jets-html-sanitizer 1.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e9ab1d5a11318b93b5438b666e96563d7bf6b631dbd5735950af5f601311f3b4
+  data.tar.gz: 766430d915e2406a730c721d82c92f7cc7982e99c2d05474f293c4f784ae20ee
+SHA512:
+  metadata.gz: 7b9a8fcc55ca5f820637f470285f856f4bb6a7ec21c93ed3a768ad53278a1916696ce925542482fe3d91fcf331ff45b02c7e3e51a09e8a9b5f8e29fdfcecdff3
+  data.tar.gz: 42b089a1e9c5a7afb518554ef94dff8153e57a1f38f9ea97a04c5d947a39081de418e0a38817eb57a6c7b66616207db5ce977e8ed30ba6b71d93d02fe5eace36

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+## 1.0.1
+
+* Added support for Jets 4.2.0.beta2 and above
+
+## 1.0.0
+
+* First release.

data/MIT-LICENSE

@@ -0,0 +1,48 @@
+Copyright (c) 2019 Tung Nguyen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# Original Authors
+
+Copyright (c) 2013-2015 Rafael Mendonça França, Kasper Timm Hansen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,142 @@
+# Jets Html Sanitizers
+
+This is a fork of rails-html-sanitizer.  This is done so we can keep the namespace under `Jets` to avoid naming collisions with `Jets`. Credit for original work goes to the [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) authors.
+
+In Jets this gem will be responsible for sanitizing HTML fragments in Jets
+applications, i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
+
+Jets Html Sanitizer is only intended to be used with Jets applications. If you need similar functionality in non Jets apps consider using [Loofah](https://github.com/flavorjones/loofah) directly (that's what handles sanitization under the hood).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'jets-html-sanitizer'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install jets-html-sanitizer
+
+## Usage
+
+### Sanitizers
+
+All sanitizers respond to `sanitize`.
+
+#### FullSanitizer
+
+```ruby
+full_sanitizer = Jets::Html::FullSanitizer.new
+full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+# => Bold no more!  See more here...
+```
+
+#### LinkSanitizer
+
+```ruby
+link_sanitizer = Jets::Html::LinkSanitizer.new
+link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+# => Only the link text will be kept.
+```
+
+#### WhiteListSanitizer
+
+```ruby
+white_list_sanitizer = Jets::Html::WhiteListSanitizer.new
+
+# sanitize via an extensive white list of allowed elements
+white_list_sanitizer.sanitize(@article.body)
+
+# white list only the supplied tags and attributes
+white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
+
+# white list via a custom scrubber
+white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+
+# white list sanitizer can also sanitize css
+white_list_sanitizer.sanitize_css('background-color: #000;')
+```
+
+### Scrubbers
+
+Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.
+
+This gem includes two scrubbers `Jets::Html::PermitScrubber` and `Jets::Html::TargetScrubber`.
+
+#### `Jets::Html::PermitScrubber`
+
+This scrubber allows you to permit only the tags and attributes you want.
+
+```ruby
+scrubber = Jets::Html::PermitScrubber.new
+scrubber.tags = ['a']
+
+html_fragment = Loofah.fragment('<a><img/ ></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a></a>"
+```
+
+#### `Jets::Html::TargetScrubber`
+
+Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
+`Jets::Html::TargetScrubber` targets them for removal.
+
+
+```ruby
+scrubber = Jets::Html::TargetScrubber.new
+scrubber.tags = ['img']
+
+html_fragment = Loofah.fragment('<a><img/ ></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a></a>"
+```
+
+#### Custom Scrubbers
+
+You can also create custom scrubbers in your application if you want to.
+
+```ruby
+class CommentScrubber < Jets::Html::PermitScrubber
+  def initialize
+    super
+    self.tags = %w( form script comment blockquote )
+    self.attributes = %w( style )
+  end
+
+  def skip_node?(node)
+    node.text?
+  end
+end
+```
+
+See `Jets::Html::PermitScrubber` documentation to learn more about which methods can be overridden.
+
+#### Custom Scrubber in a Jets app
+
+Using the `CommentScrubber` from above, you can use this in a Jets view like so:
+
+```ruby
+<%= sanitize @comment, scrubber: CommentScrubber.new %>
+```
+
+## Read more
+
+Loofah is what underlies the sanitizers and scrubbers of jets-html-sanitizer.
+- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
+
+The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
+- [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
+- [Nokogiri](http://nokogiri.org)
+
+## Contributing to Jets Html Sanitizers
+
+Jets Html Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
+
+See [CONTRIBUTING](CONTRIBUTING.md).
+
+## License
+Jets Html Sanitizers is released under the [MIT License](MIT-LICENSE).

