RedCloth 4.3.2 → 4.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cb8013b7856c3d48cf999269f6e5ace370d013e0
-  data.tar.gz: 7de8b1d1218414598ebf7a0c89421a14679fa034
+SHA256:
+  metadata.gz: 3e774a70b77a51fd99310d8ac12418de23dc1028372024f09ff80db0e92dfce3
+  data.tar.gz: f3aa2ff8b6650b883947c9496e6b1ece61b1abdf4a6d85a9b8411c94c125c4f5
 SHA512:
-  metadata.gz: 7e2a5a2be89e930fd388c0432413b41981d8862f27edf32bc32529db441e8b7380185d3dd221439ab3cb9cf2a89ff3cd1eb3f93d1577646ed07d7a264cbad4f7
-  data.tar.gz: 0a28c28367cc94dbb0a256bfae245fe75257cf5e821813b4f802ee79158771b0627e60ea70796b02118b31eb9b6d712473c70a0d4dd58d80d08dbb9921c53289
+  metadata.gz: 2fceea8abce902bbbc98f0c5e969e3acdbeebd2614f409b3befa216d3cf7012158c8175edbaa2f3f84f9ac7474b40dc40302e010914eda205b5b8a3a45bbfcb4
+  data.tar.gz: 7db2b9647d05ee81462c2ffb7fd006a9174c971f80e35a527dfe5878d243e8617f502a6d9801ed9fbe652297648975f2dd5eea3db3991ec86339d892b5c6c8d4

data/CHANGELOG

@@ -1,3 +1,9 @@
+== 4.3.3 / Nov 2nd, 2023
+
+* Add tests for CVE-2023-31606 [Helio Cola]
+* Fix rake compile [Helio Cola and Faria Education Group]
+* Fix CVE-2023-31606 (ReDOS possible in the sanitize_html function) [Kornelius Kalnbach and Merbin Russel]
+
 == 4.3.2 / May 23rd, 2016
 
 * Fix additional case for CVE-2012-6684 [Joshua Siler]

data/README.rdoc

@@ -171,6 +171,13 @@ Example:
 Will become:
 
  <acronym title="American Civil Liberties Union">ACLU</acronym>
+ 
+== Filtering HTML
+
+RedCloth doesn't filter unsafe html tags by default, do to this use the following syntax:
+  RedCloth.new("<script>alert(1)</script>", [:filter_html]).to_html
+which will filter the script tags from the HTML resulting in:
+  "&lt;script&gt;alert(1)&lt;/script&gt;"
 
 == Adding Tables
 

data/Rakefile

@@ -1,7 +1,6 @@
 # encoding: utf-8
 require 'rubygems'
 require 'bundler'
-ENV['RUBYOPT'] = nil # Necessary to prevent Bundler from *&^%$#ing up rake-compiler.
 
 require 'rake/clean'
 
@@ -15,4 +14,4 @@ else
   Bundler.settings.without = [:compilation]
   Bundler.setup(:default, :development)
   load 'tasks/rspec.rake'
-end
+end

data/ext/redcloth_scan/redcloth_inline.c

@@ -7491,7 +7491,7 @@ _eof_trans:
 	break;
 	case 24:
 #line 103 "ragel/redcloth_inline.rl"
-	{te = p+1;{ CAT(block); {cs = 1270; goto _again;} }}
+	{te = p+1;{ CAT(block); {cs = 1270;goto _again;} }}
 	break;
 	case 25:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -7591,7 +7591,7 @@ _eof_trans:
 	break;
 	case 49:
 #line 116 "ragel/redcloth_inline.rl"
-	{te = p+1;{ CAT(block); {cs = 1516; goto _again;} }}
+	{te = p+1;{ CAT(block); {cs = 1516;goto _again;} }}
 	break;
 	case 50:
 #line 117 "ragel/redcloth_inline.rl"
@@ -7735,7 +7735,7 @@ _eof_trans:
 	break;
 	case 85:
 #line 116 "ragel/redcloth_inline.rl"
-	{te = p;p--;{ CAT(block); {cs = 1516; goto _again;} }}
+	{te = p;p--;{ CAT(block); {cs = 1516;goto _again;} }}
 	break;
 	case 86:
 #line 118 "ragel/redcloth_inline.rl"
@@ -7866,7 +7866,7 @@ _eof_trans:
 	{{p = ((te))-1;} PASS_CODE(block, "text", "code"); }
 	break;
 	case 8:
-	{{p = ((te))-1;} CAT(block); {cs = 1516; goto _again;} }
+	{{p = ((te))-1;} CAT(block); {cs = 1516;goto _again;} }
 	break;
 	case 10:
 	{{p = ((te))-1;} PARSE_ATTR("text"); PASS(block, "text", "strong"); }

data/ext/redcloth_scan/redcloth_scan.c

@@ -23459,7 +23459,7 @@ _eof_trans:
 	break;
 	case 58:
 #line 150 "ragel/redcloth_scan.rl"
-	{ SET_ATTRIBUTES(); {cs = 2479; goto _again;} }
+	{ SET_ATTRIBUTES(); {cs = 2479;goto _again;} }
 	break;
 	case 61:
 #line 1 "NONE"
@@ -23467,7 +23467,7 @@ _eof_trans:
 	break;
 	case 62:
 #line 72 "ragel/redcloth_scan.rl"
-	{te = p+1;{ CAT(block); DONE(block); {cs = 2250; goto _again;} }}
+	{te = p+1;{ CAT(block); DONE(block); {cs = 2250;goto _again;} }}
 	break;
 	case 63:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23475,7 +23475,7 @@ _eof_trans:
 	break;
 	case 64:
 #line 72 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ CAT(block); DONE(block); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ CAT(block); DONE(block); {cs = 2250;goto _again;} }}
 	break;
 	case 65:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23499,15 +23499,15 @@ _eof_trans:
 	break;
 	case 70:
 #line 77 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCKCODE(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCKCODE(); {cs = 2250;goto _again;} }}
 	break;
 	case 71:
 #line 80 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCKCODE(); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCKCODE(); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 72:
 #line 81 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCKCODE(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCKCODE(); {cs = 2250;goto _again;} }}
 	break;
 	case 73:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23519,7 +23519,7 @@ _eof_trans:
 	break;
 	case 75:
 #line 79 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCKCODE(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCKCODE(); {cs = 2250;goto _again;} }}
 	break;
 	case 76:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23536,7 +23536,7 @@ _eof_trans:
 	{{p = ((te))-1;} ADD_EXTENDED_BLOCKCODE(); }
 	break;
 	case 5:
-	{{p = ((te))-1;} ADD_BLOCKCODE(); {cs = 2250; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCKCODE(); {cs = 2250;goto _again;} }
 	break;
 	case 8:
 	{{p = ((te))-1;} rb_str_cat_escaped_for_preformatted(self, block, ts, te); }
@@ -23546,11 +23546,11 @@ _eof_trans:
 	break;
 	case 79:
 #line 86 "ragel/redcloth_scan.rl"
-	{te = p+1;{ CAT(block); ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ CAT(block); ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 80:
 #line 87 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 81:
 #line 11 "ragel/redcloth_common.rl"
@@ -23558,7 +23558,7 @@ _eof_trans:
 	break;
 	case 82:
 #line 86 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ CAT(block); ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ CAT(block); ASET("type", "ignore"); ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 83:
 #line 11 "ragel/redcloth_common.rl"
@@ -23570,7 +23570,7 @@ _eof_trans:
 	break;
 	case 85:
 #line 92 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 86:
 #line 11 "ragel/redcloth_common.rl"
@@ -23590,15 +23590,15 @@ _eof_trans:
 	break;
 	case 90:
 #line 97 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 91:
 #line 100 "ragel/redcloth_scan.rl"
-	{te = p+1;{ CAT(block); ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ CAT(block); ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 92:
 #line 101 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); CAT(html); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); CAT(html); {cs = 2250;goto _again;} }}
 	break;
 	case 93:
 #line 11 "ragel/redcloth_common.rl"
@@ -23610,7 +23610,7 @@ _eof_trans:
 	break;
 	case 95:
 #line 99 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); CAT(html); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); CAT(html); {cs = 2250;goto _again;} }}
 	break;
 	case 96:
 #line 11 "ragel/redcloth_common.rl"
@@ -23627,7 +23627,7 @@ _eof_trans:
 	{{p = ((te))-1;} CAT(block); ADD_EXTENDED_BLOCK(); CAT(html); }
 	break;
 	case 16:
-	{{p = ((te))-1;} ADD_BLOCK(); CAT(html); {cs = 2250; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCK(); CAT(html); {cs = 2250;goto _again;} }
 	break;
 	case 19:
 	{{p = ((te))-1;} CAT(block); }
@@ -23641,7 +23641,7 @@ _eof_trans:
 	break;
 	case 100:
 #line 106 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 101:
 #line 11 "ragel/redcloth_common.rl"
@@ -23665,15 +23665,15 @@ _eof_trans:
 	break;
 	case 106:
 #line 111 "ragel/redcloth_scan.rl"
-	{te = p+1;{  ADD_BLOCKCODE();  INLINE(html, "bc_close");  SET_PLAIN_BLOCK("p"); {cs = 2250; goto _again;} }}
+	{te = p+1;{  ADD_BLOCKCODE();  INLINE(html, "bc_close");  SET_PLAIN_BLOCK("p"); {cs = 2250;goto _again;} }}
 	break;
 	case 107:
 #line 114 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCKCODE(); CAT(html); RSTRIP_BANG(html); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCKCODE(); CAT(html); RSTRIP_BANG(html); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 108:
 #line 115 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250;goto _again;} }}
 	break;
 	case 109:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23685,7 +23685,7 @@ _eof_trans:
 	break;
 	case 111:
 #line 113 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250;goto _again;} }}
 	break;
 	case 112:
 #line 6 "ragel/redcloth_common.c.rl"
@@ -23702,7 +23702,7 @@ _eof_trans:
 	{{p = ((te))-1;} ADD_EXTENDED_BLOCKCODE(); CAT(html); }
 	break;
 	case 24:
-	{{p = ((te))-1;} ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCKCODE(); INLINE(html, "bc_close"); SET_PLAIN_BLOCK("p"); {cs = 2250;goto _again;} }
 	break;
 	case 27:
 	{{p = ((te))-1;} rb_str_cat_escaped_for_preformatted(self, block, ts, te); }
@@ -23724,23 +23724,23 @@ _eof_trans:
 	break;
 	case 118:
 #line 120 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250;goto _again;} }}
 	break;
 	case 119:
 #line 123 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCK(); INLINE(html, "bq_close"); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCK(); INLINE(html, "bq_close"); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 120:
 #line 124 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250;goto _again;} }}
 	break;
 	case 121:
 #line 125 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCK(); INLINE(html, "bq_close"); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCK(); INLINE(html, "bq_close"); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 122:
 #line 126 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250;goto _again;} }}
 	break;
 	case 123:
 #line 11 "ragel/redcloth_common.rl"
@@ -23752,7 +23752,7 @@ _eof_trans:
 	break;
 	case 125:
 #line 122 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250;goto _again;} }}
 	break;
 	case 126:
 #line 11 "ragel/redcloth_common.rl"
@@ -23769,7 +23769,7 @@ _eof_trans:
 	{{p = ((te))-1;} ADD_EXTENDED_BLOCK(); }
 	break;
 	case 30:
-	{{p = ((te))-1;} ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCK(); INLINE(html, "bq_close"); {cs = 2250;goto _again;} }
 	break;
 	case 35:
 	{{p = ((te))-1;} CAT(block); }
@@ -23795,23 +23795,23 @@ _eof_trans:
 	break;
 	case 133:
 #line 131 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 134:
 #line 134 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 135:
 #line 135 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 136:
 #line 136 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_EXTENDED_BLOCK(); END_EXTENDED(); {cs = 2250;goto _again;} }}
 	break;
 	case 137:
 #line 137 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 138:
 #line 11 "ragel/redcloth_common.rl"
@@ -23823,11 +23823,11 @@ _eof_trans:
 	break;
 	case 140:
 #line 133 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 141:
 #line 138 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159;goto _again;} }}
 	break;
 	case 142:
 #line 11 "ragel/redcloth_common.rl"
@@ -23844,10 +23844,10 @@ _eof_trans:
 	{{p = ((te))-1;} ADD_EXTENDED_BLOCK(); }
 	break;
 	case 38:
-	{{p = ((te))-1;} ADD_BLOCK(); {cs = 2250; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCK(); {cs = 2250;goto _again;} }
 	break;
 	case 43:
-	{{p = ((te))-1;} ADD_BLOCK(); CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCK(); CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159;goto _again;} }
 	break;
 	case 44:
 	{{p = ((te))-1;} CAT(block); }
@@ -23857,7 +23857,7 @@ _eof_trans:
 	break;
 	case 145:
 #line 144 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 146:
 #line 11 "ragel/redcloth_common.rl"
@@ -23865,7 +23865,7 @@ _eof_trans:
 	break;
 	case 147:
 #line 144 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); {cs = 2250;goto _again;} }}
 	break;
 	case 148:
 #line 11 "ragel/redcloth_common.rl"
@@ -23885,7 +23885,7 @@ _eof_trans:
 	break;
 	case 152:
