rack-utf8_sanitizer 1.6.0 → 1.7.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 53093765db81984315b860f92ab0c1b51cc2e458147bc3cfb3d289424fb9b6d0
4
- data.tar.gz: 21493f9709c2db974d65612a8f22328824f74118ee500f37eeafe957a3dd1d39
3
+ metadata.gz: 4156ca74bbd8c43750cdb733ca500a1cb974492ceb823ffa50e9adaa5733d7d9
4
+ data.tar.gz: 2acc566fb2020de35fa94822f3fcf018988e9166682ccf2f72f7bb9ca7c209d7
5
5
  SHA512:
6
- metadata.gz: 621f2ea1b68feaf198d558d22cdc9dbb22a1133cb61f755450c80757bc4e848a80b337657f0356d59ebef869633e348bb3392612ec7fe7954dc1134f03b04e5a
7
- data.tar.gz: 917f05a6ed39b0656c84f60a076b072ed141418f15aa7b26d43c707be8268a739b1ce698955669bb8620f6e9f0c887e2c24a354f508a7e574af308c513e9da96
6
+ metadata.gz: 5332f698e7d2a06427fe009a1e2f368ca56c4ab04d5b4551f79689dabbce3351733d657e9df14266c6416f5627305e45e511aee701f5a2d783f1b28d7a7d4435
7
+ data.tar.gz: 7df6257e5945eec1c928ab2ab9e446fe9d853c74b572732b5318e655b1b34d89557d949ee1300004ac67111fd170fddba7ab89b842dbbf65c9ca79717bdf1aa2
data/README.md CHANGED
@@ -1,6 +1,9 @@
1
1
  # Rack::UTF8Sanitizer
2
2
 
3
- Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers.
3
+ Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers. Additionally,
4
+ it cleans up invalid UTF8 characters in the request body (depending on the configurable content type filters) by reading
5
+ the input into a string, sanitizing the string, then replacing the Rack input stream with a rewindable input stream backed
6
+ by the sanitized string.
4
7
 
5
8
  ## Installation
6
9
 
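Review bot: the new README paragraph does not say what "reading the input into a string" means for memory: a body of a sanitizable content type is held in full as a Ruby string before the rewindable stream replaces `rack.input`, so the content type filters are the only thing bounding how much is buffered. A sentence stating that (and suggesting a body size limit upstream of this middleware for large uploads) would help operators decide where in the stack to insert it.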
@@ -45,7 +48,7 @@ For fields with "percent-encoded data", the algorithm is applied twice to catch
45
48
 
46
49
  ### Sanitizable content types
47
50
 
48
- The default content types to be sanitized are 'text/plain', 'application/x-www-form-urlencoded', 'application/json', 'text/javascript'. You may wish to modify this, for example if your app accepts specific or custom media types in the CONTENT_TYPE header. If you want to change the sanitizable content types, you can pass options when using Rack::UTF8Sanitizer.
51
+ The default content types to be sanitized are 'text/plain', 'application/x-www-form-urlencoded', 'application/json', 'text/javascript'. You may wish to modify this, for example if your app accepts specific or custom media types in the CONTENT_TYPE header. If you want to change the sanitizable content types, you can pass options when using Rack::UTF8Sanitizer.
49
52
 
50
53
  To add sanitizable content types to the list of defaults, pass the `additional_content_types` options when using Rack::UTF8Sanitizer, e.g.
51
54
 
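Review bot: the removed and added versions of the "The default content types to be sanitized are ..." line are textually identical, so this is a whitespace-only change (most likely trailing whitespace). It is harmless, but it adds noise next to the real documentation changes in this file; a separate formatting commit would keep the content diff readable.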
@@ -75,7 +78,35 @@ config.middleware.insert 0, Rack::UTF8Sanitizer, except: [/HTTP_.+/]
75
78
 
76
79
  There are two built in strategies for handling invalid characters. The default strategy is `:replace`, which will cause any invalid characters to be replaces with the unicode replacement character (�). The second built in strategy is `:exception` which will cause an `EncodingError` exception to be raised if invalid characters are found (the exception can then be handled by another Rack middleware).
77
80
 
78
- An object that responds to `#call` and accepts the offending string with invalid characters as an argumant can also be passed as a `:strategy`. This is how you can define custom strategies.
81
+ This is an example of handling the `:exception` strategy with additional middleware:
82
+
83
+ ```ruby
84
+ require "./your/middleware/directory/utf8_sanitizer_exception_handler.rb"
85
+
86
+ config.middleware.insert 0, Rack::UTF8SanitizerExceptionHandler
87
+ config.middleware.insert_after Rack::UTF8SanitizerExceptionHandler, Rack::UTF8Sanitizer, strategy: :exception
88
+ ```
89
+
90
+ Note: The exception handling middleware must be inserted before `Rack::UTF8Sanitizer`
91
+
92
+ ```ruby
93
+ module Rack
94
+ class UTF8SanitizerExceptionHandler
95
+ def initialize(app)
96
+ @app = app
97
+ end
98
+
99
+ def call(env)
100
+ @app.call(env)
101
+ rescue EncodingError => exception
102
+ # OPTIONAL: Add error logging service of your choice here
103
+ return [400, {}, ["Bad Request"]]
104
+ end
105
+ end
106
+ end
107
+ ```
108
+
109
+ An object that responds to `#call` and accepts the offending string with invalid characters as an argument can also be passed as a `:strategy`. This is how you can define custom strategies.
79
110
 
80
111
  ```ruby
81
112
  config.middleware.insert 0, Rack::UTF8Sanitizer, strategy: :exception
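Review bot: the sample `Rack::UTF8SanitizerExceptionHandler` rescues every `EncodingError` raised anywhere downstream of it, not only the one `Rack::UTF8Sanitizer` raises under `strategy: :exception`, so an unrelated encoding bug in the application would also be answered with a 400 instead of surfacing as a 500; the README should state this trade-off, or the example should show how to tell the two apart before rescuing. Two smaller points in the same block: `rescue EncodingError => exception` binds a variable that is never used (drop it, or use it in the logging line the comment reserves), and `[400, {}, ["Bad Request"]]` sets no `Content-Type` header, which `Rack::Lint` flags for a 400 response; `{ "Content-Type" => "text/plain" }` would make the example lint-clean. Also, the "Note: The exception handling middleware must be inserted before `Rack::UTF8Sanitizer`" line is missing its terminal period.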
@@ -231,7 +231,7 @@ module Rack
231
231
  # Performs the reverse function of `unescape_unreserved`. Unlike
232
232
  # the previous function, we can reuse the logic in URI#encode
233
233
  def escape_unreserved(input)
234
- URI.encode(input, UNSAFE)
234
+ URI::DEFAULT_PARSER.escape(input, UNSAFE)
235
235
  end
236
236
 
237
237
  def sanitize_string(input)
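Review bot: the comment two lines above the change still reads "we can reuse the logic in URI#encode", which no longer matches the code now that it calls `URI::DEFAULT_PARSER.escape`; update the comment in the same change. The replacement itself is correct: `URI.encode` (alias of `URI.escape`) is obsolete, warns on Ruby 2.7 and is removed in Ruby 3.0, and it delegated to the default parser's `escape`, so the `UNSAFE` argument keeps the same meaning and the output is unchanged.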
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "rack-utf8_sanitizer"
5
- gem.version = '1.6.0'
5
+ gem.version = '1.7.0'
6
6
  gem.authors = ["whitequark"]
7
7
  gem.license = "MIT"
8
8
  gem.email = ["whitequark@whitequark.org"]
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-utf8_sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.0
4
+ version: 1.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - whitequark
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-06-06 00:00:00.000000000 Z
11
+ date: 2020-03-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
110
110
  version: '0'
111
111
  requirements: []
112
112
  rubyforge_project:
113
- rubygems_version: 2.7.6
113
+ rubygems_version: 2.7.6.2
114
114
  signing_key:
115
115
  specification_version: 4
116
116
  summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters