loofah 1.0.0 → 2.19.1

data/lib/loofah.rb

@@ -1,23 +1,24 @@
+# frozen_string_literal: true
 $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__))) unless $LOAD_PATH.include?(File.expand_path(File.dirname(__FILE__)))
 
-require 'nokogiri'
+require "nokogiri"
 
-require 'loofah/metahelpers'
-require 'loofah/elements'
+require_relative "loofah/version"
+require_relative "loofah/metahelpers"
+require_relative "loofah/elements"
 
-require 'loofah/html5/whitelist'
-require 'loofah/html5/scrub'
+require_relative "loofah/html5/safelist"
+require_relative "loofah/html5/libxml2_workarounds"
+require_relative "loofah/html5/scrub"
 
-require 'loofah/scrubber'
-require 'loofah/scrubbers'
+require_relative "loofah/scrubber"
+require_relative "loofah/scrubbers"
 
-require 'loofah/instance_methods'
-require 'loofah/xml/document'
-require 'loofah/xml/document_fragment'
-require 'loofah/html/document'
-require 'loofah/html/document_fragment'
-
-require 'loofah/helpers'
+require_relative "loofah/instance_methods"
+require_relative "loofah/xml/document"
+require_relative "loofah/xml/document_fragment"
+require_relative "loofah/html/document"
+require_relative "loofah/html/document_fragment"
 
 # == Strings and IO Objects as Input
 #
@@ -28,17 +29,11 @@ require 'loofah/helpers'
 # quantities of docs.
 #
 module Loofah
-  # The version of Loofah you are using
-  VERSION = '1.0.0'
-
-  # The minimum required version of Nokogiri
-  REQUIRED_NOKOGIRI_VERSION = '1.3.3'
-
   class << self
     # Shortcut for Loofah::HTML::Document.parse
     # This method accepts the same parameters as Nokogiri::HTML::Document.parse
     def document(*args, &block)
-      Loofah::HTML::Document.parse(*args, &block)
+      remove_comments_before_html_element Loofah::HTML::Document.parse(*args, &block)
     end
 
     # Shortcut for Loofah::HTML::DocumentFragment.parse
@@ -79,9 +74,27 @@ module Loofah
       Loofah.xml_document(string_or_io).scrub!(method)
     end
 
-  end
-end
+    # A helper to remove extraneous whitespace from text-ified HTML
+    def remove_extraneous_whitespace(string)
+      string.gsub(/\n\s*\n\s*\n/, "\n\n")
+    end
 
-if Nokogiri::VERSION < Loofah::REQUIRED_NOKOGIRI_VERSION
-  raise RuntimeError, "Loofah requires Nokogiri #{Loofah::REQUIRED_NOKOGIRI_VERSION} or later (currently #{Nokogiri::VERSION})"
+    private
+
+    # remove comments that exist outside of the HTML element.
+    #
+    # these comments are allowed by the HTML spec:
+    #
+    #    https://www.w3.org/TR/html401/struct/global.html#h-7.1
+    #
+    # but are not scrubbed by Loofah because these nodes don't meet
+    # the contract that scrubbers expect of a node (e.g., it can be
+    # replaced, sibling and children nodes can be created).
+    def remove_comments_before_html_element(doc)
+      doc.children.each do |child|
+        child.unlink if child.comment?
+      end
+      doc
+    end
+  end
 end