 #line 154 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); RESET_NEST(); LIST_LAYOUT(); {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); RESET_NEST(); LIST_LAYOUT(); {cs = 2250;goto _again;} }}
 	break;
 	case 153:
 #line 11 "ragel/redcloth_common.rl"
@@ -23893,11 +23893,11 @@ _eof_trans:
 	break;
 	case 154:
 #line 153 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); LIST_LAYOUT(); {cs = 2159; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); LIST_LAYOUT(); {cs = 2159;goto _again;} }}
 	break;
 	case 155:
 #line 154 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); RESET_NEST(); LIST_LAYOUT(); {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); RESET_NEST(); LIST_LAYOUT(); {cs = 2250;goto _again;} }}
 	break;
 	case 156:
 #line 11 "ragel/redcloth_common.rl"
@@ -23911,7 +23911,7 @@ _eof_trans:
 #line 1 "NONE"
 	{	switch( act ) {
 	case 47:
-	{{p = ((te))-1;} ADD_BLOCK(); LIST_LAYOUT(); {cs = 2159; goto _again;} }
+	{{p = ((te))-1;} ADD_BLOCK(); LIST_LAYOUT(); {cs = 2159;goto _again;} }
 	break;
 	case 49:
 	{{p = ((te))-1;} CAT(block); }
@@ -23925,7 +23925,7 @@ _eof_trans:
 	break;
 	case 160:
 #line 162 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ADD_BLOCK(); INLINE(html, "dl_close");  {cs = 2250; goto _again;} }}
+	{te = p+1;{ ADD_BLOCK(); INLINE(html, "dl_close");  {cs = 2250;goto _again;} }}
 	break;
 	case 161:
 #line 11 "ragel/redcloth_common.rl"
@@ -23941,7 +23941,7 @@ _eof_trans:
 	break;
 	case 164:
 #line 162 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ADD_BLOCK(); INLINE(html, "dl_close");  {cs = 2250; goto _again;} }}
+	{te = p;p--;{ ADD_BLOCK(); INLINE(html, "dl_close");  {cs = 2250;goto _again;} }}
 	break;
 	case 165:
 #line 11 "ragel/redcloth_common.rl"
@@ -24009,7 +24009,7 @@ _eof_trans:
 	break;
 	case 181:
 #line 171 "ragel/redcloth_scan.rl"
-	{te = p+1;{ ASET("type", "notextile"); CAT(block); {cs = 2420; goto _again;} }}
+	{te = p+1;{ ASET("type", "notextile"); CAT(block); {cs = 2420;goto _again;} }}
 	break;
 	case 182:
 #line 173 "ragel/redcloth_scan.rl"
@@ -24029,7 +24029,7 @@ _eof_trans:
       CLEAR_REGS();
       RESET_TYPE();
       CAT(block);
-      {cs = 2465; goto _again;}
+      {cs = 2465;goto _again;}
     }}
 	break;
 	case 186:
@@ -24038,7 +24038,7 @@ _eof_trans:
 	break;
 	case 187:
 #line 167 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ASET("type", "ignored_line"); {cs = 2434; goto _again;} }}
+	{te = p;p--;{ ASET("type", "ignored_line"); {cs = 2434;goto _again;} }}
 	break;
 	case 188:
 #line 168 "ragel/redcloth_scan.rl"
@@ -24046,19 +24046,19 @@ _eof_trans:
 	break;
 	case 189:
 #line 169 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ASET("type", "notextile"); {cs = 2435; goto _again;} }}
+	{te = p;p--;{ ASET("type", "notextile"); {cs = 2435;goto _again;} }}
 	break;
 	case 190:
 #line 170 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ CAT(block); {cs = 2431; goto _again;} }}
+	{te = p;p--;{ CAT(block); {cs = 2431;goto _again;} }}
 	break;
 	case 191:
 #line 171 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ASET("type", "notextile"); CAT(block); {cs = 2420; goto _again;} }}
+	{te = p;p--;{ ASET("type", "notextile"); CAT(block); {cs = 2420;goto _again;} }}
 	break;
 	case 192:
 #line 172 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ {cs = 2423; goto _again;} }}
+	{te = p;p--;{ {cs = 2423;goto _again;} }}
 	break;
 	case 193:
 #line 173 "ragel/redcloth_scan.rl"
@@ -24066,23 +24066,23 @@ _eof_trans:
 	break;
 	case 194:
 #line 174 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ ASET("type", "html_block"); {cs = 2443; goto _again;} }}
+	{te = p;p--;{ ASET("type", "html_block"); {cs = 2443;goto _again;} }}
 	break;
 	case 195:
 #line 175 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ INLINE(html, "bc_open"); ASET("type", "code"); SET_PLAIN_BLOCK("code"); {cs = 2449; goto _again;} }}
+	{te = p;p--;{ INLINE(html, "bc_open"); ASET("type", "code"); SET_PLAIN_BLOCK("code"); {cs = 2449;goto _again;} }}
 	break;
 	case 196:
 #line 176 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ INLINE(html, "bq_open"); ASET("type", "p"); {cs = 2457; goto _again;} }}
+	{te = p;p--;{ INLINE(html, "bq_open"); ASET("type", "p"); {cs = 2457;goto _again;} }}
 	break;
 	case 197:
 #line 177 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ {cs = 2465; goto _again;} }}
