loofah 0.4.2 → 0.4.3

data/CHANGELOG.rdoc

@@ -1,5 +1,18 @@
 = Changelog
 
+== 0.4.3 (2010-01-29)
+
+Enhancements:
+
+  * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
+  * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
+
+Miscellaneous:
+
+  * Modified documentation for bootstrapping XssFoliate in a Rails
+    app, since the use of Bundler breaks the previously-documented
+    method. To be safe, always use an initializer file.
+
 == 0.4.2 (2010-01-22)
 
 Enhancements:

data/README.rdoc

@@ -1,8 +1,8 @@
 = Loofah
 
+* http://github.com/flavorjones/loofah
 * http://loofah.rubyforge.org
 * http://rubyforge.org/projects/loofah
-* http://github.com/flavorjones/loofah
 
 == Description
 
@@ -79,19 +79,19 @@ root node, you don't have a *document*, you have a *fragment*. For
 HTML, another rule of thumb is that *documents* have \<html\>
 and \<body\> tags, and *fragments* usually do not.
 
-HTML fragments should be parsed with Loofah.fragment. Loofah won't
-wrap the result in +html+ and +body+ tags, won't add a DOCTYPE
-declaration, and will ignore +head+ elements.
+HTML fragments should be parsed with Loofah.fragment. The result won't
+be wrapped in +html+ or +body+ tags, won't have a DOCTYPE declaration,
++head+ elements will be silently ignored, and multiple root nodes are
+allowed.
 
-XML fragments should be parsed with Loofah.xml_fragment. Loofah won't
-add a DOCTYPE declaration and will allow multiple root nodes.
+XML fragments should be parsed with Loofah.xml_fragment. The result
+won't have a DOCTYPE declaration, and multiple root nodes are allowed.
 
-HTML documents should be parsed with Loofah.document, which will add
-the DOCTYPE declaration, and properly handle +head+ and +body+
-elements.
+HTML documents should be parsed with Loofah.document. The result will
+have a DOCTYPE declaration, along with +html+, +head+ and +body+ tags.
 
-XML documents should be parsed with Loofah.xml_document. Loofah will
-make sure there's a DOCTYPE declaration and a single root node.
+XML documents should be parsed with Loofah.xml_document. The result
+will have a DOCTYPE declaration and a single root node.
 
 === Loofah::HTML::Document and Loofah::HTML::DocumentFragment
 
@@ -286,8 +286,8 @@ And the IRC channel is \#loofah on freenode.
 
 == Authors
 
-* {Mike Dalessio}[mailto:mike.dalessio@gmail.com] (@flavorjones)
-* {Bryan Helmkamp}[mailto:bryan@brynary.com]
+* {Mike Dalessio}[http://mike.daless.io] (@flavorjones[http://twitter.com/flavorjones])
+* Bryan Helmkamp
 
 Featuring code contributed by:
 
@@ -300,6 +300,12 @@ Featuring code contributed by:
 
 And a big shout-out to Corey Innis for the name, and feedback on the API.
 
+== Thank You
+
+The following people have generously donated via the Pledgie[http://pledgie.com] badge on the {Loofah github page}[http://github.com/flavorjones/loofah]:
+
+* Bill Harding
+
 == Historical Note
 
 This library was formerly known as Dryopteris, which was a very bad

data/lib/loofah.rb

@@ -26,7 +26,7 @@ require 'loofah/helpers'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '0.4.2'
+  VERSION = '0.4.3'
 
   # The minimum required version of Nokogiri
   REQUIRED_NOKOGIRI_VERSION = '1.3.3'

data/lib/loofah/active_record.rb

@@ -2,10 +2,8 @@ module Loofah
   #
   # Loofah can scrub ActiveRecord attributes in a before_validation callback:
   #
-  #   # in environment.rb
-  #   Rails::Initializer.run do |config|
-  #     config.gem 'loofah'
-  #   end
+  #   # config/initializers/loofah.rb
+  #   require 'loofah'
   #
   #   # db/schema.rb
   #   create_table "posts" do |t|

data/lib/loofah/scrubbers.rb

@@ -60,7 +60,6 @@ module Loofah
   #
   #
   module Scrubbers
-
     #
     #  === scrub!(:strip)
     #
@@ -195,5 +194,12 @@ module Loofah
       :strip => Strip,
       :nofollow => NoFollow
     }
+
+    #
+    #  Returns an array of symbols representing the built-in scrubbers
+    #
+    def self.scrubber_symbols
+      MAP.keys
+    end
   end
 end

