loofah 1.2.1 → 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: fd62f1a9a9c2c83eb28fb849b22375ed149287df
+  data.tar.gz: 6672bfebfdf0af96d2351c408a4bc81a362ed029
+SHA512:
+  metadata.gz: 3e956204c9e823f5a1fb548b3f2a8edd6431b1398607b76b4d869db8f849311c9f2e7fa52934d1c16aca5e9093b319a59b620485bffb11d02a62dcd70cd9c2f6
+  data.tar.gz: 48e7e8ee165346437f19a082c0828074e090b113d65e80e52679122523417749cf153585047ae8d291bc343550176e0d38bd20085e81b9b6672985f28e6d921c

data/CHANGELOG.rdoc

@@ -1,5 +1,28 @@
 = Changelog
 
+== 2.0.0 / 2014-05-09
+
+Compatibility notes:
+
+* ActionView helpers now must be required explicitly: `require "loofah/helpers"`
+* Support for Ruby 1.8.7 and prior has been dropped
+
+Enhancements:
+
+* HTML5 whitelist allows the following ...
+  * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
+  * attributes: `data-*` (Thanks, Rafael Franca!)
+  * URI attributes: `poster` and `preload`
+* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
+* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
+* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
+
+Bug fixes:
+
+* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
+* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
+
+
 == 1.2.1 (2012-04-14)
 
 * Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)

data/Gemfile

@@ -2,18 +2,19 @@
 
 # DO NOT EDIT THIS FILE. Instead, edit Rakefile, and run `rake bundler:gemfile`.
 
-source :gemcutter
+source "https://rubygems.org/"
 
-gem "nokogiri", ">=1.4.4"
+gem "nokogiri", ">=1.5.9"
 
+gem "rdoc", "~>4.0", :group => [:development, :test]
 gem "rake", ">=0.8", :group => [:development, :test]
 gem "minitest", "~>2.2", :group => [:development, :test]
-gem "rr", "~>1.0", :group => [:development, :test]
+gem "rr", "~>1.1.0", :group => [:development, :test]
 gem "json", ">=0", :group => [:development, :test]
 gem "hoe-gemspec", ">=0", :group => [:development, :test]
 gem "hoe-debugging", ">=0", :group => [:development, :test]
 gem "hoe-bundler", ">=0", :group => [:development, :test]
 gem "hoe-git", ">=0", :group => [:development, :test]
-gem "hoe", ">=2.9.4", :group => [:development, :test]
+gem "hoe", "~>3.6", :group => [:development, :test]
 
 # vim: syntax=ruby

data/MIT-LICENSE.txt

@@ -1,6 +1,8 @@
 The MIT License
 
-Copyright (c) 2009, 2010 by Mike Dalessio, Bryan Helmkamp
+The MIT License
+
+Copyright (c) 2009 -- 2014 by Mike Dalessio, Bryan Helmkamp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.rdoc

@@ -1,4 +1,4 @@
-= Loofah
+= Loofah {<img src="https://travis-ci.org/flavorjones/loofah.png?branch=master" alt="Build Status" />}[https://travis-ci.org/flavorjones/loofah]
 
 * http://github.com/flavorjones/loofah
 * http://rubydoc.info/github/flavorjones/loofah/master/frames
@@ -198,6 +198,7 @@ whitelist algorithm:
 Loofah also comes with some common transformation tasks: 
 
   doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
+  doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
 
 See Loofah::Scrubbers for more details and example usage.
 
@@ -232,6 +233,7 @@ are the same thing as (and arguably semantically clearer than):
 Loofah has two "view helpers": Loofah::Helpers.sanitize and
 Loofah::Helpers.strip_tags, both of which are drop-in replacements for
 the Rails ActionView helpers of the same name.
+These are no longer required automatically. You must require `loofah/helpers`. 
 
 == Requirements
 
@@ -291,7 +293,7 @@ name that nobody could spell properly.
 
 The MIT License
 
-Copyright (c) 2009, 2010, 2011 by Mike Dalessio, Bryan Helmkamp
+Copyright (c) 2009 -- 2014 by Mike Dalessio, Bryan Helmkamp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/Rakefile

@@ -14,12 +14,13 @@ Hoe.spec "loofah" do
   self.extra_rdoc_files = FileList["*.rdoc"]
   self.history_file     = "CHANGELOG.rdoc"
   self.readme_file      = "README.rdoc"
+  self.license          "MIT"
 
-  extra_deps     << ["nokogiri", ">=1.4.4"]
+  extra_deps     << ["nokogiri", ">=1.5.9"]
 
   extra_dev_deps << ["rake", ">=0.8"]
   extra_dev_deps << ["minitest", "~>2.2"]
-  extra_dev_deps << ["rr", "~>1.0"]
+  extra_dev_deps << ["rr", "~>1.1.0"]
   extra_dev_deps << ["json", ">=0"]
   extra_dev_deps << ["hoe-gemspec", ">=0"]
   extra_dev_deps << ["hoe-debugging", ">=0"]
@@ -66,3 +67,8 @@ task :doc_upload_to_rubyforge => :docs do
     system "rsync -avz --delete * rubyforge.org:/var/www/gforge-projects/loofah/loofah"
   end
 end
+
+desc "generate whitelists from W3C specifications"
+task :generate_whitelists do
+  load "tasks/generate-whitelists"
+end

data/lib/loofah.rb

@@ -17,8 +17,6 @@ require 'loofah/xml/document_fragment'
 require 'loofah/html/document'
 require 'loofah/html/document_fragment'
 
-require 'loofah/helpers'
-
 # == Strings and IO Objects as Input
 #
 # Loofah.document and Loofah.fragment accept any IO object in addition
@@ -29,7 +27,7 @@ require 'loofah/helpers'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '1.2.1'
+  VERSION = '2.0.0'
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html/document_fragment.rb

@@ -14,10 +14,13 @@ module Loofah
         #  constructor. Applications should use Loofah.fragment to
         #  parse a fragment.
         #
-        def parse tags
+        def parse tags, encoding = nil
           doc = Loofah::HTML::Document.new
-          doc.encoding = tags.encoding.name if tags.respond_to?(:encoding)
-          self.new(doc, tags)
+
+          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
+          doc.encoding = encoding
+
+          new(doc, tags)
         end
       end
 

data/lib/loofah/html5/scrub.rb

@@ -6,11 +6,7 @@ module Loofah
   module HTML5 # :nodoc:
     module Scrub
 
-      CONTROL_CHARACTERS = if RUBY_VERSION =~ /^1\.8/
-                             /`|[\000-\040\177\s]+|\302[\200-\240]/
-                           else
-                             /[`\u0000-\u0020\u007F\s\u0080-\u0101]/
-                           end
+      CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
 
       class << self
 
@@ -26,14 +22,20 @@ module Loofah
                         else
                           attr_node.node_name
                         end
+
+            if attr_name =~ /\Adata-\w+\z/
+              next
+            end
+
             unless WhiteList::ALLOWED_ATTRIBUTES.include?(attr_name)
               attr_node.remove
               next
             end
+
             if WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
               # this block lifted nearly verbatim from HTML5 sanitization
               val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase
-              if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(':')[0])
+              if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[0])
                 attr_node.remove
                 next
               end
@@ -49,6 +51,10 @@ module Loofah
           if node.attributes['style']
             node['style'] = scrub_css node.attributes['style']
           end
+
+          node.attribute_nodes.each do |attr_node|
+            node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+          end
         end
 
         #  lifted nearly verbatim from html5lib
@@ -57,8 +63,8 @@ module Loofah
           style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
           # gauntlet
-          return '' unless style =~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/
-          return '' unless style =~ /^\s*([-\w]+\s*:[^:;]*(;\s*|$))*$/
+          return '' unless style =~ /\A([-:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
+          return '' unless style =~ /\A\s*([-\w]+\s*:[^:;]*(;\s*|$))*\z/
 
           clean = []
           style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
@@ -66,10 +72,10 @@ module Loofah
             prop.downcase!
             if WhiteList::ALLOWED_CSS_PROPERTIES.include?(prop)
               clean << "#{prop}: #{val};"
-            elsif %w[background border margin padding].include?(prop.split('-')[0])
+            elsif WhiteList::SHORTHAND_CSS_PROPERTIES.include?(prop.split('-')[0])
               clean << "#{prop}: #{val};" unless val.split().any? do |keyword|
-                WhiteList::ALLOWED_CSS_KEYWORDS.include?(keyword) &&
-                  keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+                !WhiteList::ALLOWED_CSS_KEYWORDS.include?(keyword) &&
+                  keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
               end
             elsif WhiteList::ALLOWED_SVG_PROPERTIES.include?(prop)
               clean << "#{prop}: #{val};"

