twitter-text 1.1.7 → 1.1.8

data/Rakefile

@@ -3,13 +3,15 @@ require 'rake/gempackagetask'
 require 'rake/rdoctask'
 require 'rubygems/specification'
 require 'date'
+
+gem 'rspec'
 require 'spec/rake/spectask'
 require 'spec/rake/verify_rcov'
 require 'digest'
 
 spec = Gem::Specification.new do |s|
   s.name = "twitter-text"
-  s.version = "1.1.7"
+  s.version = "1.1.8"
   s.authors = ["Matt Sanford", "Patrick Ewing", "Ben Cherry", "Britt Selvitelle", "Raffi Krikorian"]
   s.email = ["matt@twitter.com", "patrick.henry.ewing@gmail.com", "bcherry@gmail.com", "bs@brittspace.com", "raffi@twitter.com"]
   s.homepage = "http://twitter.com"

data/lib/regex.rb

@@ -35,7 +35,8 @@ module Twitter
     if major.to_i >= 1 && minor.to_i >= 9
       REGEXEN[:list_name] = /[a-zA-Z][a-zA-Z0-9_\-\u0080-\u00ff]{0,24}/
     else
-      REGEXEN[:list_name] = /[a-zA-Z][a-zA-Z0-9_\-\x80-\xff]{0,24}/
+      # This line barfs at compile time in Ruby 1.9.
+      REGEXEN[:list_name] = eval("/[a-zA-Z][a-zA-Z0-9_\\-\x80-\xff]{0,24}/")
     end
 
     # Latin accented characters (subtracted 0xD7 from the range, it's a confusable multiplication sign. Looks like "x")
@@ -60,7 +61,7 @@ module Twitter
     # Allow @ in a url, but only in the middle. Catch things like http://example.com/@user
     REGEXEN[:valid_url_path_chars] = /(?:
       #{REGEXEN[:wikipedia_disambiguation]}|
-      @[^\/]+\/|
+      @#{REGEXEN[:valid_general_url_path_chars]}+\/|
       [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
     )/ix
     # Valid end-of-path chracters (so /foo. does not gobble the period).

data/lib/twitter-text.rb

@@ -1,8 +1,15 @@
-raise("twitter-text requires the $KCODE variable be set to 'UTF8' or 'u'") unless ['u','UTF8'].include?($KCODE) || ''.respond_to?(:codepoints)
+
+major, minor, patch = RUBY_VERSION.split('.')
+
+if major == 1 && minor < 9
+  # Ruby 1.8 KCODE check. Not needed on 1.9 and later.
+  raise("twitter-text requires the $KCODE variable be set to 'UTF8' or 'u'") unless ['u','UTF8'].include?($KCODE)
+end
 
 require 'rubygems'
 
 # Needed for auto-linking
+gem 'actionpack'
 require 'action_view'
 
 require File.join(File.dirname(__FILE__), 'regex')

data/spec/autolinking_spec.rb

@@ -474,6 +474,14 @@ describe Twitter::Autolink do
         end
       end
 
+      context "with a @ in a URL" do
+        def original_text; 'http://x.xx/@"style="color:pink"onmouseover=alert(1)//'; end
+
+        it "should not allow XSS follwing @" do
+          @autolinked_text.should have_autolinked_url('http://x.xx/')
+        end
+      end
+
     end
 
     describe "Autolink all" do

metadata

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: twitter-text
 version: !ruby/object:Gem::Version 
-  hash: 29
   prerelease: false
   segments: 
   - 1
   - 1
-  - 7
-  version: 1.1.7
+  - 8
+  version: 1.1.8
 platform: ruby
 authors: 
 - Matt Sanford
@@ -19,18 +18,16 @@ autorequire: ""
 bindir: bin
 cert_chain: []
 
-date: 2010-08-19 00:00:00 -07:00
+date: 2010-08-23 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: actionpack
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 3
         segments: 
         - 0
         version: "0"
@@ -79,27 +76,23 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Twitter text handling library