data/lib/loofah/xss_foliate.rb

@@ -12,11 +12,9 @@ module Loofah
   #
   #  If you'd like to scrub all fields in all your models (and perhaps *opt-out* in specific models):
   #
-  #    # config/environment
-  #    LOOFAH_XSS_FOLIATE_ALL_MODELS = true
-  #    Rails::Initializer.run do |config|
-  #      config.gem "loofah"
-  #    end
+  #    # config/initializers/loofah.rb
+  #    require 'loofah'
+  #    Loofah::XssFoliate.xss_foliate_all_models
   #
   #    # db/schema.rb
   #    create_table "posts" do |t|
@@ -58,11 +56,9 @@ module Loofah
   #
   #  Alternatively, if you would like to *opt-in* to the models and attributes that are sanitized:
   #
-  #    # config/environment.rb
-  #    LOOFAH_XSS_FOLIATE_ALL_MODELS = false # default, this line could be omitted
-  #    Rails::Initializer.run do |config|
-  #      config.gem "loofah"
-  #    end
+  #    # config/initializers/loofah.rb
+  #    require 'loofah'
+  #    ## note omission of call to Loofah::XssFoliate.xss_foliate_all_models
   #
   #    # db/schema.rb
   #    create_table "posts" do |t|
@@ -87,7 +83,7 @@ module Loofah
     #
     module ClassMethods
       # :stopdoc:
-      VALID_OPTIONS = [:except, :strip, :escape, :prune, :text, :html5lib_sanitize, :sanitize]
+      VALID_OPTIONS = [:except, :html5lib_sanitize, :sanitize] + Loofah::Scrubbers.scrubber_symbols
       ALIASED_OPTIONS = {:html5lib_sanitize => :escape, :sanitize => :strip}
       REAL_OPTIONS = VALID_OPTIONS - ALIASED_OPTIONS.keys
       # :startdoc:
@@ -165,7 +161,6 @@ module Loofah
     end
 
     module InstanceMethods
-
       def xss_foliate_fields # :nodoc:
         # fix a bug with Rails internal AR::Base models that get loaded before
         # the plugin, like CGI::Sessions::ActiveRecordStore::Session
@@ -179,34 +174,38 @@ module Loofah
 
           next if value.nil? || !value.is_a?(String)
 
-          if xss_foliate_options[:except].include?(field)
-            next
+          next if xss_foliate_options[:except].include?(field)
 
-          elsif xss_foliate_options[:strip].include?(field)
-            fragment = Loofah.scrub_fragment(value, :strip)
-            self[field] = fragment.nil? ? "" : fragment.to_s
+          next if xss_foliated_with_standard_scrubber(field)
 
-          elsif xss_foliate_options[:prune].include?(field)
-            fragment = Loofah.scrub_fragment(value, :prune)
-            self[field] = fragment.nil? ? "" : fragment.to_s
+          # :text if we're here
+          fragment = Loofah.scrub_fragment(value, :strip)
+          self[field] = fragment.nil? ? "" : fragment.text
+        end
+      end
 
-          elsif xss_foliate_options[:escape].include?(field)
-            fragment = Loofah.scrub_fragment(value, :escape)
-            self[field] = fragment.nil? ? "" : fragment.to_s
+      private
 
-          else # :text
-            fragment = Loofah.scrub_fragment(value, :strip)
-            self[field] = fragment.nil? ? "" : fragment.text
+      def xss_foliated_with_standard_scrubber(field)
+        Loofah::Scrubbers.scrubber_symbols.each do |method|
+          if xss_foliate_options[method].include?(field)
+            fragment = Loofah.scrub_fragment(self[field], method)
+            self[field] = fragment.nil? ? "" : fragment.to_s
+            return true
           end
         end
-
+        false
       end
     end
+
+    def self.xss_foliate_all_models
+      ActiveRecord::Base.xss_foliate
+    end
   end
 end
 
 ActiveRecord::Base.extend(Loofah::XssFoliate::ClassMethods)
 
 if defined?(LOOFAH_XSS_FOLIATE_ALL_MODELS) && LOOFAH_XSS_FOLIATE_ALL_MODELS
-  ActiveRecord::Base.xss_foliate
+  Loofah::XssFoliate.xss_foliate_all_models
 end

data/test/test_xss_foliate.rb

@@ -125,7 +125,7 @@ class TestXssFoliate < Test::Unit::TestCase
         end
       end
 
-      [:strip, :escape, :prune].each do |method|
+      Loofah::Scrubbers.scrubber_symbols.each do |method|
         context "declaring one field to be scrubbed with #{method}" do
           setup do
             Post.xss_foliate method => [:plain_text]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: loofah
 version: !ruby/object:Gem::Version 
-  version: 0.4.2
+  version: 0.4.3
 platform: ruby
 authors: 
 - Mike Dalessio
@@ -31,7 +31,7 @@ cert_chain:
   FlqnTjy13J3nD30uxy9a1g==
   -----END CERTIFICATE-----
 
-date: 2010-01-23 00:00:00 -05:00
+date: 2010-01-31 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -143,7 +143,7 @@ files:
 - test/test_scrubbers.rb
 - test/test_xss_foliate.rb
 has_rdoc: true
-homepage: http://loofah.rubyforge.org
+homepage: http://github.com/flavorjones/loofah
 licenses: []
 
 post_install_message: 

metadata.gz.sig

@@ -1,2 +1,2 @@
-L���l�~��j��{V��}��!L���$-�5�չ�(>��am��|:{0 ֑��ߌ���OKid�$�Jq|%���ƽ�k
-X]��,���<�)���)T��q��Z����u�
Haã�ju=��te�d���?":���m�d�#���ܷS]��,�`_o�I�
+7S���V"�<jw�'���\�y�qpҩ�@*��]�<��@�F+������B�o��0�L��,��Ud����!A!�K;�oœ�A.
e��lm.��x
d�l��^i,:$�_�Om��J�
+ا4�`����o���G
ȇ�����5�3Q�h�Aњ���@�Z3����}��> �R7ñp�p���