sanitize 1.0.4 → 1.0.5

Files changed (4)
  1. data/HISTORY +7 -0
  2. data/README.rdoc +1 -1
  3. data/lib/sanitize.rb +5 -5
  4. metadata +2 -2
data/HISTORY CHANGED
@@ -1,6 +1,13 @@
  Sanitize History
  ================================================================================
 
+ Version 1.0.5 (2009-02-05)
+ * Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
+ protocols from being cleaned when relative URLs were allowed. [Reported by
+ Dev Purkayastha]
+ * Fixed "undefined method `parent='" exceptions caused by parser changes in
+ edge Hpricot.
+
  Version 1.0.4 (2009-01-16)
  * Fixed a bug that made it possible to sneak a non-whitelisted element through
  by repeating it several times in a row. All versions of Sanitize prior to
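Review bot: the first 1.0.5 entry is a security fix, not a plain bug fix, and the changelog should say so: with relative URLs allowed, values carrying a non-whitelisted protocol (the code comment in lib/sanitize.rb names "javascript:" as the kind of prefix REGEX_PROTOCOL exists to catch) passed through uncleaned in 1.0.3 and 1.0.4. Suggest stating the affected range explicitly, e.g. "Affects 1.0.3 and 1.0.4; users with relative URLs enabled should upgrade." The second entry gives the symptom (`undefined method `parent='`) but not the cause; a reference to the relevant Hpricot change would help anyone pinning Hpricot versions decide whether they are affected.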
data/README.rdoc CHANGED
@@ -15,7 +15,7 @@ or maliciously-formed HTML. When in doubt, Sanitize always errs on the side of
  caution.
 
  *Author*:: Ryan Grove (mailto:ryan@wonko.com)
- *Version*:: 1.0.4 (2009-01-16)
+ *Version*:: 1.0.5 (2009-02-05)
  *Copyright*:: Copyright (c) 2009 Ryan Grove. All rights reserved.
  *License*:: MIT License (http://opensource.org/licenses/mit-license.php)
  *Website*:: http://github.com/rgrove/sanitize
data/lib/sanitize.rb CHANGED
@@ -40,11 +40,11 @@ require 'sanitize/monkeypatch/hpricot'
  class Sanitize
 
  # Matches an attribute value that could be treated by a browser as a URL
- # with a protocol prefix, such as "http:" or "javascript:". Any string of one
+ # with a protocol prefix, such as "http:" or "javascript:". Any string of zero
  # or more characters followed by a colon is considered a match, even if the
  # colon is encoded as an entity and even if it's an incomplete entity (which
  # IE6 and Opera will still parse).
- REGEX_PROTOCOL = /^([^:]+)(?:\:|&#0*58|&#x0*3a)(?:[^0-9a-f]|$)/i
+ REGEX_PROTOCOL = /^([^:]*)(?:\:|&#0*58|&#x0*3a)/i
 
  #--
  # Class Methods
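Review bot: the removed trailing group `(?:[^0-9a-f]|$)` is the regression itself, and it is worth recording why in the commit: it applied after a literal colon as well as after the entity forms, so any value whose first character after the colon was a hex digit (for example `javascript:a...`, where `a` is hex) failed to match, was therefore treated as a relative URL, and was kept whenever relative URLs were allowed. Dropping it is the right fix, but the hunk changes behaviour in two further ways that need regression tests: `[^:]+` becoming `[^:]*` means a value that begins with a colon now matches with an empty capture, so confirm the caller rejects an empty `$1` rather than treating it as whitelisted; and the entity forms `&#0*58` / `&#x0*3a` now match even when immediately followed by a hex digit, which is the cautious direction but is new. Please add tests for a literal colon, a decimal entity and a hex entity, each followed by a hex letter, asserting the attribute is removed, so the trailing group cannot be reintroduced.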
@@ -86,18 +86,18 @@ class Sanitize
 
  fragment.search('*') do |node|
  if node.bogusetag? || node.doctype? || node.procins? || node.xmldecl?
- node.swap('')
+ node.parent.replace_child(node, '')
  next
  end
 
  if node.comment?
- node.swap('') unless @config[:allow_comments]
+ node.parent.replace_child(node, '') unless @config[:allow_comments]
  elsif node.elem?
  name = node.name.to_s.downcase
 
  # Delete any element that isn't in the whitelist.
  unless @config[:elements].include?(name)
- node.parent.replace_child(node, node.children)
+ node.parent.replace_child(node, node.children || '')
  next
  end
 
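Review bot: `node.parent` is dereferenced unguarded at all three replaced sites, which `node.swap` previously hid. If `fragment.search('*')` can yield a node whose parent was already replaced earlier in the same pass, the call raises NoMethodError on nil, the same failure class the HISTORY entry says this hunk fixes. Suggest a single private helper, e.g. `remove_node(node, replacement = '')`, that returns early when `node.parent` is nil and is used at the three sites, so the nil handling (including the `node.children || ''` guard on the third site, which is the only one of the three that handles a nil value) lives in one place. A regression test should cover a non-whitelisted element with no children (the `children || ''` case) and a non-whitelisted element nested inside another non-whitelisted element, asserting both are removed and their text content is kept.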
metadata CHANGED
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: sanitize
  version: !ruby/object:Gem::Version
- version: 1.0.4
+ version: 1.0.5
  platform: ruby
  authors:
  - Ryan Grove
@@ -9,7 +9,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2009-01-16 00:00:00 -08:00
+ date: 2009-02-05 00:00:00 -08:00
  default_executable:
  dependencies:
  - !ruby/object:Gem::Dependency