loofah 0.2.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (31) hide show
  1. data.tar.gz.sig +0 -0
  2. data/CHANGELOG.rdoc +18 -0
  3. data/MIT-LICENSE.txt +21 -0
  4. data/Manifest.txt +28 -0
  5. data/README.rdoc +110 -0
  6. data/Rakefile +16 -0
  7. data/TODO.rdoc +9 -0
  8. data/benchmark/benchmark.rb +72 -0
  9. data/benchmark/fragment.html +96 -0
  10. data/benchmark/www.slashdot.com.html +2560 -0
  11. data/init.rb +2 -0
  12. data/lib/loofah.rb +197 -0
  13. data/lib/loofah/active_record.rb +44 -0
  14. data/lib/loofah/deprecated.rb +38 -0
  15. data/lib/loofah/html/document.rb +19 -0
  16. data/lib/loofah/html/document_fragment.rb +30 -0
  17. data/lib/loofah/html5/scrub.rb +70 -0
  18. data/lib/loofah/html5/whitelist.rb +170 -0
  19. data/lib/loofah/scrubber.rb +108 -0
  20. data/test/helper.rb +8 -0
  21. data/test/html5/test_deprecated_sanitizer.rb +185 -0
  22. data/test/html5/test_sanitizer.rb +245 -0
  23. data/test/html5/testdata/tests1.dat +501 -0
  24. data/test/test_active_record.rb +71 -0
  25. data/test/test_api.rb +51 -0
  26. data/test/test_deprecated_basic.rb +68 -0
  27. data/test/test_microsofty.rb +91 -0
  28. data/test/test_scrubber.rb +100 -0
  29. data/test/test_strip_tags.rb +36 -0
  30. metadata +148 -0
  31. metadata.gz.sig +0 -0
data/test/html5/testdata/tests1.dat ADDED
@@ -0,0 +1,501 @@
1
+ [
2
+ {
3
+ "name": "IE_Comments",
4
+ "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
5
+ "output": ""
6
+ },
7
+
8
+ {
9
+ "name": "IE_Comments_2",
10
+ "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
11
+ "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
12
+ "rexml": "Ill-formed XHTML!"
13
+ },
14
+
15
+ {
16
+ "name": "allow_colons_in_path_component",
17
+ "input": "<a href=\"./this:that\">foo</a>",
18
+ "output": "<a href='./this:that'>foo</a>"
19
+ },
20
+
21
+ {
22
+ "name": "background_attribute",
23
+ "input": "<div background=\"javascript:alert('XSS')\"></div>",
24
+ "output": "<div/>",
25
+ "xhtml": "<div></div>",
26
+ "rexml": "<div></div>"
27
+ },
28
+
29
+ {
30
+ "name": "bgsound",
31
+ "input": "<bgsound src=\"javascript:alert('XSS');\" />",
32
+ "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
33
+ "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
34
+ },
35
+
36
+ {
37
+ "name": "div_background_image_unicode_encoded",
38
+ "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
39
+ "output": "<div style=''>foo</div>"
40
+ },
41
+
42
+ {
43
+ "name": "div_expression",
44
+ "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
45
+ "output": "<div style=''>foo</div>"
46
+ },
47
+
48
+ {
49
+ "name": "double_open_angle_brackets",
50
+ "input": "<img src=http://ha.ckers.org/scriptlet.html <",
51
+ "output": "<img src='http://ha.ckers.org/scriptlet.html'/>",
52
+ "rexml": "Ill-formed XHTML!"
53
+ },
54
+
55
+ {
56
+ "name": "double_open_angle_brackets_2",
57
+ "input": "<script src=http://ha.ckers.org/scriptlet.html <",
58
+ "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
59
+ "rexml": "Ill-formed XHTML!"
60
+ },
61
+
62
+ {
63
+ "name": "grave_accents",
64
+ "input": "<img src=`javascript:alert('XSS')` />",
65
+ "output": "<img/>",
66
+ "rexml": "Ill-formed XHTML!"
67
+ },
68
+
69
+ {
70
+ "name": "img_dynsrc_lowsrc",
71
+ "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
72
+ "output": "<img/>",
73
+ "rexml": "<img />"
74
+ },
75
+
76
+ {
77
+ "name": "img_vbscript",
78
+ "input": "<img src='vbscript:msgbox(\"XSS\")' />",
79
+ "output": "<img/>",
80
+ "rexml": "<img />"
81
+ },
82
+
83
+ {
84
+ "name": "input_image",
85
+ "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
86
+ "output": "<input type='image'/>",
87
+ "rexml": "<input type='image' />"
88
+ },
89
+
90
+ {
91
+ "name": "link_stylesheets",
92
+ "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
93
+ "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/&gt;",
94
+ "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
95
+ },
96
+
97
+ {
98
+ "name": "link_stylesheets_2",
99
+ "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
100
+ "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/&gt;",
101
+ "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
102
+ },
103
+
104
+ {
105
+ "name": "list_style_image",
106
+ "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
107
+ "output": "<li style=''>foo</li>"
108
+ },
109
+
110
+ {
111
+ "name": "no_closing_script_tags",
112
+ "input": "<script src=http://ha.ckers.org/xss.js?<b>",
113
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
114
+ "rexml": "Ill-formed XHTML!"
115
+ },
116
+
117
+ {
118
+ "name": "non_alpha_non_digit",
119
+ "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
120
+ "output": "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
121
+ "rexml": "Ill-formed XHTML!"
122
+ },
123
+
124
+ {
125
+ "name": "non_alpha_non_digit_2",
126
+ "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
127
+ "output": "<a>foo</a>",
128
+ "rexml": "Ill-formed XHTML!"
129
+ },
130
+
131
+ {
132
+ "name": "non_alpha_non_digit_3",
133
+ "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
134
+ "output": "<img src='http://ha.ckers.org/xss.js'/>",
135
+ "rexml": "Ill-formed XHTML!"
136
+ },
137
+
138
+ {
139
+ "name": "non_alpha_non_digit_II",
140
+ "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
141
+ "output": "<a>foo</a>",
142
+ "rexml": "Ill-formed XHTML!"
143
+ },
144
+
145
+ {
146
+ "name": "non_alpha_non_digit_III",
147
+ "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
148
+ "output": "<a>foo</a>",
149
+ "rexml": "Ill-formed XHTML!"
150
+ },
151
+
152
+ {
153
+ "name": "platypus",
154
+ "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
155
+ "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>"
156
+ },
157
+
158
+ {
159
+ "name": "protocol_resolution_in_script_tag",
160
+ "input": "<script src=//ha.ckers.org/.j></script>",
161
+ "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
162
+ "rexml": "Ill-formed XHTML!"
163
+ },
164
+
165
+ {
166
+ "name": "should_allow_anchors",
167
+ "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
168
+ "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
169
+ },
170
+
171
+ {
172
+ "name": "should_allow_image_alt_attribute",
173
+ "input": "<img alt='foo' onclick='bar' />",
174
+ "output": "<img alt='foo'/>",
175
+ "rexml": "<img alt='foo' />"
176
+ },
177
+
178
+ {
179
+ "name": "should_allow_image_height_attribute",
180
+ "input": "<img height='foo' onclick='bar' />",
181
+ "output": "<img height='foo'/>",
182
+ "rexml": "<img height='foo' />"
183
+ },
184
+
185
+ {
186
+ "name": "should_allow_image_src_attribute",
187
+ "input": "<img src='foo' onclick='bar' />",
188
+ "output": "<img src='foo'/>",
189
+ "rexml": "<img src='foo' />"
190
+ },
191
+
192
+ {
193
+ "name": "should_allow_image_width_attribute",
194
+ "input": "<img width='foo' onclick='bar' />",
195
+ "output": "<img width='foo'/>",
196
+ "rexml": "<img width='foo' />"
197
+ },
198
+
199
+ {
200
+ "name": "should_handle_blank_text",
201
+ "input": "",
202
+ "output": ""
203
+ },
204
+
205
+ {
206
+ "name": "should_handle_malformed_image_tags",
207
+ "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
208
+ "output": "<img/>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
209
+ "rexml": "Ill-formed XHTML!"
210
+ },
211
+
212
+ {
213
+ "name": "should_handle_non_html",
214
+ "input": "abc",
215
+ "output": "abc"
216
+ },
217
+
218
+ {
219
+ "name": "should_not_fall_for_ridiculous_hack",
220
+ "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
221
+ "output": "<img/>",
222
+ "rexml": "<img />"
223
+ },
224
+
225
+ {
226
+ "name": "should_not_fall_for_xss_image_hack_0",
227
+ "input": "<img src=\"javascript:alert('XSS');\" />",
228
+ "output": "<img/>",
229
+ "rexml": "<img />"
230
+ },
231
+
232
+ {
233
+ "name": "should_not_fall_for_xss_image_hack_1",
234
+ "input": "<img src=javascript:alert('XSS') />",
235
+ "output": "<img/>",
236
+ "rexml": "Ill-formed XHTML!"
