Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge pull request #1 from xuanxu/master

return sanitized strings
  • Loading branch information...
commit 922ca9ae24f20437afa38c1db5a4f6493550ab4a 2 parents e665a25 + 589762b
Aaron Patterson authored
Showing with 35 additions and 17 deletions.
  1. +3 −3 Gemfile
  2. +5 −3 lib/rails_autolink.rb
  3. +27 −11 test/test_rails_autolink.rb
6 Gemfile
View
@@ -1,8 +1,8 @@
source 'http://rubygems.org'
-gem 'rails', :path => '/Users/aaron/git/rails'
-gem 'arel', :path => '/Users/aaron/git/arel'
-gem 'rack', :path => '/Users/aaron/git/rack'
+gem 'rails'
+gem 'arel'
+gem 'rack'
gem 'hoe'
gem 'minitest'
8 lib/rails_autolink.rb
View
@@ -14,7 +14,9 @@ module TextHelper
# will limit what should be linked. You can add HTML attributes to the links using
# <tt>:html</tt>. Possible values for <tt>:link</tt> are <tt>:all</tt> (default),
# <tt>:email_addresses</tt>, and <tt>:urls</tt>. If a block is given, each URL and
- # e-mail address is yielded and the result is used as the link text.
+ # e-mail address is yielded and the result is used as the link text. By default the
+ # text given is sanitized, you can override this behaviour setting the
+ # <tt>:sanitize</tt> option to false.
#
# ==== Examples
# auto_link("Go to http://www.rubyonrails.org and say hello to david@loudthinking.com")
@@ -48,7 +50,7 @@ module TextHelper
# # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
# Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
def auto_link(text, *args, &block)#link = :all, html = {}, &block)
- return '' if text.blank?
+ return ''.html_safe if text.blank?
options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
unless args.empty?
@@ -56,7 +58,7 @@ def auto_link(text, *args, &block)#link = :all, html = {}, &block)
options[:html] = args[1] || {}
end
options.reverse_merge!(:link => :all, :html => {})
-
+ text = sanitize(text) unless options[:sanitize] == false
case options[:link].to_sym
when :all then auto_link_email_addresses(auto_link_urls(text, options[:html], options, &block), options[:html], &block)
when :email_addresses then auto_link_email_addresses(text, options[:html], &block)
38 test/test_rails_autolink.rb
View
@@ -84,12 +84,17 @@ def test_auto_link_with_block_with_html
def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
link_raw = %{http://www.rubyonrails.com?id=1&num=2}
- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
+ malicious_script = '<script>alert("malicious!")</script>'
+ assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link("#{link_raw}#{malicious_script}")
+ assert auto_link("#{link_raw}#{malicious_script}").html_safe?
end
def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
link_raw = %{http://www.rubyonrails.com?id=1&num=2}
- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw, :sanitize => false)
+ malicious_script = '<script>alert("malicious!")</script>'
+
+ assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a><script>alert("malicious!")</script>}, auto_link("#{link_raw}#{malicious_script}", :sanitize => false)
+ assert !auto_link("#{link_raw}#{malicious_script}", :sanitize => false).html_safe?
end
def test_auto_link_other_protocols
@@ -114,7 +119,7 @@ def test_auto_link_already_linked
linked5 = %('<a href="#close">close</a> <a href="http://www.example.com"><b>www.example.com</b></a>')
assert_equal linked1, auto_link(linked1)
assert_equal linked2, auto_link(linked2)
- assert_equal linked3, auto_link(linked3)
+ assert_equal linked3, auto_link(linked3, :sanitize => false)
assert_equal linked4, auto_link(linked4)
assert_equal linked5, auto_link(linked5)
@@ -130,14 +135,25 @@ def test_auto_link_at_eol
assert_equal %(<p><a href="#{url1}">#{url1}</a><br /><a href="#{url2}">#{url2}</a><br /></p>), auto_link("<p>#{url1}<br />#{url2}<br /></p>")
end
- def test_auto_link_should_not_be_html_safe
- email_raw = 'santiago@wyeworks.com'
- link_raw = 'http://www.rubyonrails.org'
-
- assert !auto_link(nil).html_safe?, 'should not be html safe'
- assert !auto_link('').html_safe?, 'should not be html safe'
- assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
- assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+ def test_auto_link_should_be_html_safe
+ email_raw = 'santiago@wyeworks.com'
+ link_raw = 'http://www.rubyonrails.org'
+ malicious_script = '<script>alert("malicious!")</script>'
+
+ assert auto_link(nil).html_safe?, 'should be html safe'
+ assert auto_link('').html_safe?, 'should be html safe'
+ assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should be html safe'
+ assert auto_link("hello #{email_raw}").html_safe?, 'should be html safe'
+ assert auto_link("hello #{email_raw} #{malicious_script}").html_safe?, 'should be html safe'
+ end
+
+ def test_auto_link_should_not_be_html_safe_when_sanitize_option_false
+ email_raw = 'santiago@wyeworks.com'
+ link_raw = 'http://www.rubyonrails.org'
+
+ assert !auto_link("hello", :sanitize => false).html_safe?, 'should not be html safe'
+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}", :sanitize => false).html_safe?, 'should not be html safe'
+ assert !auto_link("hello #{email_raw}", :sanitize => false).html_safe?, 'should not be html safe'
end
def test_auto_link_email_address
Please sign in to comment.
Something went wrong with that request. Please try again.