sanitize-url 0.1.2 → 0.1.3
- data/README.markdown +0 -1
- data/VERSION +1 -1
- data/lib/sanitize-url.rb +8 -4
- data/sanitize-url.gemspec +1 -1
- data/spec/sanitize_url_spec.rb +5 -0
- metadata +1 -1
data/README.markdown
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.3
|
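--- a/data/lib/sanitize-url.rb
+++ b/data/lib/sanitize-url.rb
@@ -13,6 +13,10 @@ module SanitizeUrl
 
 HTTP_STYLE_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'svn', 'svn+ssh', 'git'] # Common schemes whose format should be "scheme://" instead of "scheme:"
 
+# Sanitize the URL. Example usage:
+# sanitize_url('javascript:alert("XSS")')
+# sanitize_url('javascript:alert("XSS")', :replace_evil_with => 'Replaced')
+# sanitize_url('ftp://example.com', :schemes => ['http', 'https'])
 def sanitize_url(url, options = {})
 raise(ArgumentError, 'options[:schemes] must be an array') if options.has_key?(:schemes) and !options[:schemes].is_a?(Array)
 options = {
@@ -59,7 +63,7 @@ module SanitizeUrl
 end
 end
 
-if options[:schemes].include?(scheme.downcase)
+if options[:schemes].collect { |s| s.to_s }.include?(scheme.downcase)
 if HTTP_STYLE_SCHEMES.include?(scheme.downcase) and !opaque.match(/^\/\//)
 # It's an HTTP-like scheme, but the two slashes are missing. We'll fix that as a courtesy.
 url = scheme + '://' + opaque
@@ -73,7 +77,7 @@ module SanitizeUrl
 end
 end
 
-def self.dereference_numerics(str)
+def self.dereference_numerics(str) #:nodoc:
 # Decimal code points, e.g. j j j j
 str = str.gsub(/&#([a-fA-f0-9]+);?/) do
 char_or_url_encoded($1.to_i)
@@ -87,7 +91,7 @@ module SanitizeUrl
 # Return either the literal char or the URL-encoded equivalent,
 # depending on our normalization rules. Requires a decimal
 # code point. Code point can be outside the single-byte range.
-def self.char_or_url_encoded(code)
+def self.char_or_url_encoded(code) #:nodoc:
 if url_encode?(code)
 utf_8_str = ([code.to_i].pack('U'))
 '%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
@@ -98,7 +102,7 @@ module SanitizeUrl
 
 # Should we URL-encode the byte?
 # Must receive an integer code point
-def self.url_encode?(code)
+def self.url_encode?(code) #:nodoc:
 !(
 (code >= 48 and code <= 57) or # Numbers
 (code >= 65 and code <= 90) or # Uppercase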
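Review bot: The stringified allowlist on the new line 66 is compared against `scheme.downcase` without being downcased itself, so a caller passing `:HTTP` or `'Https'` in `:schemes` never matches and the URL is treated as evil; `s.to_s` fixes symbols but not case. Normalising with `options[:schemes].map { |s| s.to_s.downcase }.include?(scheme.downcase)` makes the check case-insensitive on both sides, and doing that normalisation once where the option defaults are merged (that code is outside this hunk) would also avoid rebuilding the array on every call. The body of `sanitize_url` starts and ends outside this hunk.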
data/sanitize-url.gemspec
CHANGED
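--- a/data/spec/sanitize_url_spec.rb
+++ b/data/spec/sanitize_url_spec.rb
@@ -60,6 +60,11 @@ describe SanitizeUrl do
 sanitize_url(good_url, :schemes => ['http', 'https']).should == good_url
 end
 end
+
+it 'works with schemes given as symbols' do
+sanitize_url('ftp://example.com', :schemes => [:http, :https], :replace_evil_with => 'replaced').should == 'replaced'
+sanitize_url('ftp://example.com', :schemes => [:http, :https, :ftp]).should == 'ftp://example.com'
+end
 end
 
 it 'prepends http:// if no scheme is given' do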