loofah 0.4.7 → 1.0.0.beta.1

data/CHANGELOG.rdoc

@@ -1,5 +1,12 @@
 = Changelog
 
+== 1.0.0.beta.1 (UNRELEASED)
+
+Notes:
+
+* Moved ActiveRecord functionality into `loofah-activerecord` gem.
+* Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
+
 == 0.4.7 (2010-03-09)
 
 Enhancements:

data/MIT-LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License
 
-Copyright (c) 2009 Mike Dalessio, Bryan Helmkamp
+Copyright (c) 2009, 2010 by Mike Dalessio, Bryan Helmkamp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/Manifest.txt

@@ -1,17 +1,13 @@
 CHANGELOG.rdoc
-DEPRECATED.rdoc
 MIT-LICENSE.txt
 Manifest.txt
 README.rdoc
 Rakefile
-TODO.rdoc
 benchmark/benchmark.rb
 benchmark/fragment.html
 benchmark/helper.rb
 benchmark/www.slashdot.com.html
-init.rb
 lib/loofah.rb
-lib/loofah/active_record.rb
 lib/loofah/elements.rb
 lib/loofah/helpers.rb
 lib/loofah/html/document.rb
@@ -24,7 +20,6 @@ lib/loofah/scrubber.rb
 lib/loofah/scrubbers.rb
 lib/loofah/xml/document.rb
 lib/loofah/xml/document_fragment.rb
-lib/loofah/xss_foliate.rb
 test/helper.rb
 test/html5/test_sanitizer.rb
 test/integration/test_ad_hoc.rb
@@ -32,9 +27,7 @@ test/integration/test_helpers.rb
 test/integration/test_html.rb
 test/integration/test_scrubbers.rb
 test/integration/test_xml.rb
-test/unit/test_active_record.rb
 test/unit/test_api.rb
 test/unit/test_helpers.rb
 test/unit/test_scrubber.rb
 test/unit/test_scrubbers.rb
-test/unit/test_xss_foliate.rb

data/README.rdoc

@@ -6,15 +6,19 @@
 
 == Description
 
-Loofah is a general library for manipulating HTML/XML documents and
-fragments. It's built on top of Nokogiri and libxml2, so it's fast and
-has a nice API.
+Loofah is a general library for manipulating and transforming HTML/XML
+documents and fragments. It's built on top of Nokogiri and libxml2, so
+it's fast and has a nice API.
 
 Loofah excels at HTML sanitization (XSS prevention). It includes some
 nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
 most likely won't make your codes less secure. (These statements have
 not been evaluated by Netexperts.)
 
+ActiveRecord extensions for sanitization are available in the
+`loofah-activerecord` gem (see
+http://github.com/flavorjones/loofah-activerecord).
+
 == Features
 
 * Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists).
@@ -25,11 +29,8 @@ not been evaluated by Netexperts.)
   * _Whitewash_ the markup, removing all attributes and namespaced nodes.
 * Common HTML transformation tasks are built-in:
   * Add the _nofollow_ attribute to all hyperlinks.
-* Format markup as plain text.
-* Replace Rails's +strip_tags+ and +sanitize+ helper methods.
-* Two ActiveRecord extensions:
-  * Loofah::XssFoliate, an XssTerminate[http://github.com/look/xss_terminate/tree/master] drop-in replacement, is an *opt-out* sanitizer. By default all models and attributes are sanitized.
-  * Loofah::ActiveRecordExtension is an *opt-in* sanitizer. You must explicitly declare attributes to be sanitized.
+* Format markup as plain text, with or without sensible whitespace handling around block elements.
+* Replace Rails's +strip_tags+ and +sanitize+ view helper methods.
 
 == Compare and Contrast
 
@@ -37,7 +38,7 @@ Loofah is one of two known Ruby XSS/sanitization solutions that
 guarantees well-formed and valid markup (the other is Sanitize, which
 also uses Nokogiri).
 
-Loofah works fine on XML, XHTML and HTML documents.
+Loofah works on XML, XHTML and HTML documents.
 
 Also, it's pretty fast. Here is a benchmark comparing Loofah to other
 commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
@@ -226,45 +227,15 @@ are the same thing as (and arguably semantically clearer than):
   Loofah.xml_fragment(bad_xml).scrub!(custom_scrubber)
   Loofah.xml_document(bad_xml).scrub!(custom_scrubber)
 
-=== ActiveRecord Extension \#1: Opt-In
-
-See Loofah::ActiveRecordExtension for full documentation. The methods
-mixed into ActiveRecord are:
-
-* Loofah::ActiveRecordExtension.html_document
-* Loofah::ActiveRecordExtension.html_fragment
-
-which are used to declare how specific string and text attributes
-should be scrubbed at +before_validation+.
-
-  # app/model/post.rb
-  class Post < ActiveRecord::Base
-    html_fragment :body, :scrub => :prune  # scrubs 'body' at before_validation
-  end
-
-=== ActiveRecord Extension \#2: Opt-Out
-
-See Loofah::XssFoliate::ClassMethods for more documentation. The methods mixed into ActiveRecord are:
-
-* Loofah::XssFoliate::ClassMethods.xss_foliate
-* Loofah::XssFoliate::ClassMethods.xss_foliated?
-
-which are used to declare how specific string and text attributes
-should be scrubbed at +before_validation+.
-
-Attributes are stripped by default, unless another scrubber is
-specified or the attribute is present in an +:except+ clause.
-
 === View Helpers
 
 Loofah has two "view helpers": Loofah::Helpers.sanitize and
 Loofah::Helpers.strip_tags, both of which are drop-in replacements for
-the ActionView helpers of the same name.
+the Rails ActionView helpers of the same name.
 
 == Requirements
 
 * Nokogiri >= 1.3.3
-* Rails 2.3, 2.2, 2.1, 2.0 or 1.2 (if you're using the ActiveRecord extensions)
 
 == Installation
 
@@ -289,7 +260,6 @@ And the IRC channel is \#loofah on freenode.
 * Nokogiri: http://nokogiri.org
 * libxml2: http://xmlsoft.org
 * html5lib: http://code.google.com/p/html5lib
-* XssTerminate: http://github.com/look/xss_terminate/tree/master
 
 == Authors
 
@@ -302,7 +272,6 @@ Featuring code contributed by:
 * John Barnette
 * Josh Owens
 * Paul Dix
-* Josh Nichols
 * Luke Melia
 
 And a big shout-out to Corey Innis for the name, and feedback on the API.
@@ -322,7 +291,7 @@ name that nobody could spell properly.
 
 The MIT License
 
-Copyright (c) 2009 Mike Dalessio, Bryan Helmkamp
+Copyright (c) 2009, 2010 by Mike Dalessio, Bryan Helmkamp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/Rakefile

@@ -3,6 +3,7 @@ gem 'hoe', '>= 2.3.0'
 require 'hoe'
 
 Hoe.plugin :git
+Hoe.plugin :bundler
 
 Hoe.spec "loofah" do
   developer "Mike Dalessio", "mike.dalessio@gmail.com"
@@ -12,23 +13,14 @@ Hoe.spec "loofah" do
   self.history_file     = "CHANGELOG.rdoc"
   self.readme_file      = "README.rdoc"
 
-  extra_deps << ["nokogiri", ">= 1.3.3"]
+  extra_deps     << ["nokogiri", ">=1.3.3"]
   extra_dev_deps << ["mocha", ">=0.9"]
-  extra_dev_deps << ["thoughtbot-shoulda", ">=2.10"]
-  extra_dev_deps << ["acts_as_fu", ">=0.0.5"]
-
-  # note: .hoerc should have the following line to omit rails tests and tmp
-  #   exclude: !ruby/regexp /\/tmp\/|\/rails_tests\/|CVS|TAGS|\.(svn|git|DS_Store)/
+  extra_dev_deps << ["shoulda", ">=2.10"]
+  extra_dev_deps << ["rake", ">=0.8"]
 end
 
-if File.exist?("rails_test/Rakefile")
-  load "rails_test/Rakefile"
-else
-  task :test do
-    puts "----------"
-    puts "-- NOTE: An additional Rails regression test suite is available in source repository"
-    puts "----------"
-  end
+task :gemspec do
+  system %q(rake debug_gem | grep -v "^\(in " > loofah.gemspec)
 end
 
 task :redocs => :fix_css

data/lib/loofah.rb

@@ -29,7 +29,7 @@ require 'loofah/helpers'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '0.4.7'
+  VERSION = '1.0.0.beta.1'
 
   # The minimum required version of Nokogiri
   REQUIRED_NOKOGIRI_VERSION = '1.3.3'
@@ -85,13 +85,3 @@ end
 if Nokogiri::VERSION < Loofah::REQUIRED_NOKOGIRI_VERSION
   raise RuntimeError, "Loofah requires Nokogiri #{Loofah::REQUIRED_NOKOGIRI_VERSION} or later (currently #{Nokogiri::VERSION})"
 end
-
-if defined? Rails.configuration and Rails.configuration.frameworks.include?([:active_record]) # rails 2.1 and later
-  Rails.configuration.after_initialize do
-    require 'loofah/active_record'
-    require 'loofah/xss_foliate'
-  end
-elsif defined? ActiveRecord::Base # rails 2.0
-  require 'loofah/active_record'
-  require 'loofah/xss_foliate'
-end

data/test/helper.rb

@@ -2,7 +2,6 @@ require 'rubygems'
 require 'test/unit'
 require 'shoulda'
 require 'mocha'
-require 'acts_as_fu'
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah"))
 
 puts "=> testing with Nokogiri #{Nokogiri::VERSION_INFO.inspect}"

data/test/integration/test_scrubbers.rb

@@ -7,7 +7,7 @@ class TestScrubbers < Test::Unit::TestCase
   INVALID_PRUNED   = "<div>quux</div>"
   INVALID_STRIPPED = "foo<p>bar</p>bazz<div>quux</div>"
 
-  WHITEWASH_FRAGMENT = "<o:div>no</o:div><div id='no'>foo</div><invalid>bar</invalid>"
+  WHITEWASH_FRAGMENT = "<o:div>no</o:div><div id='no'>foo</div><invalid>bar</invalid><!--[if gts mso9]><div>microsofty stuff</div><![endif]-->"
   WHITEWASH_RESULT   = "<div>foo</div>"
 
   NOFOLLOW_FRAGMENT = '<a href="http://www.example.com/">Click here</a>'

metadata

@@ -1,51 +1,35 @@
 --- !ruby/object:Gem::Specification 
 name: loofah
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 62196353
+  prerelease: true
   segments: 
+  - 1
+  - 0
   - 0
-  - 4
-  - 7
-  version: 0.4.7
+  - beta
+  - 1
+  version: 1.0.0.beta.1
 platform: ruby
 authors: 
 - Mike Dalessio
 - Bryan Helmkamp
 autorequire: 
 bindir: bin
-cert_chain: 
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDPDCCAiSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBEMRYwFAYDVQQDDA1taWtl
-  LmRhbGVzc2lvMRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJk/IsZAEZ
-  FgNjb20wHhcNMDkwODExMDU0MjQ5WhcNMTAwODExMDU0MjQ5WjBEMRYwFAYDVQQD
-  DA1taWtlLmRhbGVzc2lvMRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJ
-  k/IsZAEZFgNjb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDANjr7
-  lZ1DKtK8YvNp+5kBzIpwrpClHRrosqo01qmWfGBxZckQUtrJUwGPxpzvIHVq1VKp
-  a9FXU/QWYek/1S0vhkOf9XGmFBnVCtbJhwGeyzsQFFSoQIfs2hd5gO0dSRpuKdi3
-  slfJAXzFKg1u/7OCVPgrY/mkdh34MzL5p0gSDzPt7vLPibctHg0GoepYT5Fh1tMQ
-  luzgrN0weTw/QoEWTMQcNk6CyUpzv0pOe7d0qEPQ9Lx7Lz64gIym3f0pKFpWLfME
-  l7PFLeR95zw2zsuZQwCR5ma5zjXD3mo2jk1mVqiI8qplOL1u30FU7hRhTV5n/Qe9
-  elDQoZW9Xz0R5JGDAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0G
-  A1UdDgQWBBRXWlUJZXcR1jkZPE24+mjUTCqNxjANBgkqhkiG9w0BAQUFAAOCAQEA
-  jDh5M41sg1MZKG1DXzQmo/IADeWRmXyb3EZaED9lhFFpoQqaralgpgmvuc0GswvO
-  QIZijh03tPQz8lgp1U1OFZod2ZwbEVTtVZpxs1ssjMraOA6KzlsNROH0XonIiy6j
-  r2Q0UF35ax8pvr3D5Y6AKzIW1F3aeiREylUDJlb/i1dPQ2PVK0yRrSQoK2epwM9E
-  zoczlHTTJc/tRvH5Up3Agcv9y+J0U9a1Af9NRsnHPVBdo2H32MsJ99x5NRDWJmJg
-  ohH37UR7njcc6j4fo22IwTqXaaXJdtVdAWjXP/xs5B3cPYSP6uqFnR46Jf86Iqj1
-  FlqnTjy13J3nD30uxy9a1g==
-  -----END CERTIFICATE-----
+cert_chain: []
 
-date: 2010-03-09 00:00:00 -05:00
+date: 2010-07-21 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: nokogiri
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 29
         segments: 
         - 1
         - 3
@@ -57,93 +41,92 @@ dependencies:
   name: rubyforge
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 7
         segments: 
         - 2
         - 0
-        - 3
-        version: 2.0.3
+        - 4
+        version: 2.0.4
   type: :development
   version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: gemcutter
-  prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 3
-        - 0
-        version: 0.3.0
-  type: :development
-  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: mocha
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 25
         segments: 
         - 0
         - 9
         version: "0.9"
   type: :development
-  version_requirements: *id004
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
-  name: thoughtbot-shoulda
+  name: shoulda
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 23
         segments: 
         - 2
         - 10
         version: "2.10"
   type: :development
-  version_requirements: *id005
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
-  name: acts_as_fu
+  name: rake
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 27
         segments: 
         - 0
-        - 0
-        - 5
-        version: 0.0.5
+        - 8
+        version: "0.8"
   type: :development
-  version_requirements: *id006
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: hoe
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 21
         segments: 
         - 2
-        - 5
-        - 0
-        version: 2.5.0
+        - 6
+        - 1
+        version: 2.6.1
   type: :development
-  version_requirements: *id007
+  version_requirements: *id006
 description: |-
-  Loofah is a general library for manipulating HTML/XML documents and
-  fragments. It's built on top of Nokogiri and libxml2, so it's fast and
-  has a nice API.
+  Loofah is a general library for manipulating and transforming HTML/XML
+  documents and fragments. It's built on top of Nokogiri and libxml2, so
+  it's fast and has a nice API.
   
   Loofah excels at HTML sanitization (XSS prevention). It includes some
   nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
   most likely won't make your codes less secure. (These statements have
   not been evaluated by Netexperts.)
+  
+  ActiveRecord extensions for sanitization are available in the
+  `loofah-activerecord` gem (see
+  http://github.com/flavorjones/loofah-activerecord).
 email: 
 - mike.dalessio@gmail.com
 - bryan@brynary.com
@@ -154,25 +137,19 @@ extensions: []
 extra_rdoc_files: 
 - MIT-LICENSE.txt
 - Manifest.txt
-- TODO.rdoc
 - CHANGELOG.rdoc
-- DEPRECATED.rdoc
 - README.rdoc
 files: 
 - CHANGELOG.rdoc
-- DEPRECATED.rdoc
 - MIT-LICENSE.txt
 - Manifest.txt
 - README.rdoc
 - Rakefile
-- TODO.rdoc
 - benchmark/benchmark.rb
 - benchmark/fragment.html
 - benchmark/helper.rb
 - benchmark/www.slashdot.com.html
-- init.rb
 - lib/loofah.rb
-- lib/loofah/active_record.rb
 - lib/loofah/elements.rb
 - lib/loofah/helpers.rb
 - lib/loofah/html/document.rb
@@ -185,7 +162,6 @@ files:
 - lib/loofah/scrubbers.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
-- lib/loofah/xss_foliate.rb
 - test/helper.rb
 - test/html5/test_sanitizer.rb
 - test/integration/test_ad_hoc.rb
@@ -193,12 +169,10 @@ files:
 - test/integration/test_html.rb
 - test/integration/test_scrubbers.rb
 - test/integration/test_xml.rb
-- test/unit/test_active_record.rb
 - test/unit/test_api.rb
 - test/unit/test_helpers.rb
 - test/unit/test_scrubber.rb
 - test/unit/test_scrubbers.rb
-- test/unit/test_xss_foliate.rb
 has_rdoc: true
 homepage: http://github.com/flavorjones/loofah
 licenses: []
@@ -210,36 +184,40 @@ rdoc_options:
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version 
+      hash: 25
       segments: 
-      - 0
-      version: "0"
+      - 1
+      - 3
+      - 1
+      version: 1.3.1
 requirements: []
 
 rubyforge_project: loofah
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
-summary: Loofah is a general library for manipulating HTML/XML documents and fragments
+summary: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments
 test_files: 
+- test/integration/test_html.rb
+- test/integration/test_ad_hoc.rb
 - test/integration/test_helpers.rb
 - test/integration/test_scrubbers.rb
-- test/integration/test_ad_hoc.rb
 - test/integration/test_xml.rb
-- test/integration/test_html.rb
-- test/unit/test_xss_foliate.rb
-- test/unit/test_helpers.rb
+- test/html5/test_sanitizer.rb
 - test/unit/test_scrubber.rb
+- test/unit/test_helpers.rb
 - test/unit/test_scrubbers.rb
 - test/unit/test_api.rb
-- test/unit/test_active_record.rb
-- test/html5/test_sanitizer.rb

data.tar.gz.sig

@@ -1,4 +0,0 @@
-����'�e�#$G(�ޓ���z�_�%R#�
-ި�-�8
-��JS![e�&�޽�'u�`�2mR���[ȇ��Qi��v�iq_�п�����{�\e�XU�hb�`�����׭��|*�V���l�E��D_en"l������4��x�:P���&�({j��
��c87;
--%pcvy�c��kf��1#�S��мd�:���`����7��f�ޑ��Z��k.pAZ�СZY #~1< C!VU}�z�Z����

data/DEPRECATED.rdoc

@@ -1,12 +0,0 @@
-= Deprecations
-
-In Loofah 0.3.0, some methods have been deprecated. The following
-lists the equivalent calls with the post-0.2 API:
-
-* <tt>strip_tags(string_or_io)</tt> is now <tt>scrub_document(string_or_io, :prune).text</tt>
-* <tt>whitewash(string_or_io)</tt> is now <tt>scrub_fragment(string_or_io, :whitewash).to_s</tt>
-* <tt>whitewash_document(string_or_io)</tt> is now <tt>scrub_document(string_or_io, :whitewash).to_s</tt>
-* <tt>sanitize(string_or_io)</tt> is now <tt>scrub_fragment(string_or_io, :escape).to_xml</tt>
-* <tt>sanitize_document(string_or_io)</tt> is now <tt>scrub_document(string_or_io, :escape).to_xml</tt>
-
-Have a nice day.

