sanitize 2.0.3.dev.20110603 → 2.0.3



Files changed (4)
  1. data/HISTORY.md +2 -2
  2. data/README.rdoc +13 -31
  3. data/lib/sanitize/version.rb +1 -1
  4. metadata +5 -5
data/HISTORY.md CHANGED
@@ -1,8 +1,8 @@
1
1
  Sanitize History
2
2
  ================================================================================
3
3
 
4
- Version 2.0.3 (git)
5
- -------------------
4
+ Version 2.0.3 (2011-07-01)
5
+ --------------------------
6
6
 
7
7
  * Loosened the Nokogiri dependency to allow Nokogiri 1.5.x.
8
8
 
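Review bot: the 2.0.3 entry only records the Nokogiri loosening, but this same release rewrites the README's YouTube transformer example from `<object>`/`<embed>`/`<param>` to `<iframe>` and changes the URL check it performs; a one-line note such as "Updated the YouTube embed example in the README to use iframes" would tell users who copied the old example that it has changed.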
data/README.rdoc CHANGED
@@ -14,7 +14,7 @@ of fragile regular expressions, Sanitize has no trouble dealing with malformed
14
14
  or maliciously-formed HTML, and will always output valid HTML or XHTML.
15
15
 
16
16
  *Author*:: Ryan Grove (mailto:ryan@wonko.com)
17
- *Version*:: 2.0.3 (git)
17
+ *Version*:: 2.0.3 (2011-07-01)
18
18
  *Copyright*:: Copyright (c) 2011 Ryan Grove. All rights reserved.
19
19
  *License*:: MIT License (http://opensource.org/licenses/mit-license.php)
20
20
  *Website*:: http://github.com/rgrove/sanitize
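Review bot: the string "2.0.3 (2011-07-01)" is now maintained by hand here, in HISTORY.md and as `VERSION` in lib/sanitize/version.rb, so all three must be bumped in lockstep on every release; consider generating this rdoc line from `Sanitize::VERSION` or dropping the date from it so the constant stays the single source of truth.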
@@ -289,54 +289,36 @@ your own hands.
289
289
  The following example demonstrates how to create a depth-first Sanitize
290
290
  transformer that will safely whitelist valid YouTube video embeds without having
291
291
  to blindly allow other kinds of embedded content, which would be the case if you
292
- tried to do this by just whitelisting all <code><object></code>,
293
- <code><embed></code>, and <code><param></code> elements:
292
+ tried to do this by just whitelisting all <iframe> elements:
294
293
 
295
294
  lambda do |env|
296
295
  node = env[:node]
297
296
  node_name = env[:node_name]
298
-
297
+
299
298
  # Don't continue if this node is already whitelisted or is not an element.
300
299
  return if env[:is_whitelisted] || !node.element?
301
300
 
302
- parent = node.parent
303
-
304
- # Since the transformer receives the deepest nodes first, we look for a
305
- # <param> element or an <embed> element whose parent is an <object>.
306
- return unless (node_name == 'param' || node_name == 'embed') &&
307
- parent.name.to_s.downcase == 'object'
308
-
309
- if node_name == 'param'
310
- # Quick XPath search to find the <param> node that contains the video URL.
311
- return unless movie_node = parent.search('param[@name="movie"]')[0]
312
- url = movie_node['value']
313
- else
314
- # Since this is an <embed>, the video URL is in the "src" attribute. No
315
- # extra work needed.
316
- url = node['src']
317
- end
318
-
301
+ # Don't continue unless the node is an iframe.
302
+ return unless node_name == 'iframe'
303
+
319
304
  # Verify that the video URL is actually a valid YouTube video URL.
320
- return unless url =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\/v\//
321
-
305
+ return unless node['src'] =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\//
306
+
322
307
  # We're now certain that this is a YouTube embed, but we still need to run
323
308
  # it through a special Sanitize step to ensure that no unwanted elements or
324
309
  # attributes that don't belong in a YouTube embed can sneak in.
325
- Sanitize.clean_node!(parent, {
326
- :elements => %w[embed object param],
310
+ Sanitize.clean_node!(node.parent, {
311
+ :elements => %w[iframe],
327
312
 
328
313
  :attributes => {
329
- 'embed' => %w[allowfullscreen allowscriptaccess height src type width],
330
- 'object' => %w[height width],
331
- 'param' => %w[name value]
314
+ 'iframe' => %w[allowfullscreen frameborder height src width]
332
315
  }
333
316
  })
334
317
 
335
318
  # Now that we're sure that this is a valid YouTube embed and that there are
336
319
  # no unwanted elements or attributes hidden inside it, we can tell Sanitize
337
- # to whitelist the current node (<param> or <embed>) and its parent
338
- # (<object>).
339
- {:node_whitelist => [node, parent]}
320
+ # to whitelist the current node.
321
+ {:node_whitelist => [node]}
340
322
  end
341
323
 
342
324
  == Contributors
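Review bot: the replacement URL check `return unless node['src'] =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\//` is broader than the one it replaces: the old pattern required the `/v/` player path, while the new one accepts any path on youtube.com (neither accepts https), so the comment "Verify that the video URL is actually a valid YouTube video URL" overstates what is checked; anchoring the pattern to the iframe player path (for example `youtube\.com\/embed\/`) would keep the whitelist as narrow as before. Separately, `Sanitize.clean_node!(node.parent, {` now runs the iframe-only config against whatever element happens to contain the iframe, whereas the old code cleaned a `parent` it had first verified to be the `<object>` wrapper; with no dedicated container left, `node` itself looks like the intended target, and the whitelist returned at the end (`{:node_whitelist => [node]}`) already covers only that node.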
@@ -1,3 +1,3 @@
1
1
  class Sanitize
2
- VERSION = '2.0.3.dev.20110603'
2
+ VERSION = '2.0.3'
3
3
  end
metadata CHANGED
@@ -1,8 +1,8 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- prerelease: 6
5
- version: 2.0.3.dev.20110603
4
+ prerelease:
5
+ version: 2.0.3
6
6
  platform: ruby
7
7
  authors:
8
8
  - Ryan Grove
@@ -10,7 +10,7 @@ autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
12
 
13
- date: 2011-06-04 00:00:00 Z
13
+ date: 2011-07-02 00:00:00 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: nokogiri
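Review bot: the gemspec date becomes 2011-07-02, but HISTORY.md and README.rdoc in this same release both say the version is dated 2011-07-01; pick one release date and use it in all three places (the `date:` field is what RubyGems publishes, so HISTORY.md and README.rdoc should probably be updated to match it).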
@@ -86,9 +86,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
86
86
  required_rubygems_version: !ruby/object:Gem::Requirement
87
87
  none: false
88
88
  requirements:
89
- - - ">"
89
+ - - ">="
90
90
  - !ruby/object:Gem::Version
91
- version: 1.3.1
91
+ version: "0"
92
92
  requirements: []
93
93
 
94
94
  rubyforge_project: riposte
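Review bot: the change of required_rubygems_version from `> 1.3.1` to `>= 0` is expected rather than a regression: RubyGems adds the `> 1.3.1` floor automatically when a gem's version is a prerelease, and dropping the `.dev.20110603` tag removes it, so the final gem can install on any RubyGems version; nothing to change here as long as the gemspec was regenerated rather than hand-edited.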