237
+ },
238
+
239
+ {
240
+ "name": "should_not_fall_for_xss_image_hack_10",
241
+ "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
242
+ "output": "<img/>",
243
+ "rexml": "<img />"
244
+ },
245
+
246
+ {
247
+ "name": "should_not_fall_for_xss_image_hack_11",
248
+ "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
249
+ "output": "<img/>",
250
+ "rexml": "<img />"
251
+ },
252
+
253
+ {
254
+ "name": "should_not_fall_for_xss_image_hack_12",
255
+ "input": "<img src=\" &#14; javascript:alert('XSS');\" />",
256
+ "output": "<img/>",
257
+ "rexml": "<img />"
258
+ },
259
+
260
+ {
261
+ "name": "should_not_fall_for_xss_image_hack_13",
262
+ "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
263
+ "output": "<img/>",
264
+ "rexml": "<img />"
265
+ },
266
+
267
+ {
268
+ "name": "should_not_fall_for_xss_image_hack_14",
269
+ "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
270
+ "output": "<img/>",
271
+ "rexml": "<img />"
272
+ },
273
+
274
+ {
275
+ "name": "should_not_fall_for_xss_image_hack_2",
276
+ "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
277
+ "output": "<img/>",
278
+ "rexml": "<img />"
279
+ },
280
+
281
+ {
282
+ "name": "should_not_fall_for_xss_image_hack_3",
283
+ "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
284
+ "output": "<img/>",
285
+ "rexml": "<img />"
286
+ },
287
+
288
+ {
289
+ "name": "should_not_fall_for_xss_image_hack_4",
290
+ "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
291
+ "output": "<img/>",
292
+ "rexml": "<img />"
293
+ },
294
+
295
+ {
296
+ "name": "should_not_fall_for_xss_image_hack_5",
297
+ "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
298
+ "output": "<img/>",
299
+ "rexml": "<img />"
300
+ },
301
+
302
+ {
303
+ "name": "should_not_fall_for_xss_image_hack_6",
304
+ "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
305
+ "output": "<img/>",
306
+ "rexml": "<img />"
307
+ },
308
+
309
+ {
310
+ "name": "should_not_fall_for_xss_image_hack_7",
311
+ "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
312
+ "output": "<img/>",
313
+ "rexml": "<img />"
314
+ },
315
+
316
+ {
317
+ "name": "should_not_fall_for_xss_image_hack_8",
318
+ "input": "<img src=\"jav\tascript:alert('XSS');\" />",
319
+ "output": "<img/>",
320
+ "rexml": "<img />"
321
+ },
322
+
323
+ {
324
+ "name": "should_not_fall_for_xss_image_hack_9",
325
+ "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
326
+ "output": "<img/>",
327
+ "rexml": "<img />"
328
+ },
329
+
330
+ {
331
+ "name": "should_sanitize_half_open_scripts",
332
+ "input": "<img src=\"javascript:alert('XSS')\"",
333
+ "output": "<img/>",
334
+ "rexml": "Ill-formed XHTML!"
335
+ },
336
+
337
+ {
338
+ "name": "should_sanitize_invalid_script_tag",
339
+ "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
340
+ "output": "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
341
+ "rexml": "Ill-formed XHTML!"
342
+ },
343
+
344
+ {
345
+ "name": "should_sanitize_script_tag_with_multiple_open_brackets",
346
+ "input": "<<script>alert(\"XSS\");//<</script>",
347
+ "output": "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;",
348
+ "rexml": "Ill-formed XHTML!"
349
+ },
350
+
351
+ {
352
+ "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
353
+ "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
354
+ "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;",
355
+ "rexml": "Ill-formed XHTML!"
356
+ },
357
+
358
+ {
359
+ "name": "should_sanitize_tag_broken_up_by_null",
360
+ "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
361
+ "output": "&lt;scr\ufffdipt&gt;alert(\"XSS\")&lt;/scr\ufffdipt&gt;",
362
+ "rexml": "Ill-formed XHTML!"
363
+ },
364
+
365
+ {
366
+ "name": "should_sanitize_unclosed_script",
367
+ "input": "<script src=http://ha.ckers.org/xss.js?<b>",
368
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;",
369
+ "rexml": "Ill-formed XHTML!"
