loofah 0.4.3 → 0.4.4

data/CHANGELOG.rdoc

@@ -1,5 +1,11 @@
 = Changelog
 
+== 0.4.4 (2010-02-01)
+
+Bug fixes:
+
+  * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
+
 == 0.4.3 (2010-01-29)
 
 Enhancements:

data/lib/loofah.rb

@@ -26,7 +26,7 @@ require 'loofah/helpers'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '0.4.3'
+  VERSION = '0.4.4'
 
   # The minimum required version of Nokogiri
   REQUIRED_NOKOGIRI_VERSION = '1.3.3'

data/lib/loofah/xss_foliate.rb

@@ -180,7 +180,7 @@ module Loofah
 
           # :text if we're here
           fragment = Loofah.scrub_fragment(value, :strip)
-          self[field] = fragment.nil? ? "" : fragment.text
+          self[field] = fragment.nil? ? "" : fragment.to_s
         end
       end
 

data/test/test_ad_hoc.rb

@@ -251,7 +251,7 @@ mso-bidi-language:#0400;}
       What's up <strong>doc</strong>?
     HTML
     stripped = Loofah.scrub_document(html, :prune).text
-    assert_equal "What's up doc?".strip, stripped.strip
+    assert_equal %Q(What\'s up doc?).strip, stripped.strip
   end
 
   def test_dont_remove_whitespace
@@ -268,5 +268,4 @@ mso-bidi-language:#0400;}
     html = "<p>this is &lt; that &quot;&amp;&quot; the other &gt; boo&apos;ya</p>"
     assert_equal 'this is < that "&" the other > boo\'ya', Loofah.scrub_document(html, :prune).text
   end
-
 end

data/test/test_xss_foliate.rb

@@ -56,7 +56,7 @@ class TestXssFoliate < Test::Unit::TestCase
       end
 
       context "when passed a symbol" do
-        should "do the right thing" do
+        should "calls the right scrubber" do
           assert_nothing_raised(ArgumentError) { Post.xss_foliate :prune => :plain_text }
           Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
           Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :prune).once
@@ -65,7 +65,7 @@ class TestXssFoliate < Test::Unit::TestCase
       end
 
       context "when passed an array of symbols" do
-        should "do the right thing" do
+        should "calls the right scrubbers" do
           assert_nothing_raised(ArgumentError) {
             Post.xss_foliate :prune => [:plain_text, :html_string]
           }
@@ -76,7 +76,7 @@ class TestXssFoliate < Test::Unit::TestCase
       end
 
       context "when passed a string" do
-        should "do the right thing" do
+        should "calls the right scrubber" do
           assert_nothing_raised(ArgumentError) { Post.xss_foliate :prune => 'plain_text' }
           Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
           Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :prune).once
@@ -85,7 +85,7 @@ class TestXssFoliate < Test::Unit::TestCase
       end
 
       context "when passed an array of strings" do
-        should "do the right thing" do
+        should "calls the right scrubbers" do
           assert_nothing_raised(ArgumentError) {
             Post.xss_foliate :prune => ['plain_text', 'html_string']
           }
@@ -107,7 +107,7 @@ class TestXssFoliate < Test::Unit::TestCase
           Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once.returns(mock_doc)
           Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :strip).once.returns(mock_doc)
           Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
-          mock_doc.expects(:text).twice
+          mock_doc.expects(:to_s).twice
           assert new_post.valid?
         end
       end
@@ -118,9 +118,11 @@ class TestXssFoliate < Test::Unit::TestCase
         end
 
         should "not scrub omitted field" do
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
+          mock_doc = mock
+          Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once.returns(mock_doc)
           Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :strip).never
           Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
+          mock_doc.expects(:to_s).once
           assert new_post.valid?
         end
       end
@@ -132,9 +134,11 @@ class TestXssFoliate < Test::Unit::TestCase
           end
 
           should "not that field appropriately" do
-            Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
-            Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, method).once
+            mock_doc = mock
+            Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once.returns(mock_doc)
+            Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, method).once.returns(mock_doc)
             Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
+            mock_doc.expects(:to_s).twice
             assert new_post.valid?
           end
         end
@@ -167,5 +171,18 @@ class TestXssFoliate < Test::Unit::TestCase
       end
     end
 
+    context "given an XSS attempt" do
+      setup do
+        Post.xss_foliate :strip => :html_string
+      end
+
+      should "escape html entities" do
+        hackattack = "&lt;script&gt;alert('evil')&lt;/script&gt;"
+        post = new_post :html_string => hackattack, :plain_text => hackattack
+        post.valid?
+        assert_equal "&lt;script&gt;alert('evil')&lt;/script&gt;", post.html_string
+        assert_equal "&lt;script&gt;alert('evil')&lt;/script&gt;", post.plain_text
+      end
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: loofah
 version: !ruby/object:Gem::Version 
-  version: 0.4.3
+  version: 0.4.4
 platform: ruby
 authors: 
 - Mike Dalessio
@@ -31,7 +31,7 @@ cert_chain:
   FlqnTjy13J3nD30uxy9a1g==
   -----END CERTIFICATE-----
 
-date: 2010-01-31 00:00:00 -05:00
+date: 2010-02-01 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 

metadata.gz.sig

@@ -1,2 +1 @@
-7S���V"�<jw�'���\�y�qpҩ�@*��]�<��@�F+������B�o��0�L��,��Ud����!A!�K;�oœ�A.
e��lm.��x
d�l��^i,:$�_�Om��J�
-ا4�`����o���G
ȇ�����5�3Q�h�Aњ���@�Z3����}��> �R7ñp�p���
+cُ�c,�t���T߈Z�DYF��f(��m�:i]K�j�ܓ���E3ƫ��q��;~~�Ƌm�>q�>.���Ɨ�8�=�%H�N,�!�3kR��c��A�>M�u�?���� ���.���ǣld!��
�1
$�\����	ͺY��g