sanitize-url 0.1.3 → 0.1.4

data/.document

@@ -1,5 +1,5 @@
-README.rdoc
-lib/**/*.rb
-bin/*
-features/**/*.feature
-LICENSE
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -1,21 +1,21 @@
-## MAC OS
-.DS_Store
-
-## TEXTMATE
-*.tmproj
-tmtags
-
-## EMACS
-*~
-\#*
-.\#*
-
-## VIM
-*.swp
-
-## PROJECT::GENERAL
-coverage
-rdoc
-pkg
-
-## PROJECT::SPECIFIC
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -1,20 +1,20 @@
-Copyright (c) 2009 Jarrett Colby
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Copyright (c) 2009 Jarrett Colby
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -1,53 +1,53 @@
-require 'rubygems'
-require 'rake'
-
-begin
-  require 'jeweler'
-  Jeweler::Tasks.new do |gem|
-    gem.name = "sanitize-url"
-    gem.summary = %Q{Sanitizes untrusted URLs}
-    gem.description = %Q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
-    gem.email = "jarrett@uchicago.edu"
-    gem.homepage = "http://github.com/jarrett/sanitize-url"
-    gem.authors = ["jarrett"]
-    gem.add_development_dependency "rspec", ">= 1.3.0"
-    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
-  end
-  Jeweler::GemcutterTasks.new
-rescue LoadError
-  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
-end
-
-require 'rake/testtask'
-Rake::TestTask.new(:test) do |test|
-  test.libs << 'lib' << 'test'
-  test.pattern = 'test/**/test_*.rb'
-  test.verbose = true
-end
-
-begin
-  require 'rcov/rcovtask'
-  Rcov::RcovTask.new do |test|
-    test.libs << 'test'
-    test.pattern = 'test/**/test_*.rb'
-    test.verbose = true
-  end
-rescue LoadError
-  task :rcov do
-    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
-  end
-end
-
-task :test => :check_dependencies
-
-task :default => :test
-
-require 'rake/rdoctask'
-Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
-
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title = "sanitize-url #{version}"
-  rdoc.rdoc_files.include('README*')
-  rdoc.rdoc_files.include('lib/**/*.rb')
-end
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "sanitize-url"
+    gem.summary = %Q{Sanitizes untrusted URLs}
+    gem.description = %Q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
+    gem.email = "jarrett@uchicago.edu"
+    gem.homepage = "http://github.com/jarrett/sanitize-url"
+    gem.authors = ["jarrett"]
+    gem.add_development_dependency "rspec", ">= 1.3.0"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "sanitize-url #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -1 +1 @@
-0.1.3
+0.1.4

data/lib/sanitize-url.rb

@@ -4,11 +4,11 @@ module SanitizeUrl
 	ALPHANUMERIC_CHAR_CODES = (48..57).to_a + (65..90).to_a + (97..122).to_a
 	
 	VALID_OPAQUE_SPECIAL_CHARS = ['!', '*', "'", '(', ')', ';', ':', '@', '&', '=', '+', '$', ',', '/', '?', '%', '#', '[', ']', '-', '_', '.', '~']
-	VALID_OPAQUE_SPECIAL_CHAR_CODES = VALID_OPAQUE_SPECIAL_CHARS.collect { |c| c[0] }
+	VALID_OPAQUE_SPECIAL_CHAR_CODES = VALID_OPAQUE_SPECIAL_CHARS.collect { |c| c[0].is_a?(String) ? c.ord : c[0] }
 	VALID_OPAQUE_CHAR_CODES = ALPHANUMERIC_CHAR_CODES + VALID_OPAQUE_SPECIAL_CHAR_CODES
 	
 	VALID_SCHEME_SPECIAL_CHARS = ['+', '.', '-']
-	VALID_SCHEME_SPECIAL_CHAR_CODES = VALID_SCHEME_SPECIAL_CHARS.collect { |c| c[0] }
+	VALID_SCHEME_SPECIAL_CHAR_CODES = VALID_SCHEME_SPECIAL_CHARS.collect { |c| c[0].is_a?(String) ? c.ord : c[0] }
 	VALID_SCHEME_CHAR_CODES = ALPHANUMERIC_CHAR_CODES + VALID_SCHEME_SPECIAL_CHAR_CODES
 	
 	HTTP_STYLE_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'svn', 'svn+ssh', 'git'] # Common schemes whose format should be "scheme://" instead of "scheme:"
@@ -94,7 +94,8 @@ module SanitizeUrl
 	def self.char_or_url_encoded(code) #:nodoc:
 		if url_encode?(code)
 			utf_8_str = ([code.to_i].pack('U'))
-			'%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
+			length = utf_8_str.respond_to?(:bytes) ? utf_8_str.bytes.to_a.length : utf_8_str.length
+			'%' + utf_8_str.unpack('H2' * length).join('%').upcase
 		else
 			code.chr
 		end

data/sanitize-url.gemspec

@@ -1,55 +1,57 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in rakefile, and run the gemspec command
-# -*- encoding: utf-8 -*-
-
-Gem::Specification.new do |s|
-  s.name = %q{sanitize-url}
-  s.version = "0.1.3"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["jarrett"]
-  s.date = %q{2010-02-25}
-  s.description = %q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
-  s.email = %q{jarrett@uchicago.edu}
-  s.extra_rdoc_files = [
-    "LICENSE",
-     "README.markdown"
-  ]
-  s.files = [
-    ".document",
-     ".gitignore",
-     "LICENSE",
-     "README.markdown",
-     "Rakefile",
-     "VERSION",
-     "lib/sanitize-url.rb",
-     "sanitize-url.gemspec",
-     "spec/sanitize_url_spec.rb",
-     "spec/spec_helper.rb",
-     "test.rb"
-  ]
-  s.homepage = %q{http://github.com/jarrett/sanitize-url}
-  s.rdoc_options = ["--charset=UTF-8"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
-  s.summary = %q{Sanitizes untrusted URLs}
-  s.test_files = [
-    "spec/sanitize_url_spec.rb",
-     "spec/spec_helper.rb"
-  ]
-
-  if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-    s.specification_version = 3
-
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_development_dependency(%q<rspec>, [">= 1.3.0"])
-    else
-      s.add_dependency(%q<rspec>, [">= 1.3.0"])
-    end
-  else
-    s.add_dependency(%q<rspec>, [">= 1.3.0"])
-  end
-end
-
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{sanitize-url}
+  s.version = "0.1.4"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["jarrett"]
+  s.date = %q{2010-03-21}
+  s.description = %q{This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found.}
+  s.email = %q{jarrett@uchicago.edu}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.markdown"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.markdown",
+     "Rakefile",
+     "VERSION",
+     "lib/sanitize-url.rb",
+     "sanitize-url.gemspec",
+     "spec/char_codes_spec.rb",
+     "spec/sanitize_url_spec.rb",
+     "spec/spec_helper.rb",
+     "test.rb"
+  ]
+  s.homepage = %q{http://github.com/jarrett/sanitize-url}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.6}
+  s.summary = %q{Sanitizes untrusted URLs}
+  s.test_files = [
+    "spec/char_codes_spec.rb",
+     "spec/sanitize_url_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rspec>, [">= 1.3.0"])
+    else
+      s.add_dependency(%q<rspec>, [">= 1.3.0"])
+    end
+  else
+    s.add_dependency(%q<rspec>, [">= 1.3.0"])
+  end
+end
+

data/spec/char_codes_spec.rb

@@ -0,0 +1,32 @@
+	require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+	
+	describe 'Char codes' do
+		it 'counts a number as being in the range 48-57' do
+			(0..9).each do |num|
+				c = num.to_s
+				code = c[0].is_a?(String) ? c.ord : c[0]
+				code.should == 48 + num
+			end
+		end
+		
+		it 'counts an uppercase letter as being in the range 65-90' do
+			('A'..'Z').each_with_index do |c, offset|
+				code = c[0].is_a?(String) ? c.ord : c[0]
+				code.should == 65 + offset
+			end
+		end
+		
+		it 'counts a lowercase letter as being in the range 97-122' do
+			('a'..'z').each_with_index do |c, offset|
+				code = c[0].is_a?(String) ? c.ord : c[0]
+				code.should == 97 + offset
+			end
+		end
+		
+		['!', '*', "'", '(', ')', ';', ':', '@', '&', '=', '+', '$', ',', '/', '?', '%', '#', '[', ']', '-', '_', '.', '~'].each do |c|
+			it "counts #{c} as included in VALID_OPAQUE_CHAR_CODES" do
+				code = c[0].is_a?(String) ? c.ord : c[0]
+				SanitizeUrl::VALID_OPAQUE_CHAR_CODES.should include(code)
+			end
+		end
+	end

data/spec/sanitize_url_spec.rb

@@ -1,169 +1,169 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-
-describe SanitizeUrl do
-	include SanitizeUrl
-	
-	describe '#sanitize_url' do
-		it 'replaces JavaScript URLs with options[:replace_evil_with]' do
-			urls = [
-				'javascript:alert("1");',
-				'javascript//:alert("2");',
-				'javascript://alert("3");',
-				'javascript/:/alert("4");',
-				'j a v a script:alert("5");',
-				' javascript:alert("6");',
-				'JavaScript:alert("7");',
-				"java\nscript:alert(\"8\");",
-				"java\rscript:alert(\"9\");"
-			].each do |evil_url|
-				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
-			end
-		end
-		
-		it 'replaces data: URLs with options[:replace_evil_with]' do
-			urls = [
-				'data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+',
-				'data://text/html;base64,PHNjcmlwdD5hbGVydCgnMicpPC9zY3JpcHQ+',
-				'data//:text/html;base64,PHNjcmlwdD5hbGVydCgnMycpPC9zY3JpcHQ+',
-				'data/:/text/html;base64,PHNjcmlwdD5hbGVydCgnNCcpPC9zY3JpcHQ+',
-				' data:text/html;base64,PHNjcmlwdD5hbGVydCgnNScpPC9zY3JpcHQ+',
-				'da ta:text/html;base64,PHNjcmlwdD5hbGVydCgnNicpPC9zY3JpcHQ+',
-				'Data:text/html;base64,PHNjcmlwdD5hbGVydCgnNycpPC9zY3JpcHQ+',
-				"da\nta:text/html;base64,PHNjcmlwdD5hbGVydCgnOCcpPC9zY3JpcHQ+",
-				"da\rta:text/html;base64,PHNjcmlwdD5hbGVydCgnOScpPC9zY3JpcHQ+",
-			].each do |evil_url|
-				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
-			end
-		end
-		
-		context 'with :schemes whitelist' do
-			it 'kills anything not on the list' do
-				[
-					'https://example.com',
-					'https:example.com',
-					'ftp://example.com',
-					'ftp:example.com',
-					'data://example.com',
-					'data:example.com',
-					'javascript://example.com',
-					'javascript:example.com',
-				].each do |evil_url|
-					sanitize_url(evil_url, :schemes => ['http'], :replace_evil_with => 'replaced')
-				end
-			end
-			
-			it 'allows anything on the list' do
-				[
-					'http://example.com',
-					'https://example.com'
-				].each do |good_url|
-					sanitize_url(good_url, :schemes => ['http', 'https']).should == good_url
-				end
-			end
-			
-			it 'works with schemes given as symbols' do
-				sanitize_url('ftp://example.com', :schemes => [:http, :https], :replace_evil_with => 'replaced').should == 'replaced'
-				sanitize_url('ftp://example.com', :schemes => [:http, :https, :ftp]).should == 'ftp://example.com'
-			end
-		end
-		
-		it 'prepends http:// if no scheme is given' do
-			sanitize_url('www.example.com').should == 'http://www.example.com'
-		end
-		
-		it 'replaces evil URLs that are encoded with Unicode numerical character references' do
-			[
-				'javascript:alert('1')',
-				'javascript:alert('2')'
-			].each do |evil_url|
-				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
-			end
-		end
-		
-		it 'replaces evil URLs that are URL-encoded (hex with %)' do
-			sanitize_url('%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29', :replace_evil_with => 'replaced').should == 'replaced'
-		end
-		
-		it 'does not try to fix broken schemes after the start of the string' do
-			sanitize_url('http://example.com/http/foo').should == 'http://example.com/http/foo'
-		end
-		
-		it 'does not prepend an extra http:// if a valid scheme is given' do
-			sanitize_url('http://www.example.com').should == 'http://www.example.com'
-			sanitize_url('https://www.example.com').should == 'https://www.example.com'
-			sanitize_url('ftp://www.example.com').should == 'ftp://www.example.com'
-		end
-		
-		it 'dereferences URL-encoded characters in the scheme' do
-			sanitize_url('h%74tp://example.com').should == 'http://example.com'
-		end
-		
-		it 'dereferences decimal numeric character references in the scheme' do
-			sanitize_url('http://example.com').should == 'http://example.com'
-		end
-		
-		it 'dereferences hex numeric character references in the scheme' do
-			sanitize_url('http://example.com').should == 'http://example.com'
-		end
-		
-		it 'retains URL-encoded characters in the opaque portion' do
-			sanitize_url('http://someone%40gmail.com:password@example.com').should == 'http://someone%40gmail.com:password@example.com'
-		end
-		
-		it 'URL-encodes code points outside ASCII' do