data/lib/loofah/html5/whitelist.rb

@@ -45,12 +45,16 @@ module Loofah
     #
     # </html5_license>
     module WhiteList
-      ACCEPTABLE_ELEMENTS = Set.new %w[a abbr acronym address area audio b big blockquote br
-      button caption center cite code col colgroup dd del dfn dir div dl dt
-      em fieldset font form h1 h2 h3 h4 h5 h6 hr i img input ins kbd label
-      legend li map menu ol optgroup option p pre q s samp select small span
-      strike strong sub sup table tbody td textarea tfoot th thead tr tt u
-      ul var video]
+
+      ACCEPTABLE_ELEMENTS = Set.new %w[a abbr acronym address area
+      article aside audio b bdi bdo big blockquote br button canvas
+      caption center cite code col colgroup command datalist dd del
+      details dfn dir div dl dt em fieldset figcaption figure footer
+      font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
+      legend li map mark menu meter nav ol output optgroup option p
+      pre q s samp section select small span strike strong sub summary
+      sup table tbody td textarea tfoot th thead time tr tt u ul var
+      video]
 
       MATHML_ELEMENTS = Set.new %w[annotation annotation-xml maction math merror mfrac
       mfenced mi mmultiscripts mn mo mover mpadded mphantom mprescripts mroot mrow
@@ -70,7 +74,7 @@ module Loofah
       dir disabled enctype for frame headers height href hreflang hspace id
       ismap label lang longdesc loop loopcount loopend loopstart
       maxlength media method multiple name nohref
-      noshade nowrap poster prompt readonly rel rev rows rowspan rules scope
+      noshade nowrap poster preload prompt readonly rel rev rows rowspan rules scope
       selected shape size span src start style summary tabindex target title
       type usemap valign value vspace width xml:lang]
 
@@ -108,7 +112,7 @@ module Loofah
        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
        xmlns:xlink y y1 y2 zoomAndPan]
 
-      ATTR_VAL_IS_URI = Set.new %w[href src cite action longdesc xlink:href xml:base]
+      ATTR_VAL_IS_URI = Set.new %w[href src cite action longdesc xlink:href xml:base poster preload]
 
       SVG_ATTR_VAL_ALLOWS_REF = Set.new %w[clip-path color-profile cursor fill
       filter marker marker-start marker-mid marker-end mask stroke]
@@ -133,9 +137,13 @@ module Loofah
       purple red right solid silver teal top transparent underline white
       yellow]
 
+      SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
+
       ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
       stroke-width stroke-linecap stroke-linejoin stroke-opacity]
 
+      PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
+
       ACCEPTABLE_PROTOCOLS = Set.new %w[ed2k ftp http https irc mailto news gopher nntp
       telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs]
 
@@ -164,7 +172,7 @@ module Loofah
       # additional tags we should consider safe since we have libxml2 fixing up our documents.
       TAGS_SAFE_WITH_LIBXML2 = Set.new %w[html head body]
       ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
-    end      
+    end
 
     ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::HTML5::WhiteList
   end

data/lib/loofah/scrubbers.rb

@@ -58,6 +58,21 @@ module Loofah
   #     Loofah.fragment(link_farmers_markup).scrub!(:nofollow)
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
   #
+  #
+  #  === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
+  #
+  #  +:unprintable+ removes unprintable Unicode characters.
+  #
+  #     markup = "<p>Some text with an unprintable character at the end\u2028</p>"
+  #     Loofah.fragment(markup).scrub!(:unprintable)
+  #     => "<p>Some text with an unprintable character at the end</p>"
+  #
+  #  You may not be able to see the unprintable character in the above example, but there is a
+  #  U+2028 character right before the closing </p> tag. These characters can cause issues if
+  #  the content is ever parsed by JavaScript - more information here:
+  #
+  #     http://timelessrepo.com/json-isnt-a-javascript-subset
+  #
   module Scrubbers
     #
     #  === scrub!(:strip)
@@ -178,7 +193,7 @@ module Loofah
       def scrub(node)
         return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a')
         node.set_attribute('rel', 'nofollow')
-        return STOP        
+        return STOP
       end
     end
 
