rack-sanitize 0.0.1

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,5 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg

data/Gemfile

@@ -0,0 +1,10 @@
+source :rubygems
+
+gem "sanitize", "~>1.2.0"
+
+group :test do
+  gem "rspec", "~>1.3.0"
+  gem "rack-test", "~>0.5.4"
+  gem "sinatra", "~>1.0"
+  gem "activesupport", "~>3.0.0.rc2"
+end

data/Gemfile.lock

@@ -0,0 +1,23 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.0.0.rc2)
+    nokogiri (1.4.3.1)
+    rack (1.2.1)
+    rack-test (0.5.4)
+      rack (>= 1.0)
+    rspec (1.3.0)
+    sanitize (1.2.0)
+      nokogiri (~> 1.4.1)
+    sinatra (1.0)
+      rack (>= 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (~> 3.0.0.rc2)
+  rack-test (~> 0.5.4)
+  rspec (~> 1.3.0)
+  sanitize (~> 1.2.0)
+  sinatra (~> 1.0)

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 robotapocalypse
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,18 @@
+= rack-sanitize
+
+Description goes here.
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but
+   bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2009 robotapocalypse. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "rack-sanitize"
+    gem.summary = %Q{Rack middleware to sanitize GET and POST parameters}
+    gem.description = %Q{Remove all malicious HTML from your request before it reaches your application}
+    gem.email = "pherph@gmail.com"
+    gem.homepage = "http://github.com/robotapocalypse/rack-sanitize"
+    gem.authors = ["robotapocalypse"]
+    gem.add_dependency "sanitize", "~>1.2.0"
+    gem.add_development_dependency "rspec", "~>1.3.0"
+    gem.add_development_dependency "rack-test", "~>0.5.4"
+    gem.add_development_dependency "sinatra", "~>1.0"
+    gem.add_development_dependency "activesupport", "~>3.0.0.rc2"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  if File.exist?('VERSION')
+    version = File.read('VERSION')
+  else
+    version = ""
+  end
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "rack-sanitize #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/lib/rack/sanitize.rb

@@ -0,0 +1,30 @@
+require 'sanitize'
+
+module Rack
+  class Sanitize
+    def initialize(app, config={})
+      @app    = app
+      @config = config
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+      request.GET.each {|k,v| request.GET[k] = sanitize(v)}
+      request.POST.each {|k,v| request.POST[k] = sanitize(v)}
+      @app.call(env)
+    end
+
+private
+
+    def sanitize(value)
+      if value.is_a?(Hash)
+        value.each {|k,v| value[k] = sanitize(v)}
+      elsif value.is_a?(Array)
+        value.map {|v| sanitize(v)}
+      elsif value.is_a?(String)
+        ::Sanitize.clean(value, @config)
+      end
+    end
+
+  end
+end

data/rack-sanitize.gemspec

@@ -0,0 +1,69 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{rack-sanitize}
+  s.version = "0.0.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["robotapocalypse"]
+  s.date = %q{2010-08-29}
+  s.description = %q{Remove all malicious HTML from your request before it reaches your application}
+  s.email = %q{pherph@gmail.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "Gemfile",
+     "Gemfile.lock",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/rack/sanitize.rb",
+     "rack-sanitize.gemspec",
+     "spec/rack/sanitize_spec.rb",
+     "spec/spec.opts",
+     "spec/spec_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/robotapocalypse/rack-sanitize}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{Rack middleware to sanitize GET and POST parameters}
+  s.test_files = [
+    "spec/rack/sanitize_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<sanitize>, ["~> 1.2.0"])
+      s.add_development_dependency(%q<rspec>, ["~> 1.3.0"])
+      s.add_development_dependency(%q<rack-test>, ["~> 0.5.4"])
+      s.add_development_dependency(%q<sinatra>, ["~> 1.0"])
+      s.add_development_dependency(%q<activesupport>, ["~> 3.0.0.rc2"])
+    else
+      s.add_dependency(%q<sanitize>, ["~> 1.2.0"])
+      s.add_dependency(%q<rspec>, ["~> 1.3.0"])
+      s.add_dependency(%q<rack-test>, ["~> 0.5.4"])
+      s.add_dependency(%q<sinatra>, ["~> 1.0"])
+      s.add_dependency(%q<activesupport>, ["~> 3.0.0.rc2"])
+    end
+  else
+    s.add_dependency(%q<sanitize>, ["~> 1.2.0"])
+    s.add_dependency(%q<rspec>, ["~> 1.3.0"])
+    s.add_dependency(%q<rack-test>, ["~> 0.5.4"])
+    s.add_dependency(%q<sinatra>, ["~> 1.0"])
+    s.add_dependency(%q<activesupport>, ["~> 3.0.0.rc2"])
+  end
+end
+

