sanitize-rails 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bfbc2ae7c47122752b36bf9fd44265540afa1926
-  data.tar.gz: 4f1db27d08d573d55d58ae19dc93b97c5c3de292
+  metadata.gz: c819bce23ea04e1acd72e959589b2e0a4b509ba8
+  data.tar.gz: 9b3b305b20a916fa669c63b996a80661bc7fc214
 SHA512:
-  metadata.gz: 866afa7c09eaa6247abede68c7de213cfc8a8e744e4a7e5c078f70c8692c1fb3006e2fa560b23f31e617532b439c97c183a9482e6e68039ebcd634c4f0acb162
-  data.tar.gz: bbd0cbb0e5bd12ae42a8ff199098d13d8e81cf686c2c29fa10d9ccd332cb1c13b4a6b5ec412255515cbc211d42b6907e075a594d197dcf7a78781def3fdc7e6f
+  metadata.gz: bc5faf19b023736f41e095fc87159f10e02a0fb36b0d26040fd57cb48ea106cc10d4d3b93c0fd15a6f05eb6d88dbf3bd7803334035b97ae03d8a865fc7fcf789
+  data.tar.gz: 0dde098f9ef4b40c5572888862339fba2d9fa932531fed50e838e7b79f0e4149f94805b9c9a06a3b034ecea64068069fecd72b9ad3d4f8638e8216f122a6e353

data/lib/sanitize/rails.rb

@@ -3,12 +3,11 @@
 #
 # https://github.com/vjt/sanitize-rails
 #
-# (C) 2011-2014 vjt@openssl.it
+# (C) 2011-2015 vjt@openssl.it
 #
 # MIT License
 #
 require 'sanitize'
-require 'htmlentities'
 require 'sanitize/rails/railtie' if defined? Rails
 
 module Sanitize::Rails

data/lib/sanitize/rails/engine.rb

@@ -3,8 +3,36 @@ module Sanitize::Rails
   module Engine
     extend self
 
+    # Changes the Sanitizer configuration.
+    #
     def configure(config)
-      @@config = config.freeze
+      @_config = config.freeze
+      @_cleaner = nil
+    end
+
+    # Returns the current Sanitizer configuration. The configuration is built
+    # from Rails configuration, if defined, else Sanitize::Config::BASIC is
+    # used.
+    #
+    # FIXME: Remove this, as it is meant only not to break assumptions on old
+    # applications.
+    #
+    if defined?(::ActionView::Base) &&
+      ::ActionView::Base.respond_to?(:sanitized_allowed_tags) &&
+      ::ActionView::Base.sanitized_allowed_tags.respond_to?(:size) &&
+      ::ActionView::Base.sanitized_allowed_tags.size > 0
+
+      def config
+	@_config ||= {
+	  :elements => ::ActionView::Base.sanitized_allowed_tags.to_a,
+	  :attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a },
+	  :protocols  => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a }
+	}
+      end
+    else
+      def config
+	@_config ||= ::Sanitize::Config::BASIC
+      end
     end
 
     # Returns a memoized instance of the Engine with the
@@ -12,22 +40,7 @@ module Sanitize::Rails
     # the ActionView's default config
     #
     def cleaner
-      @@config ||= begin
-        {
-          :elements   => ::ActionView::Base.sanitized_allowed_tags.to_a,
-          :attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a},
-          :protocols  => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a },
-          :escape_entities => true
-        }
-      rescue
-        warn "ActionView not available, falling back to Sanitize's BASIC config"
-        ::Sanitize::Config::BASIC
-      end
-      @sanitizer ||= ::Sanitize.new(@@config)
-    end
-
-    def coder
-      @coder ||= HTMLEntities.new
+      @_cleaner ||= ::Sanitize.new(config)
     end
 
     # Returns a copy of the given `string` after sanitizing it and marking it
@@ -63,14 +76,8 @@ module Sanitize::Rails
 
     private
 
-    def escape_entities
-      @@config[:escape_entities].nil? ? true : @@config[:escape_entities]
-    end
-
     def cleaned_fragment(string)
-      result = cleaner.fragment(string)
-      result = coder.decode(result) unless escape_entities
-      result
+      cleaner.fragment(string)
     end
   end
 end

data/lib/sanitize/rails/version.rb

@@ -1,5 +1,5 @@
 class Sanitize
   module Rails
-    VERSION = '1.0.1'
+    VERSION = '1.1.0'
   end
 end

data/sanitize-rails.gemspec

@@ -17,7 +17,6 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
   s.files         = `git ls-files`.split("\n")
 
-  s.add_dependency "rails", ">= 3.0"
+  s.add_dependency "rails",    ">= 3.0"
   s.add_dependency "sanitize", "~> 3.0"
-  s.add_dependency "htmlentities", "~> 4.3.3"
 end

data/test/sanitize_rails_engine_test.rb

@@ -47,16 +47,14 @@ class SanitizeRailsEngineTest < Minitest::Test
     assert_instance_of ::ActiveSupport::SafeBuffer, new_string
   end
 
-  def test_clean_not_making_html_entities
-    string = %Q|<script>hello & world</script>|
-    @engine.configure(escape_entities: false)
+  def test_clean_not_producing_malicious_html_entities
+    string = %Q|&lt;script&gt;hello & world&lt;/script&gt;|
     @engine.clean! string
-    assert_equal string, "hello & world"
+    assert_equal string, "&lt;script&gt;hello &amp; world&lt;/script&gt;"
   end
 
   def test_clean_making_html_entities
     string = %Q|<script>hello & world</script>|
-    @engine.configure(escape_entities: true)
     @engine.clean! string
     assert_equal string, "hello &amp; world"
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sanitize-rails
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Marcello Barnaba
@@ -40,20 +40,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: htmlentities
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.3.3
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.3.3
 description: 
 email:
 - vjt@openssl.it