trust_html 0.1.0 → 0.1.1

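--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,16 +1,17 @@
 = trust_html
 
+== Usage
+Pass HTML to:
+* TrustHtml.sanitize("<div onclick=\"alert('hi';)\">Hello world</div><img src=\"javascript:alert('xss');\"/><SCRIPT>alert(\"xss\");</SCRIPT><body background=\"javascript:alert('xss')\">")
 
+== Configuration
+So far you can only customize the methods for processing URL's and DOM ID's that are in the HTML provided. These methods are in JS and are passed local variables 'url' and 'id' respectively for you to decide whether to allow/rewrite/deny the value.
+* TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY
+* TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY
 
-== Contributing to trust_html
-
-* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
-* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
-* Fork the project
-* Start a feature/bugfix branch
-* Commit and push until you are happy with your contribution
-* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
-* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:
+* TrustHtml::Sanitizer::HTML_SANITIZER_PATH
+* TrustHtml::Sanitizer::HTML_DEFS_PATH
 
 == Copyright
 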
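--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.0
+0.1.1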
@@ -503,8 +503,7 @@ function html_sanitize(htmlText, opt_uriPolicy, opt_nmTokenPolicy) {
503
503
  value = null;
504
504
  break;
505
505
  case html4.atype.STYLE:
506
- // Commented out to support 'style' tag CYD 2011-04-03
507
- //value = null;
506
+ value = null;
508
507
  break;
509
508
  case html4.atype.ID:
510
509
  case html4.atype.IDREF:
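Review bot: The restored `value = null` under `case html4.atype.STYLE:` is the security-relevant part of this release — inline `style` attributes are dropped again instead of being passed through unsanitized, which 0.1.0 had disabled with a local edit to this vendored file ("Commented out to support 'style' tag") — yet nothing in the new code records why, so the same edit is easy to reapply. Replace the bare assignment with a why-comment such as `// Strip style attributes: CSS is not sanitized by this library, and inline CSS can carry script vectors in older browsers.` Since 0.1.0 shipped with this check disabled while the gem description promises cleaning of CSS, it is worth calling this out as a security fix in the release notes rather than a plain patch bump. The enclosing `html_sanitize` function starts and ends outside the hunk.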
@@ -16,7 +16,10 @@ module TrustHtml
16
16
  # 'id' is local to the method
17
17
  ID_SANITIZER_METHOD_BODY = "return id;"
18
18
 
19
- def self.sanitize_html(html_to_sanitize)
19
+ HTML_SANITIZER_PATH = File.expand_path("../../../assets/html-sanitizer.js", __FILE__)
20
+ HTML_DEFS_PATH = File.expand_path("../../../assets/html4-defs.js", __FILE__)
21
+
22
+ def self.sanitize(html_to_sanitize)
20
23
  sanitizer_js = "function urlX(url) {#{URL_SANITIZER_METHOD_BODY}};" +
21
24
  "function idX(id) {#{ID_SANITIZER_METHOD_BODY}};" +
22
25
  # Look at #escape_javascript as well...
@@ -24,8 +27,8 @@ module TrustHtml
24
27
  "html_sanitize('#{html_to_sanitize.escape_single_quotes.remove_nonprintable}', urlX, idX);"
25
28
 
26
29
  cxt = V8::Context.new
27
- cxt.load(File.expand_path("../../../assets/html4-defs.js", __FILE__))
28
- cxt.load(File.expand_path("../../../assets/html-sanitizer.js", __FILE__))
30
+ cxt.load(HTML_DEFS_PATH)
31
+ cxt.load(HTML_SANITIZER_PATH)
29
32
  cxt.eval(sanitizer_js)
30
33
  end
31
34
  end
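Review bot: The renamed `sanitize` still builds JavaScript source by interpolating the untrusted HTML into a single-quoted literal (`"html_sanitize('#{html_to_sanitize.escape_single_quotes.remove_nonprintable}', urlX, idX);"`), so the sanitizer's safety rests on `escape_single_quotes` from the `better` gem closing every way out of a JS string — backslashes and the U+2028/U+2029 line terminators are not visibly handled here, and the `# Look at #escape_javascript as well...` comment suggests the author already knows this is incomplete. Passing the input as a value removes the escaping problem entirely: after `cxt = V8::Context.new` set `cxt['input'] = html_to_sanitize` (therubyracer exposes Ruby values to the context this way, presumably — confirm against its API), and end the script with `"html_sanitize(input, urlX, idX);"` instead of the interpolated literal. Separately, `sanitize_html` is removed rather than aliased in a patch release; `def self.sanitize_html(html); sanitize(html); end` keeps 0.1.0 callers working. The `sanitizer_js` assignment spans both hunks of this section.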
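--- a/data/trust_html.gemspec
+++ b/data/trust_html.gemspec
@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = %q{trust_html}
-  s.version = "0.1.0"
+  s.version = "0.1.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = [%q{Cary Dunn}]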
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: trust_html
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -13,7 +13,7 @@ date: 2011-07-15 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: better
16
- requirement: &2152453300 !ruby/object:Gem::Requirement
16
+ requirement: &2152272220 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '0'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *2152453300
24
+ version_requirements: *2152272220
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: therubyracer
27
- requirement: &2152451820 !ruby/object:Gem::Requirement
27
+ requirement: &2152257680 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: '0'
33
33
  type: :runtime
34
34
  prerelease: false
35
- version_requirements: *2152451820
35
+ version_requirements: *2152257680
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: shoulda
38
- requirement: &2152449900 !ruby/object:Gem::Requirement
38
+ requirement: &2152249880 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: '0'
44
44
  type: :development
45
45
  prerelease: false
46
- version_requirements: *2152449900
46
+ version_requirements: *2152249880
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: bundler
49
- requirement: &2152447400 !ruby/object:Gem::Requirement
49
+ requirement: &2152247140 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ~>
@@ -54,10 +54,10 @@ dependencies:
54
54
  version: 1.0.0
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *2152447400
57
+ version_requirements: *2152247140
58
58
  - !ruby/object:Gem::Dependency
59
59
  name: jeweler
60
- requirement: &2152444300 !ruby/object:Gem::Requirement
60
+ requirement: &2152244460 !ruby/object:Gem::Requirement
61
61
  none: false
62
62
  requirements:
63
63
  - - ~>
@@ -65,10 +65,10 @@ dependencies:
65
65
  version: 1.6.4
66
66
  type: :development
67
67
  prerelease: false
68
- version_requirements: *2152444300
68
+ version_requirements: *2152244460
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: rcov
71
- requirement: &2152443180 !ruby/object:Gem::Requirement
71
+ requirement: &2152218160 !ruby/object:Gem::Requirement
72
72
  none: false
73
73
  requirements:
74
74
  - - ! '>='
@@ -76,7 +76,7 @@ dependencies:
76
76
  version: '0'
77
77
  type: :development
78
78
  prerelease: false
79
- version_requirements: *2152443180
79
+ version_requirements: *2152218160
80
80
  description: Make HTML trustworthy for rendering within your web app via Google HTML
81
81
  sanitizers. This is _not_ about stripping HTML but rather about cleaning it of javascript
82
82
  (onclicks, etc.) as well as CSS.
@@ -117,7 +117,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
117
117
  version: '0'
118
118
  segments:
119
119
  - 0
120
- hash: 4343116667519934222
120
+ hash: -3766334305255440814
121
121
  required_rubygems_version: !ruby/object:Gem::Requirement
122
122
  none: false
123
123
  requirements: