diff -Nru ruby-whitewash-1.0/ChangeLog ruby-whitewash-2.0/ChangeLog
--- ruby-whitewash-1.0/ChangeLog	2011-09-14 14:25:43.000000000 +0000
+++ ruby-whitewash-2.0/ChangeLog	2011-12-25 14:28:54.000000000 +0000
@@ -1,64 +1,179 @@
------------------------------------------------------------------
-Revision: 43067aa79f57dfb92165fd94da151d45f56ed87c
-Ancestor: 3a0dff129b6a5408055b65dd804f3831d8d16f15
-Author: angdraug@debian.org
-Date: 2009-08-22T12:36:05
-Branch: whitewash-head
+commit 256dd59efc4cc0997e401c842134685efc838f1f (HEAD, tag: v2.0, origin/master, bejbus/master, master)
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Sun Nov 13 21:23:34 2011 +0300
 
-Modified files:
-        lib/whitewash.rb
+    Add new <bdi> and rehabilitated <u> to html5 whitelist
 
-ChangeLog: 
+ data/whitewash/html5_whitelist.yaml |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
 
-wrap global variables handling in Thread.exclusive
+commit 705380b4a6a3ee70f3847125a0ee56399f015951
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Thu Nov 10 18:34:35 2011 +0300
 
------------------------------------------------------------------
-Revision: 3a0dff129b6a5408055b65dd804f3831d8d16f15
-Ancestor: b544d3c9fe594e3862cf518ae51421e1f3816cc9
-Author: angdraug@debian.org
-Date: 2009-08-13T11:01:26
-Branch: whitewash-head
+    Remove dead code.
+    
+    This code will never be reached without config.strict, so remove it.
 
-Modified files:
-        README.rdoc lib/whitewash.rb
+ lib/whitewash.rb |    8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
 
-ChangeLog: 
+commit bb6fe4ad5478867995b8248481d8761f93f733e3
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Tue Nov 8 22:25:06 2011 +0300
 
-made it easier to override tidypath
+    Nokogiri::NodeSet has to_xhtml too
 
- * made default_whitelist a public class method so that it can be used
-   in Whitewash.new() invokation
- * documented the way Whitewash looks for Tidy
+ lib/whitewash.rb |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
 
------------------------------------------------------------------
-Revision: b544d3c9fe594e3862cf518ae51421e1f3816cc9
-Ancestor: c6398a8b6433921353ec5b0a1cf616804a550961
-Author: angdraug@debian.org
-Date: 2009-07-28T11:25:34
-Branch: whitewash-head
+commit 901cad794ab3072c2edf872276d5b38b14686408
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Mon Nov 7 00:25:41 2011 +0300
 
-Modified files:
-        lib/whitewash.rb
+    use Syck to parse the whitelist
+    
+    As of ruby 1.9.3, Psych is the default YAML engine, but it's unable to
+    correctly handle aliased !ruby/regexp nodes in the Whitewash whitelist:
+    https://github.com/tenderlove/psych/issues/36
 
-ChangeLog: 
+ lib/whitewash.rb |   21 ++++++++++++++++++++-
+ 1 files changed, 20 insertions(+), 1 deletions(-)
 
-require rbconfig for access to Config::CONFIG
+commit 28f1649b419db704b645e8faa0f68fc10d6fe103
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Sun Nov 6 22:03:01 2011 +0300
 
------------------------------------------------------------------
-Revision: c6398a8b6433921353ec5b0a1cf616804a550961
-Ancestor: 
-Author: angdraug@debian.org
-Date: 2009-07-27T16:21:20
-Branch: whitewash-head
+    block protocol resolution bypass in uri attributes
 
-Added files:
-        COPYING README.rdoc data/whitewash/whitelist.yaml
-        lib/whitewash.rb lib/whitewash_rexml_attribute_patch.rb
-        setup.rb
-Added directories:
-        . data data/whitewash lib
+ data/whitewash/whitelist.yaml |    2 +-
+ lib/whitewash.rb              |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
 
-ChangeLog: 
+commit 83de10fdf87e5ae9fd1781cba27330c514b67004
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Thu Oct 27 17:45:45 2011 +0300
 
-initial checkin: Whitewash is a spin-off of sanitize.rb from Samizdat project
+    fix typo in html5_whitelist.yaml
 
+ data/whitewash/html5_whitelist.yaml |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6a0534fd2f44122d6c09e53cd19103116d8a19d8
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Tue Nov 1 22:13:34 2011 +0300
+
+    mention Nokogiri and HTML5 whitelist in README, update copyright
+
+ README.rdoc      |   36 ++++++++----------------------------
+ lib/whitewash.rb |    2 +-
+ 2 files changed, 9 insertions(+), 29 deletions(-)
+
+commit 8ff06aea8821c2db26c9fd31056e4233cdd35882
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Tue Nov 1 22:03:11 2011 +0300
+
+    add rspec and make it pass
+    
+    * remove <meta> element from the whitelist
+    * sanitize <style> elements, not only style="" attributes
+    * return empty string if no valid elements are found
+    * drop <body> and join all its children
+
+ data/whitewash/whitelist.yaml |    5 --
+ lib/whitewash.rb              |   20 +++++---
+ spec/spec_helper.rb           |    8 +++
+ spec/whitewash_spec.rb        |   99 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 119 insertions(+), 13 deletions(-)
+
+commit 2acd92315e678a05b8c47dab2306f78010e93545
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Wed Oct 26 16:47:54 2011 +0300
+
+    promote html5 whitelist from contrib
+
+ contrib/html5_whitelist.yaml        |  390 -----------------------------------
+ data/whitewash/html5_whitelist.yaml |  390 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 390 insertions(+), 390 deletions(-)
+
+commit 933e9b9486056931b27283355ae1e5de3273b1d1
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Tue Oct 18 20:02:44 2011 +0300
+
+    add html5 whitelist to contrib
+
+ contrib/html5_whitelist.yaml |  390 ++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 390 insertions(+), 0 deletions(-)
+
+commit 889508495f4c64ad2c1fafceddd96cd3c91f5e74
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Tue Oct 18 20:02:19 2011 +0300
+
+    don't remove incorrect elements, replace them with their content
+
+ lib/whitewash.rb |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit b6ca2f5e651f164e80874b04ec42c08f7845c1c3
+Author: anonymous <not-a-mail@noreply.org>
+Date:   Mon Oct 17 22:50:15 2011 +0300
+
+    use nokogiri
+
+ lib/whitewash.rb                       |  167 ++++---------------------------
+ lib/whitewash_rexml_attribute_patch.rb |    9 --
+ 2 files changed, 22 insertions(+), 154 deletions(-)
+
+commit 4c2c6ea4f81a578f816ecba1aeb4a21c208c4cec
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Sun Oct 9 14:44:26 2011 +0300
+
+    use RbConfig, Config is deprecated in ruby 1.9.3
+
+ lib/whitewash.rb |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dd5807ca52cfdfc9a9f68d06cf10e78146fd71c5
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Wed Sep 28 20:31:20 2011 +0300
+
+    Config::CONFIG is tainted in ruby 1.9
+
+ lib/whitewash.rb |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f55c88cbf2a3671bad4c9788d6862dca3377910c
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Fri Sep 16 22:16:46 2011 +0300
+
+    old Monotone changelog
+
+ ChangeLog.mtn |   64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 64 insertions(+), 0 deletions(-)
+
+commit 09c4d36528e39f8bacfa8d801e50770a4ead0d66
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Fri Sep 16 22:08:42 2011 +0300
+
+    require yaml
+
+ lib/whitewash.rb |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 26fa1591fe537485619d841899a91475cede681d
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Sat Jun 4 22:36:18 2011 +0300
+
+    rdoc doesn't grok trailing slashes in URLs
+
+ README.rdoc |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a88e509473b154e9966f8d185704ed013efc23e4
+Author: Dmitry Borodaenko <angdraug@debian.org>
+Date:   Sat Jun 4 22:34:48 2011 +0300
+
+    minor rdoc markup fix
+
+ README.rdoc |   10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
diff -Nru ruby-whitewash-1.0/ChangeLog.mtn ruby-whitewash-2.0/ChangeLog.mtn
--- ruby-whitewash-1.0/ChangeLog.mtn	1970-01-01 00:00:00.000000000 +0000
+++ ruby-whitewash-2.0/ChangeLog.mtn	2011-12-25 14:28:54.000000000 +0000
@@ -0,0 +1,64 @@
+-----------------------------------------------------------------
+Revision: 43067aa79f57dfb92165fd94da151d45f56ed87c
+Ancestor: 3a0dff129b6a5408055b65dd804f3831d8d16f15
+Author: angdraug@debian.org
+Date: 2009-08-22T12:36:05
+Branch: whitewash-head
+
+Modified files:
+        lib/whitewash.rb
+
+ChangeLog: 
+
+wrap global variables handling in Thread.exclusive
+
+-----------------------------------------------------------------
+Revision: 3a0dff129b6a5408055b65dd804f3831d8d16f15
+Ancestor: b544d3c9fe594e3862cf518ae51421e1f3816cc9
+Author: angdraug@debian.org
+Date: 2009-08-13T11:01:26
+Branch: whitewash-head
+
+Modified files:
+        README.rdoc lib/whitewash.rb
+
+ChangeLog: 
+
+made it easier to override tidypath
+
+ * made default_whitelist a public class method so that it can be used
+   in Whitewash.new() invokation
+ * documented the way Whitewash looks for Tidy
+
+-----------------------------------------------------------------
+Revision: b544d3c9fe594e3862cf518ae51421e1f3816cc9
+Ancestor: c6398a8b6433921353ec5b0a1cf616804a550961
+Author: angdraug@debian.org
+Date: 2009-07-28T11:25:34
+Branch: whitewash-head
+
+Modified files:
+        lib/whitewash.rb
+
+ChangeLog: 
+
+require rbconfig for access to Config::CONFIG
+
+-----------------------------------------------------------------
+Revision: c6398a8b6433921353ec5b0a1cf616804a550961
+Ancestor: 
+Author: angdraug@debian.org
+Date: 2009-07-27T16:21:20
+Branch: whitewash-head
+
+Added files:
+        COPYING README.rdoc data/whitewash/whitelist.yaml
+        lib/whitewash.rb lib/whitewash_rexml_attribute_patch.rb
+        setup.rb
+Added directories:
+        . data data/whitewash lib
+
+ChangeLog: 
+
+initial checkin: Whitewash is a spin-off of sanitize.rb from Samizdat project
+
diff -Nru ruby-whitewash-1.0/data/whitewash/html5_whitelist.yaml ruby-whitewash-2.0/data/whitewash/html5_whitelist.yaml
--- ruby-whitewash-1.0/data/whitewash/html5_whitelist.yaml	1970-01-01 00:00:00.000000000 +0000
+++ ruby-whitewash-2.0/data/whitewash/html5_whitelist.yaml	2011-12-25 14:28:54.000000000 +0000
@@ -0,0 +1,392 @@
+---
+# html5_whitelist.yaml
+#
+# Allowed HTML5 tags and attributes.
+# HTML5 is still under development, and this file
+# definition is actual for 2011, October.
+
+# _common defines attributes that can be present in any tag
+_common:
+  accesskey: !ruby/regexp /\A[:alnum:]\z/
+  class: &name !ruby/regexp /\A[a-z0-9 .:_-]+\z/i
+  contenteditable: !ruby/regexp /\Ztrue|false|inherit\z/
+  contextmenu: *name
+  dir: !ruby/regexp /\Altr|rtl|auto\z/
+  draggable: !ruby/regexp /\Atrue|false|auto\z/
+  dropzone: !ruby/regexp /\Acopy|move|link\z/
+  hidden: "hidden"
+  id: *name
+  lang: &lang !ruby/regexp /\A[a-z]+(-[a-z]*)?\z/i
+  spellcheck: !ruby/regexp /\Atrue|false\z/
+  style: &cdata !ruby/regexp /\A[^'"]*\z/
+  tabindex: &number !ruby/regexp /\A[0-9]+\z/
+  title: *cdata
+
+# _css lists CSS properties allowed inside "style" attribute
+_css: [ animation, animation-name, animation-duration,
+animation-timing-function, animation-delay, animation-iteration-count,
+animation-direction, animation-play-state, background, background-attachment,
+background-color, background-image, background-position, background-repeat,
+background-clip, background-origin, background-size, border, border-bottom,
+border-bottom-color, border-bottom-style, border-bottom-width, border-color,
+border-left, border-left-color, border-left-style, border-left-width,
+border-right, border-right-color, border-right-style, border-right-width,
+border-style, border-top, border-top-color, border-top-style, border-top-width,
+border-width, outline, outline-color, outline-style, outline-width,
+border-bottom-left-radius, border-bottom-right-radius, border-image,
+border-image-outset, border-image-repeat, border-image-slice,
+border-image-source, border-image-width, border-radius, border-top-left-radius,
+border-top-right-radius, box-decoration-break, box-shadow, overflow-x,
+overflow-y, overflow-style, rotation, rotation-point, color-profile, opacity,
+rendering-intent, bookmark-label, bookmark-level, bookmark-target,
+float-offset, hyphenate-after, hyphenate-before, hyphenate-character,
+hyphenate-lines, hyphenate-resource, hyphens, image-resolution, marks,
+string-set, height, max-height, max-width, min-height, min-width, width,
+box-align, box-direction, box-flex, box-flex-group, box-lines,
+box-ordinal-group, box-orient, box-pack, font, font-family, font-size,
+font-style, font-variant, font-weight, font-size-adjust, font-stretch, content,
+counter-increment, counter-reset, quotes, crop, move-to, page-policy,
+grid-columns, grid-rows, target, target-name, target-new, target-position,
+alignment-adjust, alignment-baseline, baseline-shift, dominant-baseline,
+drop-initial-after-adjust, drop-initial-after-align,
+drop-initial-before-adjust, drop-initial-before-align, drop-initial-size,
+drop-initial-value, inline-box-align, line-stacking, line-stacking-ruby,
+line-stacking-shift, line-stacking-strategy, text-height, list-style,
+list-style-image, list-style-position, list-style-type, margin, margin-bottom,
+margin-left, margin-right, margin-top, marquee-direction, marquee-play-count,
+marquee-speed, marquee-style, column-count, column-fill, column-gap,
+column-rule, column-rule-color, column-rule-style, column-rule-width,
+column-span, column-width, columns, padding, padding-bottom, padding-left,
+padding-right, padding-top, fit, fit-position, image-orientation, page, size,
+bottom, clear, clip, cursor, display, float, left, overflow, position, right,
+top, visibility, z-index, orphans, page-break-after, page-break-before,
+page-break-inside, widows, ruby-align, ruby-overhang, ruby-position, ruby-span,
+mark, mark-after, mark-before, phonemes, rest, rest-after, rest-before,
+voice-balance, voice-duration, voice-pitch, voice-pitch-range, voice-rate,
+voice-stress, voice-volume, border-collapse, border-spacing, caption-side,
+empty-cells, table-layout, color, direction, letter-spacing, line-height,
+text-align, text-decoration, text-indent, text-transform, unicode-bidi,
+vertical-align, white-space, word-spacing, hanging-punctuation,
+punctuation-trim, text-align-last, text-justify, text-outline, text-overflow,
+text-shadow, text-wrap, word-break, word-wrap, transform, transform-origin,
+transform-style, perspective, perspective-origin, backface-visibility,
+transition, transition-property, transition-duration,
+transition-timing-function, transition-delay, appearance, box-sizing, icon,
+nav-down, nav-index, nav-left, nav-right, nav-up, outline-offset, resize ]
+
+a:
+  href: &uri !ruby/regexp /\A((http|https|ftp|mailto):[^"\s]+|[^:\s]+)\z/i
+  hreflang: *lang
+  media: &keyword !ruby/regexp /\A[a-z ]+\z/i
+  rel: *keyword
+  target: *keyword
+  type: &type !ruby/regexp /\A[ ,a-z0-9\/+-]+\z/i
+abbr:
+address:
+area:
+  alt: *cdata
+  coords: !ruby/regexp /\A[0-9,]+\z/i
+  href: *uri
+  media: *keyword
+  rel: *keyword
+  target: *keyword
+  type: *type
+article:
+aside:
+audio:
+  autoplay: "autoplay"
+  controls: "controls"
+  loop: "loop"
+  preload: *keyword
+  src: *uri
+b:
+base:
+  href: *uri
+  target: *keyword
+bdi:
+bdo:
+  dir: *keyword
+blockquote:
+  cite: *uri
+body:
+br:
+button:
+  autofocus: "autofocus"
+  disabled: "disabled"
+  form: *name
+  formaction: *uri
+  formenctype: *type
+  formmethod: &method !ruby/regexp /\Aget|post\z/i
+  formnovalidate: "formnovalidate"
+  formtarget: *keyword
+  name: *cdata
+  type: *keyword
+  value: *cdata
+canvas:
+  width: &length !ruby/regexp /\A[0-9]+(%|px)?\z/
+  height: *length
+caption:
+cite:
+code:
+col:
+  span: *number
+colgroup:
+  span: *number
+command:
+  checked: "checked"
+  disabled: "disabled"
+  icon: *uri
+  label: *cdata
+  radiogroup: *name
+  type: *keyword
+datalist:
+dd:
+del:
+  cite: *uri
+  datetime: &datetime !ruby/regexp /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[A-Z]+\z/i
+details:
+  open: "open"
+dfn:
+div:
+dl:
+dt:
+em:
+embed:
+  height: *length
+  src: *uri
+  type: *type
+  width: *length
+fieldset:
+ disabled: "disabled"
+ form: *name
+ name: *cdata
+figcaption:
+figure:
+footer:
+form:
+  action: *uri
+  "accept-charset": *cdata
+  autocomplete : &onoff !ruby/regexp /\Aon|off\z/
+  enctype: *type
+  method: *method
+  name: *cdata
+  novalidate: "novalidate"
+  target: *keyword
+h1:
+h2:
+h3:
+h4:
+h5:
+h6:
+head:
+header:
+hgroup:
+hr:
+html:
+  manifest: *uri
+  xmlns: "http://www.w3.org/1999/xhtml"
+i:
+iframe:
+  height: *length
+  name: *name
+  sandbox: *keyword
+  seamless: "seamless"
+  src: *uri
+  srcdoc: *cdata
+  width: *length
+img:
+  alt: *cdata
+  src: *uri
+  height: *length
+  usemap: &usemap !ruby/regexp /\A#[a-z0-9 .:_-]+\z/i
+  ismap: "ismap"
+  width: *length
+input:
+  accept: *type
+  alt: *cdata
+  autocomplete: *onoff
+  autofocus: "autofocus"
+  checked: "checked"
+  disabled: "disabled"
+  form: *name
+  formaction: *uri
+  formenctype: *type
+  formmethod: *method
+  formnovalidate: "formnovalidate"
+  formtarget: *keyword
+  height: *length
+  list: *name
+  max: *number # date
+  multiple: "multiple"
+  name: *cdata
+  pattern: *cdata
+  placeholder: *cdata
+  readonly: "readonly"
+  required: "required"
+  size: *number
+  src: *uri
+  step: *number
+  type: *keyword
+  value: *cdata
+  width: *length
+ins:
+  cite: *uri
+  datetime: *datetime
+keygen:
+  autofocus: "disabled"
+  challenge: "challenge"
+  disabled: "disabled"
+  form: *name
+  keytype: *keyword
+  name: *name
+kbd:
+label:
+  for: *name
+  form: *name
+legend:
+li:
+  value: *cdata
+link:
+  href: *uri
+  hreflang: *lang
+  media: *keyword
+  rel: *keyword
+  sizes: &sizes !ruby/regexp /\A[0-9]+x[0-9]+|any\z/
+  target: *keyword
+  type: *type
+map:
+  name: *name
+mark:
+menu:
+  label: *cdata
+  type: *keyword
+meta:
+  charset: *cdata
+  name: *name
+  "http-equiv": *name
+  content: *cdata
+meter:
+  form: *name
+  high: &float !ruby/regexp /\A[0-9]+(\.[0-9]+)?\z/
+  low: *float
+  max: *float
+  min: *float
+  optimun: *float
+  value: *float
+nav:
+noscript:
+object:
+  data: *uri
+  form: *name
+  height: *number
+  hspace: *number
+  name: *name
+  standby: *cdata
+  type: *type
+  usemap: *usemap
+  width: *number
+ol:
+  reversed: "reversed"
+  start: *number
+  type: &listtype !ruby/regexp /\A[1AaIi]\z/
+optgroup:
+  label: *cdata
+  disabled: "disabled"
+option:
+  label: *cdata
+  value: *cdata
+  selected: "selected"
+  disabled: "disabled"
+output:
+  for: *name
+  form: *name
+  name: *name
+p:
+param:
+  name: *name
+  value: *cdata
+pre:
+progress:
+  max: *float
+  value: *float
+q:
+  cite: *uri
+rp:
+rt:
+ruby:
+s:
+samp:
+script:
+  async: "async"
+  defer: "defer"
+  type: *type
+  charset: *cdata
+  src: *uri
+section:
+select:
+  autofocus: "autofocus"
+  disabled: "disabled"
+  form: *name
+  multiple: "multiple"
+  name: *name
+  size: *number
+small:
+source:
+  media: *keyword
+  src: *uri
+  type: *type
+span:
+strong:
+style:
+  type: "text/css"
+  media: *keyword
+  scoped: "scoped"
+sub:
+summary:
+sup:
+table:
+  border: !ruby/regexp /\A1?\z/
+tbody:
+td:
+  colspan: *number
+  headers: &idrefs !ruby/regexp /\A[a-z0-9 ,#.:_-]+\z/i
+  rowspan: *number
+textarea:
+  autofocus: "autofocus"
+  cols: *number
+  disabled: "disabled"
+  dirname: *name
+  form: *name
+  maxlenght: *number
+  name: *name
+  placeholder: *cdata
+  readonly: "readonly"
+  required: "required"
+  rows: *number
+  wrap: &wrap !ruby/regexp /\Ahard|soft\z/i
+tfoot:
+th:
+  colspan: *number
+  headers: *idrefs
+  rowspan: *number
+  scope: *keyword
+thead:
+time:
+  datetime: *datetime
+  pubdate: "pubdate"
+title:
+tr:
+u:
+ul:
+var:
+video:
+  audio: "muted"
+  autoplay: "autoplay"
+  controls: "controls"
+  height: *number
+  loop: "loop"
+  poster: *uri
+  preload: !ruby/regexp /\Aauto|metadata|none\z/
+  src: *uri
+  width: *number
+wbr:
diff -Nru ruby-whitewash-1.0/data/whitewash/whitelist.yaml ruby-whitewash-2.0/data/whitewash/whitelist.yaml
--- ruby-whitewash-1.0/data/whitewash/whitelist.yaml	2011-09-14 14:25:43.000000000 +0000
+++ ruby-whitewash-2.0/data/whitewash/whitelist.yaml	2011-12-25 14:28:54.000000000 +0000
@@ -9,7 +9,7 @@
   id: *name
   title: &cdata !ruby/regexp /\A[^'"]*\z/
   dir: !ruby/regexp /\A(ltr|rtl)\z/i
-  xmlns: &uri !ruby/regexp /\A((http|https|ftp|mailto):[^"\s]+|[^:\s]+)\z/i
+  xmlns: &uri !ruby/regexp /\A((http|https|ftp|mailto):[^'"\s]+|(?!//)[^'":\s]+)\z/i
   lang: &lang !ruby/regexp /\A[a-z]+(-[a-z]*)?\z/i
   "xml:lang": *lang
   style: *cdata
@@ -133,11 +133,6 @@
   media: *keyword
 map:
   name: *cdata
-meta:
-  name: *name
-  "http-equiv": *name
-  content: *cdata
-  scheme: *cdata
 ol:
 optgroup:
   label: *cdata
diff -Nru ruby-whitewash-1.0/debian/changelog ruby-whitewash-2.0/debian/changelog
--- ruby-whitewash-1.0/debian/changelog	2011-09-14 15:31:07.000000000 +0000
+++ ruby-whitewash-2.0/debian/changelog	2011-12-25 15:11:49.000000000 +0000
@@ -1,3 +1,15 @@
+ruby-whitewash (2.0-1) unstable; urgency=low
+
+  * New upstream release:
+    - use Nokogiri instead of REXML and Tidy
+    - compatibility fixes for Ruby 1.9.3
+    - RSpec tests added.
+  * Depends updated: tidy dropped, ruby-nokogiri added.
+  * Run RSpec tests during build.
+  * require-yaml.patch dropped, merged upstream.
+
+ -- Dmitry Borodaenko <angdraug@debian.org>  Sun, 25 Dec 2011 17:32:34 +0300
+
 ruby-whitewash (1.0-1) unstable; urgency=low
 
   * Initial release. Closes: #573967 (ITP).
diff -Nru ruby-whitewash-1.0/debian/control ruby-whitewash-2.0/debian/control
--- ruby-whitewash-1.0/debian/control	2011-09-14 15:31:07.000000000 +0000
+++ ruby-whitewash-2.0/debian/control	2011-12-25 15:11:49.000000000 +0000
@@ -4,7 +4,7 @@
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
 Uploaders: Dmitry Borodaenko <angdraug@debian.org>
 DM-Upload-Allowed: yes
-Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.8~)
+Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.8~), ruby-rspec, ruby-nokogiri
 Standards-Version: 3.9.2
 Vcs-Git: git://github.com/angdraug/whitewash.git
 Vcs-Browser: https://github.com/angdraug/whitewash
@@ -14,7 +14,7 @@
 Package: ruby-whitewash
 Architecture: all
 XB-Ruby-Versions: ${ruby:Versions}
-Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter, tidy
+Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter, ruby-nokogiri
 Description: Whitelist-based HTML filter for Ruby
  This module allows Ruby programs to clean up any HTML document or fragment
  coming from an untrusted source and to remove all dangerous constructs that
diff -Nru ruby-whitewash-1.0/debian/patches/0001-rename-data-dir-to-ruby-whitewash.patch ruby-whitewash-2.0/debian/patches/0001-rename-data-dir-to-ruby-whitewash.patch
--- ruby-whitewash-1.0/debian/patches/0001-rename-data-dir-to-ruby-whitewash.patch	2011-09-14 15:31:07.000000000 +0000
+++ ruby-whitewash-2.0/debian/patches/0001-rename-data-dir-to-ruby-whitewash.patch	2011-12-25 15:11:49.000000000 +0000
@@ -7,20 +7,20 @@
  1 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/lib/whitewash.rb b/lib/whitewash.rb
-index 268ef54..ba81b66 100644
+index 1446894..45e383e 100644
 --- a/lib/whitewash.rb
 +++ b/lib/whitewash.rb
-@@ -140,9 +140,9 @@ class Whitewash
+@@ -120,9 +120,9 @@ class Whitewash
  
    private
  
 -  PATH = [ '/etc/whitewash',
--           File.join(Config::CONFIG['datadir'], 'whitewash'),
+-           File.join(RbConfig::CONFIG['datadir'].untaint, 'whitewash'),
 -           '/usr/local/share/whitewash/' ]
 +  PATH = [ '/etc/ruby-whitewash',
-+           File.join(Config::CONFIG['datadir'], 'ruby-whitewash'),
++           File.join(RbConfig::CONFIG['datadir'].untaint, 'ruby-whitewash'),
 +           '/usr/local/share/ruby-whitewash/' ]
  
    WHITELIST = 'whitelist.yaml'
- 
+ end
 -- 
diff -Nru ruby-whitewash-1.0/debian/patches/0002-require-yaml.patch ruby-whitewash-2.0/debian/patches/0002-require-yaml.patch
--- ruby-whitewash-1.0/debian/patches/0002-require-yaml.patch	2011-09-14 15:31:07.000000000 +0000
+++ ruby-whitewash-2.0/debian/patches/0002-require-yaml.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-From: Dmitry Borodaenko <angdraug@debian.org>
-Date: Wed, 14 Sep 2011 18:15:34 +0300
-Subject: require yaml
-
----
- lib/whitewash.rb |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/lib/whitewash.rb b/lib/whitewash.rb
-index ba81b66..396b5d2 100644
---- a/lib/whitewash.rb
-+++ b/lib/whitewash.rb
-@@ -11,6 +11,7 @@
- 
- require 'rbconfig'
- require 'rexml/document'
-+require 'yaml'
- require 'whitewash_rexml_attribute_patch'
- 
- class WhitewashError < RuntimeError; end
--- 
diff -Nru ruby-whitewash-1.0/debian/patches/series ruby-whitewash-2.0/debian/patches/series
--- ruby-whitewash-1.0/debian/patches/series	2011-09-14 15:31:07.000000000 +0000
+++ ruby-whitewash-2.0/debian/patches/series	2011-12-25 15:11:49.000000000 +0000
@@ -1,2 +1 @@
 0001-rename-data-dir-to-ruby-whitewash.patch
-0002-require-yaml.patch
diff -Nru ruby-whitewash-1.0/debian/ruby-tests.rb ruby-whitewash-2.0/debian/ruby-tests.rb
--- ruby-whitewash-1.0/debian/ruby-tests.rb	1970-01-01 00:00:00.000000000 +0000
+++ ruby-whitewash-2.0/debian/ruby-tests.rb	2011-12-25 15:11:49.000000000 +0000
@@ -0,0 +1,3 @@
+$: << 'lib' << '.'
+require 'rspec'
+Dir['spec/**/*_spec.rb'].each {|f| require f }
diff -Nru ruby-whitewash-1.0/lib/whitewash.rb ruby-whitewash-2.0/lib/whitewash.rb
--- ruby-whitewash-1.0/lib/whitewash.rb	2011-09-14 14:25:43.000000000 +0000
+++ ruby-whitewash-2.0/lib/whitewash.rb	2011-12-25 14:28:54.000000000 +0000
@@ -1,7 +1,7 @@
 # Whitewash: whitelist-based HTML validator for Ruby
 # (originally written for Samizdat project)
 #
-#   Copyright (c) 2002-2009  Dmitry Borodaenko <angdraug@debian.org>
+#   Copyright (c) 2002-2011  Dmitry Borodaenko <angdraug@debian.org>
 #
 #   This program is free software.
 #   You can distribute/modify this program under the terms of
@@ -10,47 +10,43 @@
 # vim: et sw=2 sts=2 ts=8 tw=0
 
 require 'rbconfig'
-require 'rexml/document'
-require 'whitewash_rexml_attribute_patch'
+require 'nokogiri'
+require 'yaml'
 
 class WhitewashError < RuntimeError; end
 
 class Whitewash
-  begin
-    FORMATTER = REXML::Formatters::Default.new(true)   # enable IE hack
 
-  rescue LoadError, NameError
+  if RUBY_VERSION < '1.9.3'
+    def Whitewash.load(string)
+      YAML.load(string)
+    end
 
-    # backwards compatibility for Ruby versions without REXML::Formatters
+  else
+    # use Syck to parse the whitelist until Psych issue #36 is fixed
     #
-    class LegacyFormatter
-      def write(node, output)
-        return unless node.respond_to?(:write)
-        node.write(output, -1, false, true)
+    def Whitewash.load(string)
+      Mutex.new.synchronize do
+        yamler = YAML::ENGINE.yamler
+        YAML::ENGINE.yamler = 'syck'
+        whitelist = YAML.load(string)
+        YAML::ENGINE.yamler = yamler
+        whitelist
       end
     end
-
-    FORMATTER = LegacyFormatter.new
   end
 
   def Whitewash.default_whitelist
     unless found = PATH.find {|dir| File.readable?(File.join(dir, WHITELIST)) }
       raise RuntimeError, "Can't find default whitelist"
     end
-    File.open(File.join(found, WHITELIST)) {|f| YAML.load(f.read.untaint) }
+    File.open(File.join(found, WHITELIST)) {|f| Whitewash.load(f.read.untaint) }
   end
 
   # _whitelist_ is expected to be loaded from xhtml.yaml.
   #
-  # _tidypath_ is a file path to a binary or library of HTMLtidy. If it points
-  # to a library (detected by .so in the file name), Ruby/Tidy DL-based wrapper
-  # library will be used. If it's a binary, pipe will be used to filter HTML
-  # through it. If none is supplied, known binary and library locations will be
-  # tried, with preference given to the binary if both are found.
-  #
-  def initialize(whitelist = Whitewash.default_whitelist, tidypath = nil)
+  def initialize(whitelist = Whitewash.default_whitelist)
     @whitelist = whitelist
-    set_tidy(tidypath)
   end
 
   attr_reader :xhtml
@@ -62,7 +58,8 @@
     \s*\z
   }xi).freeze
 
-  def check_style(css, style)
+  def check_style(whitelist, style)
+    css = whitelist['_css'] or return true
     style.split(';').each do |s|
       return false unless
         s =~ CSS and css.include? $1
@@ -74,157 +71,58 @@
   #
   def sanitize_element(xml, whitelist = @whitelist, &p)
     if xml.name =~ /^_/ or not whitelist.keys.include?(xml.name)
-      # doesn't work without xpath
-      xml.document.delete_element(xml.xpath)
+      xml.element_children.each {|e| sanitize_element(e, whitelist, &p) }
+      xml.replace(xml.children)
       return
     end
 
-    if xml.has_attributes?
-      attrs = whitelist['_common'].merge((whitelist[xml.name] or {}))
-      xml.attributes.each_attribute do |a|
-        unless attrs[a.name] === a.to_s
-          xml.delete_attribute(a.name)
-          next
-        end
-
-        # sanitize CSS in style="" attributes
-        if 'style' == a.name and whitelist['_css'] and
-          not check_style(whitelist['_css'], a.value)
-
-          xml.delete_attribute(a.name)
-          next
-        end
-      end
+    # sanitize CSS in <style> elements
+    if 'style' == xml.name and not check_style(whitelist, xml.content)
+      xml.remove
+      return
     end
 
