loofah 2.0.3 → 2.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1ede2fa4b15b118b6040d43ec57d90782e6a8234
-  data.tar.gz: e0e4ed5ebb391793549d27245834bb67189e83c3
+  metadata.gz: a709ec5b5b8064cd96fd216b5ac5ece3db3c2099
+  data.tar.gz: 212f9cb43700926714c873d2dd6ee661bcdb832a
 SHA512:
-  metadata.gz: ca75adb9b1dad4f99f7182767518a4a935bc960ec81db86eb848f30bb918089f570ab29bfa9f2973e0bd3608876cd47c8af1fcb01a6596e5e845307b21caffd9
-  data.tar.gz: 42fea8ec3d59389976f2613d4dd763f9f7c7260069f113d7044d55daeb83850750f2d5803354b0d431f2fef25e7a65c0e5cbe2b916d1e26072c6ccd531183d6a
+  metadata.gz: 31120a6cb665a25b264707c6a85aff7a14beab7269e20a3d4403a72ae0b2bf625b6942df6178e92e419b1859c7e48255f19c407003f031773426cf158a953d14
+  data.tar.gz: 21386a195c02a5faa3d52ff14f82534a087da91f009260d215bc07c8a46976803f424b2ddf4969756e7f63dec40ee0a270aac6d0549d9362fb87756da13b532d

data/CHANGELOG.rdoc

@@ -1,5 +1,16 @@
 = Changelog
 
+== 2.1.0.rc1 / 2015-08-17
+
+Notes:
+
+* Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91
+
+Bug fixes:
+
+* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
+
+
 == 2.0.3 / 2015-08-17
 
 Bug fixes:

data/Gemfile

@@ -5,6 +5,7 @@
 source "https://rubygems.org/"
 
 gem "nokogiri", ">=1.5.9"
+gem "crass", "~>1.0.2"
 
 gem "rdoc", "~>4.0", :group => [:development, :test]
 gem "rake", ">=0.8", :group => [:development, :test]
@@ -15,6 +16,6 @@ gem "hoe-gemspec", ">=0", :group => [:development, :test]
 gem "hoe-debugging", ">=0", :group => [:development, :test]
 gem "hoe-bundler", ">=0", :group => [:development, :test]
 gem "hoe-git", ">=0", :group => [:development, :test]
-gem "hoe", "~>3.6", :group => [:development, :test]
+gem "hoe", "~>3.13", :group => [:development, :test]
 
 # vim: syntax=ruby

data/Rakefile

@@ -17,6 +17,7 @@ Hoe.spec "loofah" do
   self.license          "MIT"
 
   extra_deps     << ["nokogiri", ">=1.5.9"]
+  extra_deps     << ["crass", "~> 1.0.2"]
 
   extra_dev_deps << ["rake", ">=0.8"]
   extra_dev_deps << ["minitest", "~>2.2"]

data/lib/loofah.rb

@@ -27,7 +27,7 @@ require 'loofah/html/document_fragment'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '2.0.3'
+  VERSION = '2.1.0.rc1'
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html5/scrub.rb

@@ -1,12 +1,15 @@
 #encoding: US-ASCII
 
 require 'cgi'
+require 'crass'
 
 module Loofah
   module HTML5 # :nodoc:
     module Scrub
 
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
+      CSS_KEYWORDISH = /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+      CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
 
       class << self
 
@@ -61,36 +64,35 @@ module Loofah
           style.value = scrub_css(style.value) if style
         end
 
-        #  lifted nearly verbatim from html5lib
         def scrub_css style
-          # disallow urls
-          style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+          style_tree = Crass.parse_properties style
+          sanitized_tree = []
 
-          # gauntlet
-          return '' unless style =~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
-          return '' unless style =~ /\A\s*([-\w]+\s*:[^:;]*(;\s*|$))*\z/
-
-          clean = []
-          style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
-            next if val.empty?
-            prop.downcase!
-            if WhiteList::ALLOWED_CSS_PROPERTIES.include?(prop)
-              clean << "#{prop}: #{val};"
-            elsif WhiteList::SHORTHAND_CSS_PROPERTIES.include?(prop.split('-')[0])
-              clean << "#{prop}: #{val};" unless val.split().any? do |keyword|
-                !WhiteList::ALLOWED_CSS_KEYWORDS.include?(keyword) &&
-                  keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+          style_tree.each do |node|
+            next unless node[:node] == :property
+            next if node[:children].any? do |child|
+              [:url, :bad_url, :function].include? child[:node]
+            end
+            name = node[:name].downcase
+            if WhiteList::ALLOWED_CSS_PROPERTIES.include?(name) || WhiteList::ALLOWED_SVG_PROPERTIES.include?(name)
+              sanitized_tree << node << CRASS_SEMICOLON
+            elsif WhiteList::SHORTHAND_CSS_PROPERTIES.include?(name.split('-').first)
+              value = node[:value].split.map do |keyword|
+                if WhiteList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
+                  keyword
+                end
+              end.compact
+              unless value.empty?
+                propstring = sprintf "%s:%s", name, value.join(" ")
+                sanitized_node = Crass.parse_properties(propstring).first
+                sanitized_tree << sanitized_node << CRASS_SEMICOLON
               end
-            elsif WhiteList::ALLOWED_SVG_PROPERTIES.include?(prop)
-              clean << "#{prop}: #{val};"
             end
           end
 