+	{te = p;p--;{ {cs = 2465;goto _again;} }}
 	break;
 	case 198:
 #line 178 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ {cs = 2475; goto _again;} }}
+	{te = p;p--;{ {cs = 2475;goto _again;} }}
 	break;
 	case 199:
 #line 179 "ragel/redcloth_scan.rl"
@@ -24090,15 +24090,15 @@ _eof_trans:
 	break;
 	case 200:
 #line 180 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159; goto _again;} }}
+	{te = p;p--;{ CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159;goto _again;} }}
 	break;
 	case 201:
 #line 181 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ {p = (((ts + 1)))-1;} INLINE(html, "dl_open"); ASET("type", "dt"); {cs = 2484; goto _again;} }}
+	{te = p;p--;{ {p = (((ts + 1)))-1;} INLINE(html, "dl_open"); ASET("type", "dt"); {cs = 2484;goto _again;} }}
 	break;
 	case 202:
 #line 182 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ INLINE(table, "table_close"); DONE(table); {cs = 2465; goto _again;} }}
+	{te = p;p--;{ INLINE(table, "table_close"); DONE(table); {cs = 2465;goto _again;} }}
 	break;
 	case 203:
 #line 183 "ragel/redcloth_scan.rl"
@@ -24106,7 +24106,7 @@ _eof_trans:
 	break;
 	case 204:
 #line 184 "ragel/redcloth_scan.rl"
-	{te = p;p--;{ RESET_TYPE(); {cs = 2465; goto _again;} }}
+	{te = p;p--;{ RESET_TYPE(); {cs = 2465;goto _again;} }}
 	break;
 	case 205:
 #line 185 "ragel/redcloth_scan.rl"
@@ -24118,20 +24118,20 @@ _eof_trans:
       CLEAR_REGS();
       RESET_TYPE();
       CAT(block);
-      {cs = 2465; goto _again;}
+      {cs = 2465;goto _again;}
     }}
 	break;
 	case 207:
 #line 167 "ragel/redcloth_scan.rl"
-	{{p = ((te))-1;}{ ASET("type", "ignored_line"); {cs = 2434; goto _again;} }}
+	{{p = ((te))-1;}{ ASET("type", "ignored_line"); {cs = 2434;goto _again;} }}
 	break;
 	case 208:
 #line 171 "ragel/redcloth_scan.rl"
-	{{p = ((te))-1;}{ ASET("type", "notextile"); CAT(block); {cs = 2420; goto _again;} }}
+	{{p = ((te))-1;}{ ASET("type", "notextile"); CAT(block); {cs = 2420;goto _again;} }}
 	break;
 	case 209:
 #line 182 "ragel/redcloth_scan.rl"
-	{{p = ((te))-1;}{ INLINE(table, "table_close"); DONE(table); {cs = 2465; goto _again;} }}
+	{{p = ((te))-1;}{ INLINE(table, "table_close"); DONE(table); {cs = 2465;goto _again;} }}
 	break;
 	case 210:
 #line 183 "ragel/redcloth_scan.rl"
@@ -24143,51 +24143,51 @@ _eof_trans:
       CLEAR_REGS();
       RESET_TYPE();
       CAT(block);
-      {cs = 2465; goto _again;}
+      {cs = 2465;goto _again;}
     }}
 	break;
 	case 212:
 #line 1 "NONE"
 	{	switch( act ) {
 	case 55:
-	{{p = ((te))-1;} ASET("type", "ignored_line"); {cs = 2434; goto _again;} }
+	{{p = ((te))-1;} ASET("type", "ignored_line"); {cs = 2434;goto _again;} }
 	break;
 	case 58:
-	{{p = ((te))-1;} CAT(block); {cs = 2431; goto _again;} }
+	{{p = ((te))-1;} CAT(block); {cs = 2431;goto _again;} }
 	break;
 	case 59:
-	{{p = ((te))-1;} ASET("type", "notextile"); CAT(block); {cs = 2420; goto _again;} }
+	{{p = ((te))-1;} ASET("type", "notextile"); CAT(block); {cs = 2420;goto _again;} }
 	break;
 	case 61:
 	{{p = ((te))-1;} ASET("type", "html"); CAT(block); ADD_BLOCK(); }
 	break;
 	case 62:
-	{{p = ((te))-1;} ASET("type", "html_block"); {cs = 2443; goto _again;} }
+	{{p = ((te))-1;} ASET("type", "html_block"); {cs = 2443;goto _again;} }
 	break;
 	case 67:
 	{{p = ((te))-1;} INLINE(html, "hr"); }
 	break;
 	case 68:
-	{{p = ((te))-1;} CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159; goto _again;} }
+	{{p = ((te))-1;} CLEAR_LIST(); LIST_LAYOUT(); {cs = 2159;goto _again;} }
 	break;
 	case 69:
-	{{p = ((te))-1;} {p = (((ts + 1)))-1;} INLINE(html, "dl_open"); ASET("type", "dt"); {cs = 2484; goto _again;} }
+	{{p = ((te))-1;} {p = (((ts + 1)))-1;} INLINE(html, "dl_open"); ASET("type", "dt"); {cs = 2484;goto _again;} }
 	break;
 	case 70:
-	{{p = ((te))-1;} INLINE(table, "table_close"); DONE(table); {cs = 2465; goto _again;} }
+	{{p = ((te))-1;} INLINE(table, "table_close"); DONE(table); {cs = 2465;goto _again;} }
 	break;
 	case 71:
 	{{p = ((te))-1;} STORE_LINK_ALIAS(); DONE(block); }
 	break;
 	case 72:
-	{{p = ((te))-1;} RESET_TYPE(); {cs = 2465; goto _again;} }
+	{{p = ((te))-1;} RESET_TYPE(); {cs = 2465;goto _again;} }
 	break;
 	case 75:
 	{{p = ((te))-1;} 
       CLEAR_REGS();
       RESET_TYPE();
       CAT(block);
-      {cs = 2465; goto _again;}
+      {cs = 2465;goto _again;}
     }
 	break;
 	}

