sanitize 1.2.1.dev.20100124 → 1.2.1.dev.20100329

data/HISTORY

@@ -2,11 +2,14 @@ Sanitize History
 ================================================================================
 
 Version 1.2.1 (git)
-  * Added an :escape_only config setting. If set to true, Sanitize will escape
-    non-whitelisted elements and their contents instead of removing them.
   * Added a :remove_contents config setting. If set to true, Sanitize will
-    remove the contents of non-whitelisted elements in addition to the elements
-    themselves.
+    remove the contents of all non-whitelisted elements in addition to the
+    elements themselves. If set to an Array of element names, Sanitize will
+    remove the contents of only those elements (when filtered), and leave the
+    contents of other filtered elements. [Thanks to Rafael Souza for the Array
+    option]
+  * Added an :output_encoding config setting to allow the character encoding for
+    HTML output to be specified. The default is 'utf-8'.
   * The environment hash passed into transformers now includes a :node_name item
     containing the lowercase name of the current HTML node (e.g. "div").
   * Returning anything other than a Hash or nil from a transformer will now

data/README.rdoc

@@ -133,16 +133,15 @@ Array of element names to allow. Specify all names in lowercase.
     'sup', 'u', 'ul'
   ]
 
-==== :escape_only (boolean)
-
-If set to +true+, Sanitize will escape non-whitelisted elements and their
-contents rather than removing them.
-
 ==== :output (Symbol)
 
 Output format. Supported formats are <code>:html</code> and <code>:xhtml</code>,
 defaulting to <code>:xhtml</code>.
 
+==== :output_encoding (String)
+
+Character encoding to use for HTML output. Default is <code>'utf-8'</code>.
+
 ==== :protocols (Hash)
 
 URL protocols to allow in specific attributes. If an attribute is listed here
@@ -161,14 +160,17 @@ include the symbol <code>:relative</code> in the protocol array:
     'a' => {'href' => ['http', 'https', :relative]}
   }
 
-==== :remove_contents (boolean)
+==== :remove_contents (boolean or Array)
 
 If set to +true+, Sanitize will remove the contents of any non-whitelisted
 elements in addition to the elements themselves. By default, Sanitize leaves the
 safe parts of an element's contents behind when the element is removed.
 
-If both <code>:escape_only</code> and <code>:remove_contents</code> are enabled,
-<code>:remove_contents</code> will take precedence.
+If set to an Array of element names, then only the contents of the specified
+elements (when filtered) will be removed, and the contents of all other filtered
+elements will be left behind.
+
+The default value is <code>false</code>.
 
 ==== :transformers
 
@@ -306,6 +308,7 @@ or ideas that later became code:
 * Mutwin Kraus <mutle@blogage.de>
 * Dev Purkayastha <dev.purkayastha@gmail.com>
 * David Reese <work@whatcould.com>
+* Rafael Souza <me@rafaelss.com>
 * Ben Wanicur <bwanicur@verticalresponse.com>
 
 == License

data/lib/sanitize.rb

@@ -70,17 +70,22 @@ class Sanitize
   def initialize(config = {})
     # Sanitize configuration.
     @config = Config::DEFAULT.merge(config)
-    @config[:transformers] = Array(@config[:transformers])
-
-    # :remove_contents takes precedence over :escape_only.
-    if @config[:remove_contents] && @config[:escape_only]
-      @config[:escape_only] = false
-    end
+    @config[:transformers] = Array(@config[:transformers].dup)
 
     # Convert the list of allowed elements to a Hash for faster lookup.
     @allowed_elements = {}
     @config[:elements].each {|el| @allowed_elements[el] = true }
 