data/TODO.rdoc

@@ -1,4 +0,0 @@
-= TODO
-
-* Allow a <tt>text</tt> option to insert nice newlines after headers and block elements.
-* <tt>to_markdown<tt>

data/init.rb

@@ -1 +0,0 @@
-require "loofah"

data/lib/loofah/active_record.rb

@@ -1,60 +0,0 @@
-module Loofah
-  #
-  # Loofah can scrub ActiveRecord attributes in a before_validation callback:
-  #
-  #   # config/initializers/loofah.rb
-  #   require 'loofah'
-  #
-  #   # db/schema.rb
-  #   create_table "posts" do |t|
-  #     t.string  "title"
-  #     t.string  "body"
-  #   end
-  #
-  #   # app/model/post.rb
-  #   class Post < ActiveRecord::Base
-  #     html_fragment :body, :scrub => :prune  # scrubs 'body' in a before_validation
-  #   end
-  #
-  module ActiveRecordExtension
-    #
-    #  :call-seq:
-    #    html_fragment(attribute, :scrub => scrubber_specification)
-    #
-    #  Scrub an ActiveRecord attribute +attribute+ as an HTML *fragment*
-    #  using the method specified by +scrubber_specification+.
-    #
-    #  +scrubber_specification+ must be an argument acceptable to Loofah::ScrubBehavior.scrub!, namely:
-    #
-    #  * a symbol for one of the built-in scrubbers (see Loofah::Scrubbers for a full list)
-    #  * or a Scrubber instance. (see Loofah::Scrubber for help on implementing a custom scrubber)
-    #
-    def html_fragment(attr, options={})
-      raise ArgumentError, "html_fragment requires :scrub option" unless method = options[:scrub]
-      before_validation do |record|
-        record[attr] = Loofah.scrub_fragment(record[attr], method).to_s
-      end
-    end
-
-    #
-    #  :call-seq:
-    #    model.html_document(attribute, :scrub => scrubber_specification)
-    #
-    #  Scrub an ActiveRecord attribute +attribute+ as an HTML *document*
-    #  using the method specified by +scrubber_specification+.
-    #
-    #  +scrubber_specification+ must be an argument acceptable to Loofah::ScrubBehavior.scrub!, namely:
-    #
-    #  * a symbol for one of the built-in scrubbers (see Loofah::Scrubbers for a full list)
-    #  * or a Scrubber instance.
-    #
-    def html_document(attr, options={})
-      raise ArgumentError, "html_document requires :scrub option" unless method = options[:scrub]
-      before_validation do |record|
-        record[attr] = Loofah.scrub_document(record[attr], method).to_s
-      end
-    end
-  end
-end
-
-ActiveRecord::Base.extend(Loofah::ActiveRecordExtension)

data/lib/loofah/xss_foliate.rb

@@ -1,211 +0,0 @@
-module Loofah
-  #
-  #  A replacement for
-  #  XssTerminate[http://github.com/look/xss_terminate/tree/master],
-  #  XssFoliate will strip all tags from your ActiveRecord models'
-  #  string and text attributes.
-  #
-  #  Please read the Loofah documentation for an explanation of the
-  #  different scrubbing methods, and
-  #  Loofah::XssFoliate::ClassMethods for more information on the
-  #  methods.
-  #
-  #  If you'd like to scrub all fields in all your models (and perhaps *opt-out* in specific models):
-  #
-  #    # config/initializers/loofah.rb
-  #    require 'loofah'
-  #    Loofah::XssFoliate.xss_foliate_all_models
-  #
-  #    # db/schema.rb
-  #    create_table "posts" do |t|
-  #      t.string  "title"
-  #      t.text    "body"
-  #      t.string  "author"
-  #    end
-  #
-  #    # app/model/post.rb
-  #    class Post < ActiveRecord::Base
-  #      #  by default, title, body and author will all be scrubbed down to their inner text
-  #    end
-  #
-  #  OR
-  #
-  #    # app/model/post.rb
-  #    class Post < ActiveRecord::Base
-  #      xss_foliate :except => :author  # opt-out of sanitizing author
-  #    end
-  #
-  #  OR
-  #
-  #      xss_foliate :strip => [:title, body]  # strip unsafe tags from both title and body
-  #
-  #  OR
-  #
-  #      xss_foliate :except => :title         # scrub body and author but not title
-  #
-  #  OR
-  #
-  #      # remove all tags from title, remove unsafe tags from body
-  #      xss_foliate :sanitize => :title, :scrub => :body
-  #
-  #  OR
-  #
-  #      # old xss_terminate code will work if you s/_terminate/_foliate/
-  #      # was: xss_terminate :except => [:title], :sanitize => [:body]
-  #      xss_foliate :except => [:title], :sanitize => [:body]
-  #
-  #  Alternatively, if you would like to *opt-in* to the models and attributes that are sanitized:
-  #
-  #    # config/initializers/loofah.rb
-  #    require 'loofah'
-  #    ## note omission of call to Loofah::XssFoliate.xss_foliate_all_models
-  #
-  #    # db/schema.rb
-  #    create_table "posts" do |t|
-  #      t.string  "title"
-  #      t.text    "body"
-  #      t.string  "author"
-  #    end
-  #
-  #    # app/model/post.rb
-  #    class Post < ActiveRecord::Base
-  #      xss_foliate  # scrub title, body and author down to their inner text
-  #    end
-  #
-  module XssFoliate
-    #
-    #  A replacement for
-    #  XssTerminate[http://github.com/look/xss_terminate/tree/master],
-    #  XssFoliate will strip all tags from your ActiveRecord models'
-    #  string and text attributes.
-    #
-    #  See Loofah::XssFoliate for more example usage.
-    #
-    module ClassMethods
-      # :stopdoc:
-      VALID_OPTIONS = [:except, :html5lib_sanitize, :sanitize] + Loofah::Scrubbers.scrubber_symbols
-      ALIASED_OPTIONS = {:html5lib_sanitize => :escape, :sanitize => :strip}
-      REAL_OPTIONS = VALID_OPTIONS - ALIASED_OPTIONS.keys
-      # :startdoc:
-
-      #
-      #  Annotate your model with this method to specify which fields
-      #  you want scrubbed, and how you want them scrubbed. XssFoliate
-      #  assumes all character fields are HTML fragments (as opposed to
-      #  full documents, see the Loofah[http://loofah.rubyforge.org/]
-      #  documentation for a full explanation of the difference).
-      #
-      #  Example call:
-      #
-      #   xss_foliate :except => :author, :strip => :body, :prune => [:title, :description]
-      #
-      #  *Note* that the values in the options hash can be either an
-      #  array of attributes or a single attribute.
-      #
-      #  Options:
-      #
-      #   :except => [fields] # don't scrub these fields
-      #   :strip  => [fields] # strip unsafe tags from these fields
-      #   :escape => [fields] # escape unsafe tags from these fields
-      #   :prune  => [fields] # prune unsafe tags and subtrees from these fields
-      #   :text   => [fields] # remove everything except the inner text from these fields
-      #
-      #  XssTerminate compatibility options (note that the default
-      #  behavior in XssTerminate corresponds to :text)
-      #
-      #   :html5lib_sanitize => [fields] # same as :escape
-      #   :sanitize          => [fields] # same as :strip
-      #
-      #  The default is :text for all fields unless otherwise specified.
-      #
-      def xss_foliate(options = {})
-        callback_already_declared = \
-        if respond_to?(:before_validation_callback_chain)
-          # Rails 2.1 and later
-          before_validation_callback_chain.any? {|cb| cb.method == :xss_foliate_fields}
-        else
-          # Rails 2.0
-          cbs = read_inheritable_attribute(:before_validation)
-          (! cbs.nil?) && cbs.any? {|cb| cb == :xss_foliate_fields}
-        end
-
-        unless callback_already_declared
-          before_validation        :xss_foliate_fields
-          class_inheritable_reader :xss_foliate_options
-          include XssFoliate::InstanceMethods
-        end
-
-        options.keys.each do |option|
-          raise ArgumentError, "unknown xss_foliate option #{option}" unless VALID_OPTIONS.include?(option)
-        end
-
-        REAL_OPTIONS.each do |option|
-          options[option] = Array(options[option]).collect { |val| val.to_sym }
-        end
-
-        ALIASED_OPTIONS.each do |option, real|
-          options[real] += Array(options.delete(option)).collect { |val| val.to_sym } if options[option]
-        end
-
-        write_inheritable_attribute(:xss_foliate_options, options)
-      end
-
-      #
-      #  Class method to determine whether or not this model is applying
-      #  xss_foliation to its attributes. Could be useful in test suites.
-      #
-      def xss_foliated?
-        options = read_inheritable_attribute(:xss_foliate_options)
-        ! (options.nil? || options.empty?)
-      end
-    end
-
-    module InstanceMethods
-      def xss_foliate_fields # :nodoc:
-        # fix a bug with Rails internal AR::Base models that get loaded before
-        # the plugin, like CGI::Sessions::ActiveRecordStore::Session
-        return if xss_foliate_options.nil?
-
-        self.class.columns.each do |column|
-          next unless (column.type == :string || column.type == :text)
-
-          field = column.name.to_sym
-          value = self[field]
-
-          next if value.nil? || !value.is_a?(String)
-
-          next if xss_foliate_options[:except].include?(field)
-
-          next if xss_foliated_with_standard_scrubber(field)
-
-          # :text if we're here
-          fragment = Loofah.scrub_fragment(value, :strip)
-          self[field] = fragment.nil? ? "" : fragment.text
-        end
-      end
-
-      private
-
-      def xss_foliated_with_standard_scrubber(field)
-        Loofah::Scrubbers.scrubber_symbols.each do |method|
-          if xss_foliate_options[method].include?(field)
-            fragment = Loofah.scrub_fragment(self[field], method)
-            self[field] = fragment.nil? ? "" : fragment.to_s
-            return true
-          end
-        end
-        false
-      end
-    end
-
-    def self.xss_foliate_all_models
-      ActiveRecord::Base.xss_foliate
-    end
-  end
-end
-
-ActiveRecord::Base.extend(Loofah::XssFoliate::ClassMethods)
-
-if defined?(LOOFAH_XSS_FOLIATE_ALL_MODELS) && LOOFAH_XSS_FOLIATE_ALL_MODELS
-  Loofah::XssFoliate.xss_foliate_all_models
-end