@@ -195,6 +210,34 @@ module Loofah
       end
     end
 
+    #
+    #  === scrub!(:unprintable)
+    #
+    #  +:unprintable+ removes unprintable Unicode characters.
+    #
+    #     markup = "<p>Some text with an unprintable character at the end\u2028</p>"
+    #     Loofah.fragment(markup).scrub!(:unprintable)
+    #     => "<p>Some text with an unprintable character at the end</p>"
+    #
+    #  You may not be able to see the unprintable character in the above example, but there is a
+    #  U+2028 character right before the closing </p> tag. These characters can cause issues if
+    #  the content is ever parsed by JavaScript - more information here:
+    #
+    #     http://timelessrepo.com/json-isnt-a-javascript-subset
+    #
+    class Unprintable < Scrubber
+      def initialize
+        @direction = :top_down
+      end
+
+      def scrub(node)
+        if node.type == Nokogiri::XML::Node::TEXT_NODE
+          node.content = node.content.gsub(/\u2028|\u2029/, '')
+        end
+        CONTINUE
+      end
+    end
+
     #
     #  A hash that maps a symbol (like +:prune+) to the appropriate Scrubber (Loofah::Scrubbers::Prune).
     #
@@ -204,7 +247,8 @@ module Loofah
       :whitewash => Whitewash,
       :strip     => Strip,
       :nofollow  => NoFollow,
-      :newline_block_elements => NewlineBlockElements
+      :newline_block_elements => NewlineBlockElements,
+      :unprintable => Unprintable
     }
 
     #

data/test/assets/testdata_sanitizer_tests1.dat

@@ -36,13 +36,13 @@
   {
     "name": "div_background_image_unicode_encoded",
     "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
-    "output": "<div style=''>foo</div>"
+    "output": "<div>foo</div>"
   },
 
   {
     "name": "div_expression",
     "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
-    "output": "<div style=''>foo</div>"
+    "output": "<div>foo</div>"
   },
 
   {
@@ -104,7 +104,7 @@
   {
     "name": "list_style_image",
     "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
-    "output": "<li style=''>foo</li>"
+    "output": "<li>foo</li>"
   },
 
   {
@@ -138,7 +138,7 @@
   {
     "name": "non_alpha_non_digit_II",
     "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-    "output": "<a href>foo</a>",
+    "output": "<a>foo</a>",
     "rexml": "Ill-formed XHTML!"
   },
 
@@ -152,7 +152,7 @@
   {
     "name": "platypus",
     "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-repeat: repeat;'>never trust your upstream platypus</a>"
+    "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>"
   },
 
   {
@@ -253,7 +253,7 @@
   {
     "name": "should_not_fall_for_xss_image_hack_12",
     "input": "<img src=\" &#14;  javascript:alert('XSS');\" />",
-    "output": "<img src=''>",
+    "output": "<img>",
     "rexml": "<img />"
   },
 
@@ -404,7 +404,7 @@
   {
     "name": "xul",
     "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
-    "output": "<p style=''>fubar</p>"
+    "output": "<p>fubar</p>"
   },
 
   {
@@ -441,9 +441,9 @@
   {
     "name": "absolute_uri_ref_with_space_in svg_attribute",
     "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "rexml": "<rect fill=' '></rect>",
-    "xhtml": "<rect fill=' '></rect>",
-    "output": "<rect fill=' '/>"
+    "rexml": "<rect></rect>",
+    "xhtml": "<rect></rect>",
+    "output": "<rect/>"
   },
 
   {
@@ -484,14 +484,14 @@
     "xhtml": "<div style='color: blue;'></div>",
     "rexml": "<div style='color: blue;'></div>"
   },
-  
+
   {
    "name": "attributes_with_embedded_quotes",
    "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
    "output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
    "rexml": "Ill-formed XHTML!"
   },
-  
+
   {
    "name": "attributes_with_embedded_quotes_II",
    "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",

data/test/helper.rb

@@ -6,11 +6,12 @@ require 'minitest/autorun'
 
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah"))
 
+# require the ActionView helpers here, since they are no longer required automatically
+require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah", "helpers"))
+
 puts "=> testing with Nokogiri #{Nokogiri::VERSION_INFO.inspect}"
 
 class Loofah::TestCase < MiniTest::Spec
-  include RR::Adapters::TestUnit
-
   class << self
     alias_method :context, :describe
   end

data/test/html5/test_sanitizer.rb

@@ -88,6 +88,15 @@ class Html5TestSanitizer < Loofah::TestCase
     end
   end
 
+  def test_should_allow_data_attributes
+    input = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
+
+    output = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+    htmloutput = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+
+    check_sanitization(input, htmloutput, output, output)
+  end
+
   ##
   ##  libxml2 downcases attributes, so this is moot.
   ##
@@ -146,6 +155,11 @@ class Html5TestSanitizer < Loofah::TestCase
     end
   end
 
+  def test_figure_element_is_valid
+    fragment = Loofah.scrub_fragment("<span>hello</span> <figure>asd</figure>", :prune)
+    assert fragment.at_css("figure"), "<figure> tag was scrubbed"
+  end
+
   ##
   ##  as tenderlove says, "care < 0"
   ##
@@ -162,7 +176,7 @@ class Html5TestSanitizer < Loofah::TestCase
 # This affects only NS4. Is it worth fixing?
 #  def test_javascript_includes
 #    input = %(<div size="&{alert('XSS')}">foo</div>)
-#    output = "<div>foo</div>"    
+#    output = "<div>foo</div>"
 #    check_sanitization(input, output, output, output)
 #  end
 
@@ -187,7 +201,7 @@ class Html5TestSanitizer < Loofah::TestCase
   end
 
   ## added because we don't have any coverage above on SVG_ATTR_VAL_ALLOWS_REF
-  HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|  
+  HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|
     define_method "test_should_allow_uri_refs_in_svg_attribute_#{attr_name}" do
       input = "<rect fill='url(#foo)' />"
       output = "<rect fill='url(#foo)'></rect>"
@@ -200,6 +214,12 @@ class Html5TestSanitizer < Loofah::TestCase
       check_sanitization(input, output, output, output)
     end
   end
+
+  def test_css_negative_value_sanitization
+    html = "<span style=\"letter-spacing:-0.03em;\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+    assert_match %r/-0.03em/, sane.inner_html
+  end
 end
 
 # <html5_license>

data/test/integration/test_html.rb

@@ -29,6 +29,13 @@ class IntegrationTestHtml < Loofah::TestCase
         assert_equal "\ntweedle\n\nbeetle\n", html.to_text
       end
     end
+
+    context 'with an `encoding` arg' do
+      it "sets the parent document's encoding to accordingly" do
+        html = Loofah.fragment "<style>foo</style><div>bar</div>", 'US-ASCII'
+        assert_equal 'US-ASCII', html.document.encoding
+      end
+    end
   end
 
   context "html document" do

data/test/integration/test_scrubbers.rb

@@ -13,6 +13,9 @@ class IntegrationTestScrubbers < Loofah::TestCase
   NOFOLLOW_FRAGMENT = '<a href="http://www.example.com/">Click here</a>'
   NOFOLLOW_RESULT   = '<a href="http://www.example.com/" rel="nofollow">Click here</a>'
 
+  UNPRINTABLE_FRAGMENT = "<b>Lo\u2029ofah ro\u2028cks!</b>"
+  UNPRINTABLE_RESULT = "<b>Loofah rocks!</b>"
+
   ENTITY_FRAGMENT   = "<p>this is &lt; that &quot;&amp;&quot; the other &gt; boo&apos;ya</p><div>w00t</div>"
   ENTITY_TEXT       = %Q(this is < that "&" the other > boo\'yaw00t)
 
@@ -71,6 +74,16 @@ class IntegrationTestScrubbers < Loofah::TestCase
           assert_equal doc, result
         end
       end
+
+      context ":unprintable" do
+        it "removes unprintable unicode characters" do
+          doc = Loofah::HTML::Document.parse "<html><body>#{UNPRINTABLE_FRAGMENT}</body></html>"
+          result = doc.scrub! :unprintable
+
+          assert_equal UNPRINTABLE_RESULT, doc.xpath("/html/body").inner_html
+          assert_equal doc, result
+        end
+      end
     end
 
