data_style_sanitizer 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3817b2ce8055b36be47116321a6e62265ae6fdcfbc7c12aa1882f084276bdc6e
-  data.tar.gz: b57bf6ca274a8e139379ff502b0958ac465183be180655fc3ef8edd0d1ffe0e7
+  metadata.gz: 92d2a1679e57bb4634ab85c0e4883314fde9f7380f0da02a81ef7939e7f7833c
+  data.tar.gz: 0a71f5c5c1ef2abf82d5630a055ff663d0597b663467b449a115119a3ac149f9
 SHA512:
-  metadata.gz: c0a0239a32f913f42e12604f34646e06c337daf2ea74d58189fb729dcb3346ccc823fdfcc8fafa87f2bbdc19069346fef48f68d17c85fe2169ad11e18d09c8ef
-  data.tar.gz: 2584f0c30cd3f3b0d7a63a6d10b73e2c38c5e103d0202d48d3f3ebdacff7c39dd3577344a060ad8b89693d1ae6604b81f588ab12ce149ad4c148ff4ac5e1ef6e
+  metadata.gz: bb8c460227b1839353264d939293563ed458b7e6546c306784d1c69e95e5fb925ebf5e33109272cd3720184d2fed2d4791158864ec695b828608038cc15b077f
+  data.tar.gz: cbedd72c8a7601e7ff045055e75519db982cb7a100aeb8253b041512f451cdae3a703e9d44ac52c3916a4f2b91350a515b660c9d1aa7d7142d4991c4d737a3cb

data/lib/data_style_sanitizer/middleware.rb

@@ -1,50 +1,38 @@
-# lib/data_style_sanitizer/middleware.rb
-require "nokogiri"
-require "digest"
+require_relative "data_style_sanitizer/processor"
 
-class DataStyleSanitizer
-  def initialize(app)
-    @app = app
-  end
+module DataStyleSanitizer
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
 
-  def call(env)
-    status, headers, response = @app.call(env)
+    def call(env)
+      status, headers, response = @app.call(env)
 
-    if html_response?(headers)
-      body = response.body.join
-      doc = Nokogiri::HTML(body)
-      style_map = {}
+      if html_response?(headers)
+        body = +""
+        response.each { |part| body << part }
 
-      doc.css("[data-style]").each do |el|
-        style = el["data-style"].strip
-        class_name = "ds-#{Digest::MD5.hexdigest(style)[0..6]}"
-        el.remove_attribute("data-style")
-        el["class"] = [el["class"], class_name].compact.join(" ")
-        style_map[class_name] ||= style
-      end
+        nonce = extract_nonce_from_env(env)
+        processed = Processor.new(body, nonce: nonce).process
 
-      if style_map.any?
-        nonce = extract_nonce(doc)
-        style_tag = Nokogiri::XML::Node.new("style", doc)
-        style_tag["nonce"] = nonce if nonce
-        style_tag.content = style_map.map { |klass, style| ".#{klass} { #{style} }" }.join("\n")
-        doc.at("head") << style_tag
+        headers["Content-Length"] = processed.bytesize.to_s
+        [status, headers, [processed]]
+      else
+        [status, headers, response]
       end
-
-      response = [doc.to_html]
     end
 
-    [status, headers, response]
-  end
-
-  private
+    private
 
-  def html_response?(headers)
-    headers["Content-Type"]&.include?("text/html")
-  end
+    def html_response?(headers)
+      headers["Content-Type"]&.include?("text/html")
+    end
 
-  def extract_nonce(doc)
-    meta = doc.at('meta[name="csp-nonce"]')
-    meta["content"] if meta
+    def extract_nonce_from_env(env)
+      if env["action_dispatch.content_security_policy_nonce"].respond_to?(:call)
+        env["action_dispatch.content_security_policy_nonce"].call(:style)
+      end
+    end
   end
 end

data/lib/data_style_sanitizer/processor.rb

@@ -19,8 +19,16 @@ module DataStyleSanitizer
     private
 
     def extract_styles
-      @doc.css("[data-style]").each_with_index do |node, i|
+      @doc.css("[data-style]").each do |node|
         style_string = node.get_attribute("data-style")
+        next if style_string.nil? || style_string.strip.empty? # Skip empty attributes
+
+        # Remove CSS comments and normalize spacing
+        style_string = style_string.gsub(/\/\*.*?\*\//, "").strip
+        style_string = style_string.split(";").map(&:strip).reject(&:empty?).join("; ")
+
+        next if style_string.empty? # Skip if the style becomes empty after cleaning
+
         class_name = generate_class_name(style_string)
 
         # Apply class and remove attribute
@@ -33,7 +41,7 @@ module DataStyleSanitizer
     end
 
     def generate_class_name(style_string)
-      hash = Digest::SHA256.hexdigest(style_string)[0..7]
+      hash = Digest::SHA256.hexdigest(style_string.downcase)[0..7] # Ensure case-insensitivity
       "ds-#{hash}"
     end
 
@@ -53,12 +61,17 @@ module DataStyleSanitizer
 
       style_tag.content = css_rules
 
-      # Add the <style> tag to the <head> if it exists, otherwise to the root
+      # Add the <style> tag to the <head> if it exists, otherwise to the <body> or fragment
       head = @doc.at_css("head")
       if head
         head.add_child(style_tag)
       else
-        @doc.add_child(style_tag)
+        body = @doc.at_css("body")
+        if body
+          body.add_child(style_tag)
+        else
+          @doc.add_child(style_tag) # Append directly to the fragment
+        end
       end
     end
   end

data/lib/data_style_sanitizer/rails/controller_integration.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module DataStyleSanitizer
+  module Rails
+    module ControllerIntegration
+      extend ActiveSupport::Concern
+
+      included do
+        after_action :inject_data_style_sanitizer_styles
+      end
+
+      private
+
+      def inject_data_style_sanitizer_styles
+        return unless html_response? && response.body.include?("data-style")
+
+        nonce = begin
+          content_security_policy_nonce(:style)
+        rescue
+          nil
+        end
+        style_block = DataStyleSanitizer::Renderer.generate_style_block(response.body, nonce: nonce)
+
+        # Inject into <head>
+        response.body.sub!("</head>", "#{style_block}</head>")
+      end
+
+      def html_response?
+        response.content_type == "text/html"
+      end
+    end
+  end
+end

data/lib/{railtie.rb → data_style_sanitizer/railtie.rb}

@@ -1,3 +1,5 @@
+require "rails/railtie"
+
 module DataStyleSanitizer
   class Railtie < Rails::Railtie
     initializer "data_style_sanitizer.middleware" do |app|
@@ -14,14 +16,13 @@ module DataStyleSanitizer
       status, headers, response = @app.call(env)
 
       if headers["Content-Type"]&.include?("text/html")
-        body = ""
+        body = +""
         response.each { |part| body << part }
 
-        nonce = env["secure_headers_nonce"] || extract_nonce(env)
+        nonce = extract_nonce(env)
+        new_body = DataStyleSanitizer.process(body, nonce: nonce)
 
-        new_body = DataStyleSanitizer.sanitize_html(body, nonce: nonce)
         headers["Content-Length"] = new_body.bytesize.to_s
-
         [status, headers, [new_body]]
       else
         [status, headers, response]
@@ -31,12 +32,7 @@ module DataStyleSanitizer
     private
 
     def extract_nonce(env)
-      # Customize based on how you expose CSP nonce
-      if env["action_dispatch.content_security_policy_nonce"]
-        env["action_dispatch.content_security_policy_nonce"].call
-      else
-        SecureRandom.base64(16) # fallback
-      end
+      env.dig("action_dispatch.content_security_policy_nonce", :style)
     end
   end
 end

data/lib/data_style_sanitizer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DataStyleSanitizer
-  VERSION = "0.1.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: data_style_sanitizer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - tedaford
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-04-07 00:00:00.000000000 Z
+date: 2025-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -53,8 +53,9 @@ files:
 - lib/data_style_sanitizer.rb
 - lib/data_style_sanitizer/middleware.rb
 - lib/data_style_sanitizer/processor.rb
+- lib/data_style_sanitizer/rails/controller_integration.rb
+- lib/data_style_sanitizer/railtie.rb
 - lib/data_style_sanitizer/version.rb
-- lib/railtie.rb
 homepage: https://github.com/tedaford/data_style_sanitizer
 licenses:
 - MIT