data/test/unit/test_active_record.rb

@@ -1,143 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'helper'))
-
-require 'loofah/active_record'
-
-class TestActiveRecord < Test::Unit::TestCase
-
-  HTML_STRING = "<div>omgwtfbbq</div>"
-  PLAIN_TEXT  = "vanilla text"
-
-  context "with a Post model" do
-    setup do
-      ActsAsFu.build_model(:posts) do
-        string :plain_text
-        string :html_string
-      end
-    end
-
-    context "scrubbing a single field as a fragment" do
-      context "using a symbol to indicate the attribute" do
-        setup do
-          Post.html_fragment :html_string, :scrub => :prune
-          assert ! Post.xss_foliated?
-          @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
-        end
-
-        should "scrub the specified field" do
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).never
-          @post.valid?
-        end
-
-        should "only call scrub_fragment once" do
-          Loofah.expects(:scrub_fragment).once
-          @post.valid?
-        end
-
-        should "generate strings" do
-          @post.valid?
-          assert_equal String,      @post.html_string.class
-          assert_equal HTML_STRING, @post.html_string
-        end
-      end
-
-      context "using a string to indicate the attribute" do
-        setup do
-          Post.html_fragment 'html_string', :scrub => :prune
-          assert ! Post.xss_foliated?
-          @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
-        end
-
-        should "scrub the specified field" do
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).never
-          @post.valid?
-        end
-      end
-    end
-
-    context "scrubbing a single field as a document" do
-      context "using a symbol to indicate the attribute" do
-        setup do
-          Post.html_document :html_string, :scrub => :strip
-          @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
-        end
-
-        should "scrub the specified field, but not other fields" do
-          Loofah.expects(:scrub_document).with(HTML_STRING, :strip).once
-          Loofah.expects(:scrub_document).with(PLAIN_TEXT,  :strip).never
-          @post.valid?
-        end
-
-        should "only call scrub_document once" do
-          Loofah.expects(:scrub_document).once
-          @post.valid?
-        end
-
-        should "generate strings" do
-          @post.valid?
-          assert_equal String, @post.html_string.class
-        end
-      end
-
-      context "using a string to indicate the attribute" do
-        setup do
-          Post.html_document 'html_string', :scrub => :strip
-          @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
-        end
-
-        should "scrub the specified field, but not other fields" do
-          Loofah.expects(:scrub_document).with(HTML_STRING, :strip).once
-          Loofah.expects(:scrub_document).with(PLAIN_TEXT,  :strip).never
-          @post.valid?
-        end
-      end
-    end
-
-    context "not passing any options" do
-      should "raise ArgumentError" do
-        assert_raises(ArgumentError) {
-          Post.html_fragment :foo
-        }
-      end
-    end
-
-    context "not passing :scrub option" do
-      should "raise ArgumentError" do
-        assert_raise(ArgumentError) {
-          Post.html_fragment :foo, :bar => :quux
-        }
-      end
-    end
-
-    context "passing a :scrub option" do
-      should "not raise ArgumentError" do
-        assert_nothing_raised {
-          Post.html_fragment :foo, :scrub => :quux
-        }
-      end
-    end
-
-    context "passing a Scrubber" do
-      setup do
-        @called = false
-        @scrubber = Loofah::Scrubber.new do |node|
-          @called = true
-        end
-      end
-
-      should "not raise ArgumentError" do
-        assert_nothing_raised {
-          Post.html_fragment :html_string, :scrub => @scrubber
-        }
-      end
-
-      should "scrub properly" do
-        Post.html_fragment :html_string, :scrub => @scrubber
-        post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
-        post.valid?
-        assert @called
-      end
-    end
-  end
-end

