sanitize 2.0.4 → 2.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 80fc1e1df6ce565080a348c635645027839d8fbf
-  data.tar.gz: ae3afc1372f0db565647ab7f46310531a0f8b940
+  metadata.gz: e5c69e88d2fe8117cf4ef82ff0d1469c67444b9d
+  data.tar.gz: 7708f7ca071901b213f06a542626e246c6d60409
 SHA512:
-  metadata.gz: fc144309e028fcc172f3e4066dd34789c1a1b7f8abd341009052daa12672710a1e6ca52befd7f0cf39308c56fca70317e11c459f4b086d10c071d744477da70d
-  data.tar.gz: 962f5668cf47a557cc17d3f6eca26bcee0df23f93f76d11014fb53f5650560a5a8bbc171b63ddb00d926fa847154958f27d93c9b2e0a46cd4cc585f27cf4a309
+  metadata.gz: 90de33c0a818467a0df40564c9230a111744bd7cb064b1c3f68a4403d605970f33af2f5604b87a2c6103e7fb847061227d196675a4089f9e7f29b1748611e2fa
+  data.tar.gz: 1ae481892f1a1b7dbcdd20f02eebad70d320bb1e8f8ec888c6da61b8274b931074ceea562c46c02d90955fcda5118f4b69aa7332ff042162a4e5ef23f6760623

data/HISTORY.md

@@ -1,188 +1,197 @@
 Sanitize History
 ================================================================================
 
+Version 2.0.5 (2013-07-10)
+--------------------------
+
+* Loosened the Nokogiri dependency back to >= 1.4.4 to allow Sanitize to coexist
+  in newer Rubies with other libraries that restrict Nokogiri to 1.5.x for 1.8.7
+  compatibility. Sanitize still no longer supports 1.8.7, but this should make
+  life easier for people who need those other libs.
+
+
 Version 2.0.4 (2013-06-12)
 --------------------------
 
-  * Added `Sanitize.clean_document`, which sanitizes a full HTML document rather
-    than just a fragment. [Ben Anderson]
+* Added `Sanitize.clean_document`, which sanitizes a full HTML document rather
+  than just a fragment. [Ben Anderson]
 
-  * Nokogiri dependency bumped to 1.6.x.
+* Nokogiri dependency bumped to 1.6.x.
 
-  * Dropped support for Ruby versions older than 1.9.2.
+* Dropped support for Ruby versions older than 1.9.2.
 
 
 Version 2.0.3 (2011-07-01)
 --------------------------
 
-  * Loosened the Nokogiri dependency to allow Nokogiri 1.5.x.
+* Loosened the Nokogiri dependency to allow Nokogiri 1.5.x.
 
 
 Version 2.0.2 (2011-05-21)
 --------------------------
 
-  * Fixed a bug in which a protocol like "java\script:" would be translated to
-    "java%5Cscript:" and allowed through the filter when relative URLs were
-    enabled. This didn't actually allow malicious code to run, but it is
-    undesired behavior.
+* Fixed a bug in which a protocol like "java\script:" would be translated to
+  "java%5Cscript:" and allowed through the filter when relative URLs were
+  enabled. This didn't actually allow malicious code to run, but it is
+  undesired behavior.
 
 
 Version 2.0.1 (2011-03-16)
 --------------------------
 
-  * Updated the protocol regex to anchor at the beginning of the string rather
-    than the beginning of a line. [Eaden McKee]
+* Updated the protocol regex to anchor at the beginning of the string rather
+  than the beginning of a line. [Eaden McKee]
 
 
 Version 2.0.0 (2011-01-15)
 --------------------------
 
-  * The environment data passed into transformers and the return values expected
-    from transformers have changed. Old transformers will need to be updated.
-    See the README for details.
-  * Transformers now receive nodes of all types, not just element nodes.
-  * Sanitize's own core filtering logic is now implemented as a set of always-on
-    transformers.
-  * The default value for the `:output` config is now `:html`. Previously it was
-    `:xhtml`.
-  * Added a `:whitespace_elements` config, which specifies elements (such as
-    `<br>` and `<p>`) that should be replaced with whitespace when removed in
-    order to preserve readability. See the README for the default list of
-    elements that will be replaced with whitespace when removed.
-  * Added a `:transformers_breadth` config, which may be used to specify
-    transformers that should traverse nodes in a breadth-first mode rather than
-    the default depth-first mode.
-  * Added the `abbr`, `dfn`, `kbd`, `mark`, `s`, `samp`, `time`, and `var`
-    elements to the whitelists for the basic and relaxed configs.
-  * Added the `bdo`, `del`, `figcaption`, `figure`, `hgroup`, `ins`, `rp`, `rt`,
-    `ruby`, and `wbr` elements to the whitelist for the relaxed config.
-  * The `dir`, `lang`, and `title` attributes are now whitelisted for all
-    elements in the relaxed config.
-  * Bumped minimum Nokogiri version to 1.4.4 to avoid a bug in 1.4.2+
-    (issue #315) that caused `</body></html>` to be appended to the CDATA inside
-    unterminated script and style elements.
+* The environment data passed into transformers and the return values expected
+  from transformers have changed. Old transformers will need to be updated.
+  See the README for details.
+* Transformers now receive nodes of all types, not just element nodes.
+* Sanitize's own core filtering logic is now implemented as a set of always-on
+  transformers.
+* The default value for the `:output` config is now `:html`. Previously it was
+  `:xhtml`.
+* Added a `:whitespace_elements` config, which specifies elements (such as
+  `<br>` and `<p>`) that should be replaced with whitespace when removed in
+  order to preserve readability. See the README for the default list of
+  elements that will be replaced with whitespace when removed.
+* Added a `:transformers_breadth` config, which may be used to specify
+  transformers that should traverse nodes in a breadth-first mode rather than
+  the default depth-first mode.
+* Added the `abbr`, `dfn`, `kbd`, `mark`, `s`, `samp`, `time`, and `var`
+  elements to the whitelists for the basic and relaxed configs.
+* Added the `bdo`, `del`, `figcaption`, `figure`, `hgroup`, `ins`, `rp`, `rt`,
+  `ruby`, and `wbr` elements to the whitelist for the relaxed config.
+* The `dir`, `lang`, and `title` attributes are now whitelisted for all
+  elements in the relaxed config.
+* Bumped minimum Nokogiri version to 1.4.4 to avoid a bug in 1.4.2+
+  (issue #315) that caused `</body></html>` to be appended to the CDATA inside
+  unterminated script and style elements.
 
 
 Version 1.2.1 (2010-04-20)
 --------------------------
 
-  * Added a `:remove_contents` config setting. If set to `true`, Sanitize will
-    remove the contents of all non-whitelisted elements in addition to the
-    elements themselves. If set to an array of element names, Sanitize will
-    remove the contents of only those elements (when filtered), and leave the
-    contents of other filtered elements. [Thanks to Rafael Souza for the array
-    option]
-  * Added an `:output_encoding` config setting to allow the character encoding
-    for HTML output to be specified. The default is utf-8.
-  * The environment hash passed into transformers now includes a `:node_name`
-    item containing the lowercase name of the current HTML node (e.g. "div").
-  * Returning anything other than a Hash or nil from a transformer will now
-    raise a meaningful `Sanitize::Error` exception rather than an unintended
-    `NameError`.
+* Added a `:remove_contents` config setting. If set to `true`, Sanitize will
+  remove the contents of all non-whitelisted elements in addition to the
+  elements themselves. If set to an array of element names, Sanitize will
+  remove the contents of only those elements (when filtered), and leave the
+  contents of other filtered elements. [Thanks to Rafael Souza for the array
+  option]
+* Added an `:output_encoding` config setting to allow the character encoding
+  for HTML output to be specified. The default is utf-8.
+* The environment hash passed into transformers now includes a `:node_name`
+  item containing the lowercase name of the current HTML node (e.g. "div").
+* Returning anything other than a Hash or nil from a transformer will now
+  raise a meaningful `Sanitize::Error` exception rather than an unintended
+  `NameError`.
 
 
 Version 1.2.0 (2010-01-17)
 --------------------------
 
-  * Requires Nokogiri ~> 1.4.1.
-  * Added support for transformers, which allow you to filter and alter nodes
-    using your own custom logic, on top of (or instead of) Sanitize's core
-    filter. See the README for details and examples.
-  * Added `Sanitize.clean_node!`, which sanitizes a `Nokogiri::XML::Node` and
-    all its children.
-  * Added elements `<h1>` through `<h6>` to the Relaxed whitelist. [Suggested by
-    David Reese]
+* Requires Nokogiri ~> 1.4.1.
+* Added support for transformers, which allow you to filter and alter nodes
+  using your own custom logic, on top of (or instead of) Sanitize's core
+  filter. See the README for details and examples.
+* Added `Sanitize.clean_node!`, which sanitizes a `Nokogiri::XML::Node` and
+  all its children.
+* Added elements `<h1>` through `<h6>` to the Relaxed whitelist. [Suggested by
+  David Reese]
 
 
 Version 1.1.0 (2009-10-11)
 --------------------------
 
-  * Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 [Adam Hooper]
-  * Added an `:output` config setting to allow the output format to be
-    specified. Supported formats are `:xhtml` (the default) and `:html` (which
-    outputs HTML4).
-  * Changed protocol regex to ensure Sanitize doesn't kill URLs with colons in
-    path segments. [Peter Cooper]
+* Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 [Adam Hooper]
+* Added an `:output` config setting to allow the output format to be
+  specified. Supported formats are `:xhtml` (the default) and `:html` (which
+  outputs HTML4).
+* Changed protocol regex to ensure Sanitize doesn't kill URLs with colons in
+  path segments. [Peter Cooper]
 
 
 Version 1.0.8 (2009-04-23)
 --------------------------
 
-  * Added a workaround for an Hpricot bug that prevents attribute names from
-    being downcased in recent versions of Hpricot. This was exploitable to
-    prevent non-whitelisted protocols from being cleaned. [Reported by Ben
-    Wanicur]
+* Added a workaround for an Hpricot bug that prevents attribute names from
+  being downcased in recent versions of Hpricot. This was exploitable to
+  prevent non-whitelisted protocols from being cleaned. [Reported by Ben
+  Wanicur]
 
 
 Version 1.0.7 (2009-04-11)
 --------------------------
 
-  * Requires Hpricot 0.8.1+, which is finally compatible with Ruby 1.9.1.
-  * Fixed a bug that caused named character entities containing digits (like
-    `&sup2;`) to be escaped when they shouldn't have been. [Reported by
-    Sebastian Steinmetz]
+* Requires Hpricot 0.8.1+, which is finally compatible with Ruby 1.9.1.
+* Fixed a bug that caused named character entities containing digits (like
+  `&sup2;`) to be escaped when they shouldn't have been. [Reported by
+  Sebastian Steinmetz]
 
 
 Version 1.0.6 (2009-02-23)
 --------------------------
 
-  * Removed htmlentities gem dependency.
-  * Existing well-formed character entity references in the input string are now
-    preserved rather than being decoded and re-encoded.
-  * The `'` character is now encoded as `&#39;` instead of `&apos;` to prevent
-    problems in IE6.
-  * You can now specify the symbol `:all` in place of an element name in the
-    attributes config hash to allow certain attributes on all elements. [Thanks
-    to Mutwin Kraus]
+* Removed htmlentities gem dependency.
+* Existing well-formed character entity references in the input string are now
+  preserved rather than being decoded and re-encoded.
+* The `'` character is now encoded as `&#39;` instead of `&apos;` to prevent
+  problems in IE6.
+* You can now specify the symbol `:all` in place of an element name in the
+  attributes config hash to allow certain attributes on all elements. [Thanks
+  to Mutwin Kraus]
 
 
 Version 1.0.5 (2009-02-05)
 --------------------------
 
-  * Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
-    protocols from being cleaned when relative URLs were allowed. [Reported by
-    Dev Purkayastha]
-  * Fixed "undefined method `parent='" exceptions caused by parser changes in
-    edge Hpricot.
+* Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
+  protocols from being cleaned when relative URLs were allowed. [Reported by
+  Dev Purkayastha]
+* Fixed "undefined method `parent='" exceptions caused by parser changes in
+  edge Hpricot.
 
 
 Version 1.0.4 (2009-01-16)
 --------------------------
 
-  * Fixed a bug that made it possible to sneak a non-whitelisted element through
-    by repeating it several times in a row. All versions of Sanitize prior to
-    1.0.4 are vulnerable. [Reported by Cristobal]
+* Fixed a bug that made it possible to sneak a non-whitelisted element through
+  by repeating it several times in a row. All versions of Sanitize prior to
+  1.0.4 are vulnerable. [Reported by Cristobal]
 
 
 Version 1.0.3 (2009-01-15)
 --------------------------
 
-  * Fixed a bug whereby incomplete Unicode or hex entities could be used to
-    prevent non-whitelisted protocols from being cleaned. Since IE6 and Opera
-    still decode the incomplete entities, users of those browsers may be
-    vulnerable to malicious script injection on websites using versions of
-    Sanitize prior to 1.0.3.
+* Fixed a bug whereby incomplete Unicode or hex entities could be used to
+  prevent non-whitelisted protocols from being cleaned. Since IE6 and Opera
+  still decode the incomplete entities, users of those browsers may be
+  vulnerable to malicious script injection on websites using versions of
+  Sanitize prior to 1.0.3.
 
 
 Version 1.0.2 (2009-01-04)
 --------------------------
 
-  * Fixed a bug that caused an exception to be thrown when parsing a valueless
-    attribute that's expected to contain a URL.
+* Fixed a bug that caused an exception to be thrown when parsing a valueless
+  attribute that's expected to contain a URL.
 
 
 Version 1.0.1 (2009-01-01)
 --------------------------
 
-  * You can now specify `:relative` in a protocol config array to allow
-    attributes containing relative URLs with no protocol. The Basic and Relaxed
-    configs have been updated to allow relative URLs.
-  * Added a workaround for an Hpricot bug that causes HTML entities for
-    non-ASCII characters to be replaced by question marks, and all other
-    entities to be destructively decoded.
+* You can now specify `:relative` in a protocol config array to allow
+  attributes containing relative URLs with no protocol. The Basic and Relaxed
+  configs have been updated to allow relative URLs.
+* Added a workaround for an Hpricot bug that causes HTML entities for
+  non-ASCII characters to be replaced by question marks, and all other
+  entities to be destructively decoded.
 
 
 Version 1.0.0 (2008-12-25)
 --------------------------
 
-  * First release.
+* First release.

data/lib/sanitize.rb

@@ -26,6 +26,7 @@ require 'set'
 require 'nokogiri'
 require 'sanitize/version'
 require 'sanitize/config'
+require 'sanitize/config/default'
 require 'sanitize/config/restricted'
 require 'sanitize/config/basic'
 require 'sanitize/config/relaxed'

data/lib/sanitize/config.rb

@@ -22,64 +22,17 @@
 
 class Sanitize
   module Config
-    DEFAULT = {
 
-      # Whether or not to allow HTML comments. Allowing comments is strongly
-      # discouraged, since IE allows script execution within conditional
-      # comments.
-      :allow_comments => false,
+    # Deeply freeze and return a configuration Hash.
+    def self.freeze_config(config)
+      if Array === config
+        config.each { |c| freeze_config(c) }
+      elsif Hash === config
+        config.each_value { |c| freeze_config(c) }
+      end
 
-      # HTML attributes to add to specific elements. By default, no attributes
-      # are added.
-      :add_attributes => {},
+      config.freeze
+    end
 
-      # HTML attributes to allow in specific elements. By default, no attributes
-      # are allowed.
-      :attributes => {},
-
-      # HTML elements to allow. By default, no elements are allowed (which means
-      # that all HTML will be stripped).
-      :elements => [],
-
-      # Output format. Supported formats are :html and :xhtml. Default is :html.
-      :output => :html,
-
-      # Character encoding to use for HTML output. Default is 'utf-8'.
-      :output_encoding => 'utf-8',
-
-      # URL handling protocols to allow in specific attributes. By default, no
-      # protocols are allowed. Use :relative in place of a protocol if you want
-      # to allow relative URLs sans protocol.
-      :protocols => {},
-
-      # If this is true, Sanitize will remove the contents of any filtered
-      # elements in addition to the elements themselves. By default, Sanitize
-      # leaves the safe parts of an element's contents behind when the element
-      # is removed.
-      #
-      # If this is an Array of element names, then only the contents of the
-      # specified elements (when filtered) will be removed, and the contents of
-      # all other filtered elements will be left behind.
-      :remove_contents => false,
-
-      # Transformers allow you to filter or alter nodes using custom logic. See
-      # README.rdoc for details and examples.
-      :transformers => [],
-
-      # By default, transformers perform depth-first traversal (deepest node
-      # upward). This setting allows you to specify transformers that should
-      # perform breadth-first traversal (top node downward).
-      :transformers_breadth => [],
-
-      # Elements which, when removed, should have their contents surrounded by
-      # space characters to preserve readability. For example,
-      # `foo<div>bar</div>baz` will become 'foo bar baz' when the <div> is
-      # removed.
-      :whitespace_elements => %w[
-        address article aside blockquote br dd div dl dt footer h1 h2 h3 h4 h5
-        h6 header hgroup hr li nav ol p pre section ul
-      ]
-
-    }
   end
 end

data/lib/sanitize/config/basic.rb

@@ -22,7 +22,7 @@
 
 class Sanitize
   module Config
-    BASIC = {
+    BASIC = freeze_config(
       :elements => %w[
         a abbr b blockquote br cite code dd dfn dl dt em i kbd li mark ol p pre
         q s samp small strike strong sub sup time u ul var
@@ -46,6 +46,6 @@ class Sanitize
         'blockquote' => {'cite' => ['http', 'https', :relative]},
         'q'          => {'cite' => ['http', 'https', :relative]}
       }
-    }
+    )
   end
 end

data/lib/sanitize/config/default.rb

@@ -0,0 +1,85 @@
+#--
+# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the 'Software'), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#++
+
+class Sanitize
+  module Config
+    DEFAULT = freeze_config(
+
+      # Whether or not to allow HTML comments. Allowing comments is strongly
+      # discouraged, since IE allows script execution within conditional
+      # comments.
+      :allow_comments => false,
+
+      # HTML attributes to add to specific elements. By default, no attributes
+      # are added.
+      :add_attributes => {},
+
+      # HTML attributes to allow in specific elements. By default, no attributes
+      # are allowed.
+      :attributes => {},
+
+      # HTML elements to allow. By default, no elements are allowed (which means
+      # that all HTML will be stripped).
+      :elements => [],
+
+      # Output format. Supported formats are :html and :xhtml. Default is :html.
+      :output => :html,
+
+      # Character encoding to use for HTML output. Default is 'utf-8'.
+      :output_encoding => 'utf-8',
+
+      # URL handling protocols to allow in specific attributes. By default, no
+      # protocols are allowed. Use :relative in place of a protocol if you want
+      # to allow relative URLs sans protocol.
+      :protocols => {},
+
+      # If this is true, Sanitize will remove the contents of any filtered
+      # elements in addition to the elements themselves. By default, Sanitize
+      # leaves the safe parts of an element's contents behind when the element
+      # is removed.
+      #
+      # If this is an Array of element names, then only the contents of the
+      # specified elements (when filtered) will be removed, and the contents of
+      # all other filtered elements will be left behind.
+      :remove_contents => false,
+
+      # Transformers allow you to filter or alter nodes using custom logic. See
+      # README.rdoc for details and examples.
+      :transformers => [],
+
+      # By default, transformers perform depth-first traversal (deepest node
+      # upward). This setting allows you to specify transformers that should
+      # perform breadth-first traversal (top node downward).
+      :transformers_breadth => [],
+
+      # Elements which, when removed, should have their contents surrounded by
+      # space characters to preserve readability. For example,
+      # `foo<div>bar</div>baz` will become 'foo bar baz' when the <div> is
+      # removed.
+      :whitespace_elements => %w[
+        address article aside blockquote br dd div dl dt footer h1 h2 h3 h4 h5
+        h6 header hgroup hr li nav ol p pre section ul
+      ]
+
+    )
+  end
+end

data/lib/sanitize/config/relaxed.rb

@@ -22,7 +22,7 @@
 
 class Sanitize
   module Config
-    RELAXED = {
+    RELAXED = freeze_config(
       :elements => %w[
         a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
         dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
@@ -56,6 +56,6 @@ class Sanitize
         'ins'        => {'cite' => ['http', 'https', :relative]},
         'q'          => {'cite' => ['http', 'https', :relative]}
       }
-    }
+    )
   end
 end

data/lib/sanitize/config/restricted.rb

@@ -22,8 +22,8 @@
 
 class Sanitize
   module Config
-    RESTRICTED = {
+    RESTRICTED = freeze_config(
       :elements => %w[b em i strong u]
-    }
+    )
   end
 end

