New option: sanitized_options

Author: xuanxu

lib/rails_autolink/helpers.rb

@@ -13,7 +13,8 @@ module TextHelper
         # <tt>:email_addresses</tt>, and <tt>:urls</tt>. If a block is given, each URL and
         # e-mail address is yielded and the result is used as the link text. By default the
         # text given is sanitized, you can override this behaviour setting the
-        # <tt>:sanitize</tt> option to false.
+        # <tt>:sanitize</tt> option to false, or you can add options to the sanitization of 
+        # the text using the <tt>:sanitize_options</tt> option hash.
         #
         # ==== Examples
         #   auto_link("Go to http://www.rubyonrails.org and say hello to [email protected]")
@@ -55,8 +56,9 @@ def auto_link(text, *args, &block)#link = :all, html = {}, &block)
             options[:html] = args[1] || {}
           end
           options.reverse_merge!(:link => :all, :html => {})
-          sanitize = (options[:sanitize] != false)        
-          text = conditional_sanitize(text, sanitize).to_str
+          sanitize = (options[:sanitize] != false)
+          sanitize_options = options[:sanitize_options] || {}
+          text = conditional_sanitize(text, sanitize, sanitize_options).to_str
           case options[:link].to_sym
             when :all             then conditional_html_safe(auto_link_email_addresses(auto_link_urls(text, options[:html], options, &block), options[:html], &block), sanitize)
             when :email_addresses then conditional_html_safe(auto_link_email_addresses(text, options[:html], &block), sanitize)
@@ -137,8 +139,8 @@ def auto_linked?(left, right)
               (left.rindex(AUTO_LINK_CRE[2]) and $' !~ AUTO_LINK_CRE[3])
           end
 
-          def conditional_sanitize(target, condition)
-            condition ? sanitize(target) : target
+          def conditional_sanitize(target, condition, sanitize_options = {})
+            condition ? sanitize(target, sanitize_options) : target
           end
 
           def conditional_html_safe(target, condition)

test/test_rails_autolink.rb

@@ -88,6 +88,21 @@ def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
     assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link("#{link_raw}#{malicious_script}")
     assert auto_link("#{link_raw}#{malicious_script}").html_safe?
   end
+  
+  def test_auto_link_should_sanitize_input_with_sanitize_options
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    malicious_script  = '<script>alert("malicious!")</script>'
+    text_with_attributes = %{<a href="http://ruby-lang-org" target="_blank" data-malicious="inject">Ruby</a>}
+    
+    text_result = %{<a class="big" href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a><a href="http://ruby-lang-org" target="_blank">Ruby</a>}
+    assert_equal text_result, auto_link("#{link_raw}#{malicious_script}#{text_with_attributes}",
+                                        :sanitize_options => {:attributes => ["target", "href"]},
+                                        :html => {:class => 'big'})
+    
+    assert auto_link("#{link_raw}#{malicious_script}#{text_with_attributes}",
+                     :sanitize_options => {:attributes => ["target", "href"]},
+                     :html => {:class => 'big'}).html_safe?
+  end
 
   def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
     link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
@@ -117,11 +132,13 @@ def test_auto_link_already_linked
     linked3 = %('<a href="http://www.example.com" rel="nofollow">www.example.com</a>')
     linked4 = %('<a href="http://www.example.com"><b>www.example.com</b></a>')
     linked5 = %('<a href="#close">close</a> <a href="http://www.example.com"><b>www.example.com</b></a>')
+    linked6 = %('<a href="#close">close</a> <a href="http://www.example.com" target="_blank" data-ruby="ror"><b>www.example.com</b></a>')
     assert_equal linked1, auto_link(linked1)
     assert_equal linked2, auto_link(linked2)
     assert_equal linked3, auto_link(linked3, :sanitize => false)
     assert_equal linked4, auto_link(linked4)
     assert_equal linked5, auto_link(linked5)
+    assert_equal linked6, auto_link(linked6, :sanitize_options => {:attributes => ["href", "target", "data-ruby"]})
 
     linked_email = %Q(<a href="mailto:[email protected]">Mail me</a>)
     assert_equal linked_email, auto_link(linked_email)