data/test/unit/test_xss_foliate.rb

@@ -1,188 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'helper'))
-
-class TestXssFoliate < Test::Unit::TestCase
-
-  HTML_STRING = "<div>omgwtfbbq</div>"
-  PLAIN_TEXT = "vanilla text"
-  INTEGER_VALUE = "1234"
-  WHITESPACEY = " <br> "
-
-  def new_post(overrides={})
-    Post.new({:html_string => HTML_STRING, :plain_text => PLAIN_TEXT, :not_a_string => INTEGER_VALUE}.merge(overrides))
-  end
-
-  context "with a Post model" do
-    setup do
-      ActsAsFu.build_model(:posts) do
-        string :plain_text
-        string :html_string
-        integer :not_a_string
-      end
-    end
-
-    context "#xss_foliated?" do
-      context "when xss_foliate has not been called" do
-        should "return false" do
-          assert ! Post.xss_foliated?
-        end
-      end
-
-      context "when xss_foliate has been called with no options" do
-        setup do
-          Post.xss_foliate
-        end
-
-        should "return true" do
-          assert Post.xss_foliated?
-        end
-      end
-
-      context "when xss_foliate has been called with options" do
-        setup do
-          Post.xss_foliate :prune => :plain_text
-        end
-
-        should "return true" do
-          assert Post.xss_foliated?
-        end
-      end
-    end
-
-    context "#xss_foliate" do
-      context "when passed invalid option" do
-        should "raise ArgumentError" do
-          assert_raise(ArgumentError) { Post.xss_foliate :quux => [:foo] }
-        end
-      end
-
-      context "when passed a symbol" do
-        should "calls the right scrubber" do
-          assert_nothing_raised(ArgumentError) { Post.xss_foliate :prune => :plain_text }
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).once
-          new_post.valid?
-        end
-      end
-
-      context "when passed an array of symbols" do
-        should "calls the right scrubbers" do
-          assert_nothing_raised(ArgumentError) {
-            Post.xss_foliate :prune => [:plain_text, :html_string]
-          }
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).once
-          new_post.valid?
-        end
-      end
-
-      context "when passed a string" do
-        should "calls the right scrubber" do
-          assert_nothing_raised(ArgumentError) { Post.xss_foliate :prune => 'plain_text' }
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :strip).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).once
-          new_post.valid?
-        end
-      end
-
-      context "when passed an array of strings" do
-        should "calls the right scrubbers" do
-          assert_nothing_raised(ArgumentError) {
-            Post.xss_foliate :prune => ['plain_text', 'html_string']
-          }
-          Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :prune).once
-          new_post.valid?
-        end
-      end
-    end
-
-    context "declaring scrubbed fields" do
-      context "on all fields" do
-        setup do
-          Post.xss_foliate
-        end
-
-        should "scrub all fields" do
-          mock_doc = mock
-          Loofah.expects(:scrub_fragment).with(HTML_STRING,   :strip).once.returns(mock_doc)
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,    :strip).once.returns(mock_doc)
-          Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
-          mock_doc.expects(:text).twice
-          assert new_post.valid?
-        end
-      end
-
-      context "omitting one field" do
-        setup do
-          Post.xss_foliate :except => [:plain_text]
-        end
-
-        should "not scrub omitted field" do
-          mock_doc = mock
-          Loofah.expects(:scrub_fragment).with(HTML_STRING,   :strip).once.returns(mock_doc)
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,    :strip).never
-          Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
-          mock_doc.expects(:text).once
-          new_post.valid?
-        end
-      end
-
-      Loofah::Scrubbers.scrubber_symbols.each do |method|
-        context "declaring one field to be scrubbed with #{method}" do
-          setup do
-            Post.xss_foliate method => [:plain_text]
-          end
-
-          should "scrub that field appropriately" do
-            mock_doc = mock
-            Loofah.expects(:scrub_fragment).with(HTML_STRING,   :strip).once
-            Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,    method).once.returns(mock_doc)
-            Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip).never
-            mock_doc.expects(:to_s)
-            new_post.valid?
-          end
-        end
-      end
-
-      context "declaring one field to be scrubbed with html5lib_sanitize" do
-        setup do
-          Post.xss_foliate :html5lib_sanitize => [:plain_text]
-        end
-
-        should "not that field appropriately" do
-          Loofah.expects(:scrub_fragment).with(HTML_STRING,   :strip) .once
-          Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,    :escape).once
-          Loofah.expects(:scrub_fragment).with(INTEGER_VALUE, :strip) .never
-          new_post.valid?
-        end
-      end
-    end
-
-    context "invalid model data" do
-      setup do
-        Post.validates_presence_of :html_string
-        Post.xss_foliate
-      end
-
-      should "not be valid after sanitizing" do
-        Loofah.expects(:scrub_fragment).with(WHITESPACEY, :strip).once
-        Loofah.expects(:scrub_fragment).with(PLAIN_TEXT,  :strip).once
-        assert ! new_post(:html_string => WHITESPACEY).valid?
-      end
-    end
-
-    context "given an XSS attempt" do
-      setup do
-        Post.xss_foliate :strip => :html_string
-      end
-
-      should "escape html entities" do
-        hackattack = "<div>&lt;script&gt;alert('evil')&lt;/script&gt;</div>"
-        post = new_post :html_string => hackattack, :plain_text => hackattack
-        post.valid?
-        assert_equal "<div>&lt;script&gt;alert('evil')&lt;/script&gt;</div>", post.html_string
-        assert_equal "&lt;script&gt;alert('evil')&lt;/script&gt;", post.plain_text
-      end
-    end
-  end
-end