sanitize-rails 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +4 -0
- data/lib/sanitize/rails.rb +1 -0
- data/lib/sanitize/rails/engine.rb +20 -3
- data/lib/sanitize/rails/matchers.rb +33 -8
- data/lib/sanitize/rails/version.rb +1 -1
- data/sanitize-rails.gemspec +1 -0
- data/test/sanitize_rails_engine_test.rb +14 -0
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bfbc2ae7c47122752b36bf9fd44265540afa1926
|
|
4
|
+
data.tar.gz: 4f1db27d08d573d55d58ae19dc93b97c5c3de292
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 866afa7c09eaa6247abede68c7de213cfc8a8e744e4a7e5c078f70c8692c1fb3006e2fa560b23f31e617532b439c97c183a9482e6e68039ebcd634c4f0acb162
|
|
7
|
+
data.tar.gz: bbd0cbb0e5bd12ae42a8ff199098d13d8e81cf686c2c29fa10d9ccd332cb1c13b4a6b5ec412255515cbc211d42b6907e075a594d197dcf7a78781def3fdc7e6f
|
data/README.md
CHANGED
|
@@ -20,6 +20,10 @@ an initializer, say `config/initializers/sanitizer.rb`:
|
|
|
20
20
|
...
|
|
21
21
|
)
|
|
22
22
|
|
|
23
|
+
You may pass `escape_entities: false` if you don't want to escape
|
|
24
|
+
html entities. Example: `Hello & World` will not be changed to
|
|
25
|
+
`Hello & World`
|
|
26
|
+
|
|
23
27
|
Check out the [example][] in the `example/` directory.
|
|
24
28
|
|
|
25
29
|
## Usage
|
data/lib/sanitize/rails.rb
CHANGED
|
@@ -16,7 +16,8 @@ module Sanitize::Rails
|
|
|
16
16
|
{
|
|
17
17
|
:elements => ::ActionView::Base.sanitized_allowed_tags.to_a,
|
|
18
18
|
:attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a},
|
|
19
|
-
:protocols => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a }
|
|
19
|
+
:protocols => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a },
|
|
20
|
+
:escape_entities => true
|
|
20
21
|
}
|
|
21
22
|
rescue
|
|
22
23
|
warn "ActionView not available, falling back to Sanitize's BASIC config"
|
|
@@ -25,6 +26,10 @@ module Sanitize::Rails
|
|
|
25
26
|
@sanitizer ||= ::Sanitize.new(@@config)
|
|
26
27
|
end
|
|
27
28
|
|
|
29
|
+
def coder
|
|
30
|
+
@coder ||= HTMLEntities.new
|
|
31
|
+
end
|
|
32
|
+
|
|
28
33
|
# Returns a copy of the given `string` after sanitizing it and marking it
|
|
29
34
|
# as `html_safe`
|
|
30
35
|
#
|
|
@@ -32,14 +37,14 @@ module Sanitize::Rails
|
|
|
32
37
|
# means that text passed through `Sanitize::Rails::Engine.clean`
|
|
33
38
|
# will not be escaped by ActionView's XSS filtering utilities.
|
|
34
39
|
def clean(string)
|
|
35
|
-
::ActiveSupport::SafeBuffer.new
|
|
40
|
+
::ActiveSupport::SafeBuffer.new cleaned_fragment(string)
|
|
36
41
|
end
|
|
37
42
|
|
|
38
43
|
# Sanitizes the given `string` in place and does NOT mark it as `html_safe`
|
|
39
44
|
#
|
|
40
45
|
def clean!(string)
|
|
41
46
|
return '' if string.nil?
