Merge branch 'master' into dev-3.1.0

Conflicts: HISTORY.md lib/sanitize/version.rb
rgrove · Dec 12, 2014 · 39f06b3 · 39f06b3
2 parents 7c4fd37 + cd11ea0
commit 39f06b3
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,7 @@
 language: ruby
 rvm:
-  - 1.9.2
+  # - 1.9.2
   - 1.9.3
   - 2.0.0
-  - 2.1.2
+  - 2.1.5
   - ruby-head
diff --git a/HISTORY.md b/HISTORY.md
@@ -14,6 +14,16 @@ Version 3.1.0 (git)
 [120]:https://github.com/rgrove/sanitize/pull/120
 
 
+Version 3.0.4 (2014-12-12)
+--------------------------
+
+* Fixed: Harmless whitespace preceding a URL protocol (such as " http://")
+  caused the URL to be removed even when the protocol was whitelisted.
+  [@benubois - #126][126]
+
+[126]:https://github.com/rgrove/sanitize/pull/126
+
+
 Version 3.0.3 (2014-10-29)
 --------------------------
 

diff --git a/lib/sanitize.rb b/lib/sanitize.rb
@@ -24,7 +24,7 @@ class Sanitize
   # or more characters followed by a colon is considered a match, even if the
   # colon is encoded as an entity and even if it's an incomplete entity (which
   # IE6 and Opera will still parse).
-  REGEX_PROTOCOL = /\A([^\/#]*?)(?:\:|&#0*58|&#x0*3a)/i
+  REGEX_PROTOCOL = /\A\s*([^\/#]*?)(?:\:|&#0*58|&#x0*3a)/i
 
   # Matches Unicode characters that should be stripped from HTML before passing
   # it to the parser.

diff --git a/test/test_clean_element.rb b/test/test_clean_element.rb
@@ -154,6 +154,14 @@
       :restricted => '',
       :basic      => '',
       :relaxed    => '<img>'
+    },
+
+    'protocol whitespace' => {
+      :html       => '<a href=" http://example.com/"></a>',
+      :default    => '',
+      :restricted => '',
+      :basic      => '<a href="http://example.com/" rel="nofollow"></a>',
+      :relaxed    => '<a href="http://example.com/"></a>'
     }
   }