-			# Percent-encoding should be in UTF-8 (RFC 3986).
-			# http://en.wikipedia.org/wiki/Percent-encoding#Current_standard
-			sanitize_url('http://Д').should == 'http://%D0%94'
-			sanitize_url('http://Д').should == 'http://%D0%94'
-			sanitize_url("http://\xD0\x94").should == 'http://%D0%94' # UTF-8 version of the same.
-		end
-		
-		it 'replaces URLs without the opaque portion' do
-			sanitize_url('http://', :replace_evil_with => 'replaced').should == 'replaced'
-			sanitize_url('mailto:', :replace_evil_with => 'replaced').should == 'replaced'
-		end
-		
-		it 'adds the two slashes for known schemes that require it' do
-			sanitize_url('http:example.com').should == 'http://example.com'
-			sanitize_url('ftp:example.com').should == 'ftp://example.com'
-			sanitize_url('svn+ssh:example.com').should == 'svn+ssh://example.com'
-		end
-		
-		it 'does not add slashes for schemes that do not require it' do
-			sanitize_url('mailto:someone@example.com').should == 'mailto:someone@example.com'
-		end
-		
-		it 'strips invalid characters from the scheme and then evaluates the scheme according to the normal rules' do
-			sanitize_url("ht\xD0\x94tp://example.com").should == 'http://example.com'
-			sanitize_url('htt$p://example.com').should == 'http://example.com'
-			sanitize_url('j%avascript:alert("XSS")', :replace_evil_with => 'replaced').should == 'replaced'
-		end
-	end
-		
-	
-	describe '.dereference_numerics' do				
-		it 'decodes short-form decimal UTF-8 character references with a semicolon' do
-			SanitizeUrl.dereference_numerics('j').should == 'j'
-		end
-		
-		it 'decodes short-form decimal UTF-8 character references without a semicolon' do
-			SanitizeUrl.dereference_numerics('&#106').should == 'j'
-		end
-		
-		it 'decodes long-form decimal UTF-8 character references with a semicolon' do
-			SanitizeUrl.dereference_numerics('j').should == 'j'
-		end
-		
-		it 'decodes long-form decimal UTF-8 character references without a semicolon' do
-			SanitizeUrl.dereference_numerics('&#0000106').should == 'j'
-		end
-		
-		it 'decodes hex UTF-8 character references with a semicolon' do
-			SanitizeUrl.dereference_numerics('j').should == 'j'
-		end
-		
-		it 'decodes hex UTF-8 character references without a semicolon' do
-			SanitizeUrl.dereference_numerics('&#x6A').should == 'j'
-		end
-	end
-end
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe SanitizeUrl do
+	include SanitizeUrl
+	
+	describe '#sanitize_url' do
+		it 'replaces JavaScript URLs with options[:replace_evil_with]' do
+			urls = [
+				'javascript:alert("1");',
+				'javascript//:alert("2");',
+				'javascript://alert("3");',
+				'javascript/:/alert("4");',
+				'j a v a script:alert("5");',
+				' javascript:alert("6");',
+				'JavaScript:alert("7");',
+				"java\nscript:alert(\"8\");",
+				"java\rscript:alert(\"9\");"
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		it 'replaces data: URLs with options[:replace_evil_with]' do
+			urls = [
+				'data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+',
+				'data://text/html;base64,PHNjcmlwdD5hbGVydCgnMicpPC9zY3JpcHQ+',
+				'data//:text/html;base64,PHNjcmlwdD5hbGVydCgnMycpPC9zY3JpcHQ+',
+				'data/:/text/html;base64,PHNjcmlwdD5hbGVydCgnNCcpPC9zY3JpcHQ+',
+				' data:text/html;base64,PHNjcmlwdD5hbGVydCgnNScpPC9zY3JpcHQ+',
+				'da ta:text/html;base64,PHNjcmlwdD5hbGVydCgnNicpPC9zY3JpcHQ+',
+				'Data:text/html;base64,PHNjcmlwdD5hbGVydCgnNycpPC9zY3JpcHQ+',
+				"da\nta:text/html;base64,PHNjcmlwdD5hbGVydCgnOCcpPC9zY3JpcHQ+",
+				"da\rta:text/html;base64,PHNjcmlwdD5hbGVydCgnOScpPC9zY3JpcHQ+",
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		context 'with :schemes whitelist' do
+			it 'kills anything not on the list' do
+				[
+					'https://example.com',
+					'https:example.com',
+					'ftp://example.com',
+					'ftp:example.com',
+					'data://example.com',
+					'data:example.com',
+					'javascript://example.com',
+					'javascript:example.com',
+				].each do |evil_url|
+					sanitize_url(evil_url, :schemes => ['http'], :replace_evil_with => 'replaced')
+				end
+			end
+			
+			it 'allows anything on the list' do
+				[
+					'http://example.com',
+					'https://example.com'
+				].each do |good_url|
