RedCloth 4.3.1 → 4.3.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f4dab006159116d5844e7b36a71a8f91137b348d
4
- data.tar.gz: df7575fcd69f0277ea3bb4be5fc9a7d2e40fc2e4
3
+ metadata.gz: cb8013b7856c3d48cf999269f6e5ace370d013e0
4
+ data.tar.gz: 7de8b1d1218414598ebf7a0c89421a14679fa034
5
5
  SHA512:
6
- metadata.gz: ff442c6bdda870628086f27ac426a365d219ca66b62be13da42ad56e1ed71de93eede49766a3bbf94944988aa971c99cc46c4055521945116154f9ca72dbf8ae
7
- data.tar.gz: 44ab0803ef262e6ed09c58a181720a8a625653001e9b98ebf92d715f375646344d72f7af1e74e85f1788417274bc9e8fae1ecceede466c2728d045e0eef229a0
6
+ metadata.gz: 7e2a5a2be89e930fd388c0432413b41981d8862f27edf32bc32529db441e8b7380185d3dd221439ab3cb9cf2a89ff3cd1eb3f93d1577646ed07d7a264cbad4f7
7
+ data.tar.gz: 0a28c28367cc94dbb0a256bfae245fe75257cf5e821813b4f802ee79158771b0627e60ea70796b02118b31eb9b6d712473c70a0d4dd58d80d08dbb9921c53289
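--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,7 @@
+== 4.3.2 / May 23rd, 2016
+
+* Fix additional case for CVE-2012-6684 [Joshua Siler]
+
 == 4.3.1 / May 17th, 2016
 
 * Fix additional case for CVE-2012-6684 [Joshua Siler]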
@@ -111,7 +111,7 @@ module RedCloth::Formatters::HTML
111
111
  end
112
112
 
113
113
  def link(opts)
114
- if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
114
+ if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/i
115
115
  opts[:name]
116
116
  else
117
117
  "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
@@ -119,7 +119,7 @@ module RedCloth::Formatters::HTML
119
119
  end
120
120
 
121
121
  def image(opts)
122
- if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
122
+ if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/i || opts[:href] =~ /^\s*javascript:/i )
123
123
  opts[:title]
124
124
  else
125
125
  opts.delete(:align)
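Review bot: The case-insensitive `javascript:` pattern is now spelled out three times, once in `link` and twice in `image`, which is the same duplication that let the 4.3.1 fix miss case folding in one spot; a single module-level constant keeps the next tightening in one place, e.g. `JAVASCRIPT_URI = /^\s*javascript:/i` with `if (filter_html || sanitize_html) && JAVASCRIPT_URI.match?(opts[:href])` in `link` and the two `match?` calls on `opts[:src]`/`opts[:href]` in `image` (`match?` also returns false for a nil value instead of relying on `nil =~`). A deny-list of one scheme is by construction narrower than an allow-list of the schemes the formatter actually intends to emit (http, https, mailto, relative references), so the allow-list form is worth considering as the longer-term mitigation for the CVE-2012-6684 class of issue rather than extending the pattern case by case. Both `link` and `image` continue past the end of their hunks.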
@@ -2,7 +2,7 @@ module RedCloth
2
2
  module VERSION
3
3
  MAJOR = 4
4
4
  MINOR = 3
5
- TINY = 1
5
+ TINY = 2
6
6
  # RELEASE_CANDIDATE = 0
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY].compact.join('.')
@@ -8,6 +8,9 @@ describe 'CVE-2012-6684' do
8
8
  # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
9
9
  output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
10
10
  expect(output).to_not match(/href=.javascript:alert/)
11
+
12
+ output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
13
+ expect(output).to_not match(/href=.jAvascript:alert/)
11
14
  end
12
15
 
13
16
  it 'should not let javascript links pass through on images' do
@@ -18,5 +21,13 @@ describe 'CVE-2012-6684' do
18
21
  output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
19
22
  expect(output).to_not match(/src=.javascript:alert/)
20
23
  expect(output).to_not match(/href=.javascript:prompt/)
24
+
25
+ output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html
26
+ expect(output).to match(/src=.jAvascript:alert/)
27
+ expect(output).to match(/href=.jAvascript:prompt/)
28
+
29
+ output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
30
+ expect(output).to_not match(/src=.jAvascript:alert/)
31
+ expect(output).to_not match(/href=.jAvascript:prompt/)
21
32
  end
22
33
  end
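Review bot: The added regressions at the `jAvascript` lines exercise a single capitalisation, so they prove the new `/i` flag only for that one letter; running the same assertions over a few variants, e.g. `%w[jAvascript JAVASCRIPT JavaScript].each do |scheme|` with the payload built by interpolation, would cover the flag rather than one spelling. The unfiltered `RedCloth.new(...)` call whose output is expected `to match` the scheme documents that the check applies only under `filter_html`/`sanitize_html`; a one-line comment above it, `# no filter options: the scheme is expected to pass through unchanged`, would stop a future reader from "fixing" that assertion. The first `it` block begins before its hunk, and the second spans both hunks.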
@@ -1,14 +1,14 @@
1
1
  namespace :release do
2
2
  desc 'Push all gems to rubygems.org'
3
3
  # git tag and push tag
4
+ # git tag vx.x.x
5
+ # git push --follow-tags
4
6
  # branch into stable vx.x branch
5
7
  # change version in version.rb
6
8
  # update changelog
7
9
  # run rake test
8
10
 
9
11
  task :gem do
10
- puts "Did you git tag and git push the tag for this release yet?"
11
- #sh("rm *.gem")
12
12
  sh("gem build redcloth.gemspec")
13
13
  sh("gem push RedCloth-*.gem")
14
14
  end
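Review bot: `sh("gem push RedCloth-*.gem")` still publishes whatever the glob matches, and this hunk removes both the commented-out `sh("rm *.gem")` and the reminder that preceded it, so a stale build left in the working tree from an earlier release would be pushed alongside the new one. Pushing the specific artifact, `sh("gem push RedCloth-#{RedCloth::VERSION::STRING}.gem")`, or removing old `*.gem` files before `gem build`, closes that gap; whether `RedCloth::VERSION` is loaded in the Rakefile is not visible here. The dropped tag reminder could become an actual precondition, `sh("git describe --exact-match --tags HEAD")`, which fails the task unless HEAD carries a tag and matches the procedure the new comment lines describe.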
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: RedCloth
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.3.1
4
+ version: 4.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jason Garber
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2016-05-17 00:00:00.000000000 Z
13
+ date: 2016-05-24 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -174,7 +174,7 @@ rubyforge_project: redcloth
174
174
  rubygems_version: 2.4.8
175
175
  signing_key:
176
176
  specification_version: 4
177
- summary: RedCloth-4.3.1
177
+ summary: RedCloth-4.3.2
178
178
  test_files:
179
179
  - spec/benchmark_spec.rb
180
180
  - spec/parser_spec.rb