loofah 2.10.0 → 2.13.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -0
- data/README.md +1 -2
- data/lib/loofah/html5/safelist.rb +9 -7
- data/lib/loofah/html5/scrub.rb +5 -2
- data/lib/loofah/instance_methods.rb +5 -1
- data/lib/loofah/version.rb +1 -1
- metadata +35 -49
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1d9193264008cab1a3f6b35a5b0c6862e781f99385a35d3f6c6714930bd18d3c
|
4
|
+
data.tar.gz: 0b8651064006fb2b5ac201b11e24e0bebc8ec4ab523a3b3d830514247d498e28
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a7929ae8c091cbf9930e9b8f0f5a16dbf3b02e9f3ab9606370dd205c1153a72b921e9d7878c96be2ad7b968273f6ebb1d297eb984fefa0ac8367140835f0a50d
|
7
|
+
data.tar.gz: d946f74bc710c3018f790a670290d94cc1d75d494a899d9116336a76a52e3f30ab1ba1122e18b45d22766c0e2c86a3b17c2ca0ab8dcdacf03323a80cfc493b46
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,33 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.13.0 / 2021-12-10
|
4
|
+
|
5
|
+
### Bug fixes
|
6
|
+
|
7
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
8
|
+
|
9
|
+
|
10
|
+
## 2.12.0 / 2021-08-11
|
11
|
+
|
12
|
+
### Features
|
13
|
+
|
14
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
15
|
+
|
16
|
+
|
17
|
+
## 2.11.0 / 2021-07-31
|
18
|
+
|
19
|
+
### Features
|
20
|
+
|
21
|
+
* Allow HTML5 element `wbr`.
|
22
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
23
|
+
|
24
|
+
|
25
|
+
### Changes
|
26
|
+
|
27
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
28
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
29
|
+
|
30
|
+
|
3
31
|
## 2.10.0 / 2021-06-06
|
4
32
|
|
5
33
|
### Features
|
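--- a/data/README.md
+++ b/data/README.md
@@ -6,8 +6,7 @@
 
 ## Status
 
-[![
-[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
+[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
 [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
 
 
--- a/data/lib/loofah/html5/safelist.rb
+++ b/data/lib/loofah/html5/safelist.rb
@@ -140,6 +140,7 @@ module Loofah
 "ul",
 "var",
 "video",
+"wbr",
 ])
 
 MATHML_ELEMENTS = Set.new([
@@ -637,6 +638,8 @@ module Loofah
 "green",
 "groove",
 "hidden",
+"inherit",
+"initial",
 "inset",
 "italic",
 "left",
@@ -652,16 +655,19 @@ module Loofah
 "pointer",
 "purple",
 "red",
+"revert",
 "ridge",
 "right",
+"separate",
 "silver",
 "solid",
 "teal",
-"thin",
 "thick",
+"thin",
 "top",
 "transparent",
 "underline",
+"unset",
 "white",
 "yellow",
 ])
@@ -788,18 +794,14 @@ module Loofah
 ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
 ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
 
+# TODO: remove VOID_ELEMENTS in a future major release
+# and put it in the tests (it is used only for testing, not for functional behavior)
 VOID_ELEMENTS = Set.new([
 "area",
-"base",
 "br",
-"col",
-"embed",
 "hr",
 "img",
 "input",
-"link",
-"meta",
-"param",
 ])
 
 # additional tags we should consider safe since we have libxml2 fixing up our documents.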
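--- a/data/lib/loofah/html5/scrub.rb
+++ b/data/lib/loofah/html5/scrub.rb
@@ -10,6 +10,7 @@ module Loofah
 CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
 CSS_IMPORTANT = '!important'
 CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
+DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
 
 class << self
 def allowed_element?(element_name)
@@ -25,7 +26,7 @@ module Loofah
 attr_node.node_name
 end
 
-if attr_name =~
+if attr_name =~ DATA_ATTRIBUTE_NAME
 next
 end
 
@@ -62,7 +63,9 @@ module Loofah
 scrub_css_attribute(node)
 
 node.attribute_nodes.each do |attr_node|
-
+if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
+node.remove_attribute(attr_node.name)
+end
 end
 
 force_correct_attribute_escaping!(node)
--- a/data/lib/loofah/instance_methods.rb
+++ b/data/lib/loofah/instance_methods.rb
@@ -93,7 +93,11 @@ module Loofah
 # frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
 #
 def text(options = {})
-result = serialize_root
+result = if serialize_root
+serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
+else
+""
+end
 if options[:encode_special_chars] == false
 result # possibly dangerous if rendered in a browser
 else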
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.13.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
@@ -9,22 +9,8 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2021-
|
12
|
+
date: 2021-12-10 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
|
-
- !ruby/object:Gem::Dependency
|
15
|
-
name: nokogiri
|
16
|
-
requirement: !ruby/object:Gem::Requirement
|
17
|
-
requirements:
|
18
|
-
- - ">="
|
19
|
-
- !ruby/object:Gem::Version
|
20
|
-
version: 1.5.9
|
21
|
-
type: :runtime
|
22
|
-
prerelease: false
|
23
|
-
version_requirements: !ruby/object:Gem::Requirement
|
24
|
-
requirements:
|
25
|
-
- - ">="
|
26
|
-
- !ruby/object:Gem::Version
|
27
|
-
version: 1.5.9
|
28
14
|
- !ruby/object:Gem::Dependency
|
29
15
|
name: crass
|
30
16
|
requirement: !ruby/object:Gem::Requirement
|
@@ -40,47 +26,33 @@ dependencies:
|
|
40
26
|
- !ruby/object:Gem::Version
|
41
27
|
version: 1.0.2
|
42
28
|
- !ruby/object:Gem::Dependency
|
43
|
-
name:
|
44
|
-
requirement: !ruby/object:Gem::Requirement
|
45
|
-
requirements:
|
46
|
-
- - "~>"
|
47
|
-
- !ruby/object:Gem::Version
|
48
|
-
version: '13.0'
|
49
|
-
type: :development
|
50
|
-
prerelease: false
|
51
|
-
version_requirements: !ruby/object:Gem::Requirement
|
52
|
-
requirements:
|
53
|
-
- - "~>"
|
54
|
-
- !ruby/object:Gem::Version
|
55
|
-
version: '13.0'
|
56
|
-
- !ruby/object:Gem::Dependency
|
57
|
-
name: minitest
|
29
|
+
name: nokogiri
|
58
30
|
requirement: !ruby/object:Gem::Requirement
|
59
31
|
requirements:
|
60
|
-
- - "
|
32
|
+
- - ">="
|
61
33
|
- !ruby/object:Gem::Version
|
62
|
-
version:
|
63
|
-
type: :
|
34
|
+
version: 1.5.9
|
35
|
+
type: :runtime
|
64
36
|
prerelease: false
|
65
37
|
version_requirements: !ruby/object:Gem::Requirement
|
66
38
|
requirements:
|
67
|
-
- - "
|
39
|
+
- - ">="
|
68
40
|
- !ruby/object:Gem::Version
|
69
|
-
version:
|
41
|
+
version: 1.5.9
|
70
42
|
- !ruby/object:Gem::Dependency
|
71
|
-
name:
|
43
|
+
name: hoe-markdown
|
72
44
|
requirement: !ruby/object:Gem::Requirement
|
73
45
|
requirements:
|
74
46
|
- - "~>"
|
75
47
|
- !ruby/object:Gem::Version
|
76
|
-
version: 1.
|
48
|
+
version: '1.3'
|
77
49
|
type: :development
|
78
50
|
prerelease: false
|
79
51
|
version_requirements: !ruby/object:Gem::Requirement
|
80
52
|
requirements:
|
81
53
|
- - "~>"
|
82
54
|
- !ruby/object:Gem::Version
|
83
|
-
version: 1.
|
55
|
+
version: '1.3'
|
84
56
|
- !ruby/object:Gem::Dependency
|
85
57
|
name: json
|
86
58
|
requirement: !ruby/object:Gem::Requirement
|
@@ -96,33 +68,33 @@ dependencies:
|
|
96
68
|
- !ruby/object:Gem::Version
|
97
69
|
version: '2.2'
|
98
70
|
- !ruby/object:Gem::Dependency
|
99
|
-
name:
|
71
|
+
name: minitest
|
100
72
|
requirement: !ruby/object:Gem::Requirement
|
101
73
|
requirements:
|
102
74
|
- - "~>"
|
103
75
|
- !ruby/object:Gem::Version
|
104
|
-
version: '
|
76
|
+
version: '5.14'
|
105
77
|
type: :development
|
106
78
|
prerelease: false
|
107
79
|
version_requirements: !ruby/object:Gem::Requirement
|
108
80
|
requirements:
|
109
81
|
- - "~>"
|
110
82
|
- !ruby/object:Gem::Version
|
111
|
-
version: '
|
83
|
+
version: '5.14'
|
112
84
|
- !ruby/object:Gem::Dependency
|
113
|
-
name:
|
85
|
+
name: rake
|
114
86
|
requirement: !ruby/object:Gem::Requirement
|
115
87
|
requirements:
|
116
88
|
- - "~>"
|
117
89
|
- !ruby/object:Gem::Version
|
118
|
-
version: '
|
90
|
+
version: '13.0'
|
119
91
|
type: :development
|
120
92
|
prerelease: false
|
121
93
|
version_requirements: !ruby/object:Gem::Requirement
|
122
94
|
requirements:
|
123
95
|
- - "~>"
|
124
96
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
97
|
+
version: '13.0'
|
126
98
|
- !ruby/object:Gem::Dependency
|
127
99
|
name: rdoc
|
128
100
|
requirement: !ruby/object:Gem::Requirement
|
@@ -144,19 +116,33 @@ dependencies:
|
|
144
116
|
- !ruby/object:Gem::Version
|
145
117
|
version: '7'
|
146
118
|
- !ruby/object:Gem::Dependency
|
147
|
-
name:
|
119
|
+
name: rr
|
148
120
|
requirement: !ruby/object:Gem::Requirement
|
149
121
|
requirements:
|
150
122
|
- - "~>"
|
151
123
|
- !ruby/object:Gem::Version
|
152
|
-
version:
|
124
|
+
version: 1.2.0
|
153
125
|
type: :development
|
154
126
|
prerelease: false
|
155
127
|
version_requirements: !ruby/object:Gem::Requirement
|
156
128
|
requirements:
|
157
129
|
- - "~>"
|
158
130
|
- !ruby/object:Gem::Version
|
159
|
-
version:
|
131
|
+
version: 1.2.0
|
132
|
+
- !ruby/object:Gem::Dependency
|
133
|
+
name: rubocop
|
134
|
+
requirement: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - "~>"
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '1.1'
|
139
|
+
type: :development
|
140
|
+
prerelease: false
|
141
|
+
version_requirements: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - "~>"
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '1.1'
|
160
146
|
description: |-
|
161
147
|
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
|
162
148
|
|
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
213
199
|
- !ruby/object:Gem::Version
|
214
200
|
version: '0'
|
215
201
|
requirements: []
|
216
|
-
rubygems_version: 3.2.
|
202
|
+
rubygems_version: 3.2.32
|
217
203
|
signing_key:
|
218
204
|
specification_version: 4
|
219
205
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|