+					sanitize_url(good_url, :schemes => ['http', 'https']).should == good_url
+				end
+			end
+			
+			it 'works with schemes given as symbols' do
+				sanitize_url('ftp://example.com', :schemes => [:http, :https], :replace_evil_with => 'replaced').should == 'replaced'
+				sanitize_url('ftp://example.com', :schemes => [:http, :https, :ftp]).should == 'ftp://example.com'
+			end
+		end
+		
+		it 'prepends http:// if no scheme is given' do
+			sanitize_url('www.example.com').should == 'http://www.example.com'
+		end
+		
+		it 'replaces evil URLs that are encoded with Unicode numerical character references' do
+			[
+				'javascript:alert('1')',
+				'javascript:alert('2')'
+			].each do |evil_url|
+				sanitize_url(evil_url, :replace_evil_with => 'replaced').should == 'replaced'
+			end
+		end
+		
+		it 'replaces evil URLs that are URL-encoded (hex with %)' do
+			sanitize_url('%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+		
+		it 'does not try to fix broken schemes after the start of the string' do
+			sanitize_url('http://example.com/http/foo').should == 'http://example.com/http/foo'
+		end
+		
+		it 'does not prepend an extra http:// if a valid scheme is given' do
+			sanitize_url('http://www.example.com').should == 'http://www.example.com'
+			sanitize_url('https://www.example.com').should == 'https://www.example.com'
+			sanitize_url('ftp://www.example.com').should == 'ftp://www.example.com'
+		end
+		
+		it 'dereferences URL-encoded characters in the scheme' do
+			sanitize_url('h%74tp://example.com').should == 'http://example.com'
+		end
+		
+		it 'dereferences decimal numeric character references in the scheme' do
+			sanitize_url('http://example.com').should == 'http://example.com'
+		end
+		
+		it 'dereferences hex numeric character references in the scheme' do
+			sanitize_url('http://example.com').should == 'http://example.com'
+		end
+		
+		it 'retains URL-encoded characters in the opaque portion' do
+			sanitize_url('http://someone%40gmail.com:password@example.com').should == 'http://someone%40gmail.com:password@example.com'
+		end
+		
+		it 'URL-encodes code points outside ASCII' do
+			# Percent-encoding should be in UTF-8 (RFC 3986).
+			# http://en.wikipedia.org/wiki/Percent-encoding#Current_standard
+			sanitize_url('http://Д').should == 'http://%D0%94'
+			sanitize_url('http://Д').should == 'http://%D0%94'
+			sanitize_url("http://\xD0\x94").should == 'http://%D0%94' # UTF-8 version of the same.
+		end
+		
+		it 'replaces URLs without the opaque portion' do
+			sanitize_url('http://', :replace_evil_with => 'replaced').should == 'replaced'
+			sanitize_url('mailto:', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+		
+		it 'adds the two slashes for known schemes that require it' do
+			sanitize_url('http:example.com').should == 'http://example.com'
+			sanitize_url('ftp:example.com').should == 'ftp://example.com'
+			sanitize_url('svn+ssh:example.com').should == 'svn+ssh://example.com'
+		end
+		
+		it 'does not add slashes for schemes that do not require it' do
+			sanitize_url('mailto:someone@example.com').should == 'mailto:someone@example.com'
+		end
+		
+		it 'strips invalid characters from the scheme and then evaluates the scheme according to the normal rules' do
+			sanitize_url("ht\xD0\x94tp://example.com").should == 'http://example.com'
+			sanitize_url('htt$p://example.com').should == 'http://example.com'
+			sanitize_url('j%avascript:alert("XSS")', :replace_evil_with => 'replaced').should == 'replaced'
+		end
+	end
+		
+	
+	describe '.dereference_numerics' do				
+		it 'decodes short-form decimal UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes short-form decimal UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#106').should == 'j'
+		end
+		
+		it 'decodes long-form decimal UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes long-form decimal UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#0000106').should == 'j'
+		end
+		
+		it 'decodes hex UTF-8 character references with a semicolon' do
+			SanitizeUrl.dereference_numerics('j').should == 'j'
+		end
+		
+		it 'decodes hex UTF-8 character references without a semicolon' do
+			SanitizeUrl.dereference_numerics('&#x6A').should == 'j'
+		end
+	end
+end