metadata

@@ -1,220 +1,207 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: loofah
-version: !ruby/object:Gem::Version 
-  hash: 23
-  prerelease: false
-  segments: 
-  - 1
-  - 0
-  - 0
-  version: 1.0.0
+version: !ruby/object:Gem::Version
+  version: 2.19.1
 platform: ruby
-authors: 
+authors:
 - Mike Dalessio
 - Bryan Helmkamp
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2010-10-26 00:00:00 -04:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: nokogiri
+date: 2022-12-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: crass
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
   prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 29
-        segments: 
-        - 1
-        - 3
-        - 3
-        version: 1.3.3
+      - !ruby/object:Gem::Version
+        version: 1.5.9
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: rubyforge
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 7
-        segments: 
-        - 2
-        - 0
-        - 4
-        version: 2.0.4
+      - !ruby/object:Gem::Version
+        version: 1.5.9
+- !ruby/object:Gem::Dependency
+  name: hoe-markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: mocha
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 25
-        segments: 
-        - 0
-        - 9
-        version: "0.9"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: shoulda
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 23
-        segments: 
-        - 2
-        - 10
-        version: "2.10"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
   name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 27
-        segments: 
-        - 0
-        - 8
-        version: "0.8"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: hoe
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 21
-        segments: 
-        - 2
-        - 6
-        - 1
-        version: 2.6.1
+      - !ruby/object:Gem::Version
+        version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+- !ruby/object:Gem::Dependency
+  name: rr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
   type: :development
-  version_requirements: *id006
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 description: |-
-  Loofah is a general library for manipulating and transforming HTML/XML
-  documents and fragments. It's built on top of Nokogiri and libxml2, so
-  it's fast and has a nice API.
-  
-  Loofah excels at HTML sanitization (XSS prevention). It includes some
-  nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-  most likely won't make your codes less secure. (These statements have
-  not been evaluated by Netexperts.)
-  
-  ActiveRecord extensions for sanitization are available in the
-  `loofah-activerecord` gem (see
-  http://github.com/flavorjones/loofah-activerecord).
-email: 
+  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
+
+  Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
+
+  ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
-- MIT-LICENSE.txt
-- Manifest.txt
-- CHANGELOG.rdoc
-- README.rdoc
-files: 
-- CHANGELOG.rdoc
-- Gemfile
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
 - MIT-LICENSE.txt
-- Manifest.txt
-- README.rdoc
-- Rakefile
-- benchmark/benchmark.rb
-- benchmark/fragment.html
-- benchmark/helper.rb
-- benchmark/www.slashdot.com.html
+- README.md
+- SECURITY.md
 - lib/loofah.rb
 - lib/loofah/elements.rb
 - lib/loofah/helpers.rb
 - lib/loofah/html/document.rb
 - lib/loofah/html/document_fragment.rb
+- lib/loofah/html5/libxml2_workarounds.rb
+- lib/loofah/html5/safelist.rb
 - lib/loofah/html5/scrub.rb
-- lib/loofah/html5/whitelist.rb
 - lib/loofah/instance_methods.rb
 - lib/loofah/metahelpers.rb
 - lib/loofah/scrubber.rb
 - lib/loofah/scrubbers.rb
+- lib/loofah/version.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
-- test/helper.rb
-- test/html5/test_sanitizer.rb
-- test/integration/test_ad_hoc.rb
-- test/integration/test_helpers.rb
-- test/integration/test_html.rb
-- test/integration/test_scrubbers.rb
-- test/integration/test_xml.rb
-- test/unit/test_api.rb
-- test/unit/test_helpers.rb
-- test/unit/test_scrubber.rb
-- test/unit/test_scrubbers.rb
-has_rdoc: true
-homepage: http://github.com/flavorjones/loofah
-licenses: []
-
+homepage: https://github.com/flavorjones/loofah
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/flavorjones/loofah
+  source_code_uri: https://github.com/flavorjones/loofah
+  bug_tracker_uri: https://github.com/flavorjones/loofah/issues
+  changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/loofah/
 post_install_message: 
-rdoc_options: 
-- --main
-- README.rdoc
-require_paths: 
+rdoc_options: []
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
-rubyforge_project: loofah
-rubygems_version: 1.3.7
+rubygems_version: 3.3.7
 signing_key: 
-specification_version: 3
-summary: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments
-test_files: 
-- test/integration/test_html.rb
-- test/integration/test_ad_hoc.rb
-- test/integration/test_helpers.rb
-- test/integration/test_scrubbers.rb
-- test/integration/test_xml.rb
-- test/html5/test_sanitizer.rb
-- test/unit/test_scrubber.rb
-- test/unit/test_helpers.rb
-- test/unit/test_scrubbers.rb
-- test/unit/test_api.rb
+specification_version: 4
+summary: Loofah is a general library for manipulating and transforming HTML/XML documents
+  and fragments, built on top of Nokogiri
+test_files: []