data/lib/redcloth/formatters/base.rb

@@ -28,7 +28,7 @@ module RedCloth::Formatters
       opts.delete(:class) if filter_classes
       opts.delete(:id) if filter_ids
 
-      atts = ''
+      atts = ''.dup
       opts[:"text-align"] = opts.delete(:align)
       opts[:style] += ';' if opts[:style] && (opts[:style][-1..-1] != ';')
       [:float, :"text-align", :"vertical-align"].each do |a|

data/lib/redcloth/formatters/html.rb

@@ -324,7 +324,7 @@ private
   # Clean unauthorized tags.
   def clean_html( text, allowed_tags = BASIC_TAGS )
     text.gsub!( /<!\[CDATA\[/, '' )
-    text.gsub!( /<(\/*)([A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
+    text.gsub!( /<(\/*)([A-Za-z]\w*+)([^>]*?)(\s?\/?)>/ ) do |m|
       raw = $~
       tag = raw[2].downcase
       if allowed_tags.has_key? tag

data/lib/redcloth/formatters/latex.rb

@@ -165,7 +165,7 @@ module RedCloth::Formatters::LATEX
 
   # FIXME: need caption and label elements similar to image -> figure
   def table_close(opts)
-    output  = "\\begin{table}\n"
+    output  = "\\begin{table}\n".dup
     output << "  \\centering\n"
     output << "  \\begin{tabular}{ #{"l " * @table[0].size }}\n"
     @table.each do |row|

data/lib/redcloth/version.rb

@@ -2,7 +2,7 @@ module RedCloth
   module VERSION
     MAJOR = 4
     MINOR = 3
-    TINY  = 2
+    TINY  = 3
 #    RELEASE_CANDIDATE = 0
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')

data/redcloth.gemspec

@@ -33,9 +33,9 @@ Gem::Specification.new do |s|
   s.extensions = Dir['ext/**/extconf.rb']
 
   s.add_development_dependency('bundler', '> 1.3.4')
-  s.add_development_dependency('rake', '~> 10.0.3')
-  s.add_development_dependency('rspec', '~> 2.4')
-  s.add_development_dependency('diff-lcs', '~> 1.1.2')
+  s.add_development_dependency('rake', '~> 13')
+  s.add_development_dependency('rspec', '~> 3.12')
+  s.add_development_dependency('diff-lcs', '~> 1.5')
 
   s.license = "MIT"
 end

data/spec/custom_tags_spec.rb

@@ -4,7 +4,7 @@ module FigureTag
   def fig( opts )
     label, img = opts[:text].split('|').map! {|str| str.strip}
 
-    html  = %Q{<div class="img" id="figure-#{label.tr('.', '-')}">\n}
+    html  = %Q{<div class="img" id="figure-#{label.tr('.', '-')}">\n}.dup
     html << %Q{  <a class="fig" href="/images/#{img}">\n}
     html << %Q{    <img src="/images/thumbs/#{img}" alt="Figure #{label}" />\n}
     html << %Q{  </a>\n}
@@ -15,13 +15,13 @@ end
 
 describe "custom tags" do
   it "should recognize the custom tag" do
-    input  = %Q{The first line of text.\n\n}
+    input  = %Q{The first line of text.\n\n}.dup
     input << %Q{fig. 1.1 | img.jpg\n\n}
     input << %Q{The last line of text.\n}
     r = RedCloth.new input
     r.extend FigureTag
 
-    html  = %Q{<p>The first line of text.</p>\n}
+    html  = %Q{<p>The first line of text.</p>\n}.dup
     html << %Q{<div class="img" id="figure-1-1">\n}
     html << %Q{  <a class="fig" href="/images/img.jpg">\n}
     html << %Q{    <img src="/images/thumbs/img.jpg" alt="Figure 1.1" />\n}
@@ -47,4 +47,4 @@ describe "custom tags" do
 
     r.to_html.should == html
   end
-end
+end

data/spec/fixtures/threshold.yml

@@ -159,7 +159,7 @@ in: '"link text":http://example.com/'
 html: <p><a href="http://example.com/">link text</a></p>
 ---
 name: local links
-desc: The host name may be ommitted for local links.
+desc: The host name may be omitted for local links.
 in: '"link text":/example'
 html: <p><a href="/example">link text</a></p>
 ---

data/spec/parser_spec.rb

@@ -85,8 +85,9 @@ describe RedCloth do
   
   if RUBY_VERSION > "1.9.0"
     it "should preserve character encoding" do
-      input = "This is an ISO-8859-1 string"
+      input = "This is an ISO-8859-1 string".dup
       input.force_encoding 'iso-8859-1'
+
       output = RedCloth.new(input).to_html
       
       output.should == "<p>This is an <span class=\"caps\">ISO</span>-8859-1 string</p>"
@@ -94,7 +95,7 @@ describe RedCloth do
     end
     
     it "should not raise ArgumentError: invalid byte sequence" do
-      s = "\xa3"
+      s = "\xa3".dup
       s.force_encoding 'iso-8859-1'
       lambda { RedCloth.new(s).to_html }.should_not raise_error
     end

data/spec/security/CVE-2023-31606_spec.rb

@@ -0,0 +1,49 @@
+# https://github.com/advisories/GHSA-qcm3-vfq5-wfr2
+# https://github.com/e23e/CVE-2023-31606#readme
+# https://github.com/jgarber/redcloth/issues/73
+# https://github.com/jgarber/redcloth/pull/75
+
+require 'redcloth'
+
+describe 'CVE-2023-31606' do
+
+  it 'process malicious html without delay' do
+    # INFO (Helio): inside RedCloth repo, running `$ bundle exec rspec .`, with the test below, I can't replicate,
+    # on my development machine, the time spent on this sample text.
+    # However, on the same development machine, when I run this test this code, in a test-redcloth-regexp.rb script, in a rails app
+    # with `gem 'RedCloth'` in it, I was able to get the results indicated in the issue (https://github.com/jgarber/redcloth/issues/73),
+    # by https://github.com/e23e
+    # Here are the outputs:
+    # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+    # 0.158047
+    # ruby test-redcloth-regexp.rb  0.12s user 0.11s system 82% cpu 0.279 total
+    # hac@MBP tcard % time ruby test-redcloth-regexp.rb
+    # 18.457945
+    # ruby test-redcloth-regexp.rb  18.32s user 0.22s system 99% cpu 18.556 total
+    # hac@MBP tcard % cat !$
+    # cat test-redcloth-regexp.rb
+    # require 'RedCloth'
+    # text = '<A' + 'A' * (54773)
+    # t1 = Time.now
+    # text = RedCloth.new(text, [:sanitize_html]).to_html
+    # t2 = Time.now
+    # puts (t2-t1)
+    # hac@MBP tcard %
+
+    text = '<A' + 'A' * (54773)
+
+    t1 = Time.now
+    res = RedCloth.new(text, [:sanitize_html]).to_html
+    t2 = Time.now
+
+    expect(t2-t1).to be <= 3
+  end
+
+  it 'should keep the generated HTML the same' do
+    text = "<a href=https://example.com> Example </a>"
+    result = RedCloth.new(text, [:sanitize_html]).to_html
+
+    expect(result).to eq("<p><a href=\"https://example.com\"> Example </a></p>")
+  end
+
+end

data/spec/spec_helper.rb

@@ -26,11 +26,11 @@ def fixtures
   Dir[File.join(File.dirname(__FILE__), *%w[fixtures *.yml])].each do |testfile|
     testgroup = File.basename(testfile, '.yml')
     num = 0
-    YAML::load_documents(File.open(testfile)) do |doc|
+    YAML::load_stream(File.open(testfile)) do |doc|
       name = doc['name'] || num
       @fixtures["#{testgroup} #{name}"] = doc
       num += 1
     end
   end
   @fixtures
-end
+end

data/tasks/release.rake

@@ -1,16 +1,15 @@
 namespace :release do
   desc 'Push all gems to rubygems.org'
-  # git tag and push tag
-  # git tag vx.x.x
-  # git push --follow-tags
-  # branch into stable vx.x branch
-  # change version in version.rb
-  # update changelog
-  # run rake test
+  # 1. run rake test
+  # 2. update changelog
+  # 3. change version in version.rb
+  # 4. branch into stable vx.x branch
+  # 5. git tag and push tag
+  # 5.1. git tag vx.x.x
+  # 5.2. git push --follow-tags
 
   task :gem do
     sh("gem build redcloth.gemspec")
     sh("gem push RedCloth-*.gem")
   end
 end
-

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: RedCloth
 version: !ruby/object:Gem::Version
-  version: 4.3.2
+  version: 4.3.3
 platform: ruby
 authors:
 - Jason Garber
 - Joshua Siler
 - Ola Bini
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-05-24 00:00:00.000000000 Z
+date: 2023-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -32,42 +32,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.0.3
+        version: '13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.0.3
+        version: '13'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: diff-lcs
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: '1.5'
 description: Textile parser for Ruby.
 email: redcloth-upwards@rubyforge.org
 executables:
@@ -136,6 +136,7 @@ files:
 - spec/formatters/style_filtered_html_spec.rb
 - spec/parser_spec.rb
 - spec/security/CVE-2012-6684_spec.rb
+- spec/security/CVE-2023-31606_spec.rb
 - spec/spec_helper.rb
 - tasks/compile.rake
 - tasks/ragel_extension_task.rb
@@ -146,7 +147,7 @@ homepage: http://redcloth.org
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 - "--line-numbers"
@@ -170,42 +171,42 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: redcloth
-rubygems_version: 2.4.8
-signing_key: 
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
-summary: RedCloth-4.3.2
+summary: RedCloth-4.3.3
 test_files:
 - spec/benchmark_spec.rb
-- spec/parser_spec.rb
-- spec/extension_spec.rb
 - spec/custom_tags_spec.rb
-- spec/spec_helper.rb
 - spec/erb_spec.rb
-- spec/fixtures/lists.yml
-- spec/fixtures/links.yml
-- spec/fixtures/code.yml
-- spec/fixtures/textism.yml
+- spec/extension_spec.rb
 - spec/fixtures/basic.yml
+- spec/fixtures/code.yml
+- spec/fixtures/definitions.yml
+- spec/fixtures/extra_whitespace.yml
 - spec/fixtures/filter_html.yml
-- spec/fixtures/table.yml
-- spec/fixtures/instiki.yml
 - spec/fixtures/filter_pba.yml
-- spec/fixtures/threshold.yml
+- spec/fixtures/html.yml
 - spec/fixtures/images.yml
-- spec/fixtures/definitions.yml
-- spec/fixtures/sanitize_html.yml
+- spec/fixtures/instiki.yml
+- spec/fixtures/links.yml
+- spec/fixtures/lists.yml
 - spec/fixtures/poignant.yml
-- spec/fixtures/extra_whitespace.yml
-- spec/fixtures/html.yml
-- spec/formatters/id_filtered_html_spec.rb
+- spec/fixtures/sanitize_html.yml
+- spec/fixtures/table.yml
+- spec/fixtures/textism.yml
+- spec/fixtures/threshold.yml
+- spec/formatters/class_filtered_html_spec.rb
+- spec/formatters/filtered_html_spec.rb
 - spec/formatters/html_no_breaks_spec.rb
 - spec/formatters/html_spec.rb
+- spec/formatters/id_filtered_html_spec.rb
 - spec/formatters/latex_spec.rb
-- spec/formatters/style_filtered_html_spec.rb
-- spec/formatters/class_filtered_html_spec.rb
-- spec/formatters/no_span_caps_html_spec.rb
-- spec/formatters/filtered_html_spec.rb
 - spec/formatters/lite_mode_html_spec.rb
+- spec/formatters/no_span_caps_html_spec.rb
 - spec/formatters/sanitized_html_spec.rb
+- spec/formatters/style_filtered_html_spec.rb
+- spec/parser_spec.rb
 - spec/security/CVE-2012-6684_spec.rb
+- spec/security/CVE-2023-31606_spec.rb
+- spec/spec_helper.rb