return sanitized strings

jamis · May 5, 2011 · 589762b · 589762b
1 parent ef07771
commit 589762b
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 14 deletions.
diff --git a/lib/rails_autolink.rb b/lib/rails_autolink.rb
@@ -14,7 +14,9 @@ module TextHelper
       # will limit what should be linked. You can add HTML attributes to the links using
       # <tt>:html</tt>. Possible values for <tt>:link</tt> are <tt>:all</tt> (default),
       # <tt>:email_addresses</tt>, and <tt>:urls</tt>. If a block is given, each URL and
-      # e-mail address is yielded and the result is used as the link text.
+      # e-mail address is yielded and the result is used as the link text. By default the 
+      # text given is sanitized, you can override this behaviour setting the
+      # <tt>:sanitize</tt> option to false.
       #
       # ==== Examples
       #   auto_link("Go to http://www.rubyonrails.org and say hello to david@loudthinking.com")
@@ -48,15 +50,15 @@ module TextHelper
       #   # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
       #         Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
       def auto_link(text, *args, &block)#link = :all, html = {}, &block)
-        return '' if text.blank?
+        return ''.html_safe if text.blank?
 
         options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
         unless args.empty?
           options[:link] = args[0] || :all
           options[:html] = args[1] || {}
         end
         options.reverse_merge!(:link => :all, :html => {})
-
+        text = sanitize(text) unless options[:sanitize] == false
         case options[:link].to_sym
           when :all                         then auto_link_email_addresses(auto_link_urls(text, options[:html], options, &block), options[:html], &block)
           when :email_addresses             then auto_link_email_addresses(text, options[:html], &block)

diff --git a/test/test_rails_autolink.rb b/test/test_rails_autolink.rb
@@ -84,12 +84,17 @@ def test_auto_link_with_block_with_html
 
   def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
     link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
-    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
+    malicious_script  = '<script>alert("malicious!")</script>'
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link("#{link_raw}#{malicious_script}")
+    assert auto_link("#{link_raw}#{malicious_script}").html_safe?
   end
 
   def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
     link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
-    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw, :sanitize => false)
+    malicious_script  = '<script>alert("malicious!")</script>'
+
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a><script>alert("malicious!")</script>}, auto_link("#{link_raw}#{malicious_script}", :sanitize => false)
+    assert !auto_link("#{link_raw}#{malicious_script}", :sanitize => false).html_safe?
   end
 
   def test_auto_link_other_protocols
@@ -114,7 +119,7 @@ def test_auto_link_already_linked
     linked5 = %('<a href="#close">close</a> <a href="http://www.example.com"><b>www.example.com</b></a>')
     assert_equal linked1, auto_link(linked1)
     assert_equal linked2, auto_link(linked2)
-    assert_equal linked3, auto_link(linked3)
+    assert_equal linked3, auto_link(linked3, :sanitize => false)
     assert_equal linked4, auto_link(linked4)
     assert_equal linked5, auto_link(linked5)
 
@@ -130,14 +135,25 @@ def test_auto_link_at_eol
     assert_equal %(<p><a href="#{url1}">#{url1}</a><br /><a href="#{url2}">#{url2}</a><br /></p>), auto_link("<p>#{url1}<br />#{url2}<br /></p>")
   end
 
-  def test_auto_link_should_not_be_html_safe
-    email_raw    = 'santiago@wyeworks.com'
-    link_raw     = 'http://www.rubyonrails.org'
-
-    assert !auto_link(nil).html_safe?, 'should not be html safe'
-    assert !auto_link('').html_safe?, 'should not be html safe'
-    assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
-    assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+  def test_auto_link_should_be_html_safe
+    email_raw         = 'santiago@wyeworks.com'
+    link_raw          = 'http://www.rubyonrails.org'
+    malicious_script  = '<script>alert("malicious!")</script>'
+
+    assert auto_link(nil).html_safe?, 'should be html safe'
+    assert auto_link('').html_safe?, 'should be html safe'
+    assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should be html safe'
+    assert auto_link("hello #{email_raw}").html_safe?, 'should be html safe'
+    assert auto_link("hello #{email_raw} #{malicious_script}").html_safe?, 'should be html safe'
+  end
+
+  def test_auto_link_should_not_be_html_safe_when_sanitize_option_false
+    email_raw         = 'santiago@wyeworks.com'
+    link_raw          = 'http://www.rubyonrails.org'
+
+    assert !auto_link("hello", :sanitize => false).html_safe?, 'should not be html safe'
+    assert !auto_link("#{link_raw} #{link_raw} #{link_raw}", :sanitize => false).html_safe?, 'should not be html safe'
+    assert !auto_link("hello #{email_raw}", :sanitize => false).html_safe?, 'should not be html safe'
   end
 
   def test_auto_link_email_address