loofah 2.10.0 → 2.14.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/README.md +5 -7
- data/lib/loofah/elements.rb +5 -2
- data/lib/loofah/html5/safelist.rb +9 -7
- data/lib/loofah/html5/scrub.rb +5 -2
- data/lib/loofah/instance_methods.rb +9 -5
- data/lib/loofah/scrubbers.rb +7 -2
- data/lib/loofah/version.rb +1 -1
- metadata +35 -49
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 95836cdfac672774704d62557836c319edf8c1ffd17323b61c749aabbb71f6b6
|
4
|
+
data.tar.gz: ddc0bc8f3dc588cc4a69651debacb404cedc02e047f585bde0758ec4186d6018
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 05b043ea1e8de851488dc084cae3f596816b54549cfc4f9a1d5fd675093d8dc06956e6880286adcdcffe5aca6d29e46a97052cc526cc7b3667277ff8a9575ba7
|
7
|
+
data.tar.gz: fd0fbee37a8150709ba178889d96532a4b2efdd402ccc2d922c2022a88f04188ebc221037d522cf7af67eaf3f1c4d74acba1de37ca2f70e1d0214afff69f6f85
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,40 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.14.0 / 2022-02-11
|
4
|
+
|
5
|
+
### Features
|
6
|
+
|
7
|
+
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
|
8
|
+
|
9
|
+
|
10
|
+
## 2.13.0 / 2021-12-10
|
11
|
+
|
12
|
+
### Bug fixes
|
13
|
+
|
14
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
15
|
+
|
16
|
+
|
17
|
+
## 2.12.0 / 2021-08-11
|
18
|
+
|
19
|
+
### Features
|
20
|
+
|
21
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
22
|
+
|
23
|
+
|
24
|
+
## 2.11.0 / 2021-07-31
|
25
|
+
|
26
|
+
### Features
|
27
|
+
|
28
|
+
* Allow HTML5 element `wbr`.
|
29
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
30
|
+
|
31
|
+
|
32
|
+
### Changes
|
33
|
+
|
34
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
35
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
36
|
+
|
37
|
+
|
3
38
|
## 2.10.0 / 2021-06-06
|
4
39
|
|
5
40
|
### Features
|
data/README.md
CHANGED
@@ -6,8 +6,7 @@
|
|
6
6
|
|
7
7
|
## Status
|
8
8
|
|
9
|
-
[![
|
10
|
-
[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
|
9
|
+
[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
|
11
10
|
[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
|
12
11
|
|
13
12
|
|
@@ -134,13 +133,12 @@ and `text` to return plain text:
|
|
134
133
|
doc.text # => "ohai! div is safe "
|
135
134
|
```
|
136
135
|
|
137
|
-
Also, `to_text` is available, which does the right thing with
|
138
|
-
whitespace around block-level elements.
|
136
|
+
Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
|
139
137
|
|
140
138
|
``` ruby
|
141
|
-
doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
|
142
|
-
doc.text # => "
|
143
|
-
doc.to_text # => "\nTitle\n\nContent\n"
|
139
|
+
doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
|
140
|
+
doc.text # => "TitleContentNext line" # probably not what you want
|
141
|
+
doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
|
144
142
|
```
|
145
143
|
|
146
144
|
### Loofah::XML::Document and Loofah::XML::DocumentFragment
|
data/lib/loofah/elements.rb
CHANGED
@@ -70,8 +70,6 @@ module Loofah
|
|
70
70
|
video
|
71
71
|
]
|
72
72
|
|
73
|
-
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
74
|
-
|
75
73
|
# The following elements may also be considered block-level
|
76
74
|
# elements since they may contain block-level elements
|
77
75
|
LOOSE_BLOCK_LEVEL = Set.new %w[dd
|
@@ -86,7 +84,12 @@ module Loofah
|
|
86
84
|
tr
|
87
85
|
]
|
88
86
|
|
87
|
+
# Elements that aren't block but should generate a newline in #to_text
|
88
|
+
INLINE_LINE_BREAK = Set.new(["br"])
|
89
|
+
|
90
|
+
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
89
91
|
BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
|
92
|
+
LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
|
90
93
|
end
|
91
94
|
|
92
95
|
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
|
@@ -140,6 +140,7 @@ module Loofah
|
|
140
140
|
"ul",
|
141
141
|
"var",
|
142
142
|
"video",
|
143
|
+
"wbr",
|
143
144
|
])
|
144
145
|
|
145
146
|
MATHML_ELEMENTS = Set.new([
|
@@ -637,6 +638,8 @@ module Loofah
|
|
637
638
|
"green",
|
638
639
|
