sanitize 1.0.4 → 1.0.5

Files changed (4)
  1. data/HISTORY +7 -0
  2. data/README.rdoc +1 -1
  3. data/lib/sanitize.rb +5 -5
  4. metadata +2 -2
data/HISTORY CHANGED
@@ -1,6 +1,13 @@
1
1
  Sanitize History
2
2
  ================================================================================
3
3
 
4
+ Version 1.0.5 (2009-02-05)
5
+ * Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
6
+ protocols from being cleaned when relative URLs were allowed. [Reported by
7
+ Dev Purkayastha]
8
+ * Fixed "undefined method `parent='" exceptions caused by parser changes in
9
+ edge Hpricot.
10
+
4
11
  Version 1.0.4 (2009-01-16)
5
12
  * Fixed a bug that made it possible to sneak a non-whitelisted element through
6
13
  by repeating it several times in a row. All versions of Sanitize prior to
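Review bot: the 1.0.5 entry understates the severity of the first fix; since a non-whitelisted protocol such as "javascript:" surviving sanitization is a script-injection issue rather than a cosmetic bug, the entry should say so explicitly (for example "Security: ...") and name the affected versions (1.0.3 and 1.0.4) so downstream users can tell whether they need to upgrade. The second entry could also note which Hpricot API the code moved to (node.parent.replace_child instead of node.swap) so anyone carrying a local patch against sanitize.rb knows what changed.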
data/README.rdoc CHANGED
@@ -15,7 +15,7 @@ or maliciously-formed HTML. When in doubt, Sanitize always errs on the side of
15
15
  caution.
16
16
 
17
17
  *Author*:: Ryan Grove (mailto:ryan@wonko.com)
18
- *Version*:: 1.0.4 (2009-01-16)
18
+ *Version*:: 1.0.5 (2009-02-05)
19
19
  *Copyright*:: Copyright (c) 2009 Ryan Grove. All rights reserved.
20
20
  *License*:: MIT License (http://opensource.org/licenses/mit-license.php)
21
21
  *Website*:: http://github.com/rgrove/sanitize
data/lib/sanitize.rb CHANGED
@@ -40,11 +40,11 @@ require 'sanitize/monkeypatch/hpricot'
40
40
  class Sanitize
41
41
 
42
42
  # Matches an attribute value that could be treated by a browser as a URL
43
- # with a protocol prefix, such as "http:" or "javascript:". Any string of one
43
+ # with a protocol prefix, such as "http:" or "javascript:". Any string of zero
44
44
  # or more characters followed by a colon is considered a match, even if the
45
45
  # colon is encoded as an entity and even if it's an incomplete entity (which
46
46
  # IE6 and Opera will still parse).
47
- REGEX_PROTOCOL = /^([^:]+)(?:\:|&#0*58|&#x0*3a)(?:[^0-9a-f]|$)/i
47
+ REGEX_PROTOCOL = /^([^:]*)(?:\:|&#0*58|&#x0*3a)/i
48
48
 
49
49
  #--
50
50
  # Class Methods
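Review bot: `^` in Ruby matches at the start of any line, not only at the start of the string, so REGEX_PROTOCOL can match on a later line of a multi-line attribute value; `\A` states the intent unambiguously and should be used here unless line-start matching is deliberate. Two behavioural consequences of this hunk deserve a sentence in the comment on lines 42-46: with `[^:]*` an attribute value that begins with a colon now matches with an empty capture group 1, which only fails closed if every caller treats an empty protocol as non-whitelisted; and dropping the trailing `(?:[^0-9a-f]|$)` means sequences such as `&#x3ab` or `&#580`, which decode to characters other than a colon, are now also treated as a protocol separator. Both are conservative, but the comment should say that over-matching is intentional.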
@@ -86,18 +86,18 @@ class Sanitize
86
86
 
87
87
  fragment.search('*') do |node|
88
88
  if node.bogusetag? || node.doctype? || node.procins? || node.xmldecl?
89
- node.swap('')
89
+ node.parent.replace_child(node, '')
90
90
  next
91
91
  end
92
92
 
93
93
  if node.comment?
94
- node.swap('') unless @config[:allow_comments]
94
+ node.parent.replace_child(node, '') unless @config[:allow_comments]
95
95
  elsif node.elem?
96
96
  name = node.name.to_s.downcase
97
97
 
98
98
  # Delete any element that isn't in the whitelist.
99
99
  unless @config[:elements].include?(name)
100
- node.parent.replace_child(node, node.children)
100
+ node.parent.replace_child(node, node.children || '')
101
101
  next
102
102
  end
103
103
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.4
4
+ version: 1.0.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove
@@ -9,7 +9,7 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
11
 
12
- date: 2009-01-16 00:00:00 -08:00
12
+ date: 2009-02-05 00:00:00 -08:00
13
13
  default_executable:
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency