Greetings,
Since Ruby 1.8.7-p72, I get the following error when using Ruby/Tidy:
SecurityError: Insecure operation - call
Backtrace:
(eval):5:in call' (eval):5:in
tidySetErrorBuffer’
/usr/lib/ruby/1.8/tidy/tidylib.rb:102:in set_error_buffer' /usr/lib/ruby/1.8/tidy/tidyobj.rb:31:in
initialize’
/usr/lib/ruby/1.8/tidy.rb:36:in new' /usr/lib/ruby/1.8/tidy.rb:36:in
new’
/usr/lib/ruby/1.8/tidy.rb:56:in open' /usr/lib/ruby/1.8/samizdat/sanitize.rb:106:in
tidy’
The code that calls tidy is as follows:
def tidy(html)
xml = Tidy.open(:output_xhtml => true, :literal_attributes => true,
:tidy_mark => false, :wrap => 0, :char_encoding => ‘utf8’
) {|tidy| tidy.clean(html.to_s.untaint) }
xml.taint
end
Is it Ruby/Tidy that is doing something wrong, or is the security fix
in Ruby 1.8.7-p72 (SVN r17872 [0] would be prime suspect) getting
over-zealous?
[0] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17872
Here are the relevant (or so I think) bits of Ruby/Tidy code:
class Tidyobj
. . .
def initialize(options=nil)
@diagnostics = Array.new
@doc = Tidylib.create
@errors = Array.new
@errbuf = Tidybuf.new
@outbuf = Tidybuf.new
@options = Tidyopt.new(@doc)
rc = Tidylib.set_error_buffer(@doc, @errbuf.struct)
verify_severe(rc)
unless options.nil?
options.each { |name, value| Tidylib.opt_parse_value(@doc, name,
value) }
end
end
. . .
end
class Tidybuf
extend DL::Importable
attr_reader(:struct)
TidyBuffer = struct [
“TidyAllocator* allocator”,
“byte* bp”,
“uint size”,
“uint allocated”,
“uint next”
]
def initialize
@struct = TidyBuffer.malloc
end
. . .
end