Safely dup protocols by providing default hash

Simeon F. Willbanks · Simeon F. Willbanks · commit 707366792680 · 2014-01-16T22:36:06.000-08:00
diff --git a/lib/html/pipeline/sanitization_filter.rb b/lib/html/pipeline/sanitization_filter.rb
@@ -111,7 +111,7 @@ def call
       # hash to the filter but defaults to WHITELIST constant value above.
       def whitelist
         whitelist = (context[:whitelist] || WHITELIST).dup
-        whitelist[:protocols] = whitelist[:protocols].dup
+        whitelist[:protocols] = (whitelist[:protocols] || {}).dup
         whitelist[:protocols]['a'] = (whitelist[:protocols]['a'] || {}).merge('href' => anchor_schemes)
         whitelist
       end
diff --git a/test/html/pipeline/sanitization_filter_test.rb b/test/html/pipeline/sanitization_filter_test.rb
@@ -77,6 +77,13 @@ def test_anchor_schemes_are_merged_with_other_anchor_restrictions
     assert_equal '<a href="something-weird://heyyy">Wat</a> is this', html
   end
 
+  def test_whitelist_from_full_constant
+    stuff  = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
+    filter = SanitizationFilter.new(stuff, :whitelist => SanitizationFilter::FULL)
+    html   = filter.call.to_s
+    assert_equal 'Wat is this', html
+  end
+
   def test_script_contents_are_removed
     orig = '<script>JavaScript!</script>'
     assert_equal "", SanitizationFilter.call(orig).to_s
