RubyGems - html-pipeline - Versions diffs - 1.4.0 → 1.5.0 - Mend

html-pipeline 1.4.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/html/pipeline/sanitization_filter.rb +18 -5
data/lib/html/pipeline/version.rb +1 -1
data/test/html/pipeline/sanitization_filter_test.rb +59 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 18ebd2d23ad0e2b826d0f799544324f75efad1c4
-  data.tar.gz: c052603aa7e7dd3af1b9b75f55a52ad4be278fbf
+  metadata.gz: 283d2eec685e3f57e423f5ef348389a7f5d29f90
+  data.tar.gz: a007485225e182efd0a158bf59c9e4df08da49f6
 SHA512:
-  metadata.gz: f5177792a0de9b78ccdfeb86c2b335ed25dcc83a2e10db7c8fa34236ec61e6746fb358c593fc156739c338144332e7e6f193300a6399485e1ea5210af3424ff2
-  data.tar.gz: 905067a669f37813c52858536ebda8af639ba6b3b1929b361acd4f9460d06881f922db57f40033f2eb15b7eb061a31b365d497e0b19b6863ebbf42401bc7dc35
+  metadata.gz: 98e70609b064b690455547da4f61f9746f36fd3fc2b06ea8e4e5a1cd15fb75b3294d466c2336f36b3c650c1cca298cabd430fb39a65cbbf92040e1adb8ef0815
+  data.tar.gz: 24ccfcf8af8ce40388ece52e15bfc0eb3a81b699f8d8043e420f050b1fdba8b1bae3b4df9ecc5c3181dcad4319b4e81bcca542ee3c87dce92ea8189a6e3eb960

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # CHANGELOG
+## 1.5.0
+  * More flexible whitelist configuration for SanitizationFilter #98 aroben
 ## 1.4.0
   * Fix CamoFilter double entity encoding. #101 josh

data/lib/html/pipeline/sanitization_filter.rb CHANGED Viewed

@@ -15,9 +15,13 @@ module HTML
     # https://github.com/rgrove/sanitize/#readme
     #
     # Context options:
-    #   :whitelist - The sanitizer whitelist configuration to use. This can be one
-    #                of the options constants defined in this class or a custom
-    #                sanitize options hash.
+    #   :whitelist      - The sanitizer whitelist configuration to use. This
+    #                     can be one of the options constants defined in this
+    #                     class or a custom sanitize options hash.
+    #   :anchor_schemes - The URL schemes to allow in <a href> attributes. The
+    #                     default set is provided in the ANCHOR_SCHEMES
+    #                     constant in this class. If passed, this overrides any
+    #                     schemes specified in the whitelist configuration.
     #
     # This filter does not write additional information to the context.
     class SanitizationFilter < Filter
@@ -32,6 +36,9 @@ module HTML
       TABLE = 'table'.freeze
       TABLE_SECTIONS = Set.new(%w(thead tbody tfoot).freeze)
+      # These schemes are the only ones allowed in <a href> attributes by default.
+      ANCHOR_SCHEMES = ['http', 'https', 'mailto', :relative, 'github-windows', 'github-mac'].freeze
       # The main sanitization whitelist. Only these elements and attributes are
       # allowed through by default.
       WHITELIST = {
@@ -64,7 +71,7 @@ module HTML
                     'vspace', 'width', 'itemprop']
         },
         :protocols => {
-          'a'   => {'href' => ['http', 'https', 'mailto', :relative, 'github-windows', 'github-mac']},
+          'a'   => {'href' => ANCHOR_SCHEMES},
           'img' => {'src'  => ['http', 'https', :relative]}
         },
         :transformers => [
@@ -104,7 +111,13 @@ module HTML
       # The whitelist to use when sanitizing. This can be passed in the context
       # hash to the filter but defaults to WHITELIST constant value above.
       def whitelist
-        context[:whitelist] || WHITELIST
+        whitelist = context[:whitelist] || WHITELIST
+        anchor_schemes = context[:anchor_schemes]
+        return whitelist unless anchor_schemes
+        whitelist = whitelist.dup
+        whitelist[:protocols] = (whitelist[:protocols] || {}).dup
+        whitelist[:protocols]['a'] = (whitelist[:protocols]['a'] || {}).merge('href' => anchor_schemes)
+        whitelist
       end
     end
   end

data/lib/html/pipeline/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module HTML
   class Pipeline
-    VERSION = "1.4.0"
+    VERSION = "1.5.0"
   end
 end

data/test/html/pipeline/sanitization_filter_test.rb CHANGED Viewed

@@ -45,6 +45,65 @@ class HTML::Pipeline::SanitizationFilterTest < Test::Unit::TestCase
     assert_equal stuff, SanitizationFilter.call(stuff).to_s
   end
+  def test_unknown_schemes_are_removed
+    stuff = '<a href="something-weird://heyyy">Wat</a> is this'
+    html  = SanitizationFilter.call(stuff).to_s
+    assert_equal '<a>Wat</a> is this', html
+  end
+  def test_standard_schemes_are_removed_if_not_specified_in_anchor_schemes
+    stuff  = '<a href="http://www.example.com/">No href for you</a>'
+    filter = SanitizationFilter.new(stuff, {:anchor_schemes => []})
+    html   = filter.call.to_s
+    assert_equal '<a>No href for you</a>', html
+  end
+  def test_custom_anchor_schemes_are_not_removed
+    stuff  = '<a href="something-weird://heyyy">Wat</a> is this'
+    filter = SanitizationFilter.new(stuff, {:anchor_schemes => ['something-weird']})
+    html   = filter.call.to_s
+    assert_equal stuff, html
+  end
+  def test_anchor_schemes_are_merged_with_other_anchor_restrictions
+    stuff  = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
+    whitelist = {
+      :elements   => ['a'],
+      :attributes => {'a' => ['href', 'ping']},
+      :protocols  => {'a' => {'ping' => ['http']}}
+    }
+    filter = SanitizationFilter.new(stuff, {:whitelist => whitelist, :anchor_schemes => ['something-weird']})
+    html   = filter.call.to_s
+    assert_equal '<a href="something-weird://heyyy">Wat</a> is this', html
+  end
+  def test_uses_anchor_schemes_from_whitelist_when_not_separately_specified
+    stuff  = '<a href="something-weird://heyyy">Wat</a> is this'
+    whitelist = {
+      :elements   => ['a'],
+      :attributes => {'a' => ['href']},
+      :protocols  => {'a' => {'href' => ['something-weird']}}
+    }
+    filter = SanitizationFilter.new(stuff, {:whitelist => whitelist})
+    html   = filter.call.to_s
+    assert_equal stuff, html
+  end
+  def test_whitelist_contains_default_anchor_schemes
+    assert_equal SanitizationFilter::WHITELIST[:protocols]['a']['href'], ['http', 'https', 'mailto', :relative, 'github-windows', 'github-mac']
+  end
+  def test_whitelist_from_full_constant
+    stuff  = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
+    filter = SanitizationFilter.new(stuff, :whitelist => SanitizationFilter::FULL)
+    html   = filter.call.to_s
+    assert_equal 'Wat is this', html
+  end
+  def test_exports_default_anchor_schemes
+    assert_equal SanitizationFilter::ANCHOR_SCHEMES, ['http', 'https', 'mailto', :relative, 'github-windows', 'github-mac']
+  end
   def test_script_contents_are_removed
     orig = '<script>JavaScript!</script>'
     assert_equal "", SanitizationFilter.call(orig).to_s

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: html-pipeline
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Ryan Tomayko
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-01-21 00:00:00.000000000 Z
+date: 2014-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri