RubyGems - rails-html-sanitizer - Versions diffs - 1.0.1 → 1.0.2 - Mend

rails-html-sanitizer 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rails-html-sanitizer might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +3 -3
data/lib/rails/html/sanitizer.rb +6 -2
data/lib/rails/html/sanitizer/version.rb +1 -1
data/test/sanitizer_test.rb +14 -2
metadata +4 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0de608f734dd970b1714ac2d6e922cc481ad682b
-  data.tar.gz: 71d5809c45563d3a9d570d65ea3db5b0b280fb6d
+  metadata.gz: 330722b1f148ac96ebebc529d2b971d2f32584bb
+  data.tar.gz: 5441eea2b71bd6786f38061d60db7c80f18896ff
 SHA512:
-  metadata.gz: 77d1633dd6754c952e333102c6f0f765180c762229966fb5fb44997062e0b48d87fb7dfc7562f8edd0df29ca9a6eca17182eb6a861e9d66629c541ffd8bc4dfd
-  data.tar.gz: fe3f6534221bce529ad63d9f5375fcf51e3a660a33ada62dddc3244b4964e04e2c14b2b495d1c7060e273897e307f8f095a71dc02df65a8b35ff1340f96f82df
+  metadata.gz: c346b077718dd1ebba5c1aecab78421e30b3dbda64a7a43ecf0cea96b3f25ea72f9b93dc2f7b36d11453d8249f87847ef4087f1bc1086812314e1ff3fcc67eef
+  data.tar.gz: 0e598d16bae9973b706e739ff87ea767d96859d2a27349890bb848c783161bfffccf99d26ffa231ee4e9a3ccb4dfe137ab76c6ef88eb6b32fee9f7dc3dfdb2c5

data/README.md CHANGED

@@ -1,9 +1,9 @@
 # Rails Html Sanitizers
-In Rails 5 this gem will be responsible for sanitizing HTML fragments in Rails applications,
-i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
+In Rails 4.2 and above this gem will be responsible for sanitizing HTML fragments in Rails
+applications, i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
-Include it in your Gemfile now to test for any incompatibilities and enjoy a safer and cleaner future.
+Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using [Loofah](https://github.com/flavorjones/loofah) directly (that's what handles sanitization under the hood).
 ## Installation

data/lib/rails/html/sanitizer.rb CHANGED

@@ -28,7 +28,7 @@ module Rails
         Loofah.fragment(html).tap do |fragment|
           remove_xpaths(fragment, XPATHS_TO_REMOVE)
-        end.text
+        end.text(options)
       end
     end
@@ -120,7 +120,7 @@ module Rails
           loofah_fragment.scrub!(:strip)
         end
-        loofah_fragment.to_s
+        properly_encode(loofah_fragment, encoding: 'UTF-8')
       end
       def sanitize_css(style_string)
@@ -136,6 +136,10 @@ module Rails
       def allowed_attributes(options)
         options[:attributes] || self.class.allowed_attributes
       end
+      def properly_encode(fragment, options)
+        fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
+      end
     end
   end
 end

data/lib/rails/html/sanitizer/version.rb CHANGED

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.0.1"
+      VERSION = "1.0.2"
     end
   end
 end

data/test/sanitizer_test.rb CHANGED

@@ -104,6 +104,11 @@ class SanitizersTest < Minitest::Test
     assert_equal "Frozen string with no tags", full_sanitize("Frozen string with no tags".freeze)
   end
+  def test_full_sanitize_allows_turning_off_encoding_special_chars
+    assert_equal '&amp;', full_sanitize('&')
+    assert_equal '&', full_sanitize('&', encode_special_chars: false)
+  end
   def test_strip_links_with_tags_in_tags
     expected = "a href='hello'&gt;all <b>day</b> long/a&gt;"
     input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
@@ -173,7 +178,7 @@ class SanitizersTest < Minitest::Test
   end
   def test_should_allow_anchors
-    assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\">baz</a>)
+    assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\"></a>)
   end
   def test_video_poster_sanitization
@@ -441,6 +446,13 @@ class SanitizersTest < Minitest::Test
     assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
   end
+  def test_sanitize_ascii_8bit_string
+    white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
+      assert_equal '<a>hello</a>', sanitized
+      assert_equal Encoding::UTF_8, sanitized.encoding
+    end
+  end
 protected
   def xpath_sanitize(input, options = {})
@@ -472,7 +484,7 @@ protected
   end
   def scope_allowed_tags(tags)
-    Rails::Html::WhiteListSanitizer.allowed_tags = %w(u)
+    Rails::Html::WhiteListSanitizer.allowed_tags = tags
     yield Rails::Html::WhiteListSanitizer.new
   ensure

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-09-25 00:00:00.000000000 Z
+date: 2015-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -81,7 +81,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: HTML sanitization to Rails applications
+description: HTML sanitization for Rails applications
 email:
 - rafaelmfranca@gmail.com
 - kaspth@gmail.com
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.1
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.