ActionController::Base.helpers.sanitize ignores case in protocol

[#6044 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>

actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb

@@ -170,7 +170,7 @@ module HTML
 
     def contains_bad_protocols?(attr_name, value)
       uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
     end
   end
 end

actionpack/test/fixtures/layout_tests/layouts/symlinked

@@ -1 +0,0 @@
-../../symlink_parent

actionpack/test/template/html-scanner/sanitizer_test.rb

@@ -131,6 +131,13 @@ class SanitizerTest < ActionController::TestCase
     end
   end
   
+  def test_should_accept_good_protocols_ignoring_case
+    sanitizer = HTML::WhiteListSanitizer.new
+    HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
+      assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good")
+    end
+  end
+
   def test_should_accept_good_protocols
     sanitizer = HTML::WhiteListSanitizer.new
     HTML::WhiteListSanitizer.allowed_protocols.each do |proto|