370
+ },
371
+
372
+ {
373
+ "name": "should_strip_href_attribute_in_a_with_bad_protocols",
374
+ "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
375
+ "output": "<a title='1'>boo</a>"
376
+ },
377
+
378
+ {
379
+ "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
380
+ "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
381
+ "output": "<a title='1'>boo</a>"
382
+ },
383
+
384
+ {
385
+ "name": "should_strip_src_attribute_in_img_with_bad_protocols",
386
+ "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
387
+ "output": "<img title='1'/>boo",
388
+ "rexml": "<img title='1' />"
389
+ },
390
+
391
+ {
392
+ "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
393
+ "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
394
+ "output": "<img title='1'/>boo",
395
+ "rexml": "<img title='1' />"
396
+ },
397
+
398
+ {
399
+ "name": "xml_base",
400
+ "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
401
+ "output": "<div>foo</div>"
402
+ },
403
+
404
+ {
405
+ "name": "xul",
406
+ "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
407
+ "output": "<p style=''>fubar</p>"
408
+ },
409
+
410
+ {
411
+ "name": "quotes_in_attributes",
412
+ "input": "<img src='foo' title='\"foo\" bar' />",
413
+ "rexml": "<img src='foo' title='\"foo\" bar' />",
414
+ "output": "<img title='&quot;foo&quot; bar' src='foo'/>"
415
+ },
416
+
417
+ {
418
+ "name": "uri_refs_in_svg_attributes",
419
+ "input": "<rect fill='url(#foo)' />",
420
+ "rexml": "<rect fill='url(#foo)'></rect>",
421
+ "xhtml": "<rect fill='url(#foo)'></rect>",
422
+ "output": "<rect fill='url(#foo)'/>"
423
+ },
424
+
425
+ {
426
+ "name": "absolute_uri_refs_in_svg_attributes",
427
+ "input": "<rect fill='url(http://bad.com/) #fff' />",
428
+ "rexml": "<rect fill=' #fff'></rect>",
429
+ "xhtml": "<rect fill=' #fff'></rect>",
430
+ "output": "<rect fill=' #fff'/>"
431
+ },
432
+
433
+ {
434
+ "name": "uri_ref_with_space_in svg_attribute",
435
+ "input": "<rect fill='url(\n#foo)' />",
436
+ "rexml": "<rect fill='url(\n#foo)'></rect>",
437
+ "xhtml": "<rect fill='url(\n#foo)'></rect>",
438
+ "output": "<rect fill='url(\n#foo)'/>"
439
+ },
440
+
441
+ {
442
+ "name": "absolute_uri_ref_with_space_in svg_attribute",
443
+ "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
444
+ "rexml": "<rect fill=' '></rect>",
445
+ "xhtml": "<rect fill=' '></rect>",
446
+ "output": "<rect fill=' '/>"
447
+ },
448
+
449
+ {
450
+ "name": "allow_html5_image_tag",
451
+ "input": "<image src='foo' />",
452
+ "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
453
+ "output": "&lt;image src=\"foo\"/&gt;"
454
+ },
455
+
456
+ {
457
+ "name": "style_attr_end_with_nothing",
458
+ "input": "<div style=\"color: blue\" />",
459
+ "output": "<div style='color: blue;'/>",
460
+ "xhtml": "<div style='color: blue;'></div>",
461
+ "rexml": "<div style='color: blue;'></div>"
462
+ },
463
+
464
+ {
465
+ "name": "style_attr_end_with_space",
466
+ "input": "<div style=\"color: blue \" />",
467
+ "output": "<div style='color: blue ;'/>",
468
+ "xhtml": "<div style='color: blue ;'></div>",
469
+ "rexml": "<div style='color: blue ;'></div>"
470
+ },
471
+
472
+ {
473
+ "name": "style_attr_end_with_semicolon",
474
+ "input": "<div style=\"color: blue;\" />",
475
+ "output": "<div style='color: blue;'/>",
476
+ "xhtml": "<div style='color: blue;'></div>",
477
+ "rexml": "<div style='color: blue;'></div>"
478
+ },
479
+
480
+ {
481
+ "name": "style_attr_end_with_semicolon_space",
482
+ "input": "<div style=\"color: blue; \" />",
483
+ "output": "<div style='color: blue;'/>",
484
+ "xhtml": "<div style='color: blue;'></div>",
485
+ "rexml": "<div style='color: blue;'></div>"
486
+ },
487
+
488
+ {
489
+ "name": "attributes_with_embedded_quotes",
490
+ "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
491
+ "output": "<img src='doesntexist.jpg&quot;&apos;onerror=&quot;alert(1)'/>",
492
+ "rexml": "Ill-formed XHTML!"
493
+ },
494
+
495
+ {
496
+ "name": "attributes_with_embedded_quotes_II",
497
+ "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
498
+ "output": "<img src='notthere.jpg&quot;&quot;onerror=&quot;alert(2)'/>",
499
+ "rexml": "Ill-formed XHTML!"
500
+ }
501
+ ]