data/lib/sanitize/version.rb

@@ -1,3 +1,3 @@
 class Sanitize
-  VERSION = '2.0.4'
+  VERSION = '2.0.5'
 end

data/test/test_sanitize.rb

@@ -0,0 +1,623 @@
+# encoding: utf-8
+#--
+# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the 'Software'), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#++
+
+require 'rubygems'
+gem 'minitest'
+
+require 'minitest/autorun'
+require 'sanitize'
+
+strings = {
+  :basic => {
+    :html       => '<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script>',
+    :default    => 'Lorem ipsum dolor sit amet alert("hello world");',
+    :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet alert("hello world");',
+    :basic      => '<b>Lorem</b> <a href="pants" rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");',
+    :relaxed    => '<b>Lorem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet alert("hello world");'
+  },
+
+  :malformed => {
+    :html       => 'Lo<!-- comment -->rem</b> <a href=pants title="foo>ipsum <a href="http://foo.com/"><strong>dolor</a></strong> sit<br/>amet <script>alert("hello world");',
+    :default    => 'Lorem dolor sit amet alert("hello world");',
+    :restricted => 'Lorem <strong>dolor</strong> sit amet alert("hello world");',
+    :basic      => 'Lorem <a href="pants" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");',
+    :relaxed    => 'Lorem <a href="pants" title="foo&gt;ipsum &lt;a href="><strong>dolor</strong></a> sit<br>amet alert("hello world");',
+    :document   => ' Lorem dolor sit amet alert("hello world"); '
+  },
+
+  :unclosed => {
+    :html       => '<p>a</p><blockquote>b',
+    :default    => ' a  b ',
+    :restricted => ' a  b ',
+    :basic      => '<p>a</p><blockquote>b</blockquote>',
+    :relaxed    => '<p>a</p><blockquote>b</blockquote>'
+  },
+
+  :malicious => {
+    :html       => '<b>Lo<!-- comment -->rem</b> <a href="javascript:pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <<foo>script>alert("hello world");</script>',
+    :default    => 'Lorem ipsum dolor sit amet script&gt;alert("hello world");',
+    :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet script&gt;alert("hello world");',
+    :basic      => '<b>Lorem</b> <a rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet script&gt;alert("hello world");',
+    :relaxed    => '<b>Lorem</b> <a title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet script&gt;alert("hello world");'
+  },
+
+  :raw_comment => {
+    :html       => '<!-- comment -->Hello',
+    :default    => 'Hello',
+    :restricted => 'Hello',
+    :basic      => 'Hello',
+    :relaxed    => 'Hello',
+    :document   => ' Hello ',
+  }
+}
+
+tricky = {
+  'protocol-based JS injection: simple, no spaces' => {
+    :html       => '<a href="javascript:alert(\'XSS\');">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: simple, spaces before' => {
+    :html       => '<a href="javascript    :alert(\'XSS\');">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: simple, spaces after' => {
+    :html       => '<a href="javascript:    alert(\'XSS\');">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: simple, spaces before and after' => {
+    :html       => '<a href="javascript    :   alert(\'XSS\');">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: preceding colon' => {
+    :html       => '<a href=":javascript:alert(\'XSS\');">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: UTF-8 encoding' => {
+    :html       => '<a href="javascript&#58;">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: long UTF-8 encoding' => {
+    :html       => '<a href="javascript&#0058;">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
+    :html       => '<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: hex encoding' => {
+    :html       => '<a href="javascript&#x3A;">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: long hex encoding' => {
+    :html       => '<a href="javascript&#x003A;">foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: hex encoding without semicolons' => {
+    :html       => '<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>foo</a>',
+    :default    => 'foo',
+    :restricted => 'foo',
+    :basic      => '<a rel="nofollow">foo</a>',
+    :relaxed    => '<a>foo</a>'
+  },
+
+  'protocol-based JS injection: null char' => {
+    :html       => "<img src=java\0script:alert(\"XSS\")>",
+    :default    => '',
+    :restricted => '',
+    :basic      => '',
+    :relaxed    => '<img src="java">' # everything following the null char gets stripped, and URL is considered relative
+  },
+
+  'protocol-based JS injection: invalid URL char' => {
+    :html       => '<img src=java\script:alert("XSS")>',
+    :default    => '',
+    :restricted => '',
+    :basic      => '',
+    :relaxed    => '<img>'
+  },
+
+  'protocol-based JS injection: spaces and entities' => {
+    :html       => '<img src=" &#14;  javascript:alert(\'XSS\');">',
+    :default    => '',
+    :restricted => '',
+    :basic      => '',
+    :relaxed    => '<img src="">'
+  }
+}
+
+describe 'Config::DEFAULT' do
+  it 'should translate valid HTML entities' do
+    Sanitize.clean("Don&apos;t tas&eacute; me &amp; bro!").must_equal("Don't tasé me &amp; bro!")
