whistler 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Daniel Neighman
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,26 @@
+Whistler 
+==============
+
+Whistler is a white listing markup filter based on the specifications of the rails plugin by Rick Olson, aka technoweenie.
+http://techno-weenie.net/
+Whistler relies on the Hpricot library http://code.whytheluckystiff.net/hpricot
+
+This is very alpha at the moment.  Please help make it great.
+ 
+Whistler strips, and or sanitizes arbitrary XML/HTML style markup of any tags not explicitly
+included in the white list.  It doesn't try to play catch-up with possible exploites such as black-listing systems do.
+
+Usage is very simple.
+
+=== Example
+# Applies the normal white list defaults
+
+Whistler.white_list( dodgy_markup ) 
+
+
+# Adds custom tags to allow
+Whistler.white_list(dodgy_markup, :add_tags => %w(news_tag my_tag other_tag))
+
+If Whistler is unable to read tags as "tags" it will instead sanitize potential XSS attempts in the text.
+Normal, non-malicious text should still appear correctly.
+

data/Rakefile

@@ -0,0 +1,44 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+
+PLUGIN = "whistler"
+NAME = "whistler"
+VERSION = "0.0.1"
+AUTHOR = "Daniel Neighman"
+EMAIL = "has.sox@gmail.com"
+HOMEPAGE = "http://github.com/hassox/whistler"
+SUMMARY = "Whistler == White Lister"
+
+spec = Gem::Specification.new do |s|
+  s.name = NAME
+  s.version = VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README", "LICENSE", 'TODO']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  s.add_dependency('hpricot')
+  s.require_path = 'lib'
+  s.autorequire = PLUGIN
+  s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,specs}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+task :install => [:package] do
+  sh %{sudo gem install pkg/#{NAME}-#{VERSION}}
+end
+
+namespace :jruby do
+
+  desc "Run :package and install the resulting .gem with jruby"
+  task :install => :package do
+    sh %{#{SUDO} jruby -S gem install pkg/#{NAME}-#{Merb::VERSION}.gem --no-rdoc --no-ri}
+  end
+  
+end

data/TODO

@@ -0,0 +1,5 @@
+TODO:
+Fix LICENSE with your name
+Fix Rakefile with your name and contact info
+Add your code to lib/merb_whitelist.rb
+Add your Merb rake tasks to lib/merb_whitelist/merbtasks.rb

data/lib/whistler.rb

@@ -0,0 +1 @@
+require File.join(File.dirname(__FILE__), "whistler", "white_list")

data/lib/whistler/merbtasks.rb

@@ -0,0 +1,6 @@
+namespace :whistler do
+  desc "Do something for merb_whitelist"
+  task :default do
+    puts "merb_whitelist doesn't do anything"
+  end
+end

data/lib/whistler/white_list.rb

@@ -0,0 +1,101 @@
+require 'hpricot'
+module Whistler
+  
+  def self.protocol_attributes
+    @_protocol_attributes = %w(src href)
+  end
+  
+  def self.protocol_separator
+    @_protocol_seperator = /:|(&#0*58)|(&#x70)|(%|%)3A/
+  end
+  
+  # An array of default allowed tags.
+  def self.white_tags
+    @_white_tags ||= %w(strong em b i p code pre tt output samp kbd var sub sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr acronym a img blockquote del ins fieldset legend)
+  end
+  
+  # An array of default allowed attributes
+  def self.white_attributes
+    @_white_attributes ||= %w(href src width height alt cite datetime title class name)
+  end
+  
+  # An array of default allowed protocols
+  def self.white_protocols
+    @_white_protocols ||= %w(ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto feed)
+  end
+  
+  
+  # This is the work horse of the Whistler gem.  It whitelists a string of Markup.
+  # *string* - The string to white list
+  # *opts* - A group of options to apply for this run
+  # === valid options
+  # * <tt>:tags</tt> - An array of allowed tags.  This list is exlusive of all others and only tags included in this list will be allowed
+  # * <tt>:add_tags</tt> - An array of extra allowed tags.  All normal tags are allowed, plus the ones specified in this array
+  # * <tt>:attributes</tt> - An array of allowed attributes.  This list is exlusive of all others and only attributes included will be allowed.
+  # 
+  # === Example
+  # {{{
+  #   Whistler.white_list(my_markup_string, :add_tags => %w(object param) )
+  # }}}
+  # Allows object and param tags in addition to normal allowed tags. 
+  def self.white_list(string, opts = {})
+    return nil if string.nil?
+    w_tags  = get_white_tags(opts)
+    w_attrs = get_white_attributes(opts)
+    
+    string = string.gsub("\000", "")
+    
+    doc = Hpricot(string)
+    doc.traverse_element do |elem|
+      if elem.elem?
+        if w_tags.include?(elem.name)
+          (elem.attributes.keys - w_attrs).each{|a| elem.remove_attribute(a)}
+          (elem.attributes.keys & Whistler.protocol_attributes).each{|a| elem.remove_attribute(a) if contains_bad_protocols?(elem[a])}
+          elem.raw_attributes.each{|a,v| elem.raw_attributes[a] = clean_attribute(v)}
+        else
+          elem.parent.children.delete(elem) 
+        end
+      elsif elem.text?
+        elem.parent.replace_child(elem, Hpricot::Text.new(escape_text(elem.to_s)))    
+      end
+    end
+    doc.to_html
+  end
+  
+  def white_list(string, opts = {} )
+    Whistler.white_list(string, opts)
+  end
+  
+  private
+  
+  def self.get_white_tags(opts)
+    return opts[:tags] if opts[:tags]
+      
+    if opts[:add_tags]
+      wtags = Whistler.white_tags.dup
+      wtags << opts[:add_tags]
+      wtags = wtags.flatten
+      return wtags
+    end
+    
+    return Whistler.white_tags
+  end
+  
+  def self.get_white_attributes(opts)
+    return opts[:attributes] if opts[:attributes]
+    return Whistler.white_attributes
+  end
+  
+  def self.contains_bad_protocols?(value)
+    value =~ Whistler.protocol_separator && !Whistler.white_protocols.include?(value.split(Whistler.protocol_separator).first)
+  end 
+  
+  def self.escape_text(string)
+    string.gsub(/</, "&lt;")
+  end
+  
+  def self.clean_attribute(a)
+    a.gsub(/</, "&lt;").gsub(/>/, "&gt;")
+  end
+end
+  

metadata

@@ -0,0 +1,70 @@
+--- !ruby/object:Gem::Specification 
+name: whistler
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Daniel Neighman
+autorequire: whistler
+bindir: bin
+cert_chain: []
+
+date: 2008-03-22 00:00:00 +11:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: hpricot
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: Whistler == White Lister
+email: has.sox@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- LICENSE
+- TODO
+files: 
+- LICENSE
+- README
+- Rakefile
+- TODO
+- lib/whistler
+- lib/whistler/merbtasks.rb
+- lib/whistler/white_list.rb
+- lib/whistler.rb
+has_rdoc: true
+homepage: http://github.com/hassox/whistler
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.0.1
+signing_key: 
+specification_version: 2
+summary: Whistler == White Lister
+test_files: []
+