RedCloth 4.2.9 → 4.3.4

data/redcloth.gemspec

@@ -6,15 +6,23 @@ require "redcloth/version"
 Gem::Specification.new do |s|
   s.name        = "RedCloth"
   s.version     = RedCloth::VERSION.to_s
-  s.authors     = ["Jason Garber", "why the lucky stiff", "Ola Bini"]
+  s.authors     = ["Jason Garber", "Joshua Siler", "Ola Bini"]
   s.description = "Textile parser for Ruby."
   s.summary     = RedCloth::SUMMARY
-  s.email       = "redcloth-upwards@rubyforge.org"
-  s.homepage    = "http://redcloth.org"
-  s.rubyforge_project = "redcloth"
+  s.homepage    = "https://github.com/jgarber/redcloth"
+  s.license = "MIT"
 
+  s.platform = 'ruby'
+  s.required_ruby_version = Gem::Requirement.new(">= 2.4")
   s.rubygems_version   = "1.3.7"
-  s.default_executable = "redcloth"
+
+  if s.respond_to?(:metadata=)
+    s.metadata = {
+      "bug_tracker_uri" => "https://github.com/jgarber/redcloth/issues",
+      "changelog_uri" => "https://github.com/jgarber/redcloth/blob/master/CHANGELOG",
+      "source_code_uri" => "https://github.com/jgarber/redcloth"
+    }
+  end
 
   s.files            = Dir['.gemtest', '.rspec', 'CHANGELOG', 'COPYING', 'Gemfile', 'README.rdoc', 'Rakefile', 'doc/**/*', 'bin/**/*', 'lib/**/*', 'redcloth.gemspec', 'spec/**/*', 'tasks/**/*']
   s.test_files       = Dir['spec/**/*']
@@ -23,30 +31,16 @@ Gem::Specification.new do |s|
   s.rdoc_options     = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "RedCloth", "--main", "README.rdoc"]
   s.require_paths   += ["lib/case_sensitive_require", "ext"]
 
-  s.files -= Dir['lib/redcloth.jar']
-  s.files -= Dir['lib/**/*.dll']
   s.files -= Dir['lib/**/*.bundle']
   s.files -= Dir['lib/**/*.so']
-  
-  s.platform = RUBY_PLATFORM[/java/] || 'ruby'
-  case s.platform.to_s
-  when /java/
-    s.files += ['lib/redcloth_scan.jar']
-  else # MRI or Rubinius
-    s.files += %w[attributes inline scan].map {|f| "ext/redcloth_scan/redcloth_#{f}.c"}
-    s.files += ["ext/redcloth_scan/redcloth.h"]
-    s.extensions = Dir['ext/**/extconf.rb']
-  end
 
-  s.add_development_dependency('bundler', '~> 1.0.10')
-  s.add_development_dependency('rake', '~> 0.8.7')
-  s.add_development_dependency('rspec', '~> 2.4')
-  s.add_development_dependency('diff-lcs', '~> 1.1.2')
-  
-  # Have to load these even though they're only needed for
-  # gem packaging. Otherwise, Bundler complains that they're
-  # not installed even though they're not required.
-  # See https://github.com/carlhuda/bundler/issues/issue/1021
-  s.add_development_dependency('rvm', '~> 1.2.6')
-  s.add_development_dependency('rake-compiler', '~> 0.7.1')
+  s.files += %w[attributes inline scan].map {|f| "ext/redcloth_scan/redcloth_#{f}.c"}
+  s.files += ["ext/redcloth_scan/redcloth.h"]
+  s.extensions = Dir['ext/**/extconf.rb']
+
+  s.add_development_dependency('bundler', '> 1.3.4')
+  s.add_development_dependency('rake', '~> 13')
+  s.add_development_dependency('rspec', '~> 3.12')
+  s.add_development_dependency('diff-lcs', '~> 1.5')
+
 end

data/spec/custom_tags_spec.rb

@@ -4,7 +4,7 @@ module FigureTag
   def fig( opts )
     label, img = opts[:text].split('|').map! {|str| str.strip}
 