+  end
+
+  it 'should translate valid HTML entities while encoding unencoded ampersands' do
+    Sanitize.clean("cookies&sup2; & &frac14; cr&eacute;me").must_equal("cookies² &amp; ¼ créme")
+  end
+
+  it 'should never output &apos;' do
+    Sanitize.clean("<a href='&apos;' class=\"' &#39;\">IE6 isn't a real browser</a>").wont_match(/&apos;/)
+  end
+
+  it 'should not choke on several instances of the same element in a row' do
+    Sanitize.clean('<img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif">').must_equal('')
+  end
+
+  it 'should surround the contents of :whitespace_elements with space characters when removing the element' do
+    Sanitize.clean('foo<div>bar</div>baz').must_equal('foo bar baz')
+    Sanitize.clean('foo<br>bar<br>baz').must_equal('foo bar baz')
+    Sanitize.clean('foo<hr>bar<hr>baz').must_equal('foo bar baz')
+  end
+
+  strings.each do |name, data|
+    it "should clean #{name} HTML" do
+      Sanitize.clean(data[:html]).must_equal(data[:default])
+    end
+  end
+
+  tricky.each do |name, data|
+    it "should not allow #{name}" do
+      Sanitize.clean(data[:html]).must_equal(data[:default])
+    end
+  end
+end
+
+describe 'Config::RESTRICTED' do
+  before { @s = Sanitize.new(Sanitize::Config::RESTRICTED) }
+
+  strings.each do |name, data|
+    it "should clean #{name} HTML" do
+      @s.clean(data[:html]).must_equal(data[:restricted])
+    end
+  end
+
+  tricky.each do |name, data|
+    it "should not allow #{name}" do
+      @s.clean(data[:html]).must_equal(data[:restricted])
+    end
+  end
+end
+
+describe 'Config::BASIC' do
+  before { @s = Sanitize.new(Sanitize::Config::BASIC) }
+
+  it 'should not choke on valueless attributes' do
+    @s.clean('foo <a href>foo</a> bar').must_equal('foo <a href rel="nofollow">foo</a> bar')
+  end
+
+  it 'should downcase attribute names' do
+    @s.clean('<a HREF="javascript:alert(\'foo\')">bar</a>').must_equal('<a rel="nofollow">bar</a>')
+  end
+
+  strings.each do |name, data|
+    it "should clean #{name} HTML" do
+      @s.clean(data[:html]).must_equal(data[:basic])
+    end
+  end
+
+  tricky.each do |name, data|
+    it "should not allow #{name}" do
+      @s.clean(data[:html]).must_equal(data[:basic])
+    end
+  end
+end
+
+describe 'Config::RELAXED' do
+  before { @s = Sanitize.new(Sanitize::Config::RELAXED) }
+
+  it 'should encode special chars in attribute values' do
+    input  = '<a href="http://example.com" title="<b>&eacute;xamples</b> & things">foo</a>'
+    output = Nokogiri::HTML.fragment('<a href="http://example.com" title="&lt;b&gt;éxamples&lt;/b&gt; &amp; things">foo</a>').to_xhtml(:encoding => 'utf-8', :indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XHTML)
+    @s.clean(input).must_equal(output)
+  end
+
+  strings.each do |name, data|
+    it "should clean #{name} HTML" do
+      @s.clean(data[:html]).must_equal(data[:relaxed])
+    end
+  end
+
+  tricky.each do |name, data|
+    it "should not allow #{name}" do
+      @s.clean(data[:html]).must_equal(data[:relaxed])
+    end
+  end
+end
+
+describe 'Full Document parser (using clean_document)' do
+  before {
+    @s = Sanitize.new({:elements => %w[!DOCTYPE html]})
+    @default_doctype = "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" \"http://www.w3.org/TR/REC-html40/loose.dtd\">"
+  }
+
+  it 'should require HTML element is whitelisted to prevent parser errors' do
+    assert_raises(RuntimeError, 'You must have the HTML element whitelisted') {
+      Sanitize.clean_document!('', {:elements => [], :remove_contents => false})
+    }
+  end
+
+  it 'should NOT require HTML element to be whitelisted if remove_contents is true' do
+    output = '<!DOCTYPE html><html>foo</html>'
+    Sanitize.clean_document!(output, {:remove_contents => true}).must_equal "<!DOCTYPE html>\n\n"
+  end
+
+  it 'adds a doctype tag if not included' do
+    @s.clean_document('').must_equal("#{@default_doctype}\n\n")
+  end
+
+  it 'should apply whitelist filtering to HTML element' do
+    output = "<!DOCTYPE html>\n<html anything='false'></html>\n\n"
+    @s.clean_document(output).must_equal("<!DOCTYPE html>\n<html></html>\n")
+  end
+
+  strings.each do |name, data|
+    it "should wrap #{name} with DOCTYPE and HTML tag" do
+      output = data[:document] || data[:default]
+      @s.clean_document(data[:html]).must_equal("#{@default_doctype}\n<html>#{output}</html>\n")
+    end
+  end
+
+  tricky.each do |name, data|
+    it "should wrap #{name} with DOCTYPE and HTML tag" do
+      @s.clean_document(data[:html]).must_equal("#{@default_doctype}\n<html>#{data[:default]}</html>\n")
+    end
+  end
+end
+
+describe 'Custom configs' do
+  it 'should allow attributes on all elements if whitelisted under :all' do
+    input = '<p class="foo">bar</p>'
+
+    Sanitize.clean(input).must_equal(' bar ')
+    Sanitize.clean(input, {:elements => ['p'], :attributes => {:all => ['class']}}).must_equal(input)
+    Sanitize.clean(input, {:elements => ['p'], :attributes => {'div' => ['class']}}).must_equal('<p>bar</p>')
+    Sanitize.clean(input, {:elements => ['p'], :attributes => {'p' => ['title'], :all => ['class']}}).must_equal(input)
+  end
+
+  it 'should allow comments when :allow_comments == true' do
