RubyGems - sanitize - Versions diffs - 2.0.3.dev.20110603 → 2.0.3 - Mend

sanitize 2.0.3.dev.20110603 → 2.0.3

Potentially problematic release.

This version of sanitize might be problematic. Click here for more details.

Files changed (4) hide show

data/HISTORY.md CHANGED Viewed

@@ -1,8 +1,8 @@
 Sanitize History
 ================================================================================
-Version 2.0.3 (git)
--------------------
+Version 2.0.3 (2011-07-01)
+--------------------------
  * Loosened the Nokogiri dependency to allow Nokogiri 1.5.x.

data/README.rdoc CHANGED Viewed

@@ -14,7 +14,7 @@ of fragile regular expressions, Sanitize has no trouble dealing with malformed
 or maliciously-formed HTML, and will always output valid HTML or XHTML.
 *Author*::    Ryan Grove (mailto:ryan@wonko.com)
-*Version*::   2.0.3 (git)
+*Version*::   2.0.3 (2011-07-01)
 *Copyright*:: Copyright (c) 2011 Ryan Grove. All rights reserved.
 *License*::   MIT License (http://opensource.org/licenses/mit-license.php)
 *Website*::   http://github.com/rgrove/sanitize
@@ -289,54 +289,36 @@ your own hands.
 The following example demonstrates how to create a depth-first Sanitize
 transformer that will safely whitelist valid YouTube video embeds without having
 to blindly allow other kinds of embedded content, which would be the case if you
-tried to do this by just whitelisting all <code><object></code>,
-<code><embed></code>, and <code><param></code> elements:
+tried to do this by just whitelisting all <iframe> elements:
   lambda do |env|
     node      = env[:node]
     node_name = env[:node_name]
     # Don't continue if this node is already whitelisted or is not an element.
     return if env[:is_whitelisted] || !node.element?
-    parent = node.parent
-    # Since the transformer receives the deepest nodes first, we look for a
-    # <param> element or an <embed> element whose parent is an <object>.
-    return unless (node_name == 'param' || node_name == 'embed') &&
-        parent.name.to_s.downcase == 'object'
-    if node_name == 'param'
-      # Quick XPath search to find the <param> node that contains the video URL.
-      return unless movie_node = parent.search('param[@name="movie"]')[0]
-      url = movie_node['value']
-    else
-      # Since this is an <embed>, the video URL is in the "src" attribute. No
-      # extra work needed.
-      url = node['src']
-    end
+    # Don't continue unless the node is an iframe.
+    return unless node_name == 'iframe'
     # Verify that the video URL is actually a valid YouTube video URL.
-    return unless url =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\/v\//
+    return unless node['src'] =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\//
     # We're now certain that this is a YouTube embed, but we still need to run
     # it through a special Sanitize step to ensure that no unwanted elements or
     # attributes that don't belong in a YouTube embed can sneak in.
-    Sanitize.clean_node!(parent, {
-      :elements => %w[embed object param],
+    Sanitize.clean_node!(node.parent, {
+      :elements => %w[iframe],
       :attributes => {
-        'embed'  => %w[allowfullscreen allowscriptaccess height src type width],
-        'object' => %w[height width],
-        'param'  => %w[name value]
+        'iframe'  => %w[allowfullscreen frameborder height src width]
       }
     })
     # Now that we're sure that this is a valid YouTube embed and that there are
     # no unwanted elements or attributes hidden inside it, we can tell Sanitize
-    # to whitelist the current node (<param> or <embed>) and its parent
-    # (<object>).
-    {:node_whitelist => [node, parent]}
+    # to whitelist the current node.
+    {:node_whitelist => [node]}
   end
 == Contributors

data/lib/sanitize/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 class Sanitize
-  VERSION = '2.0.3.dev.20110603'
+  VERSION = '2.0.3'
 end

metadata CHANGED Viewed

@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  prerelease: 6
-  version: 2.0.3.dev.20110603
+  prerelease:
+  version: 2.0.3
 platform: ruby
 authors:
 - Ryan Grove
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-06-04 00:00:00 Z
+date: 2011-07-02 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -86,9 +86,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: "0"
 requirements: []
 rubyforge_project: riposte