
#6044 ✓committed
Tom

The Rails sanitizer incorrectly removes hrefs that contain capitalized URLs

Reported by Tom | November 23rd, 2010 @ 04:37 AM

[Dev]> ActionController::Base.helpers.sanitize('<a href="http://google.com">test</a>')
=> '<a href="http://google.com">test</a>'
[Dev]> ActionController::Base.helpers.sanitize('<a href="Http://google.com">test</a>')
=> '<a>test</a>'

This seems to be a bug in the method contains_bad_protocols? in action_controller/vendor/html-scanner/html/sanitizer.rb. This method is defined as:

def contains_bad_protocols?(attr_name, value)
    uri_attributes.include?(attr_name) && 
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ 
        && !allowed_protocols.include?(value.split(protocol_separator).first))
end

And allowed_protocols as:

self.allowed_protocols = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp
    telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))

Thus:

allowed_protocols.include? 'http' => true
allowed_protocols.include? 'Http' => false

SEE ALSO: http://stackoverflow.com/posts/4240994
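The check quoted in the report, reduced to a stand-alone script so the behaviour can be reproduced without Rails, together with the obvious fix. This is an added example, not the Rails source and not part of the ticket: the allow-list and the "has a protocol" regex are copied from the report, while the URI attribute list, the protocol-separator regex and the method names are this example's own assumptions.

```ruby
require 'set'

# Copied from the report: the scheme allow-list used by the Rails sanitizer.
ALLOWED_PROTOCOLS = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp
  telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))

# Copied from the report: does the attribute value carry a scheme at all?
# Matches "scheme:" at the start of the value or an entity/percent-encoded colon.
HAS_PROTOCOL = /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/

# Assumed for this example (not quoted in the ticket): which attributes are
# treated as URIs, and how the scheme is split off the rest of the value.
URI_ATTRIBUTES = Set.new(%w(href src cite action longdesc lowsrc))
PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x0*3a)|(%|&#37;)3A/i

# The behaviour the ticket reports: the scheme is looked up byte-for-byte,
# so "Http" is not found in the allow-list and the href is dropped.
def contains_bad_protocols_reported?(attr_name, value)
  URI_ATTRIBUTES.include?(attr_name) &&
    (value =~ HAS_PROTOCOL &&
     !ALLOWED_PROTOCOLS.include?(value.split(PROTOCOL_SEPARATOR).first))
end

# Assumed fix: URI schemes are case-insensitive (RFC 3986), so normalise the
# scheme to lowercase before the allow-list lookup. Schemes that are not on
# the list (javascript:, data:, vbscript:) stay rejected in any letter case.
def contains_bad_protocols_fixed?(attr_name, value)
  return false unless URI_ATTRIBUTES.include?(attr_name)
  return false unless value =~ HAS_PROTOCOL
  scheme = value.split(PROTOCOL_SEPARATOR).first.to_s.downcase
  !ALLOWED_PROTOCOLS.include?(scheme)
end

# Constructed sample hrefs: allowed schemes in varying case, a dangerous
# scheme in varying case, and a relative URL that carries no scheme.
SAMPLE_HREFS = [
  'http://google.com',
  'Http://google.com',
  'HTTPS://example.com/',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  '/relative/path',
]

if __FILE__ == $0
  SAMPLE_HREFS.each do |href|
    reported = contains_bad_protocols_reported?('href', href)
    fixed = contains_bad_protocols_fixed?('href', href)
    puts format('%-22s reported=%-5s fixed=%-5s', href, reported, fixed)
  end
end
```

Two things worth noting. The bug is a false positive (a legitimate link is stripped), not a filter bypass: because the check is an allow-list, an unrecognised scheme such as `JavaScript:` is rejected by both versions. The fix therefore belongs on the lookup side (lowercase the extracted scheme, then test membership), not in a case-insensitive pattern applied to the raw attribute value, which would be easier to get subtly wrong.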
