loofah 2.1.0 → 2.2.0

data/lib/loofah/elements.rb

@@ -2,13 +2,88 @@ require 'set'
 
 module Loofah
   module Elements
-    # Block elements in HTML4
-    STRICT_BLOCK_LEVEL = Set.new %w[address blockquote center dir div dl
-      fieldset form h1 h2 h3 h4 h5 h6 hr isindex menu noframes
-      noscript ol p pre table ul]
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
+      address
+      blockquote
+      center
+      dir
+      div
+      dl
+      fieldset
+      form
+      h1
+      h2
+      h3
+      h4
+      h5
+      h6
+      hr
+      isindex
+      menu
+      noframes
+      noscript
+      ol
+      p
+      pre
+      table
+      ul
+    ]
 
-    # The following elements may also be considered block-level elements since they may contain block-level elements
-    LOOSE_BLOCK_LEVEL = Set.new %w[dd dt frameset li tbody td tfoot th thead tr]
+    # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
+      address
+      article
+      aside
+      blockquote
+      canvas
+      dd
+      div
+      dl
+      dt
+      fieldset
+      figcaption
+      figure
+      footer
+      form
+      h1
+      h2
+      h3
+      h4
+      h5
+      h6
+      header
+      hgroup
+      hr
+      li
+      main
+      nav
+      noscript
+      ol
+      output
+      p
+      pre
+      section
+      table
+      tfoot
+      ul
+      video
+    ]
+
+    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
+
+    # The following elements may also be considered block-level
+    # elements since they may contain block-level elements
+    LOOSE_BLOCK_LEVEL = Set.new %w[dd
+      dt
+      frameset
+      li
+      tbody
+      td
+      tfoot
+      th
+      thead
+      tr
+    ]
 
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
   end

data/lib/loofah/html5/scrub.rb

@@ -44,7 +44,7 @@ module Loofah
               elsif val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[0] == 'data'
                 # permit only allowed data mediatypes
                 mediatype = val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[1]
-                mediatype, base64 = mediatype.split(';')[0..1] if mediatype
+                mediatype, _ = mediatype.split(';')[0..1] if mediatype
                 if mediatype && !WhiteList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
                   attr_node.remove
                   next
@@ -79,7 +79,7 @@ module Loofah
           style_tree.each do |node|
             next unless node[:node] == :property
             next if node[:children].any? do |child|
-              [:url, :bad_url, :function].include? child[:node]
+              [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && !WhiteList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase))
             end
             name = node[:name].downcase
             if WhiteList::ALLOWED_CSS_PROPERTIES.include?(name) || WhiteList::ALLOWED_SVG_PROPERTIES.include?(name)

data/lib/loofah/html5/whitelist.rb

@@ -51,7 +51,7 @@ module Loofah
       caption center cite code col colgroup command datalist dd del
       details dfn dir div dl dt em fieldset figcaption figure footer
       font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
-      legend li map mark menu meter nav ol output optgroup option p
+      legend li main map mark menu meter nav ol output optgroup option p
       pre q s samp section select small span strike strong sub summary
       sup table tbody td textarea tfoot th thead time tr tt u ul var
       video]
@@ -65,7 +65,7 @@ module Loofah
       circle clipPath defs desc ellipse feGaussianBlur filter font-face
       font-face-name font-face-src foreignObject
       g glyph hkern linearGradient line marker mask metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch
+      mpath path polygon polyline radialGradient rect set stop svg switch symbol
       text textPath title tspan use]
 
       ACCEPTABLE_ATTRIBUTES = Set.new %w[abbr accept accept-charset accesskey action
@@ -125,8 +125,8 @@ module Loofah
       border-bottom-color border-collapse border-color border-left-color
       border-right-color border-top-color clear color cursor direction
       display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height overflow
-      pause pause-after pause-before pitch pitch-range richness speak
+      font-variant font-weight height letter-spacing line-height list-style-type
+      overflow pause pause-after pause-before pitch pitch-range richness speak
       speak-header speak-numeral speak-punctuation speech-rate stress
       text-align text-decoration text-indent unicode-bidi vertical-align
       voice-family volume white-space width]
@@ -137,6 +137,8 @@ module Loofah
       purple red right solid silver teal top transparent underline white
       yellow]
 
+      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
+
       SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
 
       ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
@@ -155,6 +157,7 @@ module Loofah
       ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
       ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
       ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
+      ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
       ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES

data/lib/loofah/scrubbers.rb

@@ -99,7 +99,12 @@ module Loofah
 
       def scrub(node)
         return CONTINUE if html5lib_sanitize(node) == CONTINUE
-        node.before node.children
+        if node.children.length == 1 && node.children.first.cdata?
+          sanitized_text = Loofah.fragment(node.children.first.to_html).scrub!(:strip).to_html
+          node.before Nokogiri::XML::Text.new(sanitized_text, node.document)
+        else
+          node.before node.children
+        end
         node.remove
       end
     end

data/test/html5/test_sanitizer.rb

@@ -20,9 +20,9 @@ class Html5TestSanitizer < Loofah::TestCase
   def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
     ##  libxml uses double-quotes, so let's swappo-boppo our quotes before comparing.
     sane = sanitize_html(input).gsub('"',"'")
-    htmloutput.gsub!('"',"'")
-    xhtmloutput.gsub!('"',"'")
-    rexmloutput.gsub!('"',"'")
+    htmloutput = htmloutput.gsub('"',"'")
+    xhtmloutput = xhtmloutput.gsub('"',"'")
+    rexmloutput = rexmloutput.gsub('"',"'")
 
     ##  HTML5's parsers are shit. there's so much inconsistency with what has closing tags, etc, that
     ##  it would require a lot of manual hacking to make the tests match libxml's output.
@@ -136,7 +136,7 @@ class Html5TestSanitizer < Loofah::TestCase
       check_sanitization(input, output, output, output)
     end
   end
-  
+
   HTML5::WhiteList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
     define_method "test_should_allow_data_#{data_uri_type}_uris" do
       input = %(<a href="data:#{data_uri_type}">foo</a>)
@@ -275,6 +275,38 @@ class Html5TestSanitizer < Loofah::TestCase
     assert_match %r/-0.05em/, sane.inner_html
   end
 
+  def test_css_function_sanitization_leaves_whitelisted_functions_calc
+    html = "<span style=\"width:calc(5%)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/calc\(5%\)/, sane.inner_html
+
+    html = "<span style=\"width: calc(5%)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/calc\(5%\)/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_leaves_whitelisted_functions_rgb
+    html = '<span style="color: rgb(255, 0, 0)">'
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/rgb\(255, 0, 0\)/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_leaves_whitelisted_list_style_type
+    html = "<ol style='list-style-type:lower-greek;'></ol>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/list-style-type:lower-greek/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
+    html = "<span style=\"width:attr(data-evil-attr)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/<span><\/span>/, sane.inner_html
+
+    html = "<span style=\"width: attr(data-evil-attr)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/<span><\/span>/, sane.inner_html
+  end
+
   def test_issue_90_slow_regex
     skip("timing tests are hard to make pass and have little regression-testing value")
 

data/test/integration/test_ad_hoc.rb

@@ -16,66 +16,67 @@ class IntegrationTestAdHoc < Loofah::TestCase
     end
   end
 
-  def test_removal_of_illegal_tag
-    html = <<-HTML
+  context "tests" do
+    def test_removal_of_illegal_tag
+      html = <<-HTML
       following this there should be no jim tag
       <jim>jim</jim>
       was there?
     HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert sane.xpath("//jim").empty?
-  end
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      assert sane.xpath("//jim").empty?
+    end
 
-  def test_removal_of_illegal_attribute
-    html = "<p class=bar foo=bar abbr=bar />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    node = sane.xpath("//p").first
-    assert node.attributes['class']
-    assert node.attributes['abbr']
-    assert_nil node.attributes['foo']
-  end
+    def test_removal_of_illegal_attribute
+      html = "<p class=bar foo=bar abbr=bar />"
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      node = sane.xpath("//p").first
+      assert node.attributes['class']
+      assert node.attributes['abbr']
+      assert_nil node.attributes['foo']
+    end
 
-  def test_removal_of_illegal_url_in_href
-    html = <<-HTML
+    def test_removal_of_illegal_url_in_href
+      html = <<-HTML
       <a href='jimbo://jim.jim/'>this link should have its href removed because of illegal url</a>
       <a href='http://jim.jim/'>this link should be fine</a>
     HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    nodes = sane.xpath("//a")
-    assert_nil nodes.first.attributes['href']
-    assert nodes.last.attributes['href']
-  end
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      nodes = sane.xpath("//a")
+      assert_nil nodes.first.attributes['href']
+      assert nodes.last.attributes['href']
+    end
 
-  def test_css_sanitization
-    html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert_match %r/#000/,    sane.inner_html
-    refute_match %r/foo\.com/, sane.inner_html
-  end
+    def test_css_sanitization
+      html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      assert_match %r/#000/,    sane.inner_html
+      refute_match %r/foo\.com/, sane.inner_html
+    end
 
-  def test_fragment_with_no_tags
-    assert_equal "This fragment has no tags.", Loofah.scrub_fragment("This fragment has no tags.", :escape).to_xml
-  end
+    def test_fragment_with_no_tags
+      assert_equal "This fragment has no tags.", Loofah.scrub_fragment("This fragment has no tags.", :escape).to_xml
+    end
 
-  def test_fragment_in_p_tag
-    assert_equal "<p>This fragment is in a p.</p>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>", :escape).to_xml
-  end
+    def test_fragment_in_p_tag
+      assert_equal "<p>This fragment is in a p.</p>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>", :escape).to_xml
+    end
 
-  def test_fragment_in_p_tag_plus_stuff
-    assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>foo<strong>bar</strong>", :escape).to_xml
-  end
+    def test_fragment_in_p_tag_plus_stuff
+      assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>foo<strong>bar</strong>", :escape).to_xml
+    end
 
-  def test_fragment_with_text_nodes_leading_and_trailing
-    assert_equal "text<p>fragment</p>text", Loofah.scrub_fragment("text<p>fragment</p>text", :escape).to_xml
-  end
+    def test_fragment_with_text_nodes_leading_and_trailing
+      assert_equal "text<p>fragment</p>text", Loofah.scrub_fragment("text<p>fragment</p>text", :escape).to_xml
+    end
 
-  def test_whitewash_on_fragment
-    html = "safe<frameset rows=\"*\"><frame src=\"http://example.com\"></frameset> <b>description</b>"
-    whitewashed = Loofah.scrub_document(html, :whitewash).xpath("/html/body/*").to_s
-    assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
-  end
+    def test_whitewash_on_fragment
+      html = "safe<frameset rows=\"*\"><frame src=\"http://example.com\"></frameset> <b>description</b>"
+      whitewashed = Loofah.scrub_document(html, :whitewash).xpath("/html/body/*").to_s
+      assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
+    end
 
-  MSWORD_HTML = <<-EOHTML
+    MSWORD_HTML = <<-EOHTML
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
@@ -141,36 +142,52 @@ mso-bidi-language:#0400;}
 <p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>
   EOHTML
 
-  def test_fragment_whitewash_on_microsofty_markup
-    whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
-    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
-  end
+    def test_fragment_whitewash_on_microsofty_markup
+      whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
+      assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
+    end
 
-  def test_document_whitewash_on_microsofty_markup
-    whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
-    assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
-    assert_equal "<p>Foo <b>BOLD</b></p>",   whitewashed.xpath("/html/body/*").to_s
-  end
+    def test_document_whitewash_on_microsofty_markup
+      whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
+      assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
+      assert_equal "<p>Foo <b>BOLD</b></p>",   whitewashed.xpath("/html/body/*").to_s
+    end
 
-  def test_return_empty_string_when_nothing_left
-    assert_equal "", Loofah.scrub_document('<script>test</script>', :prune).text
-  end
+    def test_return_empty_string_when_nothing_left
+      assert_equal "", Loofah.scrub_document('<script>test</script>', :prune).text
+    end
+
+    def test_nested_script_cdata_tags_should_be_scrubbed
+      html = "<script><script src='malicious.js'></script>"
+      stripped = Loofah.fragment(html).scrub!(:strip)
+      assert_empty stripped.xpath("//script")
+      refute_match("<script", stripped.to_html)
+    end
 
-  def test_removal_of_all_tags
-    html = <<-HTML
+    def test_nested_script_cdata_tags_should_be_scrubbed_2
+      html = "<script><script>alert('a');</script></script>"
+      stripped = Loofah.fragment(html).scrub!(:strip)
+      assert_empty stripped.xpath("//script")
+      refute_match("<script", stripped.to_html)
+    end
+
+    def test_removal_of_all_tags
+      html = <<-HTML
       What's up <strong>doc</strong>?
     HTML
-    stripped = Loofah.scrub_document(html, :prune).text
-    assert_equal %Q(What\'s up doc?).strip, stripped.strip
-  end
+      stripped = Loofah.scrub_document(html, :prune).text
+      assert_equal %Q(What\'s up doc?).strip, stripped.strip
+    end
 
-  def test_dont_remove_whitespace
-    html = "Foo\nBar"
-    assert_equal html, Loofah.scrub_document(html, :prune).text
-  end
+    def test_dont_remove_whitespace
+      html = "Foo\nBar"
+      assert_equal html, Loofah.scrub_document(html, :prune).text
+    end
 
-  def test_dont_remove_whitespace_between_tags
-    html = "<p>Foo</p>\n<p>Bar</p>"
-    assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
+    def test_dont_remove_whitespace_between_tags
+      html = "<p>Foo</p>\n<p>Bar</p>"
+      assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
+    end
   end
 end
+

data/test/integration/test_html.rb

@@ -19,11 +19,16 @@ class IntegrationTestHtml < Loofah::TestCase
     end
 
     context "#to_text" do
-      it "add newlines before and after block elements" do
+      it "add newlines before and after html4 block elements" do
         html = Loofah.fragment "<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
         assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
       end
 
+      it "add newlines before and after html5 block elements" do
+        html = Loofah.fragment "<div>tweedle<section>beetle</section>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
+        assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
+      end
+
       it "remove extraneous whitespace" do
         html = Loofah.fragment "<div>tweedle\n\n\t\n\s\nbeetle</div>"
         assert_equal "\ntweedle\n\nbeetle\n", html.to_text
@@ -47,11 +52,16 @@ class IntegrationTestHtml < Loofah::TestCase
     end
 
     context "#to_text" do
-      it "add newlines before and after block elements" do
+      it "add newlines before and after html4 block elements" do
         html = Loofah.document "<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
         assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
       end
 
+      it "add newlines before and after html5 block elements" do
+        html = Loofah.document "<div>tweedle<section>beetle</section>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
+        assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
+      end
+
       it "remove extraneous whitespace" do
         html = Loofah.document "<div>tweedle\n\n\t\n\s\nbeetle</div>"
         assert_equal "\ntweedle\n\nbeetle\n", html.to_text