-          style = clean.join(' ')
+          Crass::Parser.stringify sanitized_tree
         end
-
       end
-
     end
   end
 end

data/test/assets/testdata_sanitizer_tests1.dat

@@ -152,7 +152,7 @@
   {
     "name": "platypus",
     "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>"
+    "output": "<a href='http://www.ragingplatypus.com/' style='display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;'>never trust your upstream platypus</a>"
   },
 
   {

data/test/html5/test_sanitizer.rb

@@ -229,14 +229,12 @@ class Html5TestSanitizer < Loofah::TestCase
   end
 
   def test_css_negative_value_sanitization
-    skip "pending better CSS parsing, see https://github.com/flavorjones/loofah/issues/90"
     html = "<span style=\"letter-spacing:-0.03em;\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
     assert_match %r/-0.03em/, sane.inner_html
   end
 
   def test_css_negative_value_sanitization_shorthand_css_properties
-    skip "pending better CSS parsing, see https://github.com/flavorjones/loofah/issues/90"
     html = "<span style=\"margin-left:-0.05em;\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
     assert_match %r/-0.05em/, sane.inner_html
@@ -246,9 +244,34 @@ class Html5TestSanitizer < Loofah::TestCase
     html = %q{<span style="background: url('data:image/svg&#43;xml;charset=utf-8,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%2232%22%20height%3D%2232%22%20viewBox%3D%220%200%2032%2032%22%3E%3Cpath%20fill%3D%22%23D4C8AE%22%20d%3D%22M0%200h32v32h-32z%22%2F%3E%3Cpath%20fill%3D%22%2383604B%22%20d%3D%22M0%200h31.99v11.75h-31.99z%22%2F%3E%3Cpath%20fill%3D%22%233D2319%22%20d%3D%22M0%2011.5h32v.5h-32z%22%2F%3E%3Cpath%20fill%3D%22%23F83651%22%20d%3D%22M5%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%23FCD050%22%20d%3D%22M6%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%2371C797%22%20d%3D%22M7%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%23509CF9%22%20d%3D%22M8%200h1v10.5h-1z%22%2F%3E%3ClinearGradient%20id%3D%22a%22%20gradientUnits%3D%22userSpaceOnUse%22%20x1%3D%2224.996%22%20y1%3D%2210.5%22%20x2%3D%2224.996%22%20y2%3D%224.5%22%3E%3Cstop%20offset%3D%220%22%20stop-color%3D%22%23796055%22%2F%3E%3Cstop%20offset%3D%22.434%22%20stop-color%3D%22%23614C43%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%233D2D28%22%2F%3E%3C%2FlinearGradient%3E%3Cpath%20fill%3D%22url(%23a)%22%20d%3D%22M28%208.5c0%201.1-.9%202-2%202h-2c-1.1%200-2-.9-2-2v-2c0-1.1.9-2%202-2h2c1.1%200%202%20.9%202%202v2z%22%2F%3E%3Cpath%20fill%3D%22%235F402E%22%20d%3D%22M28%208c0%201.1-.9%202-2%202h-2c-1.1%200-2-.9-2-2v-2c0-1.1.9-2%202-2h2c1.1%200%202%20.9%202%202v2z%22%2F%3E%3C');"></span>}
 
     assert_completes_in_reasonable_time {
-      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+      Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
     }
   end
+
+  def test_upper_case_css_property
+    html = "<div style=\"COLOR: BLUE; NOTAPROPERTY: RED;\">asdf</div>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_xml)
+    assert_match /COLOR:\s*BLUE/i, sane.at_css("div")["style"]
+    refute_match /NOTAPROPERTY/i, sane.at_css("div")["style"]
+  end
+
+  def test_many_properties_some_allowed
+    html = "<div style=\"background: bold notaproperty center alsonotaproperty 10px;\">asdf</div>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_xml)
+    assert_match /bold\s+center\s+10px/, sane.at_css("div")["style"]
+  end
+
+  def test_many_properties_non_allowed
+    html = "<div style=\"background: notaproperty alsonotaproperty;\">asdf</div>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_xml)
+    assert_nil sane.at_css("div")["style"]
+  end
+
+  def test_svg_properties
+    html = "<line style='stroke-width: 10px;'></line>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_xml)
+    assert_match /stroke-width:\s*10px/, sane.at_css("line")["style"]
+  end
 end
 
 # <html5_license>

data/test/integration/test_helpers.rb

@@ -37,7 +37,7 @@ class IntegrationTestHelpers < Loofah::TestCase
 
   context ".sanitize_css" do
     it "removes unsafe css properties" do
-      assert_equal "display: block; background-color: blue;", Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg);background-color:blue")
+      assert_match /display:\s*block;\s*background-color:\s*blue;/, Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg);background-color:blue")
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.0.rc1
 platform: ruby
 authors:
 - Mike Dalessio
@@ -25,6 +25,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.9
+- !ruby/object:Gem::Dependency
+  name: crass
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -243,9 +257,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.6