rinku 1.5.0 → 1.5.1
Sign up to get free protection for your applications and to get access to all the features.
- data/ext/rinku/rinku.c +29 -1
- data/lib/rails_rinku.rb +4 -2
- data/lib/rinku.rb +1 -1
- data/rinku.gemspec +1 -1
- data/test/autolink_test.rb +5 -0
- metadata +5 -5
data/ext/rinku/rinku.c
CHANGED
|
@@ -77,6 +77,34 @@ autolink__print(struct buf *ob, const struct buf *link, void *payload)
|
|
|
77
77
|
bufput(ob, link->data, link->size);
|
|
78
78
|
}
|
|
79
79
|
|
|
80
|
+
/*
|
|
81
|
+
* Rinku assumes valid HTML encoding for all input, but there's still
|
|
82
|
+
* the case where a link can contain a double quote `"` that allows XSS.
|
|
83
|
+
*
|
|
84
|
+
* We need to properly escape the character we use for the `href` attribute
|
|
85
|
+
* declaration
|
|
86
|
+
*/
|
|
87
|
+
static void print_link(struct buf *ob, const char *link, size_t size)
|
|
88
|
+
{
|
|
89
|
+
size_t i = 0, org;
|
|
90
|
+
|
|
91
|
+
while (i < size) {
|
|
92
|
+
org = i;
|
|
93
|
+
|
|
94
|
+
while (i < size && link[i] != '"')
|
|
95
|
+
i++;
|
|
96
|
+
|
|
97
|
+
if (i > org)
|
|
98
|
+
bufput(ob, link + org, i - org);
|
|
99
|
+
|
|
100
|
+
if (i >= size)
|
|
101
|
+
break;
|
|
102
|
+
|
|
103
|
+
BUFPUTSL(ob, """);
|
|
104
|
+
i++;
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
|
|
80
108
|
/* From sundown/html/html.c */
|
|
81
109
|
static int
|
|
82
110
|
html_is_tag(const uint8_t *tag_data, size_t tag_size, const char *tagname)
|
|
@@ -226,7 +254,7 @@ rinku_autolink(
|
|
|
226
254
|
bufput(ob, text + i, end - i - rewind);
|
|
227
255
|
|
|
228
256
|
bufputs(ob, g_hrefs[(int)action]);
|
|
229
|
-
|
|
257
|
+
print_link(ob, link->data, link->size);
|
|
230
258
|
|
|
231
259
|
if (link_attr) {
|
|
232
260
|
BUFPUTSL(ob, "\" ");
|
data/lib/rails_rinku.rb
CHANGED
|
@@ -11,13 +11,15 @@ module RailsRinku
|
|
|
11
11
|
options[:skip] = args[2]
|
|
12
12
|
end
|
|
13
13
|
options.reverse_merge!(:link => :all, :html => {})
|
|
14
|
-
text = text
|
|
14
|
+
text = h(text) unless text.html_safe?
|
|
15
15
|
|
|
16
|
-
Rinku.auto_link
|
|
16
|
+
Rinku.auto_link(
|
|
17
|
+
text,
|
|
17
18
|
options[:link],
|
|
18
19
|
tag_options(options[:html]),
|
|
19
20
|
options[:skip],
|
|
20
21
|
&block
|
|
22
|
+
).html_safe
|
|
21
23
|
end
|
|
22
24
|
end
|
|
23
25
|
|
data/lib/rinku.rb
CHANGED
data/rinku.gemspec
CHANGED
data/test/autolink_test.rb
CHANGED
|
@@ -15,6 +15,11 @@ class RedcarpetAutolinkTest < Test::Unit::TestCase
|
|
|
15
15
|
assert_equal expected, Rinku.auto_link(url)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
def test_escapes_quotes
|
|
19
|
+
assert_linked %(<a href="http://website.com/"onmouseover=document.body.style.backgroundColor="pink";//">http://website.com/"onmouseover=document.body.style.backgroundColor="pink";//</a>),
|
|
20
|
+
%(http://website.com/"onmouseover=document.body.style.backgroundColor="pink";//)
|
|
21
|
+
end
|
|
22
|
+
|
|
18
23
|
def test_global_skip_tags
|
|
19
24
|
assert_equal Rinku.skip_tags, nil
|
|
20
25
|
Rinku.skip_tags = ['pre']
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rinku
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 1
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 1
|
|
8
8
|
- 5
|
|
9
|
-
-
|
|
10
|
-
version: 1.5.
|
|
9
|
+
- 1
|
|
10
|
+
version: 1.5.1
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- "Vicent Mart\xC3\xAD"
|
|
@@ -15,7 +15,7 @@ autorequire:
|
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
17
|
|
|
18
|
-
date:
|
|
18
|
+
date: 2012-02-13 00:00:00 Z
|
|
19
19
|
dependencies: []
|
|
20
20
|
|
|
21
21
|
description: " A fast and very smart autolinking library that\n acts as a drop-in replacement for Rails `auto_link`\n"
|
|
@@ -69,7 +69,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
69
69
|
requirements: []
|
|
70
70
|
|
|
71
71
|
rubyforge_project:
|
|
72
|
-
rubygems_version: 1.8.
|
|
72
|
+
rubygems_version: 1.8.15
|
|
73
73
|
signing_key:
|
|
74
74
|
specification_version: 3
|
|
75
75
|
summary: Mostly autolinking
|