data/lib/jets-html-sanitizer.rb

@@ -0,0 +1,73 @@
+require "jets/html/sanitizer/version"
+require "loofah"
+require "jets/html/scrubbers"
+require "jets/html/sanitizer"
+
+module Jets
+  module Html
+    class Sanitizer
+      class << self
+        def full_sanitizer
+          Html::FullSanitizer
+        end
+
+        def link_sanitizer
+          Html::LinkSanitizer
+        end
+
+        def white_list_sanitizer
+          Html::WhiteListSanitizer
+        end
+      end
+    end
+  end
+end
+
+module ActionView
+  module Helpers
+    module SanitizeHelper
+      module ClassMethods
+        # Replaces the allowed tags for the +sanitize+ helper.
+        #
+        #   class Application < Jets::Application
+        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+        #   end
+        #
+        def sanitized_allowed_tags=(tags)
+          sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
+        end
+
+        # Replaces the allowed HTML attributes for the +sanitize+ helper.
+        #
+        #   class Application < Jets::Application
+        #     config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
+        #   end
+        #
+        def sanitized_allowed_attributes=(attributes)
+          sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
+        end
+
+        [:protocol_separator,
+         :uri_attributes,
+         :bad_tags,
+         :allowed_css_properties,
+         :allowed_css_keywords,
+         :shorthand_css_properties,
+         :allowed_protocols].each do |meth|
+          meth_name = "sanitized_#{meth}"
+
+          define_method(meth_name) { deprecate_option(meth_name) }
+          define_method("#{meth_name}=") { |_| deprecate_option("#{meth_name}=") }
+        end
+
+        private
+          def deprecate_option(name)
+            ActiveSupport::Deprecation.warn "The #{name} option is deprecated " \
+              "and has no effect. Until Jets 5 the old behavior can still be " \
+              "installed. To do this add the `jets-deprecated-sanitizer` to " \
+              "your Gemfile. Consult the Jets 4.2 upgrade guide for more information."
+          end
+      end
+    end
+  end
+end

