RubyGems - rinku - Versions diffs - 1.5.0 → 1.5.1 - Mend

rinku 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

data/ext/rinku/rinku.c CHANGED Viewed

@@ -77,6 +77,34 @@ autolink__print(struct buf *ob, const struct buf *link, void *payload)
 	bufput(ob, link->data, link->size);
 }
+/*
+ * Rinku assumes valid HTML encoding for all input, but there's still
+ * the case where a link can contain a double quote `"` that allows XSS.
+ *
+ * We need to properly escape the character we use for the `href` attribute
+ * declaration
+ */
+static void print_link(struct buf *ob, const char *link, size_t size)
+{
+	size_t i = 0, org;
+	while (i < size) {
+		org = i;
+		while (i < size && link[i] != '"')
+			i++;
+		if (i > org)
+			bufput(ob, link + org, i - org);
+		if (i >= size)
+			break;
+		BUFPUTSL(ob, "&quot;");
+		i++;
+	}
+}
 /* From sundown/html/html.c */
 static int
 html_is_tag(const uint8_t *tag_data, size_t tag_size, const char *tagname)
@@ -226,7 +254,7 @@ rinku_autolink(
 			bufput(ob, text + i, end - i - rewind);
 			bufputs(ob, g_hrefs[(int)action]);
-			bufput(ob, link->data, link->size);
+			print_link(ob, link->data, link->size);
 			if (link_attr) {
 				BUFPUTSL(ob, "\" ");

data/lib/rails_rinku.rb CHANGED Viewed

@@ -11,13 +11,15 @@ module RailsRinku
       options[:skip] = args[2]
     end
     options.reverse_merge!(:link => :all, :html => {})
-    text = text.html_safe unless text.html_safe?
+    text = h(text) unless text.html_safe?
-    Rinku.auto_link text,
+    Rinku.auto_link(
+      text,
       options[:link],
       tag_options(options[:html]),
       options[:skip],
       &block
+    ).html_safe
   end
 end

data/lib/rinku.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Rinku
-  VERSION = "1.2.2"
+  VERSION = "1.5.1"
   attr_accessor :skip_tags
   extend self
 end

data/rinku.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   s.name = 'rinku'
-  s.version = '1.5.0'
+  s.version = '1.5.1'
   s.summary = "Mostly autolinking"
   s.description = <<-EOF
     A fast and very smart autolinking library that

data/test/autolink_test.rb CHANGED Viewed

@@ -15,6 +15,11 @@ class RedcarpetAutolinkTest < Test::Unit::TestCase
     assert_equal expected, Rinku.auto_link(url)
   end
+  def test_escapes_quotes
+    assert_linked %(<a href="http://website.com/&quot;onmouseover=document.body.style.backgroundColor=&quot;pink&quot;;//">http://website.com/"onmouseover=document.body.style.backgroundColor="pink";//</a>),
+      %(http://website.com/"onmouseover=document.body.style.backgroundColor="pink";//)
+  end
   def test_global_skip_tags
     assert_equal Rinku.skip_tags, nil
     Rinku.skip_tags = ['pre']

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rinku
 version: !ruby/object:Gem::Version
-  hash: 3
+  hash: 1
   prerelease:
   segments:
   - 1
   - 5
-  - 0
-  version: 1.5.0
+  - 1
+  version: 1.5.1
 platform: ruby
 authors:
 - "Vicent Mart\xC3\xAD"
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-12-04 00:00:00 Z
+date: 2012-02-13 00:00:00 Z
 dependencies: []
 description: "    A fast and very smart autolinking library that\n    acts as a drop-in replacement for Rails `auto_link`\n"
@@ -69,7 +69,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.6
+rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Mostly autolinking