     context "#scrub_document" do
@@ -187,7 +200,7 @@ class IntegrationTestScrubbers < Loofah::TestCase
       end
     end
   end
-  
+
   context "DocumentFragment" do
     context "#scrub!" do
       context ":escape" do
@@ -239,6 +252,16 @@ class IntegrationTestScrubbers < Loofah::TestCase
           assert_equal doc, result
         end
       end
+
+      context ":unprintable" do
+        it "removes unprintable unicode characters" do
+          doc = Loofah::HTML::DocumentFragment.parse "<div>#{UNPRINTABLE_FRAGMENT}</div>"
+          result = doc.scrub! :unprintable
+
+          assert_equal UNPRINTABLE_RESULT, doc.xpath("./div").inner_html
+          assert_equal doc, result
+        end
+      end
     end
 
     context "#scrub_fragment" do

metadata

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 1.2.1
-  prerelease: 
+  version: 2.0.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -10,149 +9,185 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-14 00:00:00.000000000 Z
+date: 2014-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
-  requirement: &7093760 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
-        version: 1.4.4
+        version: 1.5.9
   type: :runtime
   prerelease: false
-  version_requirements: *7093760
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.5.9
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &7093180 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0.8'
   type: :development
   prerelease: false
-  version_requirements: *7093180
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0.8'
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &7107880 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.2'
   type: :development
   prerelease: false
-  version_requirements: *7107880
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rr
-  requirement: &7106860 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.1.0
   type: :development
   prerelease: false
-  version_requirements: *7106860
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
 - !ruby/object:Gem::Dependency
   name: json
-  requirement: &7103340 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7103340
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: hoe-gemspec
-  requirement: &7101160 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7101160
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: hoe-debugging
-  requirement: &7115900 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7115900
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: hoe-bundler
-  requirement: &7115180 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7115180
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: hoe-git
-  requirement: &7114520 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *7114520
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: hoe
-  requirement: &7113560 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '2.12'
+        version: '3.11'
   type: :development
   prerelease: false
-  version_requirements: *7113560
-description: ! 'Loofah is a general library for manipulating and transforming HTML/XML
-
-  documents and fragments. It''s built on top of Nokogiri and libxml2, so
-
-  it''s fast and has a nice API.
-
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.11'
+description: |-
+  Loofah is a general library for manipulating and transforming HTML/XML
+  documents and fragments. It's built on top of Nokogiri and libxml2, so
+  it's fast and has a nice API.
 
   Loofah excels at HTML sanitization (XSS prevention). It includes some
-
-  nice HTML sanitizers, which are based on HTML5lib''s whitelist, so it
-
-  most likely won''t make your codes less secure. (These statements have
-
+  nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
+  most likely won't make your codes less secure. (These statements have
   not been evaluated by Netexperts.)
 
-
   ActiveRecord extensions for sanitization are available in the
-
   `loofah-activerecord` gem (see
-
-  http://github.com/flavorjones/loofah-activerecord).'
+  http://github.com/flavorjones/loofah-activerecord).
 email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
 executables: []
 extensions: []
 extra_rdoc_files:
+- CHANGELOG.rdoc
 - MIT-LICENSE.txt
 - Manifest.txt
 - README.rdoc
-- CHANGELOG.rdoc
 files:
 - CHANGELOG.rdoc
 - Gemfile
@@ -192,7 +227,9 @@ files:
 - test/unit/test_scrubbers.rb
 - .gemtest
 homepage: http://github.com/flavorjones/loofah
-licenses: []
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options:
 - --main
@@ -200,33 +237,31 @@ rdoc_options:
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: loofah
-rubygems_version: 1.8.15
+rubyforge_project: 
+rubygems_version: 2.0.3
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
   and fragments
 test_files:
 - test/html5/test_sanitizer.rb
-- test/integration/test_html.rb
-- test/integration/test_helpers.rb
-- test/integration/test_ad_hoc.rb
-- test/integration/test_scrubbers.rb
-- test/integration/test_xml.rb
-- test/unit/test_scrubber.rb
 - test/unit/test_helpers.rb
 - test/unit/test_scrubbers.rb
-- test/unit/test_api.rb
+- test/unit/test_scrubber.rb
 - test/unit/test_encoding.rb
+- test/unit/test_api.rb
+- test/integration/test_helpers.rb
+- test/integration/test_xml.rb
+- test/integration/test_ad_hoc.rb
+- test/integration/test_scrubbers.rb
+- test/integration/test_html.rb