RubyGems - emoji - Versions diffs - 1.0.0 → 1.0.1 - Mend

emoji 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c3d7df5281fcc91b481f756f9b00ec60ce7913f8
-  data.tar.gz: 0b57115afa01104c4feae9487c70ef0fa4eb3285
+  metadata.gz: 5a5314dfa9bd2b9fefb8db7cd2c5b52643a11615
+  data.tar.gz: ce8ef4dfdbf6044d5864f2ab5a4846d19bc3b36e
 SHA512:
-  metadata.gz: aa9dd31820e607c47e33b257078c64965acc25d18c7fc1542c217b9a02eac166dc0c79e487099fe66d95ebca7cbe7d02708cd42712cde9942e4b42e12ca732a3
-  data.tar.gz: 76ef2ae9bd9f69895c3bf5ad00a65e061416fa08eb5ac443cefc7975412cc9c515326fae53d4b4fa7bb882b318f9bf7844ae4500d2ca07f286c525319ad08795
+  metadata.gz: 9dea51512846eb336698457bd4a12f6898c8b9906261b913cc720303a24f03c5c67e7666053ad00f26be58626479f71ba93642911c1a2fb33d37a45a2344630f
+  data.tar.gz: 847d2edef664e9949e59c71112b369d0af4ab5cdd91277d9de02fd05a35908466f1e465372e0413d4aedd188ffdc4231e1122d5f7fdfe7fce06d9f8d9e8255a3

data/CHANGELOG.md CHANGED

@@ -1,5 +1,9 @@
 # Releases / Changes
+## 1.0.1
+* Important html_safe security fix.
 ## 1.0.0
 * Initial gem release

data/README.md CHANGED

@@ -41,7 +41,7 @@ Image Replacement APIs:
 ```ruby
 > Emoji.replace_unicode_moji_with_images('I ❤ Emoji')
-=> "I <img class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
+=> "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
 > Emoji.image_url_for_unicode_moji('❤')
 => "http://localhost:3000/assets/emoji/heart.png"
@@ -81,7 +81,7 @@ and call methods directly on your string to return the same results:
 ```ruby
 > 'I ❤ Emoji'.with_emoji_images
-=> "I <img class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
+=> "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
 > 'heart'.image_url
 > '❤'.image_url

data/lib/emoji.rb CHANGED

@@ -43,24 +43,28 @@ module Emoji
   end
   def self.replace_unicode_moji_with_images(string)
-    unless string && string.match(index.unicode_moji_regex)
-      return string
-    end
-    if string.respond_to?(:html_safe?) && string.html_safe?
-      safe_string = string.dup
-    else
-      safe_string = escape_html(string.dup)
+    return string unless string
+    unless string.match(index.unicode_moji_regex)
+      return safe_string(string)
     end
+    safe_string = safe_string(string.dup)
     safe_string.gsub!(index.unicode_moji_regex) do |moji|
-      %Q{<img class="emoji" src="#{ image_url_for_unicode_moji(moji) }">}
+      %Q{<img alt="#{moji}" class="emoji" src="#{ image_url_for_unicode_moji(moji) }">}
     end
     safe_string = safe_string.html_safe if safe_string.respond_to?(:html_safe)
     safe_string
   end
+  def self.safe_string(string)
+    if string.respond_to?(:html_safe?) && string.html_safe?
+      string
+    else
+      escape_html(string)
+    end
+  end
   def self.escape_html(string)
     @escaper.escape_html(string)
   end

data/lib/emoji/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Emoji
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

data/test/emoji_test.rb CHANGED

@@ -46,13 +46,13 @@ describe Emoji do
     it 'should escape html in non html_safe aware strings' do
       replaced_string = Emoji.replace_unicode_moji_with_images('❤<script>')
-      assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+      assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
     end
     it 'should replace unicode moji with img tag' do
       base_string = "I ❤ Emoji"
       replaced_string = Emoji.replace_unicode_moji_with_images(base_string)
-      assert_equal "I <img class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
+      assert_equal "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
     end
     it 'should handle nil string' do
@@ -60,14 +60,24 @@ describe Emoji do
     end
     describe 'with html_safe buffer' do
-      it 'should escape non html_safe? strings' do
+      it 'should escape non html_safe? strings in emoji' do
         string = HtmlSafeString.new('❤<script>')
         replaced_string = string.stub(:html_safe?, false) do
           Emoji.replace_unicode_moji_with_images(string)
         end
-        assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+        assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+      end
+      it 'should escape non html_safe? strings in all strings' do
+        string = HtmlSafeString.new('XSS<script>')
+        replaced_string = string.stub(:html_safe?, false) do
+          Emoji.replace_unicode_moji_with_images(string)
+        end
+        assert_equal "XSS&lt;script&gt;", replaced_string
       end
       it 'should not escape html_safe strings' do
@@ -77,10 +87,10 @@ describe Emoji do
           Emoji.replace_unicode_moji_with_images(string)
         end
-        assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\"><a href=\"harmless\">", replaced_string
+        assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"><a href=\"harmless\">", replaced_string
       end
-      it 'should always return an html_safe string' do
+      it 'should always return an html_safe string for emoji' do
         string = HtmlSafeString.new('❤')
         replaced_string = string.stub(:html_safe, 'safe_buffer') do
            Emoji.replace_unicode_moji_with_images(string)
@@ -88,6 +98,15 @@ describe Emoji do
         assert_equal "safe_buffer", replaced_string
       end
+      it 'should always return an html_safe string for any string' do
+        string = HtmlSafeString.new('Content')
+        replaced_string = string.stub(:html_safe, 'safe_buffer') do
+           Emoji.replace_unicode_moji_with_images(string)
+        end
+        assert_equal "Content", replaced_string
+      end
     end
   end
@@ -108,4 +127,4 @@ describe Emoji do
     end
   end
-end
+end

data/test/string_ext_test.rb CHANGED

@@ -7,7 +7,7 @@ describe String, 'with Emoji extensions' do
     it 'should replace unicode moji with an img tag' do
       base_string = "I ❤ Emoji"
       replaced_string = base_string.with_emoji_images
-      assert_equal "I <img class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
+      assert_equal "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
     end
   end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: emoji
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Steve Klabnik
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-10 00:00:00.000000000 Z
+date: 2014-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -618,7 +618,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.14
+rubygems_version: 2.0.3
 signing_key:
 specification_version: 4
 summary: 'A Ruby gem. For emoji. For everyone. :heart:'
@@ -627,4 +627,3 @@ test_files:
 - test/index_test.rb
 - test/string_ext_test.rb
 - test/test_helper.rb
-has_rdoc: