onebox 1.6.5 → 1.6.6

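--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: d7ab04f20175f2f5178aeff589be9de5a3c6efbf
-data.tar.gz: 30c66d325d2a5f48124dda00297da95373ff2a9e
+metadata.gz: f6930d4a5a9ef64e464c152dbb2529f05a371575
+data.tar.gz: ae19e58e8fda95f03a22501f5a4bfddb3727dfec
 SHA512:
-metadata.gz: 4174a3df1a3af3bb4ef2c3e1604bd06102128d1ec8557bf8bef70f670f47e65015f3764cd49dfc4b6d1638d63f07cdbc1f79a267ca4208a88d66f8a560c2088e
-data.tar.gz: bc7fcc8ecdf0b816f64f0ccd37a40841a37b0f0d8aa282fb5a7f3239e18a8929b8a3b321143373f33d5ad547eeccc9c6626a29adfbc6ed7c818d2d4a2cd1b317
+metadata.gz: 090d8eed2fba3e8c9be2ad047439a061b44c8e9ac65c874007579cf1f5e2d1e6f950208cfc2c1e451772b11ff5818534e7745bde83e916f7e4aaa408c7121e01
+data.tar.gz: 20c3b56077aa58cabd1ee7483f67d6436d678f4c5a246fa350f4d26c18faed50b1188a65d4a3bedfd44a1cbc45300f960b2e1d7d2fed3b2281b7f93938364268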
@@ -1,3 +1,7 @@
1
+ ## 1.6.6
2
+
3
+ * SECURITY: normalize url for audio/video oneboxes
4
+
1
5
  ## 1.5.64
2
6
 
3
7
  * Escape HTML entities in text when oneboxing Amazon URLs.
@@ -3,14 +3,15 @@ module Onebox
3
3
  class AudioOnebox
4
4
  include Engine
5
5
 
6
- matches_regexp /^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/
6
+ matches_regexp(/^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/i)
7
7
 
8
8
  def always_https?
9
9
  WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
10
10
  end
11
11
 
12
12
  def to_html
13
- "<audio controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></audio>"
13
+ url = ::Onebox::Helpers.normalize_url_for_output(@url)
14
+ "<audio controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
14
15
  end
15
16
  end
16
17
  end
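Review bot: The safety of the new `to_html` rests entirely on `Helpers.normalize_url_for_output` stripping `<`, `>` and `"`, because the normalized `url` is interpolated both into single-quoted attributes and, with no `CGI.escapeHTML`, as the link's visible text; nothing in this file records that dependency. A comment above the assignment would make the contract explicit: `# url is reduced to RFC 3986 URL characters (no <, > or ") with ' entity-escaped; that is what keeps it safe in the single-quoted attributes and as text below`. Note that `&` survives the helper's whitelist, so a URL containing a sequence such as `&amp;` is shown entity-decoded in the link text, which is harmless but means the displayed text can differ from the href. VideoOnebox's `to_html` in the later hunk has the identical shape and would take the same comment.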
@@ -3,7 +3,7 @@ module Onebox
3
3
  class ImageOnebox
4
4
  include Engine
5
5
 
6
- matches_regexp /^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i
6
+ matches_regexp(/^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i)
7
7
 
8
8
  def always_https?
9
9
  WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
@@ -15,7 +15,7 @@ module Onebox
15
15
  @url.gsub!("https://www.dropbox.com","https://dl.dropboxusercontent.com")
16
16
  end
17
17
 
18
- escaped = url.gsub(/'/, "%27")
18
+ escaped = Onebox::Helpers.normalize_url_for_output(url)
19
19
  "<a href='#{escaped}' target='_blank'><img src='#{escaped}'></a>"
20
20
  end
21
21
  end
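Review bot: This engine reaches the helper as `Onebox::Helpers` and passes `url`, while the audio and video engines in the neighbouring hunks write `::Onebox::Helpers` and pass `@url`; using one form in all three would make the shared normalization easier to grep and audit. The local name `escaped` now holds an entity-escaped string rather than the percent-encoded one it used to, so `normalized = Onebox::Helpers.normalize_url_for_output(url)` would describe it better. `to_html` starts outside the hunk.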
@@ -3,14 +3,15 @@ module Onebox
3
3
  class VideoOnebox
4
4
  include Engine
5
5
 
6
- matches_regexp /^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/
6
+ matches_regexp(/^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/i)
7
7
 
8
8
  def always_https?
9
9
  WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
10
10
  end
11
11
 
12
12
  def to_html
13
- "<video width='100%' height='100%' controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></video>"
13
+ url = ::Onebox::Helpers.normalize_url_for_output(@url)
14
+ "<video width='100%' height='100%' controls><source src='#{url}'><a href='#{url}'>#{url}</a></video>"
14
15
  end
15
16
  end
16
17
  end
@@ -200,10 +200,10 @@ module Onebox
200
200
  html_entities = HTMLEntities.new
201
201
  d = { link: link }.merge(raw)
202
202
  if !Onebox::Helpers.blank?(d[:title])
203
- d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title]))
203
+ d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title].strip, 80))
204
204
  end
205
205
  if !Onebox::Helpers.blank?(d[:description])
206
- d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description], 250))
206
+ d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description].strip, 250))
207
207
  end
208
208
  d
209
209
  end
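Review bot: `d[:title].strip` on the new line assumes the value is a String, while `Onebox::Helpers.blank?` also accepts arrays and hashes, so a non-String title or description would raise NoMethodError before `truncate` is reached; if `raw` can only carry Strings here that is fine, but it is not visible from this hunk. As a point of style, `if !Onebox::Helpers.blank?(...)` reads better as `unless Onebox::Helpers.blank?(d[:title])`, and the two near-identical branches could fold into `{ title: 80, description: 250 }.each { |k, len| d[k] = html_entities.decode(Onebox::Helpers.truncate(d[k].strip, len)) unless Onebox::Helpers.blank?(d[k]) }`. The enclosing method starts outside the hunk.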
@@ -65,11 +65,20 @@ module Onebox
65
65
  end
66
66
 
67
67
  def self.truncate(string, length = 50)
68
- string.size > length ? string[0..length] + "..." : string
68
+ string.size > length ? string[0...(string.rindex(" ", length)||length)] + "..." : string
69
69
  end
70
70
 
71
71
  def self.title_attr(meta)
72
72
  (meta && !blank?(meta[:title])) ? "title='#{CGI.escapeHTML(meta[:title])}'" : ""
73
73
  end
74
+
75
+ def self.normalize_url_for_output(url)
76
+ url = url.dup
77
+ # expect properly encoded url, remove any unsafe chars
78
+ url.gsub!(/[^a-zA-Z0-9%\-`._~:\/?#\[\]@!$&'\(\)*+,;=]/, "")
79
+ url.gsub!("'", "&quot;")
80
+ url
81
+ end
82
+
74
83
  end
75
84
  end
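Review bot: `normalize_url_for_output` maps a single quote to `&quot;`, which is the entity for a double quote; inside the single-quoted attributes the callers build it decodes to `"`, so the attribute is not terminated, but the emitted href now names a different URL than the one given (`test'ing.mp3` becomes `test"ing.mp3`). `&#39;` keeps the attribute safe and the URL intact: `url.gsub!("'", "&#39;")` (or the `%27` the image engine used before), with the image spec's expected `&quot;` updated to match. The character class on the preceding line also admits a backtick, which is not an RFC 3986 URL character; dropping it, or commenting why it is kept, would make the whitelist easier to audit. Separately, `truncate` now takes `string[0...(string.rindex(" ", length)||length)]`, and because `0` is truthy in Ruby a string whose only space within `length` is at index 0 truncates to just `"..."`; `idx = string.rindex(" ", length); idx = length if idx.nil? || idx.zero?` avoids that.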
@@ -1,3 +1,3 @@
1
1
  module Onebox
2
- VERSION = "1.6.5"
2
+ VERSION = "1.6.6"
3
3
  end
@@ -6,7 +6,7 @@ describe Onebox::Engine::AudioOnebox do
6
6
  end
7
7
 
8
8
  it "supports mp3" do
9
- expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<audio/)
9
+ expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.MP3').to_s).to match(/<audio/)
10
10
  end
11
11
 
12
12
  it "supports wav" do
@@ -28,4 +28,8 @@ describe Onebox::Engine::AudioOnebox do
28
28
  it "includes a fallback direct link to the audio" do
29
29
  expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<a.*mp3/)
30
30
  end
31
+
32
+ it "correctly escapes single quotes" do
33
+ expect(Onebox.preview("http://test.com/test'ing.mp3").to_s).not_to match(/test'ing/)
34
+ end
31
35
  end
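Review bot: The new example only asserts that `test'ing` is absent from the output, so it would also pass if the engine returned an empty string or silently dropped the quote; a positive expectation pins the actual contract, e.g. `expect(Onebox.preview("http://test.com/test'ing.mp3").to_s).to match(/test&quot;ing\.mp3/)`, mirroring the image spec. The same example belongs in the video spec, whose hunk only changes the `.MOV` case.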
@@ -38,6 +38,6 @@ describe Onebox::Engine::ImageOnebox do
38
38
  end
39
39
 
40
40
  it "doesn't inline single quotes" do
41
- expect(Onebox.preview("http://host/path/to/image'withquote.png").to_s).to match(/image%27withquote/)
41
+ expect(Onebox.preview("http://host/path/to/Image'withquote.png").to_s).to match(/Image&quot;withquote/)
42
42
  end
43
43
  end
@@ -10,7 +10,7 @@ describe Onebox::Engine::VideoOnebox do
10
10
  end
11
11
 
12
12
  it "supports mov" do
13
- expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.mov').to_s).to match(/<video/)
13
+ expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.MOV').to_s).to match(/<video/)
14
14
  end
15
15
 
16
16
  it "supports webm" do
@@ -2,15 +2,26 @@ require 'spec_helper'
2
2
 
3
3
  RSpec.describe Onebox::Helpers do
4
4
  describe '.blank?' do
5
- it { expect(Onebox::Helpers.blank?("")).to be(true) }
6
- it { expect(Onebox::Helpers.blank?(" ")).to be(true) }
7
- it { expect(Onebox::Helpers.blank?("test")).to be(false) }
8
- it { expect(Onebox::Helpers.blank?(["test", "testing"])).to be(false) }
9
- it { expect(Onebox::Helpers.blank?([])).to be(true) }
10
- it { expect(Onebox::Helpers.blank?({})).to be(true) }
11
- it { expect(Onebox::Helpers.blank?({a: 'test'})).to be(false) }
12
- it { expect(Onebox::Helpers.blank?(nil)).to be(true) }
13
- it { expect(Onebox::Helpers.blank?(true)).to be(false) }
14
- it { expect(Onebox::Helpers.blank?(false)).to be(true) }
5
+ it { expect(described_class.blank?("")).to be(true) }
6
+ it { expect(described_class.blank?(" ")).to be(true) }
7
+ it { expect(described_class.blank?("test")).to be(false) }
8
+ it { expect(described_class.blank?(["test", "testing"])).to be(false) }
9
+ it { expect(described_class.blank?([])).to be(true) }
10
+ it { expect(described_class.blank?({})).to be(true) }
11
+ it { expect(described_class.blank?({a: 'test'})).to be(false) }
12
+ it { expect(described_class.blank?(nil)).to be(true) }
13
+ it { expect(described_class.blank?(true)).to be(false) }
14
+ it { expect(described_class.blank?(false)).to be(true) }
15
15
  end
16
- end
16
+
17
+ describe ".truncate" do
18
+ let(:test_string) { "Chops off on spaces" }
19
+ it { expect(described_class.truncate(test_string)).to eq(test_string) }
20
+ it { expect(described_class.truncate(test_string,5)).to eq("Chops...") }
21
+ it { expect(described_class.truncate(test_string,7)).to eq("Chops...") }
22
+ it { expect(described_class.truncate(test_string,9)).to eq("Chops off...") }
23
+ it { expect(described_class.truncate(test_string,10)).to eq("Chops off...") }
24
+ it { expect(described_class.truncate(test_string,100)).to eq("Chops off on spaces") }
25
+ it { expect(described_class.truncate(" #{test_string} ",6)).to eq(" Chops...") }
26
+ end
27
+ end
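Review bot: The new `.truncate` examples cover the cut-on-space path but not the two branches that decide the index: a string with no space inside `length` (the `|| length` fallback, e.g. `it { expect(described_class.truncate("abcdefghij", 5)).to eq("abcde...") }`) and a string whose only space is at index 0, where `rindex` returns `0` and the current implementation yields `"..."`; pinning whichever result is intended documents that edge. RuboCop would also ask for a space after the comma in `truncate(test_string,5)` and its siblings.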
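--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: onebox
 version: !ruby/object:Gem::Version
-version: 1.6.5
+version: 1.6.6
 platform: ruby
 authors:
 - Joanna Zeta
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-15 00:00:00.000000000 Z
+date: 2016-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: multi_json
@@ -464,7 +464,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.2
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: A gem for turning URLs into previews.
@@ -528,3 +528,4 @@ test_files:
 - spec/lib/onebox_spec.rb
 - spec/spec_helper.rb
 - spec/support/html_spec_helper.rb
+has_rdoc: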