+    input = 'foo <!-- bar --> baz'
+    Sanitize.clean(input).must_equal('foo  baz')
+    Sanitize.clean(input, :allow_comments => true).must_equal(input)
+  end
+
+  it 'should allow relative URLs containing colons where the colon is not in the first path segment' do
+    input = '<a href="/wiki/Special:Random">Random Page</a>'
+    Sanitize.clean(input, { :elements => ['a'], :attributes => {'a' => ['href']}, :protocols => { 'a' => { 'href' => [:relative] }} }).must_equal(input)
+  end
+
+  it 'should output HTML when :output == :html' do
+    input = 'foo<br/>bar<br>baz'
+    Sanitize.clean(input, :elements => ['br'], :output => :html).must_equal('foo<br>bar<br>baz')
+  end
+
+  it 'should remove the contents of filtered nodes when :remove_contents == true' do
+    Sanitize.clean('foo bar <div>baz<span>quux</span></div>', :remove_contents => true).must_equal('foo bar   ')
+  end
+
+  it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as strings' do
+    Sanitize.clean('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', :remove_contents => ['script', 'span']).must_equal('foo bar  baz ')
+  end
+
+  it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as symbols' do
+    Sanitize.clean('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', :remove_contents => [:script, :span]).must_equal('foo bar  baz ')
+  end
+
+  it 'should support encodings other than utf-8' do
+    html = 'foo&nbsp;bar'
+    Sanitize.clean(html).must_equal("foo\302\240bar")
+    Sanitize.clean(html, :output_encoding => 'ASCII').must_equal("foo&#160;bar")
+  end
+end
+
+describe 'Sanitize.clean' do
+  it 'should not modify the input string' do
+    input = '<b>foo</b>'
+    Sanitize.clean(input)
+    input.must_equal('<b>foo</b>')
+  end
+
+  it 'should return a new string' do
+    input = '<b>foo</b>'
+    Sanitize.clean(input).must_equal('foo')
+  end
+end
+
+describe 'Sanitize.clean!' do
+  it 'should modify the input string' do
+    input = '<b>foo</b>'
+    Sanitize.clean!(input)
+    input.must_equal('foo')
+  end
+
+  it 'should return the string if it was modified' do
+    input = '<b>foo</b>'
+    Sanitize.clean!(input).must_equal('foo')
+  end
+
+  it 'should return nil if the string was not modified' do
+    input = 'foo'
+    Sanitize.clean!(input).must_equal(nil)
+  end
+end
+
+describe 'Sanitize.clean_document' do
+  before { @config = { :elements => ['html', 'p'] } }
+
+  it 'should be idempotent' do
+    input = '<!DOCTYPE html><html><p>foo</p></html>'
+    first = Sanitize.clean_document(input, @config)
+    second = Sanitize.clean_document(first, @config)
+    second.must_equal first
+    second.wont_be_nil
+  end
+
+  it 'should handle nil without raising' do
+    Sanitize.clean_document(nil).must_equal nil
+  end
+
+  it 'should not modify the input string' do
+    input = '<!DOCTYPE html><b>foo</b>'
+    Sanitize.clean_document(input, @config)
+    input.must_equal('<!DOCTYPE html><b>foo</b>')
+  end
+
+  it 'should return a new string' do
+    input = '<!DOCTYPE html><b>foo</b>'
+    Sanitize.clean_document(input, @config).must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
+  end
+end
+
+describe 'Sanitize.clean_document!' do
+  before { @config = { :elements => ['html'] } }
+
+  it 'should modify the input string' do
+    input = '<!DOCTYPE html><html><body><b>foo</b></body></html>'
+    Sanitize.clean_document!(input, @config)
+    input.must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
+  end
+
+  it 'should return the string if it was modified' do
+    input = '<!DOCTYPE html><html><body><b>foo</b></body></html>'
+    Sanitize.clean_document!(input, @config).must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
+  end
+
+  it 'should return nil if the string was not modified' do
+    input = "<!DOCTYPE html>\n<html></html>\n"
+    Sanitize.clean_document!(input, @config).must_equal(nil)
+  end
+end
+
+describe 'transformers' do
+  # YouTube embed transformer.
+  youtube = lambda do |env|
+    node      = env[:node]
+    node_name = env[:node_name]
+
+    # Don't continue if this node is already whitelisted or is not an element.
+    return if env[:is_whitelisted] || !node.element?
+
+    # Don't continue unless the node is an iframe.
+    return unless node_name == 'iframe'
+
+    # Verify that the video URL is actually a valid YouTube video URL.
+    return unless node['src'] =~ /\Ahttps?:\/\/(?:www\.)?youtube(?:-nocookie)?\.com\//
+
+    # We're now certain that this is a YouTube embed, but we still need to run
+    # it through a special Sanitize step to ensure that no unwanted elements or
+    # attributes that don't belong in a YouTube embed can sneak in.
+    Sanitize.clean_node!(node, {
+      :elements => %w[iframe],
+
+      :attributes => {
+        'iframe'  => %w[allowfullscreen frameborder height src width]
+      }
+    })
+
+    # Now that we're sure that this is a valid YouTube embed and that there are
+    # no unwanted elements or attributes hidden inside it, we can tell Sanitize
+    # to whitelist the current node.
+    {:node_whitelist => [node]}
+  end
+
+  it 'should receive a complete env Hash as input' do
+    Sanitize.clean!('<SPAN>foo</SPAN>', :foo => :bar, :transformers => lambda {|env|
+      return unless env[:node].element?
+
+      env[:config][:foo].must_equal(:bar)
+      env[:is_whitelisted].must_equal(false)
+      env[:node].must_be_kind_of(Nokogiri::XML::Node)
+      env[:node_name].must_equal('span')
+      env[:node_whitelist].must_be_kind_of(Set)
+      env[:node_whitelist].must_be_empty
+    })
+  end
+
+  it 'should traverse all node types, including the fragment itself' do
+    nodes = []
+
+    Sanitize.clean!('<div>foo</div><!--bar--><script>cdata!</script>', :transformers => proc {|env|
+      nodes << env[:node_name]
+    })
+
+    nodes.must_equal(%w[
+      text div comment #cdata-section script #document-fragment
+    ])
+  end
+
+  it 'should traverse in depth-first mode by default' do
+    nodes = []
+
+    Sanitize.clean!('<div><span>foo</span></div><p>bar</p>', :transformers => proc {|env|
+      env[:traversal_mode].must_equal(:depth)
+      nodes << env[:node_name] if env[:node].element?
+    })
+
+    nodes.must_equal(['span', 'div', 'p'])
+  end
+
+  it 'should traverse in breadth-first mode when using :transformers_breadth' do
+    nodes = []
+
+    Sanitize.clean!('<div><span>foo</span></div><p>bar</p>', :transformers_breadth => proc {|env|
+      env[:traversal_mode].must_equal(:breadth)
+      nodes << env[:node_name] if env[:node].element?
+    })
+
+    nodes.must_equal(['div', 'span', 'p'])
+  end
+
+  it 'should whitelist nodes in the node whitelist' do
+    Sanitize.clean!('<div class="foo">foo</div><span>bar</span>', :transformers => [
+      proc {|env|
+        {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
+      },
+
+      proc {|env|
+        env[:is_whitelisted].must_equal(false) unless env[:node_name] == 'div'
+        env[:is_whitelisted].must_equal(true) if env[:node_name] == 'div'
+        env[:node_whitelist].must_include(env[:node]) if env[:node_name] == 'div'
+      }
+    ]).must_equal('<div class="foo">foo</div>bar')
+  end
+
+  it 'should clear the node whitelist after each fragment' do
+    called = false
+
+    Sanitize.clean!('<div>foo</div>', :transformers => proc {|env|
+      {:node_whitelist => [env[:node]]}
+    })
+
+    Sanitize.clean!('<div>foo</div>', :transformers =>  proc {|env|
+      called = true
+      env[:is_whitelisted].must_equal(false)
+      env[:node_whitelist].must_be_empty
+    })
+
+    called.must_equal(true)
+  end
+
+  it 'should allow youtube video embeds via the youtube transformer' do
+    input  = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
+
+    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
+  end
+
+  it 'should allow https youtube video embeds via the youtube transformer' do
+    input  = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
+
+    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
+  end
+
+  it 'should allow privacy-enhanced youtube video embeds via the youtube transformer' do
+    input  = '<iframe width="420" height="315" src="http://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="http://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
+
+    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
+  end
+
+  it 'should not allow non-youtube video embeds via the youtube transformer' do
+    input  = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
+    output = ''
+
+    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
+  end
+end
+
+describe 'bugs' do
+  it 'should not have Nokogiri 1.4.2+ unterminated script/style element bug' do
+    Sanitize.clean!('foo <script>bar').must_equal('foo bar')
+    Sanitize.clean!('foo <style>bar').must_equal('foo bar')
+  end
+end
+
+describe "default configurations" do
+  def assert_deep_frozen(config)
+    if Hash === config
+      config.each_value { |c| assert_deep_frozen(c) }
+      config.frozen?.must_equal(true)
+    elsif Array === config
+      config.each { |c| assert_deep_frozen(c) }
+      config.frozen?.must_equal(true)
+    end
+  end
+
+  {
+    "DEFAULT" => Sanitize::Config::DEFAULT,
+    "RESTRICTED" => Sanitize::Config::RESTRICTED,
+    "BASIC" => Sanitize::Config::BASIC,
+    "RELAXED" => Sanitize::Config::RELAXED,
+  }.each do |name, config|
+    describe name do
+      it "should be frozen" do
+        assert_deep_frozen(config)
+      end
+    end
+  end
+
+  it "cannot be modified" do
+    assert_raises(RuntimeError, "can't modify frozen") {
+      Sanitize::Config::RESTRICTED.dup[:elements].push("script")
+    }
+  end
+end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.0.5
 platform: ruby
 authors:
 - Ryan Grove
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-12 00:00:00.000000000 Z
+date: 2013-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.4.4
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -62,6 +62,7 @@ files:
 - LICENSE
 - README.rdoc
 - lib/sanitize/config/basic.rb
+- lib/sanitize/config/default.rb
 - lib/sanitize/config/relaxed.rb
 - lib/sanitize/config/restricted.rb
 - lib/sanitize/config.rb
@@ -70,6 +71,7 @@ files:
 - lib/sanitize/transformers/clean_element.rb
 - lib/sanitize/version.rb
 - lib/sanitize.rb
+- test/test_sanitize.rb
 homepage: https://github.com/rgrove/sanitize/
 licenses: []
 metadata: {}