-    if xml.has_elements?   # recurse
-      xml.elements.each {|e| sanitize_element(e, whitelist, &p) }
+    xml.attribute_nodes.each do |a|
+      attrs ||= whitelist['_common'].merge((whitelist[xml.name] or {}))
+      unless attrs[a.name] === a.to_s
+        xml.remove_attribute(a.name)
+        next
+      end
+
+      # sanitize CSS in style="" attributes
+      if 'style' == a.name and not check_style(whitelist, a.value)
+        xml.remove_attribute(a.name)
+        next
+      end
     end
 
+    # recurse
+    xml.element_children.each {|e| sanitize_element(e, whitelist, &p) }
+
     if block_given?
       yield xml
     end
   end
 
-  # filter HTML through Tidy
-  #
-  def tidy(html)
-    @tidy_binary ? tidy_pipe(html) : tidy_dl(html)
-  end
-
   # Return sanitized HTML.
   #
-  # If block is supplied, it will be invoked for each REXML::Element in the
-  # sanitized HTML.
+  # If block is supplied, it will be invoked for each Nokogiri::XML::Element
+  # in the sanitized HTML.
   #
   def sanitize(html, whitelist = @whitelist, &p)
-    html = tidy(html)
-    (html.nil? or html.empty?) and raise WhitewashError,
-      "Invalid HTML detected"
-
-    begin
-      xml = REXML::Document.new(html).root
-      xml = xml.elements['//html/body']
-    rescue REXML::ParseException
-      raise WhitewashError, "Invalid XHTML detected: " +
-        $!.continued_exception.to_s.gsub(/\n.*/, '')
-    end
+    xml = Nokogiri::HTML(html) {|config| config.noblanks }
+    xml = xml.xpath('//html/body').first
+    return '' if xml.nil?
 
     sanitize_element(xml, whitelist, &p)
-
-    html = ''
-    xml.each {|child| FORMATTER.write(child, html) }
-
-    html
+    xml.children.to_xhtml
   end
 
   private
 
   PATH = [ '/etc/whitewash',
-           File.join(Config::CONFIG['datadir'], 'whitewash'),
+           File.join(RbConfig::CONFIG['datadir'].untaint, 'whitewash'),
            '/usr/local/share/whitewash/' ]
 
   WHITELIST = 'whitelist.yaml'
-
-  SO_PATH_PATTERN = Regexp.new(/\.so(?:\..+)?\z/).freeze
-
-  def is_so?(path)
-    path =~ SO_PATH_PATTERN and File.readable?(path)
-  end
-
-  def set_tidy(tidypath)
-    if tidypath.nil?
-      [ '/usr/bin/tidy',
-        '/usr/local/bin/tidy',
-        '/usr/lib/libtidy.so',
-        '/usr/local/lib/libtidy.so'
-      ].each {|path|
-        if File.exists?(path)
-          tidypath = path
-          break
-        end
-      }
-    end
-
-    if is_so?(tidypath)
-      require 'tidy'
-
-      # workaround for memory leak in Tidy.path=
-      Thread.exclusive do
-        if not defined?(@@tidysopath) or tidypath != @@tidysopath
-          Tidy.path = @@tidysopath = tidypath
-        end
-      end
-
-      @tidy_binary = nil
-
-    elsif File.executable?(tidypath)
-      @tidy_binary = tidypath
-    end
-
-    require 'open3' if @tidy_binary
-  end
-
-  def tidy_dl(html)
-    xml = Tidy.open(:quiet => true,
-                    :show_warnings => false,
-                    :show_errors => 1,
-                    :output_xhtml => true,
-                    :literal_attributes => true,
-                    :preserve_entities => true,
-                    :tidy_mark => false,
-                    :wrap => 0,
-                    :char_encoding => 'utf8'
-    ) {|tidy| tidy.clean(html.to_s.untaint) }
-
-    xml.taint
-  end
-
-  def tidy_pipe(html)
-    stdin, stdout, stderr =
-      Open3.popen3(@tidy_binary +
-                   ' --quiet yes' +
-                   ' --show-warnings no' +
-                   ' --show-errors 1' +
-                   ' --output-xhtml yes' +
-                   ' --literal-attributes yes' +
-                   ' --preserve-entities yes' +
-                   ' --tidy-mark no' +
-                   ' --wrap 0' +
-                   ' --char-encoding utf8')
-
-    stdin.write(html.to_s.untaint)
-    stdin.close
-
-    errors = stderr.read
-    stderr.close
-
-    xhtml = stdout.read
-    stdout.close
-
-    errors.nil? or errors.empty? or raise WhitewashError,
-      "Invalid HTML detected: " + errors
-
-    xhtml
-  end
 end
diff -Nru ruby-whitewash-1.0/lib/whitewash_rexml_attribute_patch.rb ruby-whitewash-2.0/lib/whitewash_rexml_attribute_patch.rb
--- ruby-whitewash-1.0/lib/whitewash_rexml_attribute_patch.rb	2011-09-14 14:25:43.000000000 +0000
+++ ruby-whitewash-2.0/lib/whitewash_rexml_attribute_patch.rb	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-# Monkey patch for REXML: use (") instead of (') in XML attributes, escape both.
-
-module REXML
-  class Attribute
-    def to_string
-      %{#@expanded_name="#{to_s().gsub(/"/, '&quot;').gsub(/'/, '&apos;')}"}
-    end
-  end
-end
diff -Nru ruby-whitewash-1.0/README.rdoc ruby-whitewash-2.0/README.rdoc
--- ruby-whitewash-1.0/README.rdoc	2011-09-14 14:25:43.000000000 +0000
+++ ruby-whitewash-2.0/README.rdoc	2011-12-25 14:28:54.000000000 +0000
@@ -28,42 +28,22 @@
 anything exploitable through, please report it as a bug to Whitewash
 developers.
 
+An alternative whitelist is provided for HTML5 in html5_whitelist.yaml.
+This whitelist is as much a work in progress as HTML5 standard itself,
+use at your own risk.
 
-== External Dependencies
-
-Whitewash relies on REXML to parse HTML and put it back together, and
-uses HTML Tidy to transform arbitrary HTML into valid XHTML that REXML
-can understand.
-
- * REXML:
-
-   * http://www.germane-software.com/software/rexml
 
- * HTML Tidy:
-
-   * http://tidy.sf.net/
-   * http://rubyforge.org/projects/tidy/
-
-REXML is a part of standard Ruby library, so it is available on any
-system that has Ruby. HTML Tidy needs to be installed separately.
-
-By default, Whitewash looks first for tidy binary under /usr/bin and
-/usr/local/bin, then for libtidy.so shared library under /usr/lib and
-/usr/local/lib. Using the binary is slower, but safer: Ruby/Tidy uses DL
-library to connect to libtidy.so and doesn't work properly when $SAFE is
-greater than 0. If you want to use the library anyway, or if you have
-Tidy installed in a non-standard location, you can override it like
-this:
+== External Dependencies
 
-  whitewash = Whitewash.new(Whitewash.default_whitelist, './tidy')
+Whitewash relies on Nokogiri to parse arbitrary HTML and put it back
+together as valid XHTML:
 
-If there's no .so in the file name, Whitewash will assume that it's a
-binary that can be invoked with popen3.
+  * http://nokogiri.org/
 
 
 == Copying
 
-  Copyright (c) 2002-2009  Dmitry Borodaenko <angdraug@debian.org>
+  Copyright (c) 2002-2011  Dmitry Borodaenko <angdraug@debian.org>
 
   This program is free software.
   You can distribute/modify this program under the terms of the GNU
diff -Nru ruby-whitewash-1.0/spec/spec_helper.rb ruby-whitewash-2.0/spec/spec_helper.rb
--- ruby-whitewash-1.0/spec/spec_helper.rb	1970-01-01 00:00:00.000000000 +0000
+++ ruby-whitewash-2.0/spec/spec_helper.rb	2011-12-25 14:28:54.000000000 +0000
@@ -0,0 +1,8 @@
+require 'rspec'
+$LOAD_PATH.unshift(File.expand_path("../lib", File.dirname(__FILE__)))
+require 'whitewash'
+
+class Whitewash
+  remove_const :PATH
+  PATH = [ File.expand_path("../data/whitewash", File.dirname(__FILE__)) ]
+end
diff -Nru ruby-whitewash-1.0/spec/whitewash_spec.rb ruby-whitewash-2.0/spec/whitewash_spec.rb
--- ruby-whitewash-1.0/spec/whitewash_spec.rb	1970-01-01 00:00:00.000000000 +0000
+++ ruby-whitewash-2.0/spec/whitewash_spec.rb	2011-12-25 14:28:54.000000000 +0000
@@ -0,0 +1,99 @@
+require File.expand_path('spec/spec_helper')
+
+describe Whitewash do
+  it "loads default whitelist" do
+    whitelist = Whitewash.default_whitelist
+    whitelist.should be_a_kind_of Hash
+    whitelist.should include '_css'
+  end
+
+  it "drops <html> and <body> elements" do
+    w = Whitewash.new
+    input = '<html><head></head><body><p>test</p></body>'
+    output = w.sanitize(input)
+    output.should == '<p>test</p>'
+  end
+
+  it "understands fragments with multiple root elements" do
+    w = Whitewash.new
+    input = '<p>foo</p><p>bar</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo</p><p>bar</p>'
+  end
+
+  it "removes <script/> element" do
+    w = Whitewash.new
+    input = '<p>foo <script type="text/javascript" src="test.js">bar</script> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <![CDATA[bar]]> buzz</p>'
+  end
+
+  it "removes onclick attribute" do
+    w = Whitewash.new
+    input = '<p>foo <span onlick="test()">bar</span> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <span>bar</span> buzz</p>'
+  end
+
+  it "removes background CSS property" do
+    w = Whitewash.new
+    input = '<p>foo <span style="background: url(//test/t.js)">bar</span> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <span>bar</span> buzz</p>'
+  end
+
+  it "rewrites HTML when supplied with a block" do
+    w = Whitewash.new
+    input = '<p>foo <img src="in.jpg"/> buzz</p>'
+    output = w.sanitize(input) do |xml|
+      if xml.name == 'img'
+        xml['src'] = 'out.jpg'
+      end
+    end
+    output.should == '<p>foo <img src="out.jpg" /> buzz</p>'
+  end
+
+  it "fixes up invalid markup" do
+    w = Whitewash.new
+    input = '<p>foo <strong><em>bar</strong></em> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <strong><em>bar</em></strong> buzz</p>'
+  end
+
+  # http://ha.ckers.org/xss.html
+
+  it "catches javascript: in img/src" do
+    w = Whitewash.new
+    input = %q{<IMG SRC=JaVaScRiPt:alert('XSS')>}
+    output = w.sanitize(input)
+    output.should == %q{<img />}
+  end
+
+  it "handles strings with null in the middle" do
+    w = Whitewash.new
+    input = %q{<IMG SRC=java\0script:alert("XSS")>}
+    output = w.sanitize(input)
+    output.should == %q{<img />}
+  end
+
+  it "handles extra open brackets" do
+    w = Whitewash.new
+    input = %q{<<SCRIPT>alert("XSS");//<</SCRIPT>}
+    output = w.sanitize(input)
+    output.should == '<p>alert("XSS");//</p>'
+  end
+
+  it "removes remote stylesheet link" do
+    w = Whitewash.new
+    input = %q{<P><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></P>}
+    output = w.sanitize(input)
+    output.should == '<p></p>'
+  end
+
+  it "removes XML data island with CDATA obfuscation" do
+    w = Whitewash.new
+    input = %{<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>}
+    output = w.sanitize(input)
+    output.should == ']]&gt; <span></span>'
+  end
+end