+    # Convert the list of :remove_contents elements to a Hash for faster lookup.
+    @remove_all_contents     = false
+    @remove_element_contents = {}
+
+    if @config[:remove_contents].is_a?(Array)
+      @config[:remove_contents].each {|el| @remove_element_contents[el] = true }
+    else
+      @remove_all_contents = !!@config[:remove_contents]
+    end
+
     # Specific nodes to whitelist (along with all their attributes). This array
     # is generated at runtime by transformers, and is cleared before and after
     # a fragment is cleaned (so it applies only to a specific fragment).
@@ -99,7 +104,7 @@ class Sanitize
     fragment = Nokogiri::HTML::DocumentFragment.parse(html)
     clean_node!(fragment)
 
-    output_method_params = {:encoding => 'utf-8', :indent => 0}
+    output_method_params = {:encoding => @config[:output_encoding], :indent => 0}
 
     if @config[:output] == :xhtml
       output_method = fragment.method(:to_xhtml)
@@ -112,10 +117,6 @@ class Sanitize
 
     result = output_method.call(output_method_params)
 
-    # Ensure that the result is always a UTF-8 string in Ruby 1.9, no matter
-    # what. Nokogiri seems to return empty strings as ASCII for some reason.
-    result.force_encoding('utf-8') if RUBY_VERSION >= '1.9'
-
     return result == html ? nil : html[0, html.length] = result
   end
 
@@ -129,13 +130,7 @@ class Sanitize
       if child.element?
         clean_element!(child)
       elsif child.comment?
-        unless @config[:allow_comments]
-          if @config[:escape_only]
-            child.replace(Nokogiri::XML::Text.new(child.to_s, child.document))
-          else
-            child.unlink
-          end
-        end
+        child.unlink unless @config[:allow_comments]
       elsif child.cdata?
         child.replace(Nokogiri::XML::Text.new(child.text, child.document))
       end
@@ -160,16 +155,12 @@ class Sanitize
 
     # Delete any element that isn't in the whitelist.
     unless transform[:whitelist] || @allowed_elements[name]
-      if @config[:escape_only]
-        node.replace(Nokogiri::XML::Text.new(node.to_s, node.document))
-      else
-        unless @config[:remove_contents]
-          node.children.each { |n| node.add_previous_sibling(n) }
-        end
-
-        node.unlink
+      unless @remove_all_contents || @remove_element_contents[name]
+        node.children.each { |n| node.add_previous_sibling(n) }
       end
 
+      node.unlink
+
       return
     end
 

data/lib/sanitize/config.rb

@@ -40,14 +40,13 @@ class Sanitize
       # that all HTML will be stripped).
       :elements => [],
 
-      # If this is true, Sanitize will escape non-whitelisted elements and their
-      # contents rather than removing them.
-      :escape_only => false,
-
       # Output format. Supported formats are :html and :xhtml (which is the
       # default).
       :output => :xhtml,
 
+      # Character encoding to use for HTML output. Default is 'utf-8'.
+      :output_encoding => 'utf-8',
+
       # URL handling protocols to allow in specific attributes. By default, no
       # protocols are allowed. Use :relative in place of a protocol if you want
       # to allow relative URLs sans protocol.
@@ -58,8 +57,9 @@ class Sanitize
       # leaves the safe parts of an element's contents behind when the element
       # is removed.
       #
-      # If both :escape_only and :remove_contents are true, :remove_contents
-      # will take precedence.
+      # If this is an Array of element names, then only the contents of the
+      # specified elements (when filtered) will be removed, and the contents of
+      # all other filtered elements will be left behind.
       :remove_contents => false,
 
       # Transformers allow you to filter or alter nodes using custom logic. See

data/lib/sanitize/version.rb

@@ -1,3 +1,3 @@
 class Sanitize
-  VERSION = '1.2.1.dev.20100124'
+  VERSION = '1.2.1.dev.20100329'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: sanitize
 version: !ruby/object:Gem::Version 
-  version: 1.2.1.dev.20100124
+  version: 1.2.1.dev.20100329
 platform: ruby
 authors: 
 - Ryan Grove
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-01-24 00:00:00 -08:00
+date: 2010-03-29 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency