RedCloth 4.3.0 → 4.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of RedCloth might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/lib/redcloth/formatters/html.rb +9 -5
- data/lib/redcloth/version.rb +1 -1
- data/spec/security/CVE-2012-6684_spec.rb +8 -0
- data/tasks/release.rake +7 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f4dab006159116d5844e7b36a71a8f91137b348d
|
|
4
|
+
data.tar.gz: df7575fcd69f0277ea3bb4be5fc9a7d2e40fc2e4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ff442c6bdda870628086f27ac426a365d219ca66b62be13da42ad56e1ed71de93eede49766a3bbf94944988aa971c99cc46c4055521945116154f9ca72dbf8ae
|
|
7
|
+
data.tar.gz: 44ab0803ef262e6ed09c58a181720a8a625653001e9b98ebf92d715f375646344d72f7af1e74e85f1788417274bc9e8fae1ecceede466c2728d045e0eef229a0
|
data/CHANGELOG
CHANGED
|
@@ -119,11 +119,15 @@ module RedCloth::Formatters::HTML
|
|
|
119
119
|
end
|
|
120
120
|
|
|
121
121
|
def image(opts)
|
|
122
|
-
opts
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
122
|
+
if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
|
|
123
|
+
opts[:title]
|
|
124
|
+
else
|
|
125
|
+
opts.delete(:align)
|
|
126
|
+
opts[:alt] = opts[:title]
|
|
127
|
+
img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"
|
|
128
|
+
img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
|
|
129
|
+
img
|
|
130
|
+
end
|
|
127
131
|
end
|
|
128
132
|
|
|
129
133
|
def footno(opts)
|
data/lib/redcloth/version.rb
CHANGED
|
@@ -10,5 +10,13 @@ describe 'CVE-2012-6684' do
|
|
|
10
10
|
expect(output).to_not match(/href=.javascript:alert/)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
+
it 'should not let javascript links pass through on images' do
|
|
14
|
+
output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html
|
|
15
|
+
expect(output).to match(/src=.javascript:alert/)
|
|
16
|
+
expect(output).to match(/href=.javascript:prompt/)
|
|
13
17
|
|
|
18
|
+
output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
|
|
19
|
+
expect(output).to_not match(/src=.javascript:alert/)
|
|
20
|
+
expect(output).to_not match(/href=.javascript:prompt/)
|
|
21
|
+
end
|
|
14
22
|
end
|
data/tasks/release.rake
CHANGED
|
@@ -1,8 +1,14 @@
|
|
|
1
1
|
namespace :release do
|
|
2
2
|
desc 'Push all gems to rubygems.org'
|
|
3
|
+
# git tag and push tag
|
|
4
|
+
# branch into stable vx.x branch
|
|
5
|
+
# change version in version.rb
|
|
6
|
+
# update changelog
|
|
7
|
+
# run rake test
|
|
8
|
+
|
|
3
9
|
task :gem do
|
|
4
10
|
puts "Did you git tag and git push the tag for this release yet?"
|
|
5
|
-
sh("rm *.gem")
|
|
11
|
+
#sh("rm *.gem")
|
|
6
12
|
sh("gem build redcloth.gemspec")
|
|
7
13
|
sh("gem push RedCloth-*.gem")
|
|
8
14
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: RedCloth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.3.
|
|
4
|
+
version: 4.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jason Garber
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2016-05-
|
|
13
|
+
date: 2016-05-17 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: bundler
|
|
@@ -174,7 +174,7 @@ rubyforge_project: redcloth
|
|
|
174
174
|
rubygems_version: 2.4.8
|
|
175
175
|
signing_key:
|
|
176
176
|
specification_version: 4
|
|
177
|
-
summary: RedCloth-4.3.
|
|
177
|
+
summary: RedCloth-4.3.1
|
|
178
178
|
test_files:
|
|
179
179
|
- spec/benchmark_spec.rb
|
|
180
180
|
- spec/parser_spec.rb
|