sanitize-url 0.1.1

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Jarrett Colby
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,67 @@
+sanitize-url
+============
+
+This gem provides a module called `SanitizeUrl`, which you can mix-in anywhere you like. It provides a single method: `sanitize_url`, which accepts a URL and returns one with JavaScript removed. It also prepends the `http://` scheme if no valid scheme is found.
+
+Why do you need this? Because attackers can sneak JavaScript into URLs, and some browsers may execute it. Say, for example, you have a web app that lets users post links. If you don't sanitize the URLs, you may have a cross-site-scripting vulnerability on your hands. More commonly, well-intentioned users will type URLs without prepending a protocol. If you render these URLs as-in your links, the browser will interpret them as links within your own site, e.g. `http://your-site.com/www.site-they-linked-to.com`.
+
+Rails mitigates some of the danger by automatically URL-encoding in the `link_to` helper, but this does not solve every problem. For example, it doesn't remove plain old `javascript:alert("xss")`, and URLs with numeric character references come out broken. This gem fixes those and other problems.
+
+Basic Usage
+===========
+
+	require 'rubygems'
+	require 'sanitize-url'
+	
+	include SanitizeUrl
+	
+	sanitize_url('www.example.com')
+
+Advanced
+========
+
+This gem uses a whitelist approach, killing any schemes that aren't in the list. This should block `javascript:` and `data:` URLs, both of which can be used for XSS. The default list of allowed schemes is:
+
+	http://
+	https://
+	ftp://
+	ftps://
+	mailto://
+	svn://
+	svn+ssh://
+	git://
+	mailto:
+
+You can pass in your own whitelist like this:
+
+	sanitize_url('http://example.com', :schemes => ['http', 'https'])
+
+If `sanitize_url` receives a URL with a forbidden scheme, it wipes out the entire URL and returns a blank string. You can override this behavior and have it return a string of your choosing like this:
+
+	sanitize_url('javascript:alert("XSS")', :replace_evil_with => 'my replacement')
+	# => 'my replacement'
+
+See the spec/sanitize_url_spec.rb for some examples of the how this gem transforms URLs.
+
+Installation
+============
+
+	gem install sanitize-url
+
+If that doesn't work, it's probably because the gem is hosted on Gemcutter, and your computer doesn't know about Gemcutter yet. To fix that:
+
+	gem install gemcutter
+	gem tumble
+
+Bug Reports
+===========
+
+Since this is a security-related gem, you'll rack up mad karma by reporting a bug. If you find a way to sneak executable JavaScript (or any other form of evil) past the filter, please send me a message on GitHub:
+
+http://github.com/inbox/new/jarrett
+
+For most projects, I prefer that people use GitHub's issue tracker. But given the sensitive nature of security vulnerabilities, I prefer private messages for this one.
+
+== Copyright
+
+Copyright (c) 2010 Jarrett Colby. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "sanitize-url"
+    gem.summary = %Q{Sanitizes untrusted URLs}
+    gem.description = %Q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
+    gem.email = "jarrett@uchicago.edu"
+    gem.homepage = "http://github.com/jarrett/sanitize-url"
+    gem.authors = ["jarrett"]
+    gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "sanitize-url #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.1

data/lib/sanitize-url.rb

@@ -0,0 +1,109 @@
+# Helper methods in this module are module methods so that they won't
+# pollute the namespace into which the module is mixed in.
+module SanitizeUrl
+	ALPHANUMERIC_CHAR_CODES = (48..57).to_a + (65..90).to_a + (97..122).to_a
+	
+	VALID_OPAQUE_SPECIAL_CHARS = ['!', '*', "'", '(', ')', ';', ':', '@', '&', '=', '+', '$', ',', '/', '?', '%', '#', '[', ']', '-', '_', '.', '~']
+	VALID_OPAQUE_SPECIAL_CHAR_CODES = VALID_OPAQUE_SPECIAL_CHARS.collect { |c| c[0] }
+	VALID_OPAQUE_CHAR_CODES = ALPHANUMERIC_CHAR_CODES + VALID_OPAQUE_SPECIAL_CHAR_CODES
+	
+	VALID_SCHEME_SPECIAL_CHARS = ['+', '.', '-']
+	VALID_SCHEME_SPECIAL_CHAR_CODES = VALID_SCHEME_SPECIAL_CHARS.collect { |c| c[0] }
+	VALID_SCHEME_CHAR_CODES = ALPHANUMERIC_CHAR_CODES + VALID_SCHEME_SPECIAL_CHAR_CODES
+	
+	HTTP_STYLE_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'svn', 'svn+ssh', 'git'] # Common schemes whose format should be "scheme://" instead of "scheme:"
+	
+	def sanitize_url(url, options = {})
+		raise(ArgumentError, 'options[:schemes] must be an array') if options.has_key?(:schemes) and !options[:schemes].is_a?(Array)
+		options = {
+			:replace_evil_with => '',
+			:schemes => ['http', 'https', 'ftp', 'ftps', 'mailto', 'svn', 'svn+ssh', 'git']
+		}.merge(options)
+		
+		url = SanitizeUrl.dereference_numerics(url)
+		
+		# Schemes can consist of letters, digits, or any of the following special chars: + . -
+		# The scheme must begin with a letter and be terminated by a colon.
+		# Everything after the scheme is opaque for our purposes. (See http://www.w3.org/DesignIssues/Axioms.html#opaque)
+		
+		# Try to match a URI with a scheme. We check for percent-encoded characters in the scheme.
+		url.match(/^(.+?)(:|%3A)(.*)$/)
+		dirty_scheme = $1
+		if dirty_scheme
+			unescaped_opaque = $3
+			return options[:replace_evil_with] if unescaped_opaque.nil? or unescaped_opaque.empty? or unescaped_opaque.match(/^\/+$/)
+		else
+			# Use http as the best guest, and the rest of the URL will be considered opaque
+			dirty_scheme = 'http'
+			unescaped_opaque = url
+		end
+		# Remove URL encoding from the scheme
+		dirty_scheme.gsub!(/%([a-zA-Z0-9]{2})/) do
+			code = $1.to_i(16)
+			VALID_SCHEME_CHAR_CODES.include?(code) ? code.chr : ''
+		end
+		
+		# Clean the scheme by removing invalid characters
+		scheme = ''
+		dirty_scheme.each_byte do |code|
+			scheme << code.chr if VALID_SCHEME_CHAR_CODES.include?(code)
+		end
+		
+		# URL-encode the opaque portion as necessary. Only encode those bytes that are absolutely not allowed in URLs.
+		opaque = ''
+		unescaped_opaque.each_byte do |code|
+			if SanitizeUrl.url_encode?(code)
+				opaque << '%' << code.to_s(16).upcase
+			else
+				opaque << code.chr
+			end
+		end
+		
+		if options[:schemes].include?(scheme.downcase)
+			if HTTP_STYLE_SCHEMES.include?(scheme.downcase) and !opaque.match(/^\/\//)
+				# It's an HTTP-like scheme, but the two slashes are missing. We'll fix that as a courtesy.
+				url = scheme + '://' + opaque
+			else
+				# Either the scheme doesn't need the two slashes, or the opaque portion already has them.
+				url = scheme + ':' + opaque
+			end
+			return url
+		else
+			return options[:replace_evil_with]
+		end
+	end	
+	
+	def self.dereference_numerics(str)
+		# Decimal code points, e.g. &#106; &#106 &#0000106; &#0000106
+		str = str.gsub(/&#([a-fA-f0-9]+);?/) do
+			char_or_url_encoded($1.to_i)
+		end
+		# Hex code points, e.g. &#x6A; &#x6A
+		str.gsub(/&#[xX]([a-fA-f0-9]+);?/) do
+			char_or_url_encoded($1.to_i(16))
+		end		
+	end
+	
+	# Return either the literal char or the URL-encoded equivalent,
+	# depending on our normalization rules. Requires a decimal
+	# code point. Code point can be outside the single-byte range.
+	def self.char_or_url_encoded(code)
+		if url_encode?(code)
+			utf_8_str = ([code.to_i].pack('U'))
+			'%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
+		else
+			code.chr
+		end
+	end
+	
+	# Should we URL-encode the byte?
+	# Must receive an integer code point
+	def self.url_encode?(code)
+		!(
+			(code >= 48 and code <= 57)  or   # Numbers
+			(code >= 65 and code <= 90)  or   # Uppercase
+			(code >= 97 and code <= 122) or   # Lowercase
+			VALID_OPAQUE_CHAR_CODES.include?(code)
+		)
+	end
+end

