RedCloth 4.3.0 → 4.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of RedCloth might be problematic. Click here for more details.

Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG +4 -0
  3. data/lib/redcloth/formatters/html.rb +9 -5
  4. data/lib/redcloth/version.rb +1 -1
  5. data/spec/security/CVE-2012-6684_spec.rb +8 -0
  6. data/tasks/release.rake +7 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b7fe64e2539886d29943f4e885d85dcf8dc03447
4
- data.tar.gz: 9459eee884a36becdf207f1d5392840bae5e45d8
3
+ metadata.gz: f4dab006159116d5844e7b36a71a8f91137b348d
4
+ data.tar.gz: df7575fcd69f0277ea3bb4be5fc9a7d2e40fc2e4
5
5
  SHA512:
6
- metadata.gz: 4530cd8f7da18a7240faf7fb0f03e8ee6fa34120db0bbee548c4df6d6a3725f9030e703eb891228a0238f67bbfce65d8c601f26d43795b9b14f3e37bdebc786d
7
- data.tar.gz: 40dd60702099cd06ae4480d00714e3d155c914ea87fc0f24f12d2c2ea4bc114e206740248ea9f7928575a5668d7d53d6b26c33f1ef4623652ee1a98b4f63090c
6
+ metadata.gz: ff442c6bdda870628086f27ac426a365d219ca66b62be13da42ad56e1ed71de93eede49766a3bbf94944988aa971c99cc46c4055521945116154f9ca72dbf8ae
7
+ data.tar.gz: 44ab0803ef262e6ed09c58a181720a8a625653001e9b98ebf92d715f375646344d72f7af1e74e85f1788417274bc9e8fae1ecceede466c2728d045e0eef229a0
data/CHANGELOG CHANGED
@@ -1,3 +1,7 @@
1
+ == 4.3.1 / May 17th, 2016
2
+
3
+ * Fix additional case for CVE-2012-6684 [Joshua Siler]
4
+
1
5
  == 4.3.0 / April 29th, 2016
2
6
 
3
7
  * Remove JRuby and Windows cross compilation and support
data/lib/redcloth/formatters/html.rb CHANGED
@@ -119,11 +119,15 @@ module RedCloth::Formatters::HTML
119
119
  end
120
120
 
121
121
  def image(opts)
122
- opts.delete(:align)
123
- opts[:alt] = opts[:title]
124
- img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"
125
- img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
126
- img
122
+ if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
123
+ opts[:title]
124
+ else
125
+ opts.delete(:align)
126
+ opts[:alt] = opts[:title]
127
+ img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"
128
+ img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
129
+ img
130
+ end
127
131
  end
128
132
 
129
133
  def footno(opts)
data/lib/redcloth/version.rb CHANGED
@@ -2,7 +2,7 @@ module RedCloth
2
2
  module VERSION
3
3
  MAJOR = 4
4
4
  MINOR = 3
5
- TINY = 0
5
+ TINY = 1
6
6
  # RELEASE_CANDIDATE = 0
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY].compact.join('.')
data/spec/security/CVE-2012-6684_spec.rb CHANGED
@@ -10,5 +10,13 @@ describe 'CVE-2012-6684' do
10
10
  expect(output).to_not match(/href=.javascript:alert/)
11
11
  end
12
12
 
13
+ it 'should not let javascript links pass through on images' do
14
+ output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html
15
+ expect(output).to match(/src=.javascript:alert/)
16
+ expect(output).to match(/href=.javascript:prompt/)
13
17
 
18
+ output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
19
+ expect(output).to_not match(/src=.javascript:alert/)
20
+ expect(output).to_not match(/href=.javascript:prompt/)
21
+ end
14
22
  end
data/tasks/release.rake CHANGED
@@ -1,8 +1,14 @@
1
1
  namespace :release do
2
2
  desc 'Push all gems to rubygems.org'
3
+ # git tag and push tag
4
+ # branch into stable vx.x branch
5
+ # change version in version.rb
6
+ # update changelog
7
+ # run rake test
8
+
3
9
  task :gem do
4
10
  puts "Did you git tag and git push the tag for this release yet?"
5
- sh("rm *.gem")
11
+ #sh("rm *.gem")
6
12
  sh("gem build redcloth.gemspec")
7
13
  sh("gem push RedCloth-*.gem")
8
14
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: RedCloth
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.3.0
4
+ version: 4.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jason Garber
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2016-05-02 00:00:00.000000000 Z
13
+ date: 2016-05-17 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -174,7 +174,7 @@ rubyforge_project: redcloth
174
174
  rubygems_version: 2.4.8
175
175
  signing_key:
176
176
  specification_version: 4
177
- summary: RedCloth-4.3.0
177
+ summary: RedCloth-4.3.1
178
178
  test_files:
179
179
  - spec/benchmark_spec.rb
180
180
  - spec/parser_spec.rb