From 408c7729f8ac5a4fdf83c15dc6b2339151e59a0a Mon Sep 17 00:00:00 2001
From: Timothy N. Tsvetkov <timothy.tsvetkov@gmail.com>
Date: Wed, 24 Nov 2010 00:17:05 +0300
Subject: [PATCH] ActionController::Base.helpers.sanitize ignores case in protocol

---
 .../vendor/html-scanner/html/sanitizer.rb          |    2 +-
 .../test/fixtures/layout_tests/layouts/symlinked   |    1 -
 .../test/template/html-scanner/sanitizer_test.rb   |    7 +++++++
 3 files changed, 8 insertions(+), 2 deletions(-)
 delete mode 120000 actionpack/test/fixtures/layout_tests/layouts/symlinked

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 3e5d23b..09dd088 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -170,7 +170,7 @@ module HTML
 
     def contains_bad_protocols?(attr_name, value)
       uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
     end
   end
 end
diff --git a/actionpack/test/fixtures/layout_tests/layouts/symlinked b/actionpack/test/fixtures/layout_tests/layouts/symlinked
deleted file mode 120000
index 0ddc115..0000000
--- a/actionpack/test/fixtures/layout_tests/layouts/symlinked
+++ /dev/null
@@ -1 +0,0 @@
-../../symlink_parent
\ No newline at end of file
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index 3e80317..fcc3782 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -130,6 +130,13 @@ class SanitizerTest < ActionController::TestCase
       assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
     end
   end
+  
+  def test_should_accept_good_protocols_ignoring_case
+    sanitizer = HTML::WhiteListSanitizer.new
+    HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
+      assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good")
+    end
+  end
 
   def test_should_accept_good_protocols
     sanitizer = HTML::WhiteListSanitizer.new
-- 
1.7.1