sanitize-url 0.1.2 → 0.1.3

@@ -26,7 +26,6 @@ This gem uses a whitelist approach, killing any schemes that aren't in the list.
26
26
  https://
27
27
  ftp://
28
28
  ftps://
29
- mailto://
30
29
  svn://
31
30
  svn+ssh://
32
31
  git://
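--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.2
+0.1.3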
@@ -13,6 +13,10 @@ module SanitizeUrl
13
13
 
14
14
  HTTP_STYLE_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'svn', 'svn+ssh', 'git'] # Common schemes whose format should be "scheme://" instead of "scheme:"
15
15
 
16
+ # Sanitize the URL. Example usage:
17
+ # sanitize_url('javascript:alert("XSS")')
18
+ # sanitize_url('javascript:alert("XSS")', :replace_evil_with => 'Replaced')
19
+ # sanitize_url('ftp://example.com', :schemes => ['http', 'https'])
16
20
  def sanitize_url(url, options = {})
17
21
  raise(ArgumentError, 'options[:schemes] must be an array') if options.has_key?(:schemes) and !options[:schemes].is_a?(Array)
18
22
  options = {
@@ -59,7 +63,7 @@ module SanitizeUrl
59
63
  end
60
64
  end
61
65
 
62
- if options[:schemes].include?(scheme.downcase)
66
+ if options[:schemes].collect { |s| s.to_s }.include?(scheme.downcase)
63
67
  if HTTP_STYLE_SCHEMES.include?(scheme.downcase) and !opaque.match(/^\/\//)
64
68
  # It's an HTTP-like scheme, but the two slashes are missing. We'll fix that as a courtesy.
65
69
  url = scheme + '://' + opaque
@@ -73,7 +77,7 @@ module SanitizeUrl
73
77
  end
74
78
  end
75
79
 
76
- def self.dereference_numerics(str)
80
+ def self.dereference_numerics(str) #:nodoc:
77
81
  # Decimal code points, e.g. j &#106 j &#0000106
78
82
  str = str.gsub(/&#([a-fA-f0-9]+);?/) do
79
83
  char_or_url_encoded($1.to_i)
@@ -87,7 +91,7 @@ module SanitizeUrl
87
91
  # Return either the literal char or the URL-encoded equivalent,
88
92
  # depending on our normalization rules. Requires a decimal
89
93
  # code point. Code point can be outside the single-byte range.
90
- def self.char_or_url_encoded(code)
94
+ def self.char_or_url_encoded(code) #:nodoc:
91
95
  if url_encode?(code)
92
96
  utf_8_str = ([code.to_i].pack('U'))
93
97
  '%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
@@ -98,7 +102,7 @@ module SanitizeUrl
98
102
 
99
103
  # Should we URL-encode the byte?
100
104
  # Must receive an integer code point
101
- def self.url_encode?(code)
105
+ def self.url_encode?(code) #:nodoc:
102
106
  !(
103
107
  (code >= 48 and code <= 57) or # Numbers
104
108
  (code >= 65 and code <= 90) or # Uppercase
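Review bot: The symbol-tolerant whitelist check added in the second hunk, `if options[:schemes].collect { |s| s.to_s }.include?(scheme.downcase)`, normalizes the caller's entries only with `to_s`, so a scheme supplied as `'HTTP'` or `:HTTPS` never matches the downcased parsed `scheme` and the URL is presumably handled as evil, while the `HTTP_STYLE_SCHEMES` comparison on the very next line is case-insensitive. Downcasing both sides keeps the whitelist consistent with the rest of the method: `if options[:schemes].map { |s| s.to_s.downcase }.include?(scheme.downcase)`. The conversion also runs on every call; computing the normalized list once where `options` is merged earlier in the method would avoid that. The enclosing `sanitize_url` starts and ends outside this hunk.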
@@ -5,7 +5,7 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = %q{sanitize-url}
8
- s.version = "0.1.2"
8
+ s.version = "0.1.3"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["jarrett"]
@@ -60,6 +60,11 @@ describe SanitizeUrl do
60
60
  sanitize_url(good_url, :schemes => ['http', 'https']).should == good_url
61
61
  end
62
62
  end
63
+
64
+ it 'works with schemes given as symbols' do
65
+ sanitize_url('ftp://example.com', :schemes => [:http, :https], :replace_evil_with => 'replaced').should == 'replaced'
66
+ sanitize_url('ftp://example.com', :schemes => [:http, :https, :ftp]).should == 'ftp://example.com'
67
+ end
63
68
  end
64
69
 
65
70
  it 'prepends http:// if no scheme is given' do
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize-url
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - jarrett