-    html  = %Q{<div class="img" id="figure-#{label.tr('.', '-')}">\n}
+    html  = %Q{<div class="img" id="figure-#{label.tr('.', '-')}">\n}.dup
     html << %Q{  <a class="fig" href="/images/#{img}">\n}
     html << %Q{    <img src="/images/thumbs/#{img}" alt="Figure #{label}" />\n}
     html << %Q{  </a>\n}
@@ -15,13 +15,13 @@ end
 
 describe "custom tags" do
   it "should recognize the custom tag" do
-    input  = %Q{The first line of text.\n\n}
+    input  = %Q{The first line of text.\n\n}.dup
     input << %Q{fig. 1.1 | img.jpg\n\n}
     input << %Q{The last line of text.\n}
     r = RedCloth.new input
     r.extend FigureTag
 
-    html  = %Q{<p>The first line of text.</p>\n}
+    html  = %Q{<p>The first line of text.</p>\n}.dup
     html << %Q{<div class="img" id="figure-1-1">\n}
     html << %Q{  <a class="fig" href="/images/img.jpg">\n}
     html << %Q{    <img src="/images/thumbs/img.jpg" alt="Figure 1.1" />\n}
@@ -30,13 +30,13 @@ describe "custom tags" do
     html << %Q{<div>\n}
     html << %Q{<p>The last line of text.</p>}
     
-    r.to_html.should == html
+    expect(r.to_html).to eq(html)
   end
 
   it "should fall back if custom tag isn't defined" do
     r = RedCloth.new %Q/fig()>[no]{color:red}. 1.1 | img.jpg/
     
-    r.to_html.should == "<p>fig()>[no]{color:red}. 1.1 | img.jpg</p>"
+    expect(r.to_html).to eq("<p>fig()>[no]{color:red}. 1.1 | img.jpg</p>")
   end
   
   it "should not call just regular string methods" do
@@ -45,6 +45,6 @@ describe "custom tags" do
 
     html  = "<p>next. </p>"
 
-    r.to_html.should == html
+    expect(r.to_html).to eq(html)
   end
-end
+end

data/spec/erb_spec.rb

@@ -5,6 +5,6 @@ describe "ERB helper" do
     template = %{<%=t "This new ERB tag makes is so _easy_ to use *RedCloth*" %>}
     expected = %{<p>This new <span class="caps">ERB</span> tag makes is so <em>easy</em> to use <strong>RedCloth</strong></p>}
     
-    ERB.new(template).result.should == expected
+    expect(ERB.new(template).result).to eq(expected)
   end
 end

data/spec/extension_spec.rb

@@ -20,7 +20,7 @@ describe RedClothSmileyExtension do
 
     html  = %Q{<p>You&#8217;re so silly! <img src='/images/emoticons/58_80.png' title=':P' class='smiley' /></p>}
 
-    RedCloth.new(input).to_html(:textile, :refs_smiley).should == html
+    expect(RedCloth.new(input).to_html(:textile, :refs_smiley)).to eq(html)
   end
   
 end

data/spec/fixtures/threshold.yml

@@ -159,7 +159,7 @@ in: '"link text":http://example.com/'
 html: <p><a href="http://example.com/">link text</a></p>
 ---
 name: local links
-desc: The host name may be ommitted for local links.
+desc: The host name may be omitted for local links.
 in: '"link text":/example'
 html: <p><a href="/example">link text</a></p>
 ---

data/spec/formatters/html_spec.rb

@@ -6,8 +6,8 @@ describe "HTML" do
   end
   
   it "should not raise an error when orphaned parentheses in a link are followed by punctuation and words in HTML" do
-    lambda {
+    expect {
       RedCloth.new(%Q{Test "(read this":http://test.host), ok}).to_html
-    }.should_not raise_error
+    }.not_to raise_error
   end
 end

data/spec/formatters/latex_spec.rb

@@ -6,8 +6,8 @@ describe "LaTeX" do
   end
   
   it "should not raise an error when orphaned parentheses in a link are followed by punctuation and words in LaTeX" do
-    lambda { 
+    expect { 
       RedCloth.new(%Q{Test "(read this":http://test.host), ok}).to_latex
-    }.should_not raise_error
+    }.not_to raise_error
   end
 end

data/spec/parser_spec.rb

@@ -4,15 +4,15 @@ describe RedCloth do
   
   describe "#new" do
     it "should accept options" do
-      lambda {
+      expect {
         RedCloth.new("test", [:hard_breaks])
-      }.should_not raise_error(ArgumentError)
+      }.not_to raise_error
     end
   end
   
   it "should have a VERSION" do
-    RedCloth.const_defined?("VERSION").should be_true
-    RedCloth::VERSION.const_defined?("STRING").should be_true
+    expect(RedCloth.const_defined?("VERSION")).to be_truthy
+    expect(RedCloth::VERSION.const_defined?("STRING")).to be_truthy
   end
   
   it "should show the version as a string" do
@@ -21,7 +21,7 @@ describe RedCloth do
   end
   
   it "should have EXTENSION_LANGUAGE" do
-    RedCloth.const_defined?("EXTENSION_LANGUAGE").should be_true
+    RedCloth.const_defined?("EXTENSION_LANGUAGE").should be_truthy
     RedCloth::EXTENSION_LANGUAGE.should_not be_empty
     RedCloth::DESCRIPTION.should include(RedCloth::EXTENSION_LANGUAGE)
   end
@@ -85,8 +85,9 @@ describe RedCloth do
   
   if RUBY_VERSION > "1.9.0"
     it "should preserve character encoding" do
-      input = "This is an ISO-8859-1 string"
+      input = "This is an ISO-8859-1 string".dup
       input.force_encoding 'iso-8859-1'
+
       output = RedCloth.new(input).to_html
       
       output.should == "<p>This is an <span class=\"caps\">ISO</span>-8859-1 string</p>"
@@ -94,7 +95,7 @@ describe RedCloth do
     end
     
     it "should not raise ArgumentError: invalid byte sequence" do
-      s = "\xa3"
+      s = "\xa3".dup
       s.force_encoding 'iso-8859-1'
       lambda { RedCloth.new(s).to_html }.should_not raise_error
     end

data/spec/security/CVE-2012-6684_spec.rb

@@ -0,0 +1,33 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
+
+require 'redcloth'
+
+describe 'CVE-2012-6684' do
+
+  it 'should not let javascript links pass through' do
+    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
+    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.javascript:alert/)
+
+    output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.jAvascript:alert/)
+  end
+
+  it 'should not let javascript links pass through on images' do
+  	output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html
+    expect(output).to match(/src=.javascript:alert/)
+    expect(output).to match(/href=.javascript:prompt/)
+
+    output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/src=.javascript:alert/)
+    expect(output).to_not match(/href=.javascript:prompt/)
+
+    output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html
+    expect(output).to match(/src=.jAvascript:alert/)
+    expect(output).to match(/href=.jAvascript:prompt/)
+
+    output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/src=.jAvascript:alert/)
+    expect(output).to_not match(/href=.jAvascript:prompt/)
+  end
+end

