Permalink
Browse files

Handle leading spaces in protocol while sanitizing

  • Loading branch information...
1 parent 838d30f commit e7e4deec117154d34db1b18341c00c497e65e089 @j-manu j-manu committed Jan 12, 2012
@@ -171,7 +171,7 @@ def process_attributes_for(node, options)
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+ (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end
@@ -138,14 +138,21 @@ def test_should_flag_bad_protocols
assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
end
end
-
+
def test_should_accept_good_protocols_ignoring_case
sanitizer = HTML::WhiteListSanitizer.new
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good")
end
end
+ def test_should_accept_good_protocols_ignoring_space
+ sanitizer = HTML::WhiteListSanitizer.new
+ HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
+ assert !sanitizer.send(:contains_bad_protocols?, 'src', " #{proto}://good")
+ end
+ end
+
def test_should_accept_good_protocols
sanitizer = HTML::WhiteListSanitizer.new
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|

0 comments on commit e7e4dee

Please sign in to comment.