RedCloth 4.3.1 → 4.3.2
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/lib/redcloth/formatters/html.rb +2 -2
- data/lib/redcloth/version.rb +1 -1
- data/spec/security/CVE-2012-6684_spec.rb +11 -0
- data/tasks/release.rake +2 -2
- metadata +3 -3
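--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cb8013b7856c3d48cf999269f6e5ace370d013e0
+data.tar.gz: 7de8b1d1218414598ebf7a0c89421a14679fa034
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7e2a5a2be89e930fd388c0432413b41981d8862f27edf32bc32529db441e8b7380185d3dd221439ab3cb9cf2a89ff3cd1eb3f93d1577646ed07d7a264cbad4f7
+data.tar.gz: 0a28c28367cc94dbb0a256bfae245fe75257cf5e821813b4f802ee79158771b0627e60ea70796b02118b31eb9b6d712473c70a0d4dd58d80d08dbb9921c53289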
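--- a/data/lib/redcloth/formatters/html.rb
+++ b/data/lib/redcloth/formatters/html.rb
@@ -111,7 +111,7 @@ module RedCloth::Formatters::HTML
 end
 
 def link(opts)
-if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
+if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/i
 opts[:name]
 else
 "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
@@ -119,7 +119,7 @@ module RedCloth::Formatters::HTML
 end
 
 def image(opts)
-if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
+if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/i || opts[:href] =~ /^\s*javascript:/i )
 opts[:title]
 else
 opts.delete(:align)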
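--- a/data/spec/security/CVE-2012-6684_spec.rb
+++ b/data/spec/security/CVE-2012-6684_spec.rb
@@ -8,6 +8,9 @@ describe 'CVE-2012-6684' do
 # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
 output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
 expect(output).to_not match(/href=.javascript:alert/)
+
+output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+expect(output).to_not match(/href=.jAvascript:alert/)
 end
 
 it 'should not let javascript links pass through on images' do
@@ -18,5 +21,13 @@ describe 'CVE-2012-6684' do
 output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
 expect(output).to_not match(/src=.javascript:alert/)
 expect(output).to_not match(/href=.javascript:prompt/)
+
+output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html
+expect(output).to match(/src=.jAvascript:alert/)
+expect(output).to match(/href=.jAvascript:prompt/)
+
+output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+expect(output).to_not match(/src=.jAvascript:alert/)
+expect(output).to_not match(/href=.jAvascript:prompt/)
 end
 end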
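--- a/data/tasks/release.rake
+++ b/data/tasks/release.rake
@@ -1,14 +1,14 @@
 namespace :release do
 desc 'Push all gems to rubygems.org'
 # git tag and push tag
+# git tag vx.x.x
+# git push --follow-tags
 # branch into stable vx.x branch
 # change version in version.rb
 # update changelog
 # run rake test
 
 task :gem do
-puts "Did you git tag and git push the tag for this release yet?"
-#sh("rm *.gem")
 sh("gem build redcloth.gemspec")
 sh("gem push RedCloth-*.gem")
 end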
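--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: RedCloth
 version: !ruby/object:Gem::Version
-version: 4.3.
+version: 4.3.2
 platform: ruby
 authors:
 - Jason Garber
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-05-
+date: 2016-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -174,7 +174,7 @@ rubyforge_project: redcloth
 rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
-summary: RedCloth-4.3.
+summary: RedCloth-4.3.2
 test_files:
 - spec/benchmark_spec.rb
 - spec/parser_spec.rb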