Remove attributes without a value.

[kaspth]

Changes elements like <img src=""></img> to <img></img>.

//@rafaelfranca

[kaspth]

What I'd really like is for Loofah to remove the attributes which have blank values.
For instance:

Loofah.fragment(%(<IMG SRC=" &#14;  javascript:alert('XSS');">))

Returns an element which have " " as the value for src. Which makes the current commit not remove the attribute.

[rafaelfranca]

Is not " ".empty? true?

[kaspth]

Nope.

irb(main):001:0> " ".empty?
=> false

[rafaelfranca]

Ah. Right. If we really need this we can reimplement blank? if we are not depending on active_support already

[kaspth]

There's no ActiveSupport dependency at the moment.

The above pasted snippet is from this test:
https://github.com/kaspth/rails/blob/loofah-integration/actionview/test/template/sanitizers_test.rb#L156-L175

That's the reason it's failing.
(Also number 4 in the list is failing.)

[kaspth]

@rafaelfranca, I changed it to reimplement blank? Hope that's okay.

[flavorjones]

Looks like this might introduce 1.8 support issues, since the ActiveSupport String#blank? implementation uses 0x3000 instead of :space: for 1.8.

I'm fine with it if we're leaving 1.8 behind, but then we should update the gemspec to explicitly only support 1.9.1 and above.

Thoughts?

[kaspth]

Rails requires 1.9.3+, so I definitely think moving along the same lines is a good idea.

You want me to update this PR and change the required version in the gemspec? Or in another PR?

[flavorjones]

I'll take care of the gemspec -- I just wanted to point out the implication on Ruby version support.

[kaspth]

Sounds good.