loofah 2.10.0 → 2.13.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of loofah might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c72ce5ed9c2a65db0a32b4bcdc141b9bf30caded7ee60d180c7872691246cafd
4
- data.tar.gz: 953c1316bd83c03ded6eae4ca754a0b3d9dd1cc1f1f22a6e4c4fc2762de6aed7
3
+ metadata.gz: 1d9193264008cab1a3f6b35a5b0c6862e781f99385a35d3f6c6714930bd18d3c
4
+ data.tar.gz: 0b8651064006fb2b5ac201b11e24e0bebc8ec4ab523a3b3d830514247d498e28
5
5
  SHA512:
6
- metadata.gz: e0c876928b0ec84a84e38e66f5318a1d0539996d75ef96c07b7cceb953565e2d1f9409b1bbae7e10b94e5dc1e98959cd9d67397c1a83c4f622a9f3d5b5d61f09
7
- data.tar.gz: 507b03b508b1725f8c2a67397e4b3b9e7c337e92b519c93cd8687bf371df844dfe3f15fdb3efd5e4f9bfd70b19842b7eec48cf27d888c1552a084f33fab37db0
6
+ metadata.gz: a7929ae8c091cbf9930e9b8f0f5a16dbf3b02e9f3ab9606370dd205c1153a72b921e9d7878c96be2ad7b968273f6ebb1d297eb984fefa0ac8367140835f0a50d
7
+ data.tar.gz: d946f74bc710c3018f790a670290d94cc1d75d494a899d9116336a76a52e3f30ab1ba1122e18b45d22766c0e2c86a3b17c2ca0ab8dcdacf03323a80cfc493b46
data/CHANGELOG.md CHANGED
@@ -1,5 +1,33 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.13.0 / 2021-12-10
4
+
5
+ ### Bug fixes
6
+
7
+ * Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
8
+
9
+
10
+ ## 2.12.0 / 2021-08-11
11
+
12
+ ### Features
13
+
14
+ * Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
15
+
16
+
17
+ ## 2.11.0 / 2021-07-31
18
+
19
+ ### Features
20
+
21
+ * Allow HTML5 element `wbr`.
22
+ * Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
23
+
24
+
25
+ ### Changes
26
+
27
+ * Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
28
+ * Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
29
+
30
+
3
31
  ## 2.10.0 / 2021-06-06
4
32
 
5
33
  ### Features
data/README.md CHANGED
@@ -6,8 +6,7 @@
6
6
 
7
7
  ## Status
8
8
 
9
- [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-3.0/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah)
10
- [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
9
+ [![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
11
10
  [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
12
11
 
13
12
 
@@ -140,6 +140,7 @@ module Loofah
140
140
  "ul",
141
141
  "var",
142
142
  "video",
143
+ "wbr",
143
144
  ])
144
145
 
145
146
  MATHML_ELEMENTS = Set.new([
@@ -637,6 +638,8 @@ module Loofah
637
638
  "green",
638
639
  "groove",
639
640
  "hidden",
641
+ "inherit",
642
+ "initial",
640
643
  "inset",
641
644
  "italic",
642
645
  "left",
@@ -652,16 +655,19 @@ module Loofah
652
655
  "pointer",
653
656
  "purple",
654
657
  "red",
658
+ "revert",
655
659
  "ridge",
656
660
  "right",
661
+ "separate",
657
662
  "silver",
658
663
  "solid",
659
664
  "teal",
660
- "thin",
661
665
  "thick",
666
+ "thin",
662
667
  "top",
663
668
  "transparent",
664
669
  "underline",
670
+ "unset",
665
671
  "white",
666
672
  "yellow",
667
673
  ])
@@ -788,18 +794,14 @@ module Loofah
788
794
  ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
789
795
  ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
790
796
 
797
+ # TODO: remove VOID_ELEMENTS in a future major release
798
+ # and put it in the tests (it is used only for testing, not for functional behavior)
791
799
  VOID_ELEMENTS = Set.new([
792
800
  "area",
793
- "base",
794
801
  "br",
795
- "col",
796
- "embed",
797
802
  "hr",
798
803
  "img",
799
804
  "input",
800
- "link",
801
- "meta",
802
- "param",
803
805
  ])
804
806
 
805
807
  # additional tags we should consider safe since we have libxml2 fixing up our documents.
@@ -10,6 +10,7 @@ module Loofah
10
10
  CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
11
11
  CSS_IMPORTANT = '!important'
12
12
  CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
13
+ DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
13
14
 
14
15
  class << self
15
16
  def allowed_element?(element_name)
@@ -25,7 +26,7 @@ module Loofah
25
26
  attr_node.node_name
26
27
  end
27
28
 
28
- if attr_name =~ /\Adata-[\w-]+\z/
29
+ if attr_name =~ DATA_ATTRIBUTE_NAME
29
30
  next
30
31
  end
31
32
 
@@ -62,7 +63,9 @@ module Loofah
62
63
  scrub_css_attribute(node)
63
64
 
64
65
  node.attribute_nodes.each do |attr_node|
65
- node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
66
+ if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
67
+ node.remove_attribute(attr_node.name)
68
+ end
66
69
  end
67
70
 
68
71
  force_correct_attribute_escaping!(node)
@@ -93,7 +93,11 @@ module Loofah
93
93
  # frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
94
94
  #
95
95
  def text(options = {})
96
- result = serialize_root.children.inner_text rescue ""
96
+ result = if serialize_root
97
+ serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
98
+ else
99
+ ""
100
+ end
97
101
  if options[:encode_special_chars] == false
98
102
  result # possibly dangerous if rendered in a browser
99
103
  else
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
  module Loofah
3
3
  # The version of Loofah you are using
4
- VERSION = "2.10.0"
4
+ VERSION = "2.13.0"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: loofah
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.10.0
4
+ version: 2.13.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Dalessio
@@ -9,22 +9,8 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2021-06-06 00:00:00.000000000 Z
12
+ date: 2021-12-10 00:00:00.000000000 Z
13
13
  dependencies:
14
- - !ruby/object:Gem::Dependency
15
- name: nokogiri
16
- requirement: !ruby/object:Gem::Requirement
17
- requirements:
18
- - - ">="
19
- - !ruby/object:Gem::Version
20
- version: 1.5.9
21
- type: :runtime
22
- prerelease: false
23
- version_requirements: !ruby/object:Gem::Requirement
24
- requirements:
25
- - - ">="
26
- - !ruby/object:Gem::Version
27
- version: 1.5.9
28
14
  - !ruby/object:Gem::Dependency
29
15
  name: crass
30
16
  requirement: !ruby/object:Gem::Requirement
@@ -40,47 +26,33 @@ dependencies:
40
26
  - !ruby/object:Gem::Version
41
27
  version: 1.0.2
42
28
  - !ruby/object:Gem::Dependency
43
- name: rake
44
- requirement: !ruby/object:Gem::Requirement
45
- requirements:
46
- - - "~>"
47
- - !ruby/object:Gem::Version
48
- version: '13.0'
49
- type: :development
50
- prerelease: false
51
- version_requirements: !ruby/object:Gem::Requirement
52
- requirements:
53
- - - "~>"
54
- - !ruby/object:Gem::Version
55
- version: '13.0'
56
- - !ruby/object:Gem::Dependency
57
- name: minitest
29
+ name: nokogiri
58
30
  requirement: !ruby/object:Gem::Requirement
59
31
  requirements:
60
- - - "~>"
32
+ - - ">="
61
33
  - !ruby/object:Gem::Version
62
- version: '5.14'
63
- type: :development
34
+ version: 1.5.9
35
+ type: :runtime
64
36
  prerelease: false
65
37
  version_requirements: !ruby/object:Gem::Requirement
66
38
  requirements:
67
- - - "~>"
39
+ - - ">="
68
40
  - !ruby/object:Gem::Version
69
- version: '5.14'
41
+ version: 1.5.9
70
42
  - !ruby/object:Gem::Dependency
71
- name: rr
43
+ name: hoe-markdown
72
44
  requirement: !ruby/object:Gem::Requirement
73
45
  requirements:
74
46
  - - "~>"
75
47
  - !ruby/object:Gem::Version
76
- version: 1.2.0
48
+ version: '1.3'
77
49
  type: :development
78
50
  prerelease: false
79
51
  version_requirements: !ruby/object:Gem::Requirement
80
52
  requirements:
81
53
  - - "~>"
82
54
  - !ruby/object:Gem::Version
83
- version: 1.2.0
55
+ version: '1.3'
84
56
  - !ruby/object:Gem::Dependency
85
57
  name: json
86
58
  requirement: !ruby/object:Gem::Requirement
@@ -96,33 +68,33 @@ dependencies:
96
68
  - !ruby/object:Gem::Version
97
69
  version: '2.2'
98
70
  - !ruby/object:Gem::Dependency
99
- name: concourse
71
+ name: minitest
100
72
  requirement: !ruby/object:Gem::Requirement
101
73
  requirements:
102
74
  - - "~>"
103
75
  - !ruby/object:Gem::Version
104
- version: '0.33'
76
+ version: '5.14'
105
77
  type: :development
106
78
  prerelease: false
107
79
  version_requirements: !ruby/object:Gem::Requirement
108
80
  requirements:
109
81
  - - "~>"
110
82
  - !ruby/object:Gem::Version
111
- version: '0.33'
83
+ version: '5.14'
112
84
  - !ruby/object:Gem::Dependency
113
- name: rubocop
85
+ name: rake
114
86
  requirement: !ruby/object:Gem::Requirement
115
87
  requirements:
116
88
  - - "~>"
117
89
  - !ruby/object:Gem::Version
118
- version: '1.1'
90
+ version: '13.0'
119
91
  type: :development
120
92
  prerelease: false
121
93
  version_requirements: !ruby/object:Gem::Requirement
122
94
  requirements:
123
95
  - - "~>"
124
96
  - !ruby/object:Gem::Version
125
- version: '1.1'
97
+ version: '13.0'
126
98
  - !ruby/object:Gem::Dependency
127
99
  name: rdoc
128
100
  requirement: !ruby/object:Gem::Requirement
@@ -144,19 +116,33 @@ dependencies:
144
116
  - !ruby/object:Gem::Version
145
117
  version: '7'
146
118
  - !ruby/object:Gem::Dependency
147
- name: hoe-markdown
119
+ name: rr
148
120
  requirement: !ruby/object:Gem::Requirement
149
121
  requirements:
150
122
  - - "~>"
151
123
  - !ruby/object:Gem::Version
152
- version: '1.3'
124
+ version: 1.2.0
153
125
  type: :development
154
126
  prerelease: false
155
127
  version_requirements: !ruby/object:Gem::Requirement
156
128
  requirements:
157
129
  - - "~>"
158
130
  - !ruby/object:Gem::Version
159
- version: '1.3'
131
+ version: 1.2.0
132
+ - !ruby/object:Gem::Dependency
133
+ name: rubocop
134
+ requirement: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - "~>"
137
+ - !ruby/object:Gem::Version
138
+ version: '1.1'
139
+ type: :development
140
+ prerelease: false
141
+ version_requirements: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - "~>"
144
+ - !ruby/object:Gem::Version
145
+ version: '1.1'
160
146
  description: |-
161
147
  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
162
148
 
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
213
199
  - !ruby/object:Gem::Version
214
200
  version: '0'
215
201
  requirements: []
216
- rubygems_version: 3.2.15
202
+ rubygems_version: 3.2.32
217
203
  signing_key:
218
204
  specification_version: 4
219
205
  summary: Loofah is a general library for manipulating and transforming HTML/XML documents