|
|
42
|
-
string.replace
|
|
47
|
+
string.replace cleaned_fragment(string)
|
|
43
48
|
end
|
|
44
49
|
|
|
45
50
|
def callback_for(options) #:nodoc:
|
|
@@ -55,5 +60,17 @@ module Sanitize::Rails
|
|
|
55
60
|
def method_for(fields) #:nodoc:
|
|
56
61
|
"sanitize_#{fields.join('_')}".intern
|
|
57
62
|
end
|
|
63
|
+
|
|
64
|
+
private
|
|
65
|
+
|
|
66
|
+
def escape_entities
|
|
67
|
+
@@config[:escape_entities].nil? ? true : @@config[:escape_entities]
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def cleaned_fragment(string)
|
|
71
|
+
result = cleaner.fragment(string)
|
|
72
|
+
result = coder.decode(result) unless escape_entities
|
|
73
|
+
result
|
|
74
|
+
end
|
|
58
75
|
end
|
|
59
76
|
end
|
|
@@ -24,11 +24,37 @@ module Sanitize::Rails::Matchers
|
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
-
#
|
|
27
|
+
# Syntactic sugar
|
|
28
28
|
alias_method :sanitize_fields, :sanitize_field
|
|
29
29
|
|
|
30
30
|
# Add matchers module to rspec configuration
|
|
31
|
-
RSpec.configure { |c| c.include(self) } if defined? RSpec and RSpec.respond_to?(:configure)
|
|
31
|
+
::RSpec.configure { |c| c.include(self) } if defined? ::RSpec and ::RSpec.respond_to?(:configure)
|
|
32
|
+
|
|
33
|
+
# RSpec 3 syntax
|
|
34
|
+
module RSpec3
|
|
35
|
+
|
|
36
|
+
def failure_message
|
|
37
|
+
"Expected #{should_helper} to return sanitized value '#{valid_value}', got '#{attribute_values}'"
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def failure_message_when_negated
|
|
41
|
+
"Expected #{field_helper} not to be sanitized"
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
# RSpec 2 syntax
|
|
47
|
+
module RSpec2
|
|
48
|
+
|
|
49
|
+
def failure_message_for_should
|
|
50
|
+
"Expected #{should_helper} to return sanitized value '#{valid_value}', got '#{attribute_values}'"
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def failure_message_for_should_not
|
|
54
|
+
"Expected #{field_helper} not to be sanitized"
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
end
|
|
32
58
|
|
|
33
59
|
# Actual matcher class
|
|
34
60
|
class SanitizeFieldsMatcher
|
|
@@ -65,12 +91,11 @@ module Sanitize::Rails::Matchers
|
|
|
65
91
|
fields.all? { |field| valid_value == instance.send(field) }
|
|
66
92
|
end
|
|
67
93
|
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
"Expected #{field_helper} not to be sanitized"
|
|
94
|
+
# Conditionally include RSpec modules according to loaded version
|
|
95
|
+
if defined? ::RSpec::Core::Version::STRING
|
|
96
|
+
include (::RSpec::Core::Version::STRING.split('.')[0] == '2') ? RSpec2 : RSpec3
|
|
97
|
+
else
|
|
98
|
+
raise 'RSpec version detection failed, are you using RSpec 2 or 3?'
|
|
74
99
|
end
|
|
75
100
|
|
|
76
101
|
def description
|
data/sanitize-rails.gemspec
CHANGED
|
@@ -47,6 +47,20 @@ class SanitizeRailsEngineTest < Minitest::Test
|
|
|
47
47
|
assert_instance_of ::ActiveSupport::SafeBuffer, new_string
|
|
48
48
|
end
|
|
49
49
|
|
|
50
|
+
def test_clean_not_making_html_entities
|
|
51
|
+
string = %Q|<script>hello & world</script>|
|
|
52
|
+
@engine.configure(escape_entities: false)
|
|
53
|
+
@engine.clean! string
|
|
54
|
+
assert_equal string, "hello & world"
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def test_clean_making_html_entities
|
|
58
|
+
string = %Q|<script>hello & world</script>|
|
|
59
|
+
@engine.configure(escape_entities: true)
|
|
60
|
+
@engine.clean! string
|
|
61
|
+
assert_equal string, "hello & world"
|
|
62
|
+
end
|
|
63
|
+
|
|
50
64
|
def test_clean_returns_blank_string_for_nil_input
|
|
51
65
|
assert_equal '', @engine.clean(nil)
|
|
52
66
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize-rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marcello Barnaba
|
|
@@ -40,6 +40,20 @@ dependencies:
|
|
|
40
40
|
- - "~>"
|
|
41
41
|
- !ruby/object:Gem::Version
|
|
42
42
|
version: '3.0'
|
|
43
|
+
- !ruby/object:Gem::Dependency
|
|
44
|
+
name: htmlentities
|
|
45
|
+
requirement: !ruby/object:Gem::Requirement
|
|
46
|
+
requirements:
|
|
47
|
+
- - "~>"
|
|
48
|
+
- !ruby/object:Gem::Version
|
|
49
|
+
version: 4.3.3
|
|
50
|
+
type: :runtime
|
|
51
|
+
prerelease: false
|
|
52
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
53
|
+
requirements:
|
|
54
|
+
- - "~>"
|
|
55
|
+
- !ruby/object:Gem::Version
|
|
56
|
+
version: 4.3.3
|
|
43
57
|
description:
|
|
44
58
|
email:
|
|
45
59
|
- vjt@openssl.it
|
|
@@ -89,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
89
103
|
version: '0'
|
|
90
104
|
requirements: []
|
|
91
105
|
rubyforge_project:
|
|
92
|
-
rubygems_version: 2.
|
|
106
|
+
rubygems_version: 2.4.5
|
|
93
107
|
signing_key:
|
|
94
108
|
specification_version: 4
|
|
95
109
|
summary: A sanitizer bridge for Rails applications
|