data/spec/security/CVE-2023-31606_spec.rb

@@ -0,0 +1,49 @@
+# https://github.com/advisories/GHSA-qcm3-vfq5-wfr2
+# https://github.com/e23e/CVE-2023-31606#readme
+# https://github.com/jgarber/redcloth/issues/73
+# https://github.com/jgarber/redcloth/pull/75
+
+require 'redcloth'
+
+describe 'CVE-2023-31606' do
+
+  it 'process malicious html without delay' do
+    # INFO (Helio): inside RedCloth repo, running `$ bundle exec rspec .`, with the test below, I can't replicate,
+    # on my development machine, the time spent on this sample text.
+    # However, on the same development machine, when I run this test this code, in a test-redcloth-regexp.rb script, in a rails app
+    # with `gem 'RedCloth'` in it, I was able to get the results indicated in the issue (https://github.com/jgarber/redcloth/issues/73),
+    # by https://github.com/e23e
+    # Here are the outputs:
+    # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+    # 0.158047
+    # ruby test-redcloth-regexp.rb  0.12s user 0.11s system 82% cpu 0.279 total
+    # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+    # 18.457945
+    # ruby test-redcloth-regexp.rb  18.32s user 0.22s system 99% cpu 18.556 total
+    # hac@MBP tcard % cat !$
+    # cat test-redcloth-regexp.rb
+    # require 'RedCloth'
+    # text = '<A' + 'A' * (54773)
+    # t1 = Time.now
+    # text = RedCloth.new(text, [:sanitize_html]).to_html
+    # t2 = Time.now
+    # puts (t2-t1)
+    # hac@MBP tcard %
+
+    text = '<A' + 'A' * (54773)
+
+    t1 = Time.now
+    res = RedCloth.new(text, [:sanitize_html]).to_html
+    t2 = Time.now
+
+    expect(t2-t1).to be <= 3
+  end
+
+  it 'should keep the generated HTML the same' do
+    text = "<a href=https://example.com> Example </a>"
+    result = RedCloth.new(text, [:sanitize_html]).to_html
+
+    expect(result).to eq("<p><a href=\"https://example.com\"> Example </a></p>")
+  end
+
+end

data/spec/spec_helper.rb

@@ -10,11 +10,11 @@ def examples_from_yaml(&block)
     if doc[formatter]
       example("should output #{formatter} for #{name}") do
         output = method("format_as_#{formatter}").call(doc)
-        output.should == doc[formatter]
+        expect(output).to eq(doc[formatter])
       end
     else
       example("should not raise errors when rendering #{formatter} for #{name}") do
-        lambda { method("format_as_#{formatter}").call(doc) }.should_not raise_error
+        expect { method("format_as_#{formatter}").call(doc) }.not_to raise_error
       end
     end
   end
@@ -26,11 +26,11 @@ def fixtures
   Dir[File.join(File.dirname(__FILE__), *%w[fixtures *.yml])].each do |testfile|
     testgroup = File.basename(testfile, '.yml')
     num = 0
-    YAML::load_documents(File.open(testfile)) do |doc|
+    YAML::load_stream(File.open(testfile)) do |doc|
       name = doc['name'] || num
       @fixtures["#{testgroup} #{name}"] = doc
       num += 1
     end
   end
   @fixtures
-end
+end

data/tasks/compile.rake

@@ -12,19 +12,16 @@ CLOBBER.include [
 ]
 
 # Load the Gem specification for the current platform (Ruby or JRuby).
-def gemspec(platform = RUBY_PLATFORM[/java/] || 'ruby')
+def gemspec(platform = 'ruby')
   Gem::Specification.load(File.expand_path('../../redcloth.gemspec', __FILE__))
 end
 
 require 'rake/extensiontask'
-require 'rake/javaextensiontask'
 require File.dirname(__FILE__) + '/ragel_extension_task'
 
-if defined?(JRUBY_VERSION)
-  Rake::JavaRagelExtensionTask.new('redcloth_scan', gemspec)
-else
-  extconf = "ext/redcloth_scan/extconf.rb"
-  file extconf do
+
+extconf = "ext/redcloth_scan/extconf.rb"
+file extconf do
     FileUtils.mkdir(File.dirname(extconf)) unless File.directory?(File.dirname(extconf))
     File.open(extconf, "w") do |io|
       io.write(<<-EOF)
@@ -32,16 +29,10 @@ require 'mkmf'
 CONFIG['warnflags'].gsub!(/-Wshorten-64-to-32/, '') if CONFIG['warnflags']
 $CFLAGS << ' -O0 -Wall ' if CONFIG['CC'] =~ /gcc/
 dir_config("redcloth_scan")
-have_library("c", "main")
 create_makefile("redcloth_scan")
       EOF
     end
-  end
-
-  Rake::RagelExtensionTask.new("redcloth_scan", gemspec) do |ext|
-    if ENV['RUBY_CC_VERSION']
-      ext.cross_compile = true
-      ext.cross_platform = ['i386-mingw32', 'i386-mswin32-60']
-    end
-  end
 end
+
+Rake::RagelExtensionTask.new("redcloth_scan", gemspec) do |ext|
+end

data/tasks/ragel_extension_task.rb

@@ -42,17 +42,14 @@ module Rake
       {
         'scan' => {
           'c'    => "#{@ext_dir}/redcloth_scan.c",
-          'java' => "#{@ext_dir}/RedclothScanService.java",
           'rb'   => "#{@ext_dir}/redcloth_scan.rb"
         },
         'inline' => {
           'c'    => "#{@ext_dir}/redcloth_inline.c",
-          'java' => "#{@ext_dir}/RedclothInline.java",
           'rb'   => "#{@ext_dir}/redcloth_inline.rb"
         },
         'attributes' => {
           'c'    => "#{@ext_dir}/redcloth_attributes.c",
-          'java' => "#{@ext_dir}/RedclothAttributes.java",
           'rb'   => "#{@ext_dir}/redcloth_attributes.rb"
         }
       }[machine][lang]
@@ -88,7 +85,6 @@ module Rake
     def host_language_flag
       {
         'c'      => 'C',
-        'java'   => 'J',
         'rb'     => 'R'
       }[lang]
     end
@@ -96,7 +92,6 @@ module Rake
     def preferred_code_style
       {
         'c'      => 'T0',
-        'java'   => nil,
         'rb'     => 'F1'
       }[lang]
     end
@@ -117,11 +112,5 @@ module Rake
       "c"
     end
   end  
-  class JavaRagelExtensionTask < JavaExtensionTask
-    include RagelGenerationTasks
-    
-    def lang
-      "java"
-    end
-  end
+  
 end

data/tasks/release.rake

@@ -1,15 +1,15 @@
 namespace :release do
-  desc 'Upload all packages and tag git'
-  task :all => ['build:all', :release, :push_native_gems]
+  desc 'Push all gems to rubygems.org'
+  # 1. run rake test
+  # 2. update changelog
+  # 3. change version in version.rb
+  # 4. branch into stable vx.x branch
+  # 5. git tag and push tag
+  # 5.1. git tag vx.x.x
+  # 5.2. git push --follow-tags
 
-  desc 'Push all gems to rubygems.org (gemcutter)'
-  task :push_native_gems do
-    Dir.chdir('pkg') do
-      Dir['*.gem'].select {|g| g =~ /\w+-[^-]+-\w+.gem/ }.each do |gem_file|
-        sh("gem push #{gem_file}")
-      end
-    end
+  task :gem do
+    sh("gem build redcloth.gemspec")
+    sh("gem push RedCloth-*.gem")
   end
 end
-
-Rake::Task['release'].prerequisites.unshift('build')

data/tasks/rvm.rake

@@ -1,12 +1,14 @@
+require 'rvm'
+
 namespace :rvm do
   
-  RVM_RUBIES = ['jruby-1.5.6' , 'ruby-1.8.6-p398', 'ruby-1.9.1-p243', 'ruby-1.9.2-p136', 'ree-1.8.7-2010.02']
+  RVM_RUBIES = ['ruby-1.8.6-p398', 'ruby-1.9.1-p243', 'ruby-1.9.2-p136', 'ruby-2.2.3p173']
   RVM_GEMSET_NAME = 'redcloth'
   
   task :setup do
     unless @rvm_setup
       rvm_lib_path = "#{`echo $rvm_path`.strip}/lib"
-      $LOAD_PATH.unshift(rvm_lib_path) unless $LOAD_PATH.include?(rvm_lib_path)
+      #$LOAD_PATH.unshift(rvm_lib_path) unless $LOAD_PATH.include?(rvm_lib_path)
       require 'rvm'
       require 'tmpdir'
       @rvm_setup = true
@@ -21,7 +23,7 @@ namespace :rvm do
       # gets confused when locked to java and running ruby and vice-versa.
       STDERR << RVM.run('bundle update').stderr 
             
-      result = RVM.perform_set_operation(:rake)
+      result = RVM.run("rake test")
       STDOUT << result.stdout
       STDERR << result.stderr
     end