data/sanitize-url.gemspec

@@ -0,0 +1,55 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{sanitize-url}
+  s.version = "0.1.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["jarrett"]
+  s.date = %q{2010-02-25}
+  s.description = %q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
+  s.email = %q{jarrett@uchicago.edu}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.markdown"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.markdown",
+     "Rakefile",
+     "VERSION",
+     "lib/sanitize-url.rb",
+     "sanitize-url.gemspec",
+     "spec/sanitize_url_spec.rb",
+     "spec/spec_helper.rb",
+     "test.rb"
+  ]
+  s.homepage = %q{http://github.com/jarrett/sanitize-url}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Sanitizes untrusted URLs}
+  s.test_files = [
+    "spec/sanitize_url_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+    else
+      s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+  end
+end
+

data/spec/sanitize_url_spec.rb

@@ -0,0 +1,164 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe SanitizeUrl do
+	include SanitizeUrl
+	
+	describe '#sanitize_url' do
+		it 'replaces JavaScript URLs with options[:replace_evil_with]' do
+			urls = [
+				'javascript:alert("1");',
+				'javascript//:alert("2");',
+				'javascript://alert("3");',
+				'javascript/:/alert("4");',
+				'j a v a script:alert("5");',
+				' javascript:alert("6");',
+				'JavaScript:alert("7");',
+				"java\nscript:alert(\"8\");",
+				"java\rscript:alert(\"9\");"
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		it 'replaces data: URLs with options[:replace_evil_with]' do
+			urls = [
+				'data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+',
+				'data://text/html;base64,PHNjcmlwdD5hbGVydCgnMicpPC9zY3JpcHQ+',
+				'data//:text/html;base64,PHNjcmlwdD5hbGVydCgnMycpPC9zY3JpcHQ+',
+				'data/:/text/html;base64,PHNjcmlwdD5hbGVydCgnNCcpPC9zY3JpcHQ+',
+				' data:text/html;base64,PHNjcmlwdD5hbGVydCgnNScpPC9zY3JpcHQ+',
+				'da ta:text/html;base64,PHNjcmlwdD5hbGVydCgnNicpPC9zY3JpcHQ+',
+				'Data:text/html;base64,PHNjcmlwdD5hbGVydCgnNycpPC9zY3JpcHQ+',
+				"da\nta:text/html;base64,PHNjcmlwdD5hbGVydCgnOCcpPC9zY3JpcHQ+",
+				"da\rta:text/html;base64,PHNjcmlwdD5hbGVydCgnOScpPC9zY3JpcHQ+",
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		context 'with :schemes whitelist' do
+			it 'kills anything not on the list' do
+				[
+					'https://example.com',
+					'https:example.com',
+					'ftp://example.com',
+					'ftp:example.com',
+					'data://example.com',
+					'data:example.com',
+					'javascript://example.com',
+					'javascript:example.com',
+				].each do |evil_url|
+					sanitize_url(evil_url, :schemes => ['http'], :replace_evil_with => 'replaced')
+				end
+			end
+			
+			it 'allows anything on the list' do
+				[
+					'http://example.com',
+					'https://example.com'
+				].each do |good_url|
+					sanitize_url(good_url, :schemes => ['http', 'https']).should == good_url
+				end
+			end
+		end
+		
+		it 'prepends http:// if no scheme is given' do
+			sanitize_url('www.example.com').should == 'http://www.example.com'
+		end
+		
+		it 'replaces evil URLs that are encoded with Unicode numerical character references' do
+			[
+				'javascript:alert('1')',
+				'javascript:alert('2')'
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		it 'replaces evil URLs that are URL-encoded (hex with %)' do
+			sanitize_url('%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+		
+		it 'does not try to fix broken schemes after the start of the string' do
+			sanitize_url('http://example.com/http/foo').should == 'http://example.com/http/foo'
+		end
+		
+		it 'does not prepend an extra http:// if a valid scheme is given' do
+			sanitize_url('http://www.example.com').should == 'http://www.example.com'
+			sanitize_url('https://www.example.com').should == 'https://www.example.com'
+			sanitize_url('ftp://www.example.com').should == 'ftp://www.example.com'
+		end
+		
+		it 'dereferences URL-encoded characters in the scheme' do
+			sanitize_url('h%74tp://example.com').should == 'http://example.com'
+		end
+		
+		it 'dereferences decimal numeric character references in the scheme' do
+			sanitize_url('http://example.com').should == 'http://example.com'
+		end
+		
+		it 'dereferences hex numeric character references in the scheme' do
+			sanitize_url('http://example.com').should == 'http://example.com'
+		end
+		
+		it 'retains URL-encoded characters in the opaque portion' do
+			sanitize_url('http://someone%40gmail.com:password@example.com').should == 'http://someone%40gmail.com:password@example.com'
+		end
+		
+		it 'URL-encodes code points outside ASCII' do
+			# Percent-encoding should be in UTF-8 (RFC 3986).
+			# http://en.wikipedia.org/wiki/Percent-encoding#Current_standard
+			sanitize_url('http://Д').should == 'http://%D0%94'
+			sanitize_url('http://Д').should == 'http://%D0%94'
+			sanitize_url("http://\xD0\x94").should == 'http://%D0%94' # UTF-8 version of the same.
+		end
+		
+		it 'replaces URLs without the opaque portion' do
+			sanitize_url('http://', :replace_evil_with => 'replaced').should == 'replaced'
+			sanitize_url('mailto:', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+		
+		it 'adds the two slashes for known schemes that require it' do
+			sanitize_url('http:example.com').should == 'http://example.com'
+			sanitize_url('ftp:example.com').should == 'ftp://example.com'
+			sanitize_url('svn+ssh:example.com').should == 'svn+ssh://example.com'
+		end
+		
+		it 'does not add slashes for schemes that do not require it' do
+			sanitize_url('mailto:someone@example.com').should == 'mailto:someone@example.com'
+		end
+		
+		it 'strips invalid characters from the scheme and then evaluates the scheme according to the normal rules' do
+			sanitize_url("ht\xD0\x94tp://example.com").should == 'http://example.com'
+			sanitize_url('htt$p://example.com').should == 'http://example.com'
+			sanitize_url('j%avascript:alert("XSS")', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+	end
+		
+	
+	describe '.dereference_numerics' do				
+		it 'decodes short-form decimal UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes short-form decimal UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#106').should == 'j'
+		end
+		
+		it 'decodes long-form decimal UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes long-form decimal UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#0000106').should == 'j'
+		end
+		
+		it 'decodes hex UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes hex UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#x6A').should == 'j'
+		end
+	end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'test/unit'
+require 'spec'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'sanitize-url'

data/test.rb

@@ -0,0 +1,16 @@
+# Copyright sign
+
+#def decimal_code_point_to_url_encoded(code_point)
+#	utf_8_str = ([code_point.to_i].pack('U'))
+#	'%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
+#end
+
+hex_code_point = 'A9'
+decimal_code_point = '169'
+hex_utf_8_bytes = '%C2%A9'
+
+#puts 'Expected: ' + hex_utf_8_bytes
+#puts 'Actual:   ' + decimal_code_point_to_url_encoded(decimal_code_point)
+
+evil = 'javascript:alert("XSS")'
+puts evil.unpack('H2' * evil.length).join('%').upcase

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification 
+name: sanitize-url
+version: !ruby/object:Gem::Version 
+  version: 0.1.1
+platform: ruby
+authors: 
+- jarrett
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-02-25 00:00:00 -06:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: thoughtbot-shoulda
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: "This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found."
+email: jarrett@uchicago.edu
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.markdown
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.markdown
+- Rakefile
+- VERSION
+- lib/sanitize-url.rb
+- sanitize-url.gemspec
+- spec/sanitize_url_spec.rb
+- spec/spec_helper.rb
+- test.rb
+has_rdoc: true
+homepage: http://github.com/jarrett/sanitize-url
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Sanitizes untrusted URLs
+test_files: 
+- spec/sanitize_url_spec.rb
+- spec/spec_helper.rb