-title">#{CGI.escapeHTML(@config.name_of('booktitle'))}</h1>\n)
@body << %Q(<h1 class="tp-title">#{h(@config.name_of('booktitle'))}</h1>\n)
if @config['subtitle']
@body << %Q(<h2 class="tp-subtitle">#{CGI.escapeHTML(@config.name_of('subtitle'))}</h2>\n)
@body << %Q(<h2 class="tp-subtitle">#{h(@config.name_of('subtitle'))}</h2>\n)
end
if @config['aut']
@body << %Q(<h2 class="tp-author">#{CGI.escapeHTML(@config.names_of('aut').join(ReVIEW::I18n.t('names_splitter')))}</h2>\n)
@body << %Q(<h2 class="tp-author">#{h(@config.names_of('aut').join(ReVIEW::I18n.t('names_splitter')))}</h2>\n)
end
if @config['pbl']
@body << %Q(<h3 class="tp-publisher">#{CGI.escapeHTML(@config.names_of('pbl').join(ReVIEW::I18n.t('names_splitter')))}</h3>\n)
@body << %Q(<h3 class="tp-publisher">#{h(@config.names_of('pbl').join(ReVIEW::I18n.t('names_splitter')))}</h3>\n)
end
@body << '</div>'

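Review bot: Both hunks (build_part and build_titlepage) replace `CGI.escapeHTML(...)` with `h(...)`, but nothing in this file's diff shows where ReVIEW::EPUBMaker gets an `h` method — the helper added in this commit is defined on EPUBMaker::EPUBCommon, which is a different class. If `h` is not already defined here or mixed in (for example via ERB::Util), every one of these lines raises NoMethodError the first time a part page or title page is built; please confirm the mixin and, if it is not present, add `include ERB::Util` (or a one-line `def h(str) = CGI.escapeHTML(str)` style helper) to the class. A short comment at the first use, such as `# h() comes from <mixin>; see the class declaration`, would save the next reader the same search. Both enclosing methods start and end outside the hunks shown.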