data/lib/jets/html/sanitizer.rb

@@ -0,0 +1,152 @@
+module Jets
+  module Html
+    XPATHS_TO_REMOVE = %w{.//script .//form comment()}
+
+    class Sanitizer # :nodoc:
+      def sanitize(html, options = {})
+        raise NotImplementedError, "subclasses must implement sanitize method."
+      end
+
+      private
+
+      def remove_xpaths(node, xpaths)
+        node.xpath(*xpaths).remove
+        node
+      end
+
+      def properly_encode(fragment, options)
+        fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
+      end
+    end
+
+    # === Jets::Html::FullSanitizer
+    # Removes all tags but strips out scripts, forms and comments.
+    #
+    # full_sanitizer = Jets::Html::FullSanitizer.new
+    # full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+    # # => Bold no more!  See more here...
+    class FullSanitizer < Sanitizer
+      def sanitize(html, options = {})
+        return unless html
+        return html if html.empty?
+
+        loofah_fragment = Loofah.fragment(html)
+
+        remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
+        loofah_fragment.scrub!(TextOnlyScrubber.new)
+
+        properly_encode(loofah_fragment, encoding: 'UTF-8')
+      end
+    end
+
+    # === Jets::Html::LinkSanitizer
+    # Removes a tags and href attributes leaving only the link text
+    #
+    # link_sanitizer = Jets::Html::LinkSanitizer.new
+    # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    # # => Only the link text will be kept.
+    class LinkSanitizer < Sanitizer
+      def initialize
+        @link_scrubber = TargetScrubber.new
+        @link_scrubber.tags = %w(a href)
+        @link_scrubber.attributes = %w(href)
+      end
+
+      def sanitize(html, options = {})
+        Loofah.scrub_fragment(html, @link_scrubber).to_s
+      end
+    end
+
+    # === Jets::Html::WhiteListSanitizer
+    # Sanitizes html and css from an extensive white list (see link further down).
+    #
+    # === Whitespace
+    # We can't make any guarantees about whitespace being kept or stripped.
+    # Loofah uses Nokogiri, which wraps either a C or Java parser for the
+    # respective Ruby implementation.
+    # Those two parsers determine how whitespace is ultimately handled.
+    #
+    # When the stripped markup will be rendered the users browser won't take
+    # whitespace into account anyway. It might be better to suggest your users
+    # wrap their whitespace sensitive content in pre tags or that you do
+    # so automatically.
+    #
+    # === Options
+    # Sanitizes both html and css via the white lists found here:
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    #
+    # WhiteListSanitizer also accepts options to configure
+    # the white list used when sanitizing html.
+    # There's a class level option:
+    # Jets::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
+    # Jets::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
+    #
+    # Tags and attributes can also be passed to +sanitize+.
+    # Passed options take precedence over the class level options.
+    #
+    # === Examples
+    # white_list_sanitizer = Jets::Html::WhiteListSanitizer.new
+    #
+    # Sanitize css doesn't take options
+    # white_list_sanitizer.sanitize_css('background-color: #000;')
+    #
+    # Default: sanitize via a extensive white list of allowed elements
+    # white_list_sanitizer.sanitize(@article.body)
+    #
+    # White list via the supplied tags and attributes
+    # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
+    # attributes: %w(id class style))
+    #
+    # White list via a custom scrubber
+    # white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+    class WhiteListSanitizer < Sanitizer
+      class << self
+        attr_accessor :allowed_tags
+        attr_accessor :allowed_attributes
+      end
+      self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub
+        sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
+        acronym a img blockquote del ins))
+      self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
+
+      def initialize
+        @permit_scrubber = PermitScrubber.new
+      end
+
+      def sanitize(html, options = {})
+        return unless html
+        return html if html.empty?
+
+        loofah_fragment = Loofah.fragment(html)
+
+        if scrubber = options[:scrubber]
+          # No duck typing, Loofah ensures subclass of Loofah::Scrubber
+          loofah_fragment.scrub!(scrubber)
+        elsif allowed_tags(options) || allowed_attributes(options)
+          @permit_scrubber.tags = allowed_tags(options)
+          @permit_scrubber.attributes = allowed_attributes(options)
+          loofah_fragment.scrub!(@permit_scrubber)
+        else
+          remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
+          loofah_fragment.scrub!(:strip)
+        end
+
+        properly_encode(loofah_fragment, encoding: 'UTF-8')
+      end
+
+      def sanitize_css(style_string)
+        Loofah::HTML5::Scrub.scrub_css(style_string)
+      end
+
+      private
+
+      def allowed_tags(options)
+        options[:tags] || self.class.allowed_tags
+      end
+
+      def allowed_attributes(options)
+        options[:attributes] || self.class.allowed_attributes
+      end
+    end
+  end
+end

data/lib/jets/html/sanitizer/version.rb

@@ -0,0 +1,7 @@
+module Jets
+  module Html
+    class Sanitizer
+      VERSION = "1.0.4"
+    end
+  end
+end

