emoji 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c3d7df5281fcc91b481f756f9b00ec60ce7913f8
-  data.tar.gz: 0b57115afa01104c4feae9487c70ef0fa4eb3285
+  metadata.gz: 5a5314dfa9bd2b9fefb8db7cd2c5b52643a11615
+  data.tar.gz: ce8ef4dfdbf6044d5864f2ab5a4846d19bc3b36e
 SHA512:
-  metadata.gz: aa9dd31820e607c47e33b257078c64965acc25d18c7fc1542c217b9a02eac166dc0c79e487099fe66d95ebca7cbe7d02708cd42712cde9942e4b42e12ca732a3
-  data.tar.gz: 76ef2ae9bd9f69895c3bf5ad00a65e061416fa08eb5ac443cefc7975412cc9c515326fae53d4b4fa7bb882b318f9bf7844ae4500d2ca07f286c525319ad08795
+  metadata.gz: 9dea51512846eb336698457bd4a12f6898c8b9906261b913cc720303a24f03c5c67e7666053ad00f26be58626479f71ba93642911c1a2fb33d37a45a2344630f
+  data.tar.gz: 847d2edef664e9949e59c71112b369d0af4ab5cdd91277d9de02fd05a35908466f1e465372e0413d4aedd188ffdc4231e1122d5f7fdfe7fce06d9f8d9e8255a3

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Releases / Changes
 
+## 1.0.1
+
+* Important html_safe security fix.
+
 ## 1.0.0
 
 * Initial gem release

data/README.md

@@ -41,7 +41,7 @@ Image Replacement APIs:
 
 ```ruby
 > Emoji.replace_unicode_moji_with_images('I ❤ Emoji')
-=> "I <img class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
+=> "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
 
 > Emoji.image_url_for_unicode_moji('❤')
 => "http://localhost:3000/assets/emoji/heart.png"
@@ -81,7 +81,7 @@ and call methods directly on your string to return the same results:
 
 ```ruby
 > 'I ❤ Emoji'.with_emoji_images
-=> "I <img class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
+=> "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/assets/emoji/heart.png\"> Emoji"
 
 > 'heart'.image_url
 > '❤'.image_url

data/lib/emoji.rb

@@ -43,24 +43,28 @@ module Emoji
   end
 
   def self.replace_unicode_moji_with_images(string)
-    unless string && string.match(index.unicode_moji_regex)
-      return string
-    end
-
-    if string.respond_to?(:html_safe?) && string.html_safe?
-      safe_string = string.dup
-    else
-      safe_string = escape_html(string.dup)
+    return string unless string
+    unless string.match(index.unicode_moji_regex)
+      return safe_string(string)
     end
 
+    safe_string = safe_string(string.dup)
     safe_string.gsub!(index.unicode_moji_regex) do |moji|
-      %Q{<img class="emoji" src="#{ image_url_for_unicode_moji(moji) }">}
+      %Q{<img alt="#{moji}" class="emoji" src="#{ image_url_for_unicode_moji(moji) }">}
     end
     safe_string = safe_string.html_safe if safe_string.respond_to?(:html_safe)
 
     safe_string
   end
 
+  def self.safe_string(string)
+    if string.respond_to?(:html_safe?) && string.html_safe?
+      string
+    else
+      escape_html(string)
+    end
+  end
+
   def self.escape_html(string)
     @escaper.escape_html(string)
   end

data/lib/emoji/version.rb

@@ -1,3 +1,3 @@
 module Emoji
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

data/test/emoji_test.rb

@@ -46,13 +46,13 @@ describe Emoji do
 
     it 'should escape html in non html_safe aware strings' do
       replaced_string = Emoji.replace_unicode_moji_with_images('❤<script>')
-      assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+      assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
     end
 
     it 'should replace unicode moji with img tag' do
       base_string = "I ❤ Emoji"
       replaced_string = Emoji.replace_unicode_moji_with_images(base_string)
-      assert_equal "I <img class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
+      assert_equal "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
     end
 
     it 'should handle nil string' do
@@ -60,14 +60,24 @@ describe Emoji do
     end
 
     describe 'with html_safe buffer' do
-      it 'should escape non html_safe? strings' do
+      it 'should escape non html_safe? strings in emoji' do
         string = HtmlSafeString.new('❤<script>')
 
         replaced_string = string.stub(:html_safe?, false) do
           Emoji.replace_unicode_moji_with_images(string)
         end
 
-        assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+        assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\">&lt;script&gt;", replaced_string
+      end
+
+      it 'should escape non html_safe? strings in all strings' do
+        string = HtmlSafeString.new('XSS<script>')
+
+        replaced_string = string.stub(:html_safe?, false) do
+          Emoji.replace_unicode_moji_with_images(string)
+        end
+
+        assert_equal "XSS&lt;script&gt;", replaced_string
       end
 
       it 'should not escape html_safe strings' do
@@ -77,10 +87,10 @@ describe Emoji do
           Emoji.replace_unicode_moji_with_images(string)
         end
         
-        assert_equal "<img class=\"emoji\" src=\"http://localhost:3000/heart.png\"><a href=\"harmless\">", replaced_string
+        assert_equal "<img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"><a href=\"harmless\">", replaced_string
       end
 
-      it 'should always return an html_safe string' do
+      it 'should always return an html_safe string for emoji' do
         string = HtmlSafeString.new('❤')
         replaced_string = string.stub(:html_safe, 'safe_buffer') do
            Emoji.replace_unicode_moji_with_images(string)
@@ -88,6 +98,15 @@ describe Emoji do
 
         assert_equal "safe_buffer", replaced_string
       end
+
+      it 'should always return an html_safe string for any string' do
+        string = HtmlSafeString.new('Content')
+        replaced_string = string.stub(:html_safe, 'safe_buffer') do
+           Emoji.replace_unicode_moji_with_images(string)
+        end
+
+        assert_equal "Content", replaced_string
+      end
     end
   end
 
@@ -108,4 +127,4 @@ describe Emoji do
     end
   end
 
-end
+end

data/test/string_ext_test.rb

@@ -7,7 +7,7 @@ describe String, 'with Emoji extensions' do
     it 'should replace unicode moji with an img tag' do
       base_string = "I ❤ Emoji"
       replaced_string = base_string.with_emoji_images
-      assert_equal "I <img class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
+      assert_equal "I <img alt=\"❤\" class=\"emoji\" src=\"http://localhost:3000/heart.png\"> Emoji", replaced_string
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: emoji
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Steve Klabnik
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-10 00:00:00.000000000 Z
+date: 2014-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -618,7 +618,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.0.3
 signing_key: 
 specification_version: 4
 summary: 'A Ruby gem. For emoji. For everyone. :heart:'
@@ -627,4 +627,3 @@ test_files:
 - test/index_test.rb
 - test/string_ext_test.rb
 - test/test_helper.rb
-has_rdoc: