bbcoder 1.0.0 → 1.0.1

data/Gemfile

@@ -1,3 +1,3 @@
-source :rubygems
+source "https://rubygems.org"
 
 gemspec

data/Gemfile.lock

@@ -1,26 +1,28 @@
 PATH
   remote: .
   specs:
-    bbcoder (1.0.0)
+    bbcoder (1.0.1)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
     diff-lcs (1.1.3)
+    rake (0.9.2.2)
     rr (1.0.4)
-    rspec (2.9.0)
-      rspec-core (~> 2.9.0)
-      rspec-expectations (~> 2.9.0)
-      rspec-mocks (~> 2.9.0)
-    rspec-core (2.9.0)
-    rspec-expectations (2.9.1)
+    rspec (2.10.0)
+      rspec-core (~> 2.10.0)
+      rspec-expectations (~> 2.10.0)
+      rspec-mocks (~> 2.10.0)
+    rspec-core (2.10.0)
+    rspec-expectations (2.10.0)
       diff-lcs (~> 1.1.3)
-    rspec-mocks (2.9.0)
+    rspec-mocks (2.10.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   bbcoder!
+  rake
   rr
   rspec

data/README.md

@@ -1,3 +1,9 @@
+Status
+--------
+I consider bbcoder to be stable so you won't see many updates to it in the future.  It is perfectly fine to use in prodution.  The gem itself is pretty simple so it should work across
+the board with newer frameworks etc.  If you find any issues or think it needs a feature please submit an issue.
+
+
 Features
 --------
 
@@ -13,9 +19,13 @@ p, b, i, u, s, del, ins, ol, ul, li, dl, dt, dd, quote, code, spoiler, url, img,
 Usage
 --------
 
-    BBCoder.new(text).to_html
+    BBCoder.new(h(text)).to_html
     # or
-    "[p]my string[/p]".bbcode_to_html
+    h("[p]my string[/p]").bbcode_to_html
+    # h() is a Rails helper function, you may use CGI.escapeHTML instead
+
+See configuration section below on adding new parseable tags
+
 
 Install
 -------
@@ -23,6 +33,36 @@ Install
     gem install bbcoder
 
 
+Autolinking, Smileys, XSS prevention, Newlines
+--------------------------------------
+
+bbcoder is not meant to handle smileys, autolinking or xss attacks.  There are other libraries to help do this for us.  I also do not consider these elements part of bbcode itself (even though there is no standard) so bbcoder will not provide support for them except in this README to give examples on how to combine them together.
+
+
+#### Autolinking
+Rails 2.x has a helper auto_link by default that can do this for you.  For Rails 3.x you can install the rails_autolink gem.
+
+
+#### Smileys
+At the moment I use a jquery library to display smileys after the page has loaded.  The library I use https://github.com/JangoSteve/jQuery-CSSEmoticons however it would be nice to see a gem that can parse smileys out of text into appropriate html elements with specific tags.  CSS3 font-face anyone?
+
+
+#### XSS
+Please make sure you escaped or sanitized all HTML in the string before passing it to bbcoder!
+
+bbcoder will now do a whitelist check against img tags and url tags by default and only allow http/https links.  You can override this by putting in your own configuration if you wish.  If you find any other flaws or holes please report so we can fix.  bbcoder will not sanitize the rest of your input, it will only attempt to whitelist the actual html elements it will generate.
+
+
+#### Newlines
+When typing into a textarea a user will use newlines to indicate space between lines.  This is not translated properly into br tags.  I do not consider this a function for bbcoder either atm, however I do use it in combination with XSS/Sanitize above:
+
+
+##### XSS + Newlines Helper
+      def bbcode(text)
+        Sanitize.clean(text.to_s).bbcode_to_html.gsub(/\n|\r\n/, "<br />").html_safe
+      end
+
+
 Configuration Examples
 -----------------------
 
@@ -41,7 +81,15 @@ Configuration Examples
       tag :ol
       tag :li, :parents => [:ol, :ul]
 
-      tag :img, :match => /^.*(png|bmp|jpe?g|gif)$/ do
+      tag :url, :match_link => /^https?:\/\// do
+        if meta.nil? || meta.empty?
+          %(<a href="#{content}">#{content}</a>)
+        else
+          %(<a href="#{meta}">#{content}</a>)
+        end
+      end
+
+      tag :img, :match => /^https?:\/\/.*(png|bmp|jpe?g|gif)$/, :singular => true do
         %(<a href="#{singular? ? meta : content}"><img src="#{singular? ? meta : content}" /></a>)
       end
 
@@ -53,13 +101,7 @@ Configuration Examples
         EOS
       end
 
-      tag :url do
-        if meta.nil? || meta.empty?
-          %(<a href="#{content}">#{content}</a>)
-        else
-          %(<a href="#{meta}">#{content}</a>)
-        end
-      end
+      remove :spoiler # Removes [spoiler]
     end
 
 
@@ -69,6 +111,7 @@ Options for #tag
 * :match (regex) -> convert this tag and its content to html only if the content and meta matches the regex (see img tag above for example)
 * :match_meta (regex) -> same as :match except only for meta
 * :match_content (regex) -> same as :match except only for content
+* :match_link (regex) -> special :match case, will match meta if it exists otherwise tries to match content (see url tag for usage)
 * :parents ([symbol]) -> ignore this tag if there is no open tag that matches its parents
 * :singular (true|false) -> use this if the tag does not require an ending tag
 
@@ -79,6 +122,7 @@ When you pass a block to #tag it is expecting you to return a string.  You have
 * content -> Everything between the two tags (with [b]strong arm[/b] content returns 'strong arm')
 * singular? -> Tells you if this tag is being parsed in singular form or if it had an ending tag (affects if content has any data)
 
+You can remove all configured tags by calling `BBCoder.configuration.clear`.
 
 Author
 ------

data/Rakefile

@@ -4,13 +4,14 @@ Bundler.setup
 require "rspec"
 require "rspec/core/rake_task"
 
-Rspec::Core::RakeTask.new(:spec)
+RSpec::Core::RakeTask.new(:spec)
 
 gemspec = eval(File.read(File.join(Dir.pwd, "bbcoder.gemspec")))
 
 task :build => "#{gemspec.full_name}.gem"
 
 task :test => :spec
+task :default => :spec
 
 file "#{gemspec.full_name}.gem" => gemspec.files + ["bbcoder.gemspec"] do
   system "gem build bbcoder.gemspec"

data/bbcoder.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
+  s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rr'
 end

data/lib/bbcoder.rb

@@ -21,9 +21,10 @@ BBCoder.configure do
   tag :dd, :parents => [:dl]
 
   tag :quote do
+    quoted = meta.empty? ? '' : "\n  <legend>#{meta} says</legend>"
+
     <<-EOS
-<fieldset>
-<legend>#{meta} says</legend>
+<fieldset>#{quoted}
   <blockquote>
     #{content}
   </blockquote>
@@ -48,7 +49,7 @@ BBCoder.configure do
     EOS
   end
 
-  tag :url do
+  tag :url, :match_link => /^https?:\/\// do
     if meta.nil? || meta.empty?
       %(<a href="#{content}">#{content}</a>)
     else
@@ -56,7 +57,7 @@ BBCoder.configure do
     end
   end
 
-  tag :img, :match => /^.*(png|bmp|jpe?g|gif)$/, :singular => true do
+  tag :img, :match => /^https?:\/\/.*(png|bmp|jpe?g|gif)$/, :singular => true do
     %(<a href="#{singular? ? meta : content}"><img src="#{singular? ? meta : content}" /></a>)
   end
 

data/lib/bbcoder/configuration.rb

@@ -6,6 +6,14 @@ class BBCoder
       @@tags[value]
     end
 
+    def clear
+      @@tags = {}
+    end
+
+    def remove name
+      @@tags.delete(name.to_sym)
+    end
+
     def tag(name, options = {}, &block)
       unless block.nil?
         block.binding.eval <<-EOS

data/lib/bbcoder/tag.rb

@@ -8,7 +8,9 @@ class BBCoder
     end
 
     def to_html(meta, content, singularity = false)
-      return self.class.reform(name, meta, content, singularity, true) unless content_valid?(content, singularity) && meta_valid?(meta, singularity)
+      unless content_valid?(content, singularity) && meta_valid?(meta, singularity) && link_valid?(meta, content)
+        return self.class.reform(name, meta, content, singularity, true)
+      end
 
       if options[:block].nil?
         "<#{options[:as]}>#{content}</#{options[:as]}>"
@@ -22,6 +24,19 @@ class BBCoder
       end
     end
 
+    def link_valid?(meta, content)
+      # only run if we have a :match_link
+      return true if options[:match_link].nil?
+
+      if meta.nil? || meta.empty?
+        return false if content.match(options[:match_link]).nil?
+      else
+        return false if meta.match(options[:match_link]).nil?
+      end
+
+      return true
+    end
+
     def meta_valid?(meta, singularity)
       return true if meta.nil?
 

data/lib/bbcoder/version.rb

@@ -1,3 +1,3 @@
 class BBCoder
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

data/spec/base_spec.rb

@@ -5,9 +5,22 @@ describe BBCoder do
   subject { BBCoder.new("[p]Text and now [b]bolded.[/b][/p]") }
 
   context "#configuration" do
+    before do
+      @tags = BBCoder::Configuration.class_variable_get(:@@tags).clone
+    end
+
+    after do
+      BBCoder::Configuration.class_variable_set(:@@tags, @tags)
+    end
+
     it "should return the same object for multiple calls" do
       BBCoder.configuration.should == BBCoder.configuration
     end
+
+    it "should allow to clear the configuration" do
+      BBCoder.configuration.clear
+      BBCoder.configuration[:spoiler].should be_nil
+    end
   end
 
   context "#buffer" do
@@ -17,6 +30,14 @@ describe BBCoder do
   end
 
   context "#configure" do
+    before do
+      @tags = BBCoder::Configuration.class_variable_get(:@@tags).clone
+    end
+
+    after do
+      BBCoder::Configuration.class_variable_set(:@@tags, @tags)
+    end
+
     it "should fail without a block" do
       lambda { BBCoder.configure }.should raise_error
     end
@@ -26,6 +47,13 @@ describe BBCoder do
       mock(BBCoder).configuration.stub!.instance_eval(&block)
       BBCoder.configure(&block)
     end
+
+    it "should be able to remove a tag" do
+      BBCoder.configure do
+        remove :spoiler
+      end
+      BBCoder.configuration[:spoiler].should be_nil
+    end
   end
 
   context "#initialize" do

data/spec/bbcoder_spec.rb

@@ -2,6 +2,33 @@ require 'spec_helper'
 
 describe BBCoder do
 
+  context "quotes" do
+    it "displays the quoted party if provided" do
+      string = "[quote=weedman]Said some thing about some stuff[/quote]"
+
+      string.bbcode_to_html.should == <<-EOS
+<fieldset>
+  <legend>weedman says</legend>
+  <blockquote>
+    Said some thing about some stuff
+  </blockquote>
+</fieldset>
+      EOS
+    end
+
+    it "has no legend if no quoted party provided" do
+      string = "[quote]Said some thing about some stuff[/quote]"
+
+      string.bbcode_to_html.should == <<-EOS
+<fieldset>
+  <blockquote>
+    Said some thing about some stuff
+  </blockquote>
+</fieldset>
+      EOS
+    end
+  end
+
   context "with dirty input" do
     it "should parse content with \" in it" do
       '[p]Text phrase: "going away"[/p]'.bbcode_to_html.should == '<p>Text phrase: "going away"</p>'
@@ -20,7 +47,7 @@ describe BBCoder do
 
       result = <<-EOS
 <fieldset>
-<legend>weedman says</legend>
+  <legend>weedman says</legend>
   <blockquote>
     YES I STICKY IT ALL oF YOU WHO DON\'T LIKE it SEND YOUR HATE HERE\n\nhttp://www.gamesyn.com/plugin.php?plugin=PrivateMessages&file=message_send.php&id=20&tid=1583\n\n:} have a good day
   </blockquote>
@@ -67,7 +94,6 @@ EOS
       output = "[p]Text and now [b]bold then [i]italics[/i][/b][/p] and then a [quote]Quote[/quote]".bbcode_to_html
       output.should == <<-EOS
 <p>Text and now <strong>bold then <em>italics</em></strong></p> and then a <fieldset>
-<legend> says</legend>
   <blockquote>
     Quote
   </blockquote>
@@ -151,5 +177,46 @@ EOS
       "[img=image.exe]".bbcode_to_html.should == "[img=image.exe]"
     end
   end
+
+  context "with xss attacks" do
+    it "should reject anything other than http/https for url tags" do
+      "[url=javascript:alert('You got hacked!')]hacked[/url]".bbcode_to_html.should == "[url=javascript:alert('You got hacked!')]hacked[/url]"
+      "[url]javascript:alert('You got hacked!')[/url]".bbcode_to_html.should == "[url]javascript:alert('You got hacked!')[/url]"
+
+      '[url=javascript:window.alert("You got hacked!")]click[/url]'.bbcode_to_html.should == '[url=javascript:window.alert("You got hacked!")]click[/url]'
+    end
+
+    it "should reject anything other than http/https for img tags" do
+      "[img=javascript:alert('XSS');jpg]".bbcode_to_html.should == "[img=javascript:alert('XSS');jpg]"
+      "[img]javascript:alert('XSS');png[/img]".bbcode_to_html.should == "[img]javascript:alert('XSS');png[/img]"
+      '[img]javascript:window.alert("You got hacked!")//.jpg[/img]'.bbcode_to_html.should == '[img]javascript:window.alert("You got hacked!")//.jpg[/img]'
+
+      attack = "[img]
+j
+a
+v
+a
+s
+c
+r
+i
+p
+t
+:
+a
+l
+e
+r
+t
+(
+'
+X
+S
+S
+'
+);jpg[/img]"
+        attack.bbcode_to_html.should == attack
+    end
+  end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bbcoder
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,8 +9,24 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-13 00:00:00.000000000 Z
+date: 2013-11-12 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -92,7 +108,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: bbcoder
-rubygems_version: 1.8.21
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: BBCode parser