New option: sanitized_options

commit 11df6e309f96618ed51770236868fa2cedd91269 1 parent 8c9a5e9
@xuanxu xuanxu authored
Showing with 24 additions and 5 deletions.
  1. +7 −5 lib/rails_autolink/helpers.rb
  2. +17 −0 test/test_rails_autolink.rb
12 lib/rails_autolink/helpers.rb
@@ -13,7 +13,8 @@ module TextHelper
# <tt>:email_addresses</tt>, and <tt>:urls</tt>. If a block is given, each URL and
# e-mail address is yielded and the result is used as the link text. By default the
# text given is sanitized, you can override this behaviour setting the
- # <tt>:sanitize</tt> option to false.
+ # <tt>:sanitize</tt> option to false, or you can add options to the sanitization of
+ # the text using the <tt>:sanitize_options</tt> option hash.
#
# ==== Examples
# auto_link("Go to http://www.rubyonrails.org and say hello to david@loudthinking.com")
@@ -55,8 +56,9 @@ def auto_link(text, *args, &block)#link = :all, html = {}, &block)
options[:html] = args[1] || {}
end
options.reverse_merge!(:link => :all, :html => {})
- sanitize = (options[:sanitize] != false)
- text = conditional_sanitize(text, sanitize).to_str
+ sanitize = (options[:sanitize] != false)
+ sanitize_options = options[:sanitize_options] || {}
+ text = conditional_sanitize(text, sanitize, sanitize_options).to_str
case options[:link].to_sym
when :all then conditional_html_safe(auto_link_email_addresses(auto_link_urls(text, options[:html], options, &block), options[:html], &block), sanitize)
when :email_addresses then conditional_html_safe(auto_link_email_addresses(text, options[:html], &block), sanitize)
@@ -137,8 +139,8 @@ def auto_linked?(left, right)
(left.rindex(AUTO_LINK_CRE[2]) and $' !~ AUTO_LINK_CRE[3])
end
- def conditional_sanitize(target, condition)
- condition ? sanitize(target) : target
+ def conditional_sanitize(target, condition, sanitize_options = {})
+ condition ? sanitize(target, sanitize_options) : target
end
def conditional_html_safe(target, condition)
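Review bot: The new `:sanitize_options` hash is forwarded verbatim to `sanitize` in `conditional_sanitize`, so a caller-supplied `:attributes` or `:tags` list widens the allow-list the sanitizer applies (the `linked6` test relies on exactly this to keep `data-ruby`), yet the updated comment in the first hunk says neither this nor that the option is ignored when `:sanitize` is false. I would extend that comment: `# the text using the <tt>:sanitize_options</tt> option hash, which is passed straight to +sanitize+ (e.g. <tt>:attributes</tt>, <tt>:tags</tt>) and therefore can widen the default allow-list; it has no effect when <tt>:sanitize</tt> is false.` Because the hash relaxes what survives sanitization, it should be built from application constants rather than from request parameters. The commit title says `sanitized_options` while the code and tests use `:sanitize_options`. `auto_link`'s body continues outside the second hunk, and the third hunk appears to have lost its blank context lines in rendering.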
17 test/test_rails_autolink.rb
@@ -88,6 +88,21 @@ def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link("#{link_raw}#{malicious_script}")
assert auto_link("#{link_raw}#{malicious_script}").html_safe?
end
+
+ def test_auto_link_should_sanitize_input_with_sanitize_options
+ link_raw = %{http://www.rubyonrails.com?id=1&num=2}
+ malicious_script = '<script>alert("malicious!")</script>'
+ text_with_attributes = %{<a href="http://ruby-lang-org" target="_blank" data-malicious="inject">Ruby</a>}
+
+ text_result = %{<a class="big" href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a><a href="http://ruby-lang-org" target="_blank">Ruby</a>}
+ assert_equal text_result, auto_link("#{link_raw}#{malicious_script}#{text_with_attributes}",
+ :sanitize_options => {:attributes => ["target", "href"]},
+ :html => {:class => 'big'})
+
+ assert auto_link("#{link_raw}#{malicious_script}#{text_with_attributes}",
+ :sanitize_options => {:attributes => ["target", "href"]},
+ :html => {:class => 'big'}).html_safe?
+ end
def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
link_raw = %{http://www.rubyonrails.com?id=1&num=2}
@@ -117,11 +132,13 @@ def test_auto_link_already_linked
linked3 = %('<a href="http://www.example.com" rel="nofollow">www.example.com</a>')
linked4 = %('<a href="http://www.example.com"><b>www.example.com</b></a>')
linked5 = %('<a href="#close">close</a> <a href="http://www.example.com"><b>www.example.com</b></a>')
+ linked6 = %('<a href="#close">close</a> <a href="http://www.example.com" target="_blank" data-ruby="ror"><b>www.example.com</b></a>')
assert_equal linked1, auto_link(linked1)
assert_equal linked2, auto_link(linked2)
assert_equal linked3, auto_link(linked3, :sanitize => false)
assert_equal linked4, auto_link(linked4)
assert_equal linked5, auto_link(linked5)
+ assert_equal linked6, auto_link(linked6, :sanitize_options => {:attributes => ["href", "target", "data-ruby"]})
linked_email = %Q(<a href="mailto:david@loudthinking.com">Mail me</a>)
assert_equal linked_email, auto_link(linked_email)
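Review bot: `test_auto_link_should_sanitize_input_with_sanitize_options` calls `auto_link` twice with the same three-line argument list (once for `assert_equal`, once for `html_safe?`), which duplicates the setup and makes a failure in the second call harder to read. Assign once, `result = auto_link("#{link_raw}#{malicious_script}#{text_with_attributes}", :sanitize_options => {:attributes => ["target", "href"]}, :html => {:class => 'big'})`, then `assert_equal text_result, result` and `assert result.html_safe?`. The test also only covers the widening direction; a companion assertion that `:sanitize_options` has no effect when `:sanitize => false` is also passed would pin an interaction the helper leaves undocumented. `link_raw` and `malicious_script` repeat the fixtures of the neighbouring tests (the test that follows builds the same `link_raw`), so a shared setup would remove the duplication.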