data/lib/jets/html/scrubbers.rb

@@ -0,0 +1,201 @@
+module Jets
+  module Html
+    # === Jets::Html::PermitScrubber
+    #
+    # Jets::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
+    #
+    # Jets::Html::PermitScrubber can be subclassed to determine:
+    # - When a node should be skipped via +skip_node?+.
+    # - When a node is allowed via +allowed_node?+.
+    # - When an attribute should be scrubbed via +scrub_attribute?+.
+    #
+    # Subclasses don't need to worry if tags or attributes are set or not.
+    # If tags or attributes are not set, Loofah's behavior will be used.
+    # If you override +allowed_node?+ and no tags are set, it will not be called.
+    # Instead Loofahs behavior will be used.
+    # Likewise for +scrub_attribute?+ and attributes respectively.
+    #
+    # Text and CDATA nodes are skipped by default.
+    # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
+    # Supplied tags and attributes should be Enumerables.
+    #
+    # +tags=+
+    # If set, elements excluded will be stripped.
+    # If not, elements are stripped based on Loofahs +HTML5::Scrub.allowed_element?+.
+    #
+    # +attributes=+
+    # If set, attributes excluded will be removed.
+    # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
+    #
+    # class CommentScrubber < Html::PermitScrubber
+    #   def initialize
+    #     super
+    #     self.tags = %w(form script comment blockquote)
+    #   end
+    #
+    #   def skip_node?(node)
+    #     node.text?
+    #   end
+    #
+    #   def scrub_attribute?(name)
+    #     name == "style"
+    #   end
+    # end
+    #
+    # See the documentation for Nokogiri::XML::Node to understand what's possible
+    # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
+    class PermitScrubber < Loofah::Scrubber
+      attr_reader :tags, :attributes
+
+      def initialize
+        @direction = :bottom_up
+        @tags, @attributes = nil, nil
+      end
+
+      def tags=(tags)
+        @tags = validate!(tags, :tags)
+      end
+
+      def attributes=(attributes)
+        @attributes = validate!(attributes, :attributes)
+      end
+
+      def scrub(node)
+        if node.cdata?
+          text = node.document.create_text_node node.text
+          node.replace text
+          return CONTINUE
+        end
+        return CONTINUE if skip_node?(node)
+
+        unless keep_node?(node)
+          return STOP if scrub_node(node) == STOP
+        end
+
+        scrub_attributes(node)
+      end
+
+      protected
+
+      def allowed_node?(node)
+        @tags.include?(node.name)
+      end
+
+      def skip_node?(node)
+        node.text?
+      end
+
+      def scrub_attribute?(name)
+        !@attributes.include?(name)
+      end
+
+      def keep_node?(node)
+        if @tags
+          allowed_node?(node)
+        else
+          Loofah::HTML5::Scrub.allowed_element?(node.name)
+        end
+      end
+
+      def scrub_node(node)
+        node.before(node.children) # strip
+        node.remove
+      end
+
+      def scrub_attributes(node)
+        if @attributes
+          node.attribute_nodes.each do |attr|
+            attr.remove if scrub_attribute?(attr.name)
+            scrub_attribute(node, attr)
+          end
+
+          scrub_css_attribute(node)
+        else
+          Loofah::HTML5::Scrub.scrub_attributes(node)
+        end
+      end
+
+      def scrub_css_attribute(node)
+        if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
+          Loofah::HTML5::Scrub.scrub_css_attribute(node)
+        else
+          style = node.attributes['style']
+          style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
+        end
+      end
+
+      def validate!(var, name)
+        if var && !var.is_a?(Enumerable)
+          raise ArgumentError, "You should pass :#{name} as an Enumerable"
+        end
+        var
+      end
+
+      def scrub_attribute(node, attr_node)
+        attr_name = if attr_node.namespace
+                      "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+                    else
+                      attr_node.node_name
+                    end
+
+        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+          # this block lifted nearly verbatim from HTML5 sanitization
+          val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+            attr_node.remove
+          end
+        end
+        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+          attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+        end
+        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+          attr_node.remove
+        end
+
+        node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
+
+        Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
+      end
+    end
+
+    # === Jets::Html::TargetScrubber
+    #
+    # Where Jets::Html::PermitScrubber picks out tags and attributes to permit in
+    # sanitization, Jets::Html::TargetScrubber targets them for removal.
+    #
+    # +tags=+
+    # If set, elements included will be stripped.
+    #
+    # +attributes=+
+    # If set, attributes included will be removed.
+    class TargetScrubber < PermitScrubber
+      def allowed_node?(node)
+        !super
+      end
+
+      def scrub_attribute?(name)
+        !super
+      end
+    end
+
+    # === Jets::Html::TextOnlyScrubber
+    #
+    # Jets::Html::TextOnlyScrubber allows you to permit text nodes.
+    #
+    # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
+    class TextOnlyScrubber < Loofah::Scrubber
+      def initialize
+        @direction = :bottom_up
+      end
+
+      def scrub(node)
+        if node.text?
+          CONTINUE
+        else
+          node.before node.children
+          node.remove
+        end
+      end
+    end
+  end
+end