rails_autolink 1.1.5 → 1.1.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a9a91def4e38bcb28f15482c69da7024e299a19c
4
- data.tar.gz: e987cc56142e5e1a882dfac7dd2aec775f3c68b4
3
+ metadata.gz: 91c4563b853f02631b7bf2d4b4cc26fed12c6e02
4
+ data.tar.gz: 6e4207505ba1093565b223b36fe7ca1c35020acc
5
5
  SHA512:
6
- metadata.gz: ec0d9d57552ac9d0198c4593265c6f8f68d5acc3398c136b1dc3c35228da77cb46c4025444d31a786159b5025514266ef220a98691a01a5e40c78fb19a959739
7
- data.tar.gz: a5ece6112a62cf23086f764938ad2781a86ed25539fd0e2b7b8a978fd3b57d1b8d6c7214b2bceb2871574c722e33ce9005018af13235d23e2bce3d84ebcbbce8
6
+ metadata.gz: be27ad19fd951b6631eba721eb250ce6cd32dde1c819ff4834c2ccb9bd676c708d099e6ca9fe5dbf878bf4b70095713a0fa3577c6a8f82d8f0ef8cdddce8fea7
7
+ data.tar.gz: fa33c890166fc907cbc4d54ec6aeda58c60b7850dcb80c8684b79c77e72042e2ea685338ef6882dea0c4b801dde29bec1559880e4f34f86c1b02059fc5d3fab2
data/.gitignore CHANGED
@@ -10,4 +10,6 @@ pkg
10
10
  rdoc
11
11
  test/tmp
12
12
  test/version_tmp
13
- tmp
13
+ tmp
14
+ .rvmrc
15
+ .ruby-*
@@ -1,3 +1,11 @@
1
+ === 1.1.6 / 2014-06-08
2
+
3
+ * Fixed a potential XSS vulnerability #47
4
+ * Hold onto trailing = and & characters as part of urls #45
5
+ * Ensure test compatibility with Rails 3.2.x/4.0.x/4.1.x #44
6
+ * Readme typo #41
7
+ * require timeout in tests #40
8
+
1
9
  === 1.1.5 / 2013-10-23
2
10
 
3
11
  * Improved performance of email regex
data/Gemfile CHANGED
@@ -1,6 +1,13 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
+ # To test on latest Rails release, use the following:
3
4
  gem 'rails'
4
- gem 'arel'
5
- gem 'rack'
6
5
  gem 'minitest'
6
+
7
+ # To test on Rails 4.0.x release, use the following e.g. for 4.0.1:
8
+ # gem 'rails', '= 4.0.1'
9
+ # gem 'minitest'
10
+
11
+ # To test on Rails 3.2.x, use the following e.g. for 3.2.17:
12
+ # gem 'rails', '= 3.2.17'
13
+ # gem 'minitest', '= 4.2'
@@ -11,7 +11,7 @@ bridge the gap for people migrating.
11
11
  == FEATURES:
12
12
 
13
13
  By default auto_link returns sanitized html_safe strings.
14
- This behaviour can be overriden setting the <tt>:sanitize</tt> option to false
14
+ This behaviour can be overridden by setting the <tt>:sanitize</tt> option to false
15
15
  (thus making it insecure if you don't have the content under control).
16
16
 
17
17
  == SYNOPSIS:
data/Rakefile CHANGED
@@ -6,3 +6,5 @@ Rake::TestTask.new do |t|
6
6
  t.libs << 'test'
7
7
  t.pattern = 'test/test_*.rb'
8
8
  end
9
+
10
+ task :default => :test
@@ -72,7 +72,7 @@ module RailsAutolink
72
72
 
73
73
  AUTO_LINK_RE = %r{
74
74
  (?: ((?:ed2k|ftp|http|https|irc|mailto|news|gopher|nntp|telnet|webcal|xmpp|callto|feed|svn|urn|aim|rsync|tag|ssh|sftp|rtsp|afs|file):)// | www\. )
75
- [^\s<\u00A0]+
75
+ [^\s<\u00A0"]+
76
76
  }ix
77
77
 
78
78
  # regexps for determining context, used high-volume
@@ -98,7 +98,7 @@ module RailsAutolink
98
98
  href
99
99
  else
100
100
  # don't include trailing punctuation character as part of the URL
101
- while href.sub!(/[^#{WORD_PATTERN}\/-]$/, '')
101
+ while href.sub!(/[^#{WORD_PATTERN}\/-=&]$/, '')
102
102
  punctuation.push $&
103
103
  if opening = BRACKETS[punctuation.last] and href.scan(opening).size > href.scan(punctuation.last).size
104
104
  href << punctuation.pop
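Review bot: In the trailing-punctuation regex of the second hunk, `\/-=` inside the character class is parsed as a range from `/` (0x2F) to `=` (0x3D), not as the three literals `/`, `-`, `=`, so `:` and `;` now fall inside the negated class and are no longer stripped from the end of a URL — `http://example.com;` keeps its semicolon in the href, whereas 1.1.5 dropped it. The old pattern only behaved because the `-` sat immediately before `]`, where it is literal. Escape the hyphen: `while href.sub!(/[^#{WORD_PATTERN}\/\-=&]$/, '')`. On the first hunk the matcher now stops at `"` but still admits `'`; whether that matters depends on how the href is escaped when emitted, which is outside this hunk, so a single-quoted payload in the test suite would settle it. The method containing this loop starts and ends outside the hunk.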
@@ -1,3 +1,3 @@
1
1
  module RailsAutolink
2
- VERSION = '1.1.5'
2
+ VERSION = '1.1.6'
3
3
  end
@@ -2,20 +2,16 @@
2
2
 
3
3
  require "minitest/autorun"
4
4
  require "rails"
5
- require "rails_autolink/helpers"
6
5
  require 'erb'
7
6
  require 'cgi'
8
- require 'active_support/core_ext/class/attribute_accessors'
7
+ require 'active_support'
8
+ require 'active_support/core_ext'
9
9
  require 'action_pack'
10
- require 'action_view/helpers/capture_helper'
11
- require 'action_view/helpers/sanitize_helper'
12
- require 'action_view/helpers/url_helper'
13
- require 'action_view/helpers/tag_helper'
14
- require 'active_support/core_ext/module/attribute_accessors'
15
- require 'active_support/core_ext/string/encoding'
10
+ require 'action_view'
11
+ require 'action_view/helpers'
16
12
  require 'action_dispatch/testing/assertions'
17
- require 'action_view/helpers/text_helper'
18
- require 'action_view/helpers/output_safety_helper'
13
+ require 'timeout'
14
+ require "rails_autolink/helpers"
19
15
 
20
16
  class TestRailsAutolink < MiniTest::Unit::TestCase
21
17
  include ActionView::Helpers::CaptureHelper
@@ -138,6 +134,14 @@ class TestRailsAutolink < MiniTest::Unit::TestCase
138
134
  assert_equal linked_email, auto_link(linked_email)
139
135
  end
140
136
 
137
+ def test_auto_link_with_malicious_attr
138
+ url1 = "http://api.rubyonrails.com/Foo.html"
139
+ malicious = "\"onmousemove=\"prompt()"
140
+ combination = "#{url1}#{malicious}"
141
+
142
+ assert_equal %(<p><a href="#{url1}">#{url1}</a>#{malicious}</p>), auto_link("<p>#{combination}</p>")
143
+ end
144
+
141
145
  def test_auto_link_at_eol
142
146
  url1 = "http://api.rubyonrails.com/Foo.html"
143
147
  url2 = "http://www.ruby-doc.org/core/Bar.html"
@@ -174,7 +178,12 @@ class TestRailsAutolink < MiniTest::Unit::TestCase
174
178
 
175
179
  def test_auto_link_email_addres_with_especial_chars
176
180
  email_raw = "and&re$la*+r-a.o'rea=l~ly@tenderlovemaking.com"
177
- email_sanitized = "and&amp;re$la*+r-a.o&#39;rea=l~ly@tenderlovemaking.com"
181
+ email_sanitized = if Rails.version =~ /^3/
182
+ # mail_to changed the number base it rendered HTML encoded characters at some point
183
+ "and&amp;re$la*+r-a.o&#x27;rea=l~ly@tenderlovemaking.com"
184
+ else
185
+ "and&amp;re$la*+r-a.o&#39;rea=l~ly@tenderlovemaking.com"
186
+ end
178
187
  email_result = %{<a href="mailto:#{email_raw}">#{email_sanitized}</a>}
179
188
  assert_equal email_result, auto_link(email_raw)
180
189
  assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
@@ -311,6 +320,16 @@ class TestRailsAutolink < MiniTest::Unit::TestCase
311
320
  end
312
321
  end
313
322
 
323
+ def test_autolink_with_trailing_equals_on_link
324
+ url = "http://www.rubyonrails.com/foo.cgi?trailing_equals="
325
+ assert_equal generate_result(url), auto_link(url)
326
+ end
327
+
328
+ def test_autolink_with_trailing_amp_on_link
329
+ url = "http://www.rubyonrails.com/foo.cgi?trailing_ampersand=value&"
330
+ assert_equal generate_result(url), auto_link(url)
331
+ end
332
+
314
333
  def test_auto_link_does_not_timeout_when_parsing_odd_email_input
315
334
  inputs = %w(
316
335
  foo@...................................
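Review bot: `test_auto_link_with_malicious_attr` exercises only a double-quoted payload, so it pins the `"` exclusion added to the URL matcher but says nothing about a single-quoted one such as `'onmouseover='prompt()`, which the new character class appears to still absorb into the href. Whether that is harmful depends on attribute escaping in the helper, which this file does not show, so a sibling assertion with the `'` variant would document the intended boundary either way. The test also only covers input wrapped in `<p>`; an unwrapped `auto_link(combination)` case would show the behaviour does not hinge on the sanitizer seeing a tag. Style point: `Rails.version =~ /^3/` in the email test is a line-anchored regex for a prefix check; `Rails.version.start_with?("3")` states the intent directly.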
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_autolink
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.5
4
+ version: 1.1.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Aaron Patterson
@@ -10,20 +10,20 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2013-10-23 00:00:00.000000000 Z
13
+ date: 2014-06-08 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: rails
17
17
  requirement: !ruby/object:Gem::Requirement
18
18
  requirements:
19
- - - '>'
19
+ - - ">"
20
20
  - !ruby/object:Gem::Version
21
21
  version: '3.1'
22
22
  type: :runtime
23
23
  prerelease: false
24
24
  version_requirements: !ruby/object:Gem::Requirement
25
25
  requirements:
26
- - - '>'
26
+ - - ">"
27
27
  - !ruby/object:Gem::Version
28
28
  version: '3.1'
29
29
  description: This is an extraction of the `auto_link` method from rails. The `auto_link`
@@ -34,15 +34,15 @@ executables: []
34
34
  extensions: []
35
35
  extra_rdoc_files: []
36
36
  files:
37
- - lib/rails_autolink/helpers.rb
38
- - lib/rails_autolink/version.rb
39
- - lib/rails_autolink.rb
40
- - .autotest
41
- - .gitignore
37
+ - ".autotest"
38
+ - ".gitignore"
42
39
  - CHANGELOG.rdoc
43
40
  - Gemfile
44
41
  - README.rdoc
45
42
  - Rakefile
43
+ - lib/rails_autolink.rb
44
+ - lib/rails_autolink/helpers.rb
45
+ - lib/rails_autolink/version.rb
46
46
  - rails_autolink.gemspec
47
47
  - test/test_rails_autolink.rb
48
48
  homepage: https://github.com/tenderlove/rails_autolink
@@ -55,17 +55,17 @@ require_paths:
55
55
  - lib
56
56
  required_ruby_version: !ruby/object:Gem::Requirement
57
57
  requirements:
58
- - - '>='
58
+ - - ">="
59
59
  - !ruby/object:Gem::Version
60
60
  version: 1.9.3
61
61
  required_rubygems_version: !ruby/object:Gem::Requirement
62
62
  requirements:
63
- - - '>='
63
+ - - ">="
64
64
  - !ruby/object:Gem::Version
65
65
  version: '0'
66
66
  requirements: []
67
67
  rubyforge_project:
68
- rubygems_version: 2.1.5
68
+ rubygems_version: 2.2.2
69
69
  signing_key:
70
70
  specification_version: 4
71
71
  summary: Automatic generation of html links in texts