loofah 1.1.0 → 1.2.0


@@ -1,5 +1,12 @@
1
1
  = Changelog
2
2
 
3
+ == 1.2.0 (2011-08-08)
4
+
5
+ Enhancements:
6
+
7
+ * Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
8
+ * Improving ActionView integration.
9
+
3
10
  == 1.1.0 (2011-08-08)
4
11
 
5
12
  Enhancements:
@@ -1,8 +1,8 @@
1
1
  = Loofah
2
2
 
3
3
  * http://github.com/flavorjones/loofah
4
- * http://loofah.rubyforge.org
5
- * http://rubyforge.org/projects/loofah
4
+ * http://rubydoc.info/github/flavorjones/loofah/master/frames
5
+ * http://librelist.com/browser/loofah
6
6
 
7
7
  == Description
8
8
 
@@ -29,7 +29,7 @@ require 'loofah/helpers'
29
29
  #
30
30
  module Loofah
31
31
  # The version of Loofah you are using
32
- VERSION = '1.1.0'
32
+ VERSION = '1.2.0'
33
33
 
34
34
  class << self
35
35
  # Shortcut for Loofah::HTML::Document.parse
@@ -16,7 +16,19 @@ module Loofah
16
16
  # Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
17
17
  #
18
18
  def sanitize(string_or_io)
19
- Loofah.scrub_fragment(string_or_io, :strip).to_s
19
+ loofah_fragment = Loofah.fragment(string_or_io)
20
+ loofah_fragment.scrub!(:strip)
21
+ loofah_fragment.xpath("./form").each { |form| form.remove }
22
+ loofah_fragment.to_s
23
+ end
24
+
25
+ #
26
+ # A replacement for Rails's built-in +sanitize_css+ helper.
27
+ #
28
+ # Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
29
+ #
30
+ def sanitize_css style_string
31
+ ::Loofah::HTML5::Scrub.scrub_css style_string
20
32
  end
21
33
 
22
34
  #
@@ -26,5 +38,55 @@ module Loofah
26
38
  string.gsub(/\n\s*\n\s*\n/,"\n\n")
27
39
  end
28
40
  end
41
+
42
+ module ActionView
43
+ module ClassMethods # :nodoc:
44
+ def full_sanitizer
45
+ @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
46
+ end
47
+
48
+ def white_list_sanitizer
49
+ @white_list_sanitizer ||= ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
50
+ end
51
+ end
52
+
53
+ #
54
+ # Replacement class for Rails's HTML::FullSanitizer.
55
+ #
56
+ # To use by default, call this in an application initializer:
57
+ #
58
+ # ActionView::Helpers::SanitizeHelper.full_sanitizer = ::Loofah::Helpers::ActionView::FullSanitizer.new
59
+ #
60
+ # Or, to generally opt-in to Loofah's view sanitizers:
61
+ #
62
+ # Loofah::Helpers::ActionView.set_as_default_sanitizer
63
+ #
64
+ class FullSanitizer
65
+ def sanitize html, *args
66
+ Loofah::Helpers.strip_tags html
67
+ end
68
+ end
69
+
70
+ #
71
+ # Replacement class for Rails's HTML::WhiteListSanitizer.
72
+ #
73
+ # To use by default, call this in an application initializer:
74
+ #
75
+ # ActionView::Helpers::SanitizeHelper.white_list_sanitizer = ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
76
+ #
77
+ # Or, to generally opt-in to Loofah's view sanitizers:
78
+ #
79
+ # Loofah::Helpers::ActionView.set_as_default_sanitizer
80
+ #
81
+ class WhiteListSanitizer
82
+ def sanitize html, *args
83
+ Loofah::Helpers.sanitize html
84
+ end
85
+
86
+ def sanitize_css style_string, *args
87
+ Loofah::Helpers.sanitize_css style_string
88
+ end
89
+ end
90
+ end
29
91
  end
30
92
  end
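Review bot: The form removal added to `sanitize` only reaches `<form>` elements that are direct children of the fragment, because `xpath("./form")` does not descend; a form nested inside any other element (a `<div>`, for instance) survives, which is at odds with the integration test's claim that form tags are stripped. Using the descendant axis, `loofah_fragment.xpath(".//form").each(&:remove)`, removes forms at any depth; the unit-test mock on `xpath("./form")` and the integration test's "strips form tags" case would need to follow, and an assertion with a form nested inside a `<div>` would pin the behaviour. Separately, the class comments on FullSanitizer and WhiteListSanitizer point users at `Loofah::Helpers::ActionView.set_as_default_sanitizer`, but no such method is defined in this hunk; if it lives elsewhere the comment should say where, otherwise it should be defined or the reference dropped. The enclosing module (Loofah::Helpers, judging by the method references) starts outside the hunk.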
@@ -1,7 +1,7 @@
1
1
  require "helper"
2
2
 
3
3
  class IntegrationTestHelpers < Loofah::TestCase
4
- context "#strip_tags" do
4
+ context ".strip_tags" do
5
5
  context "on safe markup" do
6
6
  it "strip out tags" do
7
7
  assert_equal "omgwtfbbq!!1!", Loofah::Helpers.strip_tags("<div>omgwtfbbq</div><span>!!1!</span>")
@@ -16,7 +16,7 @@ class IntegrationTestHelpers < Loofah::TestCase
16
16
  end
17
17
  end
18
18
 
19
- context "#sanitize" do
19
+ context ".sanitize" do
20
20
  context "on safe markup" do
21
21
  it "render the safe html" do
22
22
  html = "<div>omgwtfbbq</div><span>!!1!</span>"
@@ -28,6 +28,16 @@ class IntegrationTestHelpers < Loofah::TestCase
28
28
  it "strip the unsafe tags" do
29
29
  assert_equal "alert('evil')<span>w00t</span>", Loofah::Helpers.sanitize("<script>alert('evil')</script><span>w00t</span>")
30
30
  end
31
+
32
+ it "strips form tags" do
33
+ assert_equal "alert('evil')<span>w00t</span>", Loofah::Helpers.sanitize("<script>alert('evil')</script><form action=\"/foo/bar\" method=\"post\"><input></form><span>w00t</span>")
34
+ end
35
+ end
36
+ end
37
+
38
+ context ".sanitize_css" do
39
+ it "removes unsafe css properties" do
40
+ assert_equal "display: block; background-color: blue;", Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg);background-color:blue")
31
41
  end
32
42
  end
33
43
  end
@@ -4,24 +4,59 @@ class UnitTestHelpers < Loofah::TestCase
4
4
 
5
5
  HTML_STRING = "<div>omgwtfbbq</div>"
6
6
 
7
- context "#strip_tags" do
8
- it "invoke Loofah.fragment.text" do
9
- mock_doc = Object.new
10
- mock(Loofah).fragment(HTML_STRING) { mock_doc }
11
- mock(mock_doc).text
7
+ describe "Helpers" do
8
+ context ".strip_tags" do
9
+ it "invoke Loofah.fragment.text" do
10
+ mock_doc = Object.new
11
+ mock(Loofah).fragment(HTML_STRING) { mock_doc }
12
+ mock(mock_doc).text
12
13
 
13
- Loofah::Helpers.strip_tags HTML_STRING
14
+ Loofah::Helpers.strip_tags HTML_STRING
15
+ end
14
16
  end
15
- end
16
17
 
17
- context "#sanitize" do
18
- it "invoke Loofah.scrub_fragment(:strip).to_s" do
19
- mock_doc = Object.new
20
- mock(Loofah).fragment(HTML_STRING) { mock_doc }
21
- mock(mock_doc).scrub!(:strip) { mock_doc }
22
- mock(mock_doc).to_s
18
+ context ".sanitize" do
19
+ it "invoke Loofah.scrub_fragment(:strip).to_s" do
20
+ mock_doc = Object.new
21
+ mock_node = Object.new
22
+ mock(Loofah).fragment(HTML_STRING) { mock_doc }
23
+ mock(mock_doc).scrub!(:strip) { mock_doc }
24
+ mock(mock_doc).xpath("./form") { [mock_node] }
25
+ mock(mock_node).remove
26
+ mock(mock_doc).to_s
27
+
28
+ Loofah::Helpers.sanitize HTML_STRING
29
+ end
30
+ end
31
+
32
+ context ".sanitize_css" do
33
+ it "invokes HTML5lib's css scrubber" do
34
+ mock(Loofah::HTML5::Scrub).scrub_css("foobar")
35
+ Loofah::Helpers.sanitize_css("foobar")
36
+ end
37
+ end
38
+
39
+ describe "ActionView" do
40
+ describe "FullSanitizer#sanitize" do
41
+ it "calls .strip_tags" do
42
+ mock(Loofah::Helpers).strip_tags("foobar")
43
+ Loofah::Helpers::ActionView::FullSanitizer.new.sanitize "foobar"
44
+ end
45
+ end
46
+
47
+ describe "WhiteListSanitizer#sanitize" do
48
+ it "calls .sanitize" do
49
+ mock(Loofah::Helpers).sanitize("foobar")
50
+ Loofah::Helpers::ActionView::WhiteListSanitizer.new.sanitize "foobar"
51
+ end
52
+ end
23
53
 
24
- Loofah::Helpers.sanitize HTML_STRING
54
+ describe "WhiteListSanitizer#sanitize_css" do
55
+ it "calls .sanitize_css" do
56
+ mock(Loofah::Helpers).sanitize_css("foobar")
57
+ Loofah::Helpers::ActionView::WhiteListSanitizer.new.sanitize_css "foobar"
58
+ end
59
+ end
25
60
  end
26
61
  end
27
62
  end
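Review bot: The example description under the `.sanitize` context still reads `it "invoke Loofah.scrub_fragment(:strip).to_s" do`, while the mocks it sets up now expect `Loofah.fragment`, `scrub!(:strip)`, `xpath("./form")`, `remove` and `to_s`, so the description no longer says what is asserted; something like `it "scrubs the fragment with :strip, removes forms and renders to_s" do` would match the mocks. The ActionView examples pass only a bare string to `sanitize` and `sanitize_css`, so the `*args` those adapters accept are never exercised and a change in how extra options are handled would go unnoticed here. The enclosing `class UnitTestHelpers` starts outside the hunk.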
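--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-hash: 19
+hash: 31
 prerelease:
 segments:
 - 1
-- 1
+- 2
 - 0
-version: 1.1.0
+version: 1.2.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -20,8 +20,6 @@ date: 2011-08-08 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
-prerelease: false
-type: :runtime
 requirement: &id001 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -35,9 +33,9 @@ dependencies:
 version: 1.4.4
 name: nokogiri
 version_requirements: *id001
-- !ruby/object:Gem::Dependency
 prerelease: false
-type: :development
+type: :runtime
+- !ruby/object:Gem::Dependency
 requirement: &id002 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -50,9 +48,9 @@ dependencies:
 version: "0.8"
 name: rake
 version_requirements: *id002
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id003 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -65,9 +63,9 @@ dependencies:
 version: "2.2"
 name: minitest
 version_requirements: *id003
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id004 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -80,9 +78,9 @@ dependencies:
 version: "1.0"
 name: rr
 version_requirements: *id004
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id005 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -94,9 +92,9 @@ dependencies:
 version: "0"
 name: json
 version_requirements: *id005
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id006 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -108,9 +106,9 @@ dependencies:
 version: "0"
 name: hoe-gemspec
 version_requirements: *id006
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id007 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -122,9 +120,9 @@ dependencies:
 version: "0"
 name: hoe-debugging
 version_requirements: *id007
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id008 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -136,9 +134,9 @@ dependencies:
 version: "0"
 name: hoe-bundler
 version_requirements: *id008
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id009 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -150,9 +148,9 @@ dependencies:
 version: "0"
 name: hoe-git
 version_requirements: *id009
-- !ruby/object:Gem::Dependency
 prerelease: false
 type: :development
+- !ruby/object:Gem::Dependency
 requirement: &id010 !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -165,6 +163,8 @@ dependencies:
 version: "2.10"
 name: hoe
 version_requirements: *id010
+prerelease: false
+type: :development
 description: |-
 Loofah is a general library for manipulating and transforming HTML/XML
 documents and fragments. It's built on top of Nokogiri and libxml2, so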