twitter-text 1.1.5 → 1.1.6

data/Rakefile

@@ -9,7 +9,7 @@ require 'digest'
 
 spec = Gem::Specification.new do |s|
   s.name = "twitter-text"
-  s.version = "1.1.5"
+  s.version = "1.1.6"
   s.authors = ["Matt Sanford", "Patrick Ewing", "Ben Cherry", "Britt Selvitelle", "Raffi Krikorian"]
   s.email = ["matt@twitter.com", "patrick.henry.ewing@gmail.com", "bcherry@gmail.com", "bs@brittspace.com", "raffi@twitter.com"]
   s.homepage = "http://twitter.com"

data/lib/regex.rb

@@ -52,15 +52,16 @@ module Twitter
     REGEXEN[:valid_preceding_chars] = /(?:[^\/"':!=]|^|\:)/
     REGEXEN[:valid_domain] = /(?:[^[:punct:]\s][\.-](?=[^[:punct:]\s])|[^[:punct:]\s]){1,}\.[a-z]{2,}(?::[0-9]+)?/i
 
+    REGEXEN[:valid_general_url_path_chars] = /[a-z0-9!\*';:=\+\$\/%#\[\]\-_,~]/i
     # Allow URL paths to contain balanced parens
     #  1. Used in Wikipedia URLs like /Primer_(film)
     #  2. Used in IIS sessions like /S(dfd346)/
-    REGEXEN[:wikipedia_disambiguation] = /(?:\([^\)]+\))/i
+    REGEXEN[:wikipedia_disambiguation] = /(?:\(#{REGEXEN[:valid_general_url_path_chars]}+\))/i
     # Allow @ in a url, but only in the middle. Catch things like http://example.com/@user
     REGEXEN[:valid_url_path_chars] = /(?:
       #{REGEXEN[:wikipedia_disambiguation]}|
       @[^\/]+\/|
-      [\.\,]?[a-z0-9!\*';:=\+\$\/%#\[\]\-_,~]
+      [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
     )/ix
     # Valid end-of-path chracters (so /foo. does not gobble the period).
     #   1. Allow =&# for empty URL parameters and other URL-join artifacts

data/spec/autolinking_spec.rb

@@ -385,6 +385,22 @@ describe Twitter::Autolink do
             @autolinked_text.should have_autolinked_url("http://example.com/i_has_a_")
           end
         end
+
+        context "balanced parens with a double quote inside" do
+          def url; "http://foo.bar/foo_(\")_bar" end
+
+          it "should be linked" do
+            @autolinked_text.should have_autolinked_url("http://foo.bar/foo_")
+          end
+        end
+
+        context "balanced parens hiding XSS" do
+          def url; 'http://x.xx/("style="color:red"onmouseover="alert(1)' end
+
+          it "should be linked" do
+            @autolinked_text.should have_autolinked_url("http://x.xx/")
+          end
+        end
       end
 
       context "when preceded by a :" do
@@ -471,7 +487,7 @@ describe Twitter::Autolink do
       end
 
     end
-    
+
   end
 
 end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: twitter-text
 version: !ruby/object:Gem::Version 
+  hash: 31
   prerelease: false
   segments: 
   - 1
   - 1
-  - 5
-  version: 1.1.5
+  - 6
+  version: 1.1.6
 platform: ruby
 authors: 
 - Matt Sanford
@@ -18,16 +19,18 @@ autorequire: ""
 bindir: bin
 cert_chain: []
 
-date: 2010-07-22 00:00:00 -07:00
+date: 2010-08-10 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: actionpack
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
         segments: 
         - 0
         version: "0"
@@ -76,23 +79,27 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Twitter text handling library