data/CHANGELOG.rdoc

@@ -1,134 +0,0 @@
-= Changelog
-
-== 1.0.0 (2010-10-26)
-
-Notes:
-
-* Moved ActiveRecord functionality into `loofah-activerecord` gem.
-* Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
-
-== 0.4.7 (2010-03-09)
-
-Enhancements:
-
-* New methods Loofah::HTML::Document#to_text and
-  Loofah::HTML::DocumentFragment#to_text do the right thing with
-  whitespace. Note that these methods are significantly slower than
-  #text. GH #12
-* Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
-* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
-  will return unescaped HTML entities by passing :encode_special_chars => false.
-
-== 0.4.4, 0.4.5, 0.4.6 (2010-02-01)
-
-Enhancements:
-
-* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.
-
-Bug fixes:
-
-* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
-
-== 0.4.3 (2010-01-29)
-
-Enhancements:
-
-* All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
-* Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
-
-Miscellaneous:
-
-* Modified documentation for bootstrapping XssFoliate in a Rails app,
-  since the use of Bundler breaks the previously-documented method. To
-  be safe, always use an initializer file.
-
-== 0.4.2 (2010-01-22)
-
-Enhancements:
-
-* Implemented Node#scrub! for scrubbing subtrees.
-* Implemented NodeSet#scrub! for scrubbing a set of subtrees.
-* Document.text now only serializes <body> contents (ignores <head>)
-* <head>, <html> and <body> added to the HTML5lib whitelist.
-
-Bug fixes:
-
-* Supporting Rails apps that aren't loading ActiveRecord. GH #10
-
-Miscellaneous:
-
-* Mailing list is now loofah@librelist.com / http://librelist.com
-* IRC channel is now \#loofah on freenode.
-
-== 0.4.1 (2009-11-23)
-
-Bugfix:
-
-* Manifest fixed. Whoops.
-
-== 0.4.0 (2009-11-21)
-
-Enhancements:
-
-* Scrubber class introduced, allowing development of custom scrubbers.
-* Added support for XML documents and fragments.
-* Added :nofollow HTML scrubber (thanks Luke Melia!)
-* Built-in scrubbing methods refactored to use Scrubber.
-
-== 0.3.1 (2009-10-12)
-
-Bug fixes:
-
-* Scrubbed Documents properly render html, head and body tags when serialized.
-
-== 0.3.0 (2009-10-06)
-
-Enhancements:
-
-* New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master].
-* Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
-* Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.
-
-Deprecations:
-
-* The methods strip_tags, whitewash, whitewash_document, sanitize, and
-  sanitize_document have been deprecated. See DEPRECATED.rdoc for
-  details on the equivalent calls with the post-0.2 API.
-
-== 0.2.2 (2009-09-30)
-
-Enhancements:
-
-* ActiveRecord extension scrubs fields in a before_validation callback
-  (was previously in a before_save)
-
-== 0.2.1 (2009-09-19)
-
-Enhancements:
-
-* when loaded in a Rails app, automatically extend ActiveRecord::Base
-  with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
-
-Bugfixes:
-
-* ActiveRecord scrubbing should generate strings instead of Document or
-  DocumentFragment objects. GH #5
-* init.rb fixed to support installation as a Rails plugin. GH #6
-  (Thanks Josh Nichols!)
-
-== 0.2.0 (2009-09-11)
-
-* Swank new API.
-* ActiveRecord extension.
-* Uses Nokogiri's Document and DocumentFragment for parsing.
-* Updated html5lib codes and tests to revision 1384:b9d3153d7be7.
-* Deprecated the Dryopteris sanitization methods. Will be removed in 0.3.0.
-* Documentation! Hey!
-
-== 0.1.2 (2009-04-30)
-
-* Added whitewashing -- removal of all attributes and namespaced nodes. You know, for microsofty HTML.
-
-== 0.1.0 (2009-02-10)
-
-* Birthday!

data/Gemfile

@@ -1 +0,0 @@
-gemspec

data/Manifest.txt

@@ -1,34 +0,0 @@
-CHANGELOG.rdoc
-Gemfile
-MIT-LICENSE.txt
-Manifest.txt
-README.rdoc
-Rakefile
-benchmark/benchmark.rb
-benchmark/fragment.html
-benchmark/helper.rb
-benchmark/www.slashdot.com.html
-lib/loofah.rb
-lib/loofah/elements.rb
-lib/loofah/helpers.rb
-lib/loofah/html/document.rb
-lib/loofah/html/document_fragment.rb
-lib/loofah/html5/scrub.rb
-lib/loofah/html5/whitelist.rb
-lib/loofah/instance_methods.rb
-lib/loofah/metahelpers.rb
-lib/loofah/scrubber.rb
-lib/loofah/scrubbers.rb
-lib/loofah/xml/document.rb
-lib/loofah/xml/document_fragment.rb
-test/helper.rb
-test/html5/test_sanitizer.rb
-test/integration/test_ad_hoc.rb
-test/integration/test_helpers.rb
-test/integration/test_html.rb
-test/integration/test_scrubbers.rb
-test/integration/test_xml.rb
-test/unit/test_api.rb
-test/unit/test_helpers.rb
-test/unit/test_scrubber.rb
-test/unit/test_scrubbers.rb