loofah 0.2.0

data/test/test_active_record.rb

@@ -0,0 +1,71 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+require 'loofah/active_record'
+
+class TestActiveRecord < Test::Unit::TestCase
+
+  HTML_STRING = "<div>omgwtfbbq</div>"
+  PLAIN_TEXT = "vanilla text"
+
+  context "with a Post model" do
+
+    setup do
+      ActsAsFu.build_model(:posts) do
+        string :plain_text
+        string :html_string
+      end
+    end
+
+    context "scrubbing field as a fragment" do
+      setup do
+        Post.html_fragment :html_string, :scrub => :prune
+        @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
+      end
+
+      should "scrub the specified field" do
+        Loofah.expects(:scrub_fragment).with(HTML_STRING, :prune).once
+        Loofah.expects(:scrub_fragment).with(PLAIN_TEXT, :prune).never
+        @post.save
+      end
+    end
+
+    context "scrubbing field as a document" do
+      setup do
+        Post.html_document :html_string, :scrub => :strip
+        @post = Post.new :html_string => HTML_STRING, :plain_text => PLAIN_TEXT
+      end
+
+      should "scrub the specified field, but not other fields" do
+        Loofah.expects(:scrub_document).with(HTML_STRING, :strip).once
+        Loofah.expects(:scrub_document).with(PLAIN_TEXT, :strip).never
+        @post.save
+      end
+    end
+
+    context "not passing any options" do
+      should "raise ArgumentError" do
+        assert_raises(ArgumentError) {
+          Post.html_fragment :foo
+        }
+      end
+    end
+
+    context "not passing :scrub option" do
+      should "raise ArgumentError" do
+        assert_raise(ArgumentError) {
+          Post.html_fragment :foo, :bar => :quux
+        }
+      end
+    end
+
+    context "passing a :scrub option" do
+      should "not raise ArgumentError" do
+        assert_nothing_raised {
+          Post.html_fragment :foo, :scrub => :quux
+        }
+      end
+    end
+
+  end
+
+end

data/test/test_api.rb

@@ -0,0 +1,51 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+class TestApi < Test::Unit::TestCase
+
+  HTML = "<div>a</div>\n<div>b</div>"
+
+  def test_loofah_document
+    doc = Loofah.document(HTML)
+    assert_html_documentish doc
+  end
+
+  def test_loofah_fragment
+    doc = Loofah.fragment(HTML)
+    assert_html_fragmentish doc
+  end
+
+  def test_loofah_html_document_parse_method
+    doc = Loofah::HTML::Document.parse(HTML)
+    assert_html_documentish doc
+  end
+
+  def test_loofah_html_document_fragment_parse_method
+    doc = Loofah::HTML::DocumentFragment.parse(HTML)
+    assert_html_fragmentish doc
+  end
+
+  def test_loofah_document_scrub!
+    doc = Loofah.document(HTML).scrub!(:strip)
+    assert_html_documentish doc
+  end
+
+  def test_loofah_fragment_scrub!
+    doc = Loofah.fragment(HTML).scrub!(:strip)
+    assert_html_fragmentish doc
+  end
+
+  private
+
+  def assert_html_documentish(doc)
+    assert_kind_of Nokogiri::HTML::Document, doc
+    assert_kind_of Loofah::HTML::Document,   doc
+    assert_equal HTML, doc.xpath("/html/body").inner_html
+  end
+
+  def assert_html_fragmentish(doc)
+    assert_kind_of Nokogiri::HTML::DocumentFragment, doc
+    assert_kind_of Loofah::HTML::DocumentFragment,   doc
+    assert_equal HTML, doc.inner_html
+  end
+
+end