data/spec/rack/sanitize_spec.rb

@@ -0,0 +1,73 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe Rack::Sanitize do
+  it "should sanitize GETs" do
+    get '/get', {"a" => "ok", "okie" => %Q{<script src="http://iammalicious.com">dokie</script>}}
+    last_response.body.should == "GETs: a=ok&okie=dokie"
+  end
+
+  it "should sanitize POSTs" do
+    post '/post', {"a" => "ok", "okie" => %Q{<script src="http://iammalicious.com">dokie</script>}}
+    last_response.body.should == "POSTs: a=ok&okie=dokie"
+  end
+
+  it "should sanitize nested parameters" do
+    params = {
+      "parent" => {
+        "a" => {"okay" => %Q{<script src="http://iammalicious.com">arsehole</script>}},
+        "okie" => %Q{<script src="http://iammalicious.com">dokie</script>}
+      }
+    }
+
+    get '/get', params
+    last_response.body.should == "GETs: parent[a][okay]=arsehole&parent[okie]=dokie"
+
+    post '/post', params
+    last_response.body.should == "POSTs: parent[a][okay]=arsehole&parent[okie]=dokie"
+  end
+
+  it "should sanitize elements in an array" do
+    params = {
+      "person" => {
+        "pets" => [
+          {"dog" => "<script>woof</script>"},
+          {"cat" => "<script>meow</script>"}
+        ]
+      },
+      "beer" => ["<script>porter</script>", "pilsner"]
+    }
+
+    get '/get', params
+    last_response.body.should == "GETs: person[pets][][dog]=woof&person[pets][][cat]=meow&beer[]=porter&beer[]=pilsner"
+
+    post '/post', params
+    last_response.body.should == "POSTs: person[pets][][dog]=woof&person[pets][][cat]=meow&beer[]=porter&beer[]=pilsner"
+  end
+
+  it "should allow the sanitize configuration to be set" do
+    @app = Rack::Builder.app do
+      use Rack::Sanitize, Sanitize::Config::RELAXED
+      run PotentialVictim
+    end
+
+    params = {"image" => %Q{<img src="/hello.jpg" />}}
+
+    get '/get', params
+    last_response.body.should == %Q{GETs: image=<img src="/hello.jpg" />}
+
+    post '/post', params
+    last_response.body.should == %Q{POSTs: image=<img src="/hello.jpg" />}
+  end
+
+  it "should sanitize if the path matches" do
+
+  end
+
+  it "should not sanitize if the path does not match" do
+
+  end
+
+  it "should default to sanitizing both GETs and POSTs" do
+
+  end
+end

data/spec/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format progress
+--loadby mtime
+--reverse

data/spec/spec_helper.rb

@@ -0,0 +1,29 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'rack/sanitize'
+require 'rack/test'
+require 'spec'
+require 'spec/autorun'
+require 'sinatra/base'
+require 'active_support/core_ext/object/to_query'
+
+class PotentialVictim < Sinatra::Base
+  get '/get' do
+    "GETs: #{Rack::Utils.unescape(request.GET.to_query)}"
+  end
+
+  post '/post' do
+    "POSTs: #{Rack::Utils.unescape(request.POST.to_query)}"
+  end
+end
+
+Spec::Runner.configure do |config|
+  config.include Rack::Test::Methods
+
+  def app
+    @app ||= Rack::Builder.app do
+      use Rack::Sanitize
+      run PotentialVictim
+    end
+  end
+end

metadata

@@ -0,0 +1,152 @@
+--- !ruby/object:Gem::Specification 
+name: rack-sanitize
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- robotapocalypse
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-08-29 00:00:00 -06:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: sanitize
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 2
+        - 0
+        version: 1.2.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 3
+        - 0
+        version: 1.3.0
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rack-test
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 5
+        - 4
+        version: 0.5.4
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: sinatra
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 0
+        version: "1.0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        - 0
+        - rc2
+        version: 3.0.0.rc2
+  type: :development
+  version_requirements: *id005
+description: Remove all malicious HTML from your request before it reaches your application
+email: pherph@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/rack/sanitize.rb
+- rack-sanitize.gemspec
+- spec/rack/sanitize_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/robotapocalypse/rack-sanitize
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Rack middleware to sanitize GET and POST parameters
+test_files: 
+- spec/rack/sanitize_spec.rb
+- spec/spec_helper.rb