Sanitizer should recognize HTML elements
and attributes.
New Allowed Elements:
article aside audio canvas command details
dialog figcaption figure footer header
hgroup mark meter nav progress rp rt ruby
section source summary time video war
(OK, audio and video were already there)
New Allowed Attributes:
autocomplete contenteditable contextmenu
draggable formaction icon low max min
open optimum pattern placeholder preload
pubdate required reversed spellcheck step
wrap
Attributes removed:
abbr charset loopcount loopend loopstart
noshade nowrap rev rules
Maruku supports @start and @reversed on
ordered lists. It doesn't seem to support
IALs on li elements, so you still can't
attach @value to an li.
This gets around a dreaded
in `load_missing_constant': Rack
is not missing constant Handler! (ArgumentError)
error in latest Ruby 1.9.2-dev. (Ruby
1.8.x doesn't seem to care.)
Support Marhdown Extra's fenced code blocks. [From Jason Blevins]
Fortran syntax colouring. [From Jason Blevins]
Turn on Syntax colouring, by default.
Point to Michel Fortin's Markdown Extra page.
Add a patch (from Passenger 2.2.8) to
vendored Rack, which works around a bug
in Ruby 1.9.1. This patch to Rack has been
floating around the intertubes for a while.
In Rbuy 1.8, ?c returns an integer.
In Ruby 1.9, it returns a 1-character
string. This was causing one of our
LaTeX conversion functional tests to
fail.
Fixed.
Completely removed the html5lib sanitizer.
Fixed the string-handling to work in both
Ruby 1.8.x and 1.9.2. There are still,
inexplicably, two functional tests that
fail. But the rest seems to work quite well.
Previously, if the user tried to submit content which was
malformed utf-8, Instiki would complain loudly to him.
A slightly more user-friendly approach was suggested by
the latest Rails 2.3.4, and a conversation with Sam Ruby
(who suggested some improvements).
Now, instead of complaining, we remove the offending bytes,
leaving a well-formed utf-8 string, which we pretend is what
the user meant to submit.
This release upgrades Instiki to Rails 2.3.4, which
patches two security holes in Rails. See
http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4
There are also some new features, and the usual boatload
of bugfixes. See the CHANGELOG for details.
The Regexp, used in Maruku to detect "email"
headers (used, e.g., for S5 slideshow metadata)
could, for some inputs, interact badly with
Instiki's Chunk Handler.
Fixed.
1) WEBrick should respond to TERM signals
(needed by MacOSX and, perhaps, others).
2) HTTP redirects for redirected pages should be 301's.
3) Add a flash message for redirection to "new" page
when the target of "show" action is not found.
Maruku uses greedy Regexps in a number of places, which,
in unfavourable circumstances, can lead to exponential
slowdowns (an apparent hang).
We worked around one such bug in Revision 355. Recently,
Toby Bartels found another (in Table Header parsing).
The "real" solution seems to be to make sure the Regexps
are not greedy. (Thanks to Sam Ruby for spotting the problem!)
Reverted the workaround in Revision 355, fixed Toby's
bug, and several other similar Regexps.
Using <object> and <embed> were forbidden for obvious
security reasons. Instiki now permits embedding video
via the HTML5 <video> element (Ogg/Theora encoded videos
only, with .ogg or .ogv extensions). You can even upload
videos with
[[foo.ogg:video]]
Instiki now support x-sendfile. See the Proxying page for
configuring Apache (with the x-sendfile module). Lighttpd
should work similarly.
Update Rails to latest Edge (hopefully converging on RC2!).
Dunno why this was buggered again. ":back" doesn't seem to function as it used to.
Also, when uploading a file from page "foo", it's important to return to "foo" after
a successful upload, rather than redirecting to the HomePage.
Finally, a favicon tweak.
A Maruku-syntax <div> with an unclosed IAL (and, it seems, at least one equation)
would cause Instiki to hang. Badly. Requiring a 'kill -9' to terminate it.
Reverting the OpenDiv and CloseDiv Regexps to my, more simple-minded, versions
fixes the problem.
Instiki now runs on the Rails 2.3.0 Candidate Release.
Among other improvements, this means that it now
automagically selects between WEBrick and Mongrel.
Just run
./instiki --daemon
Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.
Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
Update dnsbl_check plugin to latest version.
Update Maruku to latest version.
In the wiki_controller, only apply the dnsbl_check before_filter
to the :edit, :new, and :save actions, instead of all actions.
This makes mundane "show" requests faster, but does not
compromise spam-fighting ability.