data/test/test_deprecated_basic.rb

@@ -0,0 +1,68 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+class TestDeprecatedBasic < Test::Unit::TestCase
+
+  def test_empty_string
+    assert_equal "", Loofah.sanitize("")
+  end
+
+  def test_removal_of_illegal_tag
+    html = <<-HTML
+      following this there should be no jim tag
+      <jim>jim</jim>
+      was there?
+    HTML
+    sane = Nokogiri::HTML(Loofah.sanitize(html))
+    assert sane.xpath("//jim").empty?
+  end
+  
+  def test_removal_of_illegal_attribute
+    html = "<p class=bar foo=bar abbr=bar />"
+    sane = Nokogiri::HTML(Loofah.sanitize(html))
+    node = sane.xpath("//p").first
+    assert node.attributes['class']
+    assert node.attributes['abbr']
+    assert_nil node.attributes['foo']
+  end
+  
+  def test_removal_of_illegal_url_in_href
+    html = <<-HTML
+      <a href='jimbo://jim.jim/'>this link should have its href removed because of illegal url</a>
+      <a href='http://jim.jim/'>this link should be fine</a>
+    HTML
+    sane = Nokogiri::HTML(Loofah.sanitize(html))
+    nodes = sane.xpath("//a")
+    assert_nil nodes.first.attributes['href']
+    assert nodes.last.attributes['href']
+  end
+  
+  def test_css_sanitization
+    html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
+    sane = Nokogiri::HTML(Loofah.sanitize(html))
+    assert_match(/#000/, sane.inner_html)
+    assert_no_match(/foo\.com/, sane.inner_html)
+  end
+
+  def test_fragment_with_no_tags
+    assert_equal "This fragment has no tags.", Loofah.sanitize("This fragment has no tags.")
+  end
+
+  def test_fragment_in_p_tag
+    assert_equal "<p>This fragment is in a p.</p>", Loofah.sanitize("<p>This fragment is in a p.</p>")
+  end
+
+  def test_fragment_in_p_tag_plus_stuff
+    assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", Loofah.sanitize("<p>This fragment is in a p.</p>foo<strong>bar</strong>")
+  end
+
+  def test_fragment_with_text_nodes_leading_and_trailing
+    assert_equal "text<p>fragment</p>text", Loofah.sanitize("text<p>fragment</p>text")
+  end
+  
+  def test_whitewash_on_fragment
+    html = "safe<frameset rows=\"*\"><frame src=\"http://example.com\"></frameset> <b>description</b>"
+    whitewashed = Loofah.whitewash_document(html)
+    assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
+  end
+
+end

data/test/test_microsofty.rb

@@ -0,0 +1,91 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+class TestMicrosofty < Test::Unit::TestCase
+
+  MSWORD_HTML = <<-EOHTML
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
+<w:WordDocument>
+ <w:View>Normal</w:View>
+ <w:Zoom>0</w:Zoom>
+ <w:PunctuationKerning/>
+ <w:ValidateAgainstSchemas/>
+ <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
+ <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
+ <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
+ <w:Compatibility>
+  <w:BreakWrappedTables/>
+  <w:SnapToGridInCell/>
+  <w:WrapTextWithPunct/>
+  <w:UseAsianBreakRules/>
+  <w:DontGrowAutofit/>
+ </w:Compatibility>
+ <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
+</w:WordDocument>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
+</w:LatentStyles>
+</xml><![endif]--><style>
+<!--
+/* Style Definitions */
+p.MsoNormal, li.MsoNormal, div.MsoNormal
+{mso-style-parent:"";
+margin:0in;
+margin-bottom:.0001pt;
+mso-pagination:widow-orphan;
+font-size:12.0pt;
+font-family:"Times New Roman";
+mso-fareast-font-family:"Times New Roman";}
+@page Section1
+{size:8.5in 11.0in;
+margin:1.0in 1.25in 1.0in 1.25in;
+mso-header-margin:.5in;
+mso-footer-margin:.5in;
+mso-paper-source:0;}
+div.Section1
+{page:Section1;}
+-->
+</style><!--[if gte mso 10]>
+<style>
+/* Style Definitions */
+table.MsoNormalTable
+{mso-style-name:"Table Normal";
+mso-tstyle-rowband-size:0;
+mso-tstyle-colband-size:0;
+mso-style-noshow:yes;
+mso-style-parent:"";
+mso-padding-alt:0in 5.4pt 0in 5.4pt;
+mso-para-margin:0in;
+mso-para-margin-bottom:.0001pt;
+mso-pagination:widow-orphan;
+font-size:10.0pt;
+font-family:"Times New Roman";
+mso-ansi-language:#0400;
+mso-fareast-language:#0400;
+mso-bidi-language:#0400;}
+</style>
+<![endif]-->
+
+<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>
+  EOHTML
+
+  def test_deprecated_whitewash_fragment_on_microsofty_markup
+    whitewashed = Loofah.whitewash(MSWORD_HTML.chomp)
+    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed
+  end
+
+  def test_deprecated_whitewash_on_microsofty_markup
+    whitewashed = Loofah.whitewash_document(MSWORD_HTML)
+    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed
+  end
+
+  def test_fragment_whitewash_on_microsofty_markup
+    whitewashed = Loofah.fragment(MSWORD_HTML.chomp).scrub!(:whitewash)
+    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s
+  end
+
+  def test_document_whitewash_on_microsofty_markup
+    whitewashed = Loofah.document(MSWORD_HTML.chomp).scrub!(:whitewash)
+    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s
+  end
+
+end

data/test/test_scrubber.rb

@@ -0,0 +1,100 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+class TestScrubber < Test::Unit::TestCase
+
+  [ Loofah::HTML::Document, Loofah::HTML::DocumentFragment ].each do |klass|
+    define_method "test_#{klass}_bad_sanitize_method" do
+      doc = klass.parse "<p>foo</p>"
+      assert_raises(ArgumentError) { doc.scrub! :frippery }
+    end
+  end
+
+  INVALID_FRAGMENT = "<invalid>foo<p>bar</p>bazz</invalid><div>quux</div>"
+  INVALID_ESCAPED  = "&lt;invalid&gt;foo&lt;p&gt;bar&lt;/p&gt;bazz&lt;/invalid&gt;<div>quux</div>"
+  INVALID_PRUNED   = "<div>quux</div>"
+  INVALID_STRIPPED = "foo<p>bar</p>bazz<div>quux</div>"
+
+  WHITEWASH_FRAGMENT = "<o:div>no</o:div><div id='no'>foo</div><invalid>bar</invalid>"
+  WHITEWASH_RESULT   = "<div>foo</div>"
+
+  def test_document_escape_bad_tags
+    doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
+    result = doc.scrub! :escape
+
+    assert_equal INVALID_ESCAPED, doc.xpath('/html/body').inner_html
+    assert_equal doc, result
+  end
+
+  def test_fragment_escape_bad_tags
+    doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
+    result = doc.scrub! :escape
+
+    assert_equal INVALID_ESCAPED, doc.xpath("./div").inner_html
+    assert_equal doc, result
+  end
+
+  def test_document_prune_bad_tags
+    doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
+    result = doc.scrub! :prune
+
+    assert_equal INVALID_PRUNED, doc.xpath('/html/body').inner_html
+    assert_equal doc, result
+  end
+
+  def test_fragment_prune_bad_tags
+    doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
+    result = doc.scrub! :prune
+
+    assert_equal INVALID_PRUNED, doc.xpath("./div").inner_html
+    assert_equal doc, result
+  end
+
+  def test_document_strip_bad_tags
+    doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
+    result = doc.scrub! :strip
+
+    assert_equal INVALID_STRIPPED, doc.xpath('/html/body').inner_html
+    assert_equal doc, result
+  end
+
+  def test_fragment_strip_bad_tags
+    doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
+    result = doc.scrub! :strip
+
+    assert_equal INVALID_STRIPPED, doc.xpath("./div").inner_html
+    assert_equal doc, result
+  end
+
+  def test_document_whitewash
+    doc = Loofah::HTML::Document.parse "<html><body>#{WHITEWASH_FRAGMENT}</body></html>"
+    result = doc.scrub! :whitewash
+
+    assert_equal WHITEWASH_RESULT, doc.xpath('/html/body').inner_html
+    assert_equal doc, result
+  end
+
+  def test_fragment_whitewash
+    doc = Loofah::HTML::DocumentFragment.parse "<div>#{WHITEWASH_FRAGMENT}</div>"
+    result = doc.scrub! :whitewash
+
+    assert_equal WHITEWASH_RESULT, doc.xpath("./div").inner_html
+    assert_equal doc, result
+  end
+
+  def test_fragment_shortcut
+    doc = mock
+    Loofah.expects(:fragment).with(:string_or_io).returns(doc)
+    doc.expects(:scrub!).with(:method)
+
+    Loofah.scrub_fragment(:string_or_io, :method)
+  end
+
+  def test_document_shortcut
+    doc = mock
+    Loofah.expects(:document).with(:string_or_io).returns(doc)
+    doc.expects(:scrub!).with(:method)
+
+    Loofah.scrub_document(:string_or_io, :method)
+  end
+
+end

data/test/test_strip_tags.rb

@@ -0,0 +1,36 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
+
+class TestStripTags < Test::Unit::TestCase
+
+  def test_empty_string
+    assert_equal Loofah.strip_tags(""), ""
+  end
+  
+  def test_return_empty_string_when_nothing_left
+    assert_equal "", Loofah.strip_tags('<script>test</script>')
+  end
+  
+  def test_removal_of_all_tags
+    html = <<-HTML
+      What's up <strong>doc</strong>?
+    HTML
+    stripped = Loofah.strip_tags(html)
+    assert_equal "What's up doc?".strip, stripped.strip
+  end
+  
+  def test_dont_remove_whitespace
+    html = "Foo\nBar"
+    assert_equal html, Loofah.strip_tags(html)
+  end
+  
+  def test_dont_remove_whitespace_between_tags
+    html = "<p>Foo</p>\n<p>Bar</p>"
+    assert_equal "Foo\nBar", Loofah.strip_tags(html)
+  end
+  
+  def test_removal_of_entities
+    html = "<p>this is &lt; that &quot;&amp;&quot; the other &gt; boo&apos;ya</p>"
+    assert_equal 'this is < that "&" the other > boo\'ya', Loofah.strip_tags(html)
+  end
+  
+end

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification 
+name: loofah
+version: !ruby/object:Gem::Version 
+  version: 0.2.0
+platform: ruby
+authors: 
+- Mike Dalessio
+- Bryan Helmkamp
+autorequire: 
+bindir: bin
+cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDPDCCAiSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBEMRYwFAYDVQQDDA1taWtl
+  LmRhbGVzc2lvMRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJk/IsZAEZ
+  FgNjb20wHhcNMDkwODExMDU0MjQ5WhcNMTAwODExMDU0MjQ5WjBEMRYwFAYDVQQD
+  DA1taWtlLmRhbGVzc2lvMRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJ
+  k/IsZAEZFgNjb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDANjr7
+  lZ1DKtK8YvNp+5kBzIpwrpClHRrosqo01qmWfGBxZckQUtrJUwGPxpzvIHVq1VKp
+  a9FXU/QWYek/1S0vhkOf9XGmFBnVCtbJhwGeyzsQFFSoQIfs2hd5gO0dSRpuKdi3
+  slfJAXzFKg1u/7OCVPgrY/mkdh34MzL5p0gSDzPt7vLPibctHg0GoepYT5Fh1tMQ
+  luzgrN0weTw/QoEWTMQcNk6CyUpzv0pOe7d0qEPQ9Lx7Lz64gIym3f0pKFpWLfME
+  l7PFLeR95zw2zsuZQwCR5ma5zjXD3mo2jk1mVqiI8qplOL1u30FU7hRhTV5n/Qe9
+  elDQoZW9Xz0R5JGDAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0G
+  A1UdDgQWBBRXWlUJZXcR1jkZPE24+mjUTCqNxjANBgkqhkiG9w0BAQUFAAOCAQEA
+  jDh5M41sg1MZKG1DXzQmo/IADeWRmXyb3EZaED9lhFFpoQqaralgpgmvuc0GswvO
+  QIZijh03tPQz8lgp1U1OFZod2ZwbEVTtVZpxs1ssjMraOA6KzlsNROH0XonIiy6j
+  r2Q0UF35ax8pvr3D5Y6AKzIW1F3aeiREylUDJlb/i1dPQ2PVK0yRrSQoK2epwM9E
+  zoczlHTTJc/tRvH5Up3Agcv9y+J0U9a1Af9NRsnHPVBdo2H32MsJ99x5NRDWJmJg
+  ohH37UR7njcc6j4fo22IwTqXaaXJdtVdAWjXP/xs5B3cPYSP6uqFnR46Jf86Iqj1
+  FlqnTjy13J3nD30uxy9a1g==
+  -----END CERTIFICATE-----
+
+date: 2009-08-11 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: nokogiri
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.3.3
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 2.3.3
+    version: 
+description: |-
+  Loofah is an HTML sanitizer. It will *always* fix broken markup, but
+  can also sanitize unsafe tags in a few different ways, and transform
+  the markup for storage or display.
+  
+  It's built on top of Nokogiri and libxml2, so it's fast. And it uses
+  html5lib's whitelist, so it most likely won't make your codes less
+  secure.
+  
+  (These statements have not been evaluated by Internet Experts.)
+  
+  This library was formerly known as Dryopteris.
+email: 
+- mike.dalessio@gmail.com
+- bryan@brynary.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- MIT-LICENSE.txt
+- Manifest.txt
+- TODO.rdoc
+- CHANGELOG.rdoc
+- README.rdoc
+files: 
+- CHANGELOG.rdoc
+- MIT-LICENSE.txt
+- Manifest.txt
+- README.rdoc
+- Rakefile
+- TODO.rdoc
+- benchmark/benchmark.rb
+- benchmark/fragment.html
+- benchmark/www.slashdot.com.html
+- init.rb
+- lib/loofah.rb
+- lib/loofah/active_record.rb
+- lib/loofah/deprecated.rb
+- lib/loofah/html/document.rb
+- lib/loofah/html/document_fragment.rb
+- lib/loofah/html5/scrub.rb
+- lib/loofah/html5/whitelist.rb
+- lib/loofah/scrubber.rb
+- test/helper.rb
+- test/html5/test_deprecated_sanitizer.rb
+- test/html5/test_sanitizer.rb
+- test/html5/testdata/tests1.dat
+- test/test_active_record.rb
+- test/test_api.rb
+- test/test_deprecated_basic.rb
+- test/test_microsofty.rb
+- test/test_scrubber.rb
+- test/test_strip_tags.rb
+has_rdoc: true
+homepage: http://rubyforge.org/projects/loofah
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: loofah
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Loofah is an HTML sanitizer
+test_files: 
+- test/test_deprecated_basic.rb
+- test/test_scrubber.rb
+- test/test_strip_tags.rb
+- test/test_api.rb
+- test/html5/test_sanitizer.rb
+- test/html5/test_deprecated_sanitizer.rb
+- test/test_active_record.rb
+- test/test_microsofty.rb