loofah 0.4.2 → 2.25.0

data/lib/loofah/elements.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require "set"
+
+module Loofah
+  module Elements
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new([
+      "address",
+      "blockquote",
+      "center",
+      "dir",
+      "div",
+      "dl",
+      "fieldset",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "hr",
+      "isindex",
+      "menu",
+      "noframes",
+      "noscript",
+      "ol",
+      "p",
+      "pre",
+      "table",
+      "ul",
+    ])
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new([
+      "address",
+      "article",
+      "aside",
+      "blockquote",
+      "canvas",
+      "dd",
+      "div",
+      "dl",
+      "dt",
+      "fieldset",
+      "figcaption",
+      "figure",
+      "footer",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "header",
+      "hgroup",
+      "hr",
+      "li",
+      "main",
+      "nav",
+      "noscript",
+      "ol",
+      "output",
+      "p",
+      "pre",
+      "section",
+      "table",
+      "tfoot",
+      "ul",
+      "video",
+    ])
+
+    # The following elements may also be considered block-level
+    # elements since they may contain block-level elements
+    LOOSE_BLOCK_LEVEL = Set.new([
+      "dd",
+      "dt",
+      "frameset",
+      "li",
+      "tbody",
+      "td",
+      "tfoot",
+      "th",
+      "thead",
+      "tr",
+    ])
+
+    # Elements that aren't block but should generate a newline in #to_text
+    INLINE_LINE_BREAK = Set.new(["br"])
+
+    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
+    BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
+    LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
+  end
+
+  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::Elements)
+end

data/lib/loofah/helpers.rb

@@ -1,22 +1,109 @@
+# frozen_string_literal: true
+
 module Loofah
   module Helpers
     class << self
       #
       #  A replacement for Rails's built-in +strip_tags+ helper.
       #
-      #   Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
+      #    Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
       #
       def strip_tags(string_or_io)
-        Loofah.fragment(string_or_io).text
+        Loofah.html4_fragment(string_or_io).text
       end
 
       #
       #  A replacement for Rails's built-in +sanitize+ helper.
       #
-      #   Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+      #    Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>")
+      #    # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
       #
       def sanitize(string_or_io)
-        Loofah.scrub_fragment(string_or_io, :strip).to_s
+        loofah_fragment = Loofah.html4_fragment(string_or_io)
+        loofah_fragment.scrub!(:strip)
+        loofah_fragment.xpath("./form").each(&:remove)
+        loofah_fragment.to_s
+      end
+
+      #
+      #  A replacement for Rails's built-in +sanitize_css+ helper.
+      #
+      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)")
+      #    # => "display: block;"
+      #
+      def sanitize_css(style_string)
+        ::Loofah::HTML5::Scrub.scrub_css(style_string)
+      end
+
+      #
+      #  A helper to remove extraneous whitespace from text-ified HTML.
+      #
+      #  TODO: remove this in a future major-point-release.
+      #
+      def remove_extraneous_whitespace(string)
+        Loofah.remove_extraneous_whitespace(string)
+      end
+    end
+
+    module ActionView
+      module ClassMethods # :nodoc:
+        def full_sanitizer
+          @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
+        end
+
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+        end
+
+        def white_list_sanitizer
+          warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.")
+          safe_list_sanitizer
+        end
+      end
+
+      #
+      #  Replacement class for Rails's HTML::FullSanitizer.
+      #
+      #  To use by default, call this in an application initializer:
+      #
+      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = \
+      #      Loofah::Helpers::ActionView::FullSanitizer.new
+      #
+      #  Or, to generally opt-in to Loofah's view sanitizers:
+      #
+      #    Loofah::Helpers::ActionView.set_as_default_sanitizer
+      #
+      class FullSanitizer
+        def sanitize(html, *args)
+          Loofah::Helpers.strip_tags(html)
+        end
+      end
+
+      #
+      #  Replacement class for Rails's HTML::WhiteListSanitizer.
+      #
+      #  To use by default, call this in an application initializer:
+      #
+      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \
+      #      Loofah::Helpers::ActionView::SafeListSanitizer.new
+      #
+      #  Or, to generally opt-in to Loofah's view sanitizers:
+      #
+      #    Loofah::Helpers::ActionView.set_as_default_sanitizer
+      #
+      class SafeListSanitizer
+        def sanitize(html, *args)
+          Loofah::Helpers.sanitize(html)
+        end
+
+        def sanitize_css(style_string, *args)
+          Loofah::Helpers.sanitize_css(style_string)
+        end
+      end
+
+      WhiteListSanitizer = SafeListSanitizer
+      if Object.respond_to?(:deprecate_constant)
+        deprecate_constant :WhiteListSanitizer
       end
     end
   end

data/lib/loofah/html4/document.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML4 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML4::Document.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class Document < Nokogiri::HTML4::Document
+      include Loofah::ScrubBehavior::Node
+      include Loofah::DocumentDecorator
+      include Loofah::TextBehavior
+      include Loofah::HtmlDocumentBehavior
+    end
+  end
+end

data/lib/loofah/html4/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML4 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML4::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML4::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::Document.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class Document < Nokogiri::HTML5::Document
+      include Loofah::ScrubBehavior::Node
+      include Loofah::DocumentDecorator
+      include Loofah::TextBehavior
+      include Loofah::HtmlDocumentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML5::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -0,0 +1,28 @@
+# coding: utf-8
+# frozen_string_literal: true
+
+require "set"
+
+module Loofah
+  #
+  #  constants related to working around unhelpful libxml2 behavior
+  #
+  #  ಠ_ಠ
+  #
+  module LibxmlWorkarounds
+    #
+    #  these attributes and qualifying parent tags are determined by the code at:
+    #
+    #    https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
+    #
+    #  see comments about CVE-2018-8048 within the tests for more information
+    #
+    BROKEN_ESCAPING_ATTRIBUTES = Set.new([
+      "href",
+      "action",
+      "src",
+      "name",
+    ])
+    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
+  end
+end