data/spec/spec_helper.rb

@@ -1,7 +1,7 @@
-require 'rubygems'
-require 'test/unit'
-require 'spec'
-
-$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rubygems'
+require 'test/unit'
+require 'spec'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'sanitize-url'

data/test.rb

@@ -1,16 +1,4 @@
-# Copyright sign
-
-#def decimal_code_point_to_url_encoded(code_point)
-#	utf_8_str = ([code_point.to_i].pack('U'))
-#	'%' + utf_8_str.unpack('H2' * utf_8_str.length).join('%').upcase
-#end
-
-hex_code_point = 'A9'
-decimal_code_point = '169'
-hex_utf_8_bytes = '%C2%A9'
-
-#puts 'Expected: ' + hex_utf_8_bytes
-#puts 'Actual:   ' + decimal_code_point_to_url_encoded(decimal_code_point)
-
-evil = 'javascript:alert("XSS")'
-puts evil.unpack('H2' * evil.length).join('%').upcase
+# encoding: UTF-8
+
+puts 'Д'
+puts 'Д'.unpack('H2' * 2).inspect

metadata

@@ -1,7 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: sanitize-url
 version: !ruby/object:Gem::Version 
-  version: 0.1.3
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 4
+  version: 0.1.4
 platform: ruby
 authors: 
 - jarrett
@@ -9,19 +14,23 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-02-25 00:00:00 -06:00
+date: 2010-03-21 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rspec
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 3
+        - 0
         version: 1.3.0
-    version: 
+  type: :development
+  version_requirements: *id001
 description: "This gem provides a module called SanitizeUrl, which you can mix-in anywhere you like. It provides a single method: sanitize_url, which accepts a URL and returns one with JavaScript removed. It also prepends the http:// scheme if no valid scheme is found."
 email: jarrett@uchicago.edu
 executables: []
@@ -40,6 +49,7 @@ files:
 - VERSION
 - lib/sanitize-url.rb
 - sanitize-url.gemspec
+- spec/char_codes_spec.rb
 - spec/sanitize_url_spec.rb
 - spec/spec_helper.rb
 - test.rb
@@ -56,21 +66,24 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.5
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Sanitizes untrusted URLs
 test_files: 
+- spec/char_codes_spec.rb
 - spec/sanitize_url_spec.rb
 - spec/spec_helper.rb