sanitize 1.0.4 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/HISTORY +7 -0
- data/README.rdoc +1 -1
- data/lib/sanitize.rb +5 -5
- metadata +2 -2
data/HISTORY
CHANGED
|
@@ -1,6 +1,13 @@
|
|
|
1
1
|
Sanitize History
|
|
2
2
|
================================================================================
|
|
3
3
|
|
|
4
|
+
Version 1.0.5 (2009-02-05)
|
|
5
|
+
* Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
|
|
6
|
+
protocols from being cleaned when relative URLs were allowed. [Reported by
|
|
7
|
+
Dev Purkayastha]
|
|
8
|
+
* Fixed "undefined method `parent='" exceptions caused by parser changes in
|
|
9
|
+
edge Hpricot.
|
|
10
|
+
|
|
4
11
|
Version 1.0.4 (2009-01-16)
|
|
5
12
|
* Fixed a bug that made it possible to sneak a non-whitelisted element through
|
|
6
13
|
by repeating it several times in a row. All versions of Sanitize prior to
|
data/README.rdoc
CHANGED
|
@@ -15,7 +15,7 @@ or maliciously-formed HTML. When in doubt, Sanitize always errs on the side of
|
|
|
15
15
|
caution.
|
|
16
16
|
|
|
17
17
|
*Author*:: Ryan Grove (mailto:ryan@wonko.com)
|
|
18
|
-
*Version*:: 1.0.
|
|
18
|
+
*Version*:: 1.0.5 (2009-02-05)
|
|
19
19
|
*Copyright*:: Copyright (c) 2009 Ryan Grove. All rights reserved.
|
|
20
20
|
*License*:: MIT License (http://opensource.org/licenses/mit-license.php)
|
|
21
21
|
*Website*:: http://github.com/rgrove/sanitize
|
data/lib/sanitize.rb
CHANGED
|
@@ -40,11 +40,11 @@ require 'sanitize/monkeypatch/hpricot'
|
|
|
40
40
|
class Sanitize
|
|
41
41
|
|
|
42
42
|
# Matches an attribute value that could be treated by a browser as a URL
|
|
43
|
-
# with a protocol prefix, such as "http:" or "javascript:". Any string of
|
|
43
|
+
# with a protocol prefix, such as "http:" or "javascript:". Any string of zero
|
|
44
44
|
# or more characters followed by a colon is considered a match, even if the
|
|
45
45
|
# colon is encoded as an entity and even if it's an incomplete entity (which
|
|
46
46
|
# IE6 and Opera will still parse).
|
|
47
|
-
REGEX_PROTOCOL = /^([^:]
|
|
47
|
+
REGEX_PROTOCOL = /^([^:]*)(?:\:|�*58|�*3a)/i
|
|
48
48
|
|
|
49
49
|
#--
|
|
50
50
|
# Class Methods
|
|
@@ -86,18 +86,18 @@ class Sanitize
|
|
|
86
86
|
|
|
87
87
|
fragment.search('*') do |node|
|
|
88
88
|
if node.bogusetag? || node.doctype? || node.procins? || node.xmldecl?
|
|
89
|
-
node.
|
|
89
|
+
node.parent.replace_child(node, '')
|
|
90
90
|
next
|
|
91
91
|
end
|
|
92
92
|
|
|
93
93
|
if node.comment?
|
|
94
|
-
node.
|
|
94
|
+
node.parent.replace_child(node, '') unless @config[:allow_comments]
|
|
95
95
|
elsif node.elem?
|
|
96
96
|
name = node.name.to_s.downcase
|
|
97
97
|
|
|
98
98
|
# Delete any element that isn't in the whitelist.
|
|
99
99
|
unless @config[:elements].include?(name)
|
|
100
|
-
node.parent.replace_child(node, node.children)
|
|
100
|
+
node.parent.replace_child(node, node.children || '')
|
|
101
101
|
next
|
|
102
102
|
end
|
|
103
103
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2009-
|
|
12
|
+
date: 2009-02-05 00:00:00 -08:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|