"groove",
|
639
640
|
"hidden",
|
641
|
+
"inherit",
|
642
|
+
"initial",
|
640
643
|
"inset",
|
641
644
|
"italic",
|
642
645
|
"left",
|
@@ -652,16 +655,19 @@ module Loofah
|
|
652
655
|
"pointer",
|
653
656
|
"purple",
|
654
657
|
"red",
|
658
|
+
"revert",
|
655
659
|
"ridge",
|
656
660
|
"right",
|
661
|
+
"separate",
|
657
662
|
"silver",
|
658
663
|
"solid",
|
659
664
|
"teal",
|
660
|
-
"thin",
|
661
665
|
"thick",
|
666
|
+
"thin",
|
662
667
|
"top",
|
663
668
|
"transparent",
|
664
669
|
"underline",
|
670
|
+
"unset",
|
665
671
|
"white",
|
666
672
|
"yellow",
|
667
673
|
])
|
@@ -788,18 +794,14 @@ module Loofah
|
|
788
794
|
ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
|
789
795
|
ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
|
790
796
|
|
797
|
+
# TODO: remove VOID_ELEMENTS in a future major release
|
798
|
+
# and put it in the tests (it is used only for testing, not for functional behavior)
|
791
799
|
VOID_ELEMENTS = Set.new([
|
792
800
|
"area",
|
793
|
-
"base",
|
794
801
|
"br",
|
795
|
-
"col",
|
796
|
-
"embed",
|
797
802
|
"hr",
|
798
803
|
"img",
|
799
804
|
"input",
|
800
|
-
"link",
|
801
|
-
"meta",
|
802
|
-
"param",
|
803
805
|
])
|
804
806
|
|
805
807
|
# additional tags we should consider safe since we have libxml2 fixing up our documents.
|
data/lib/loofah/html5/scrub.rb
CHANGED
@@ -10,6 +10,7 @@ module Loofah
|
|
10
10
|
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
|
11
11
|
CSS_IMPORTANT = '!important'
|
12
12
|
CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
|
13
|
+
DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
|
13
14
|
|
14
15
|
class << self
|
15
16
|
def allowed_element?(element_name)
|
@@ -25,7 +26,7 @@ module Loofah
|
|
25
26
|
attr_node.node_name
|
26
27
|
end
|
27
28
|
|
28
|
-
if attr_name =~
|
29
|
+
if attr_name =~ DATA_ATTRIBUTE_NAME
|
29
30
|
next
|
30
31
|
end
|
31
32
|
|
@@ -62,7 +63,9 @@ module Loofah
|
|
62
63
|
scrub_css_attribute(node)
|
63
64
|
|
64
65
|
node.attribute_nodes.each do |attr_node|
|
65
|
-
|
66
|
+
if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
|
67
|
+
node.remove_attribute(attr_node.name)
|
68
|
+
end
|
66
69
|
end
|
67
70
|
|
68
71
|
force_correct_attribute_escaping!(node)
|
@@ -93,7 +93,11 @@ module Loofah
|
|
93
93
|
# frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
|
94
94
|
#
|
95
95
|
def text(options = {})
|
96
|
-
result = serialize_root
|
96
|
+
result = if serialize_root
|
97
|
+
serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
|
98
|
+
else
|
99
|
+
""
|
100
|
+
end
|
97
101
|
if options[:encode_special_chars] == false
|
98
102
|
result # possibly dangerous if rendered in a browser
|
99
103
|
else
|
@@ -108,11 +112,11 @@ module Loofah
|
|
108
112
|
# Returns a plain-text version of the markup contained by the
|
109
113
|
# fragment, with HTML entities encoded.
|
110
114
|
#
|
111
|
-
# This method is slower than #
|
112
|
-
# whitespace around block elements.
|
115
|
+
# This method is slower than #text, but is clever about
|
116
|
+
# whitespace around block elements and line break elements.
|
113
117
|
#
|
114
|
-
# Loofah.document("<h1>Title</h1><div>Content</div>").to_text
|
115
|
-
# # => "\nTitle\n\nContent\n"
|
118
|
+
# Loofah.document("<h1>Title</h1><div>Content<br>Next line</div>").to_text
|
119
|
+
# # => "\nTitle\n\nContent\nNext line\n"
|
116
120
|
#
|
117
121
|
def to_text(options = {})
|
118
122
|
Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
|
data/lib/loofah/scrubbers.rb
CHANGED
@@ -240,8 +240,13 @@ module Loofah
|
|
240
240
|
end
|
241
241
|
|
242
242
|
def scrub(node)
|
243
|
-
return CONTINUE unless Loofah::Elements::
|
244
|
-
|
243
|
+
return CONTINUE unless Loofah::Elements::LINEBREAKERS.include?(node.name)
|
244
|
+
replacement = if Loofah::Elements::INLINE_LINE_BREAK.include?(node.name)
|
245
|
+
"\n"
|
246
|
+
else
|
247
|
+
"\n#{node.content}\n"
|
248
|
+
end
|
249
|
+
node.add_next_sibling Nokogiri::XML::Text.new(replacement, node.document)
|
245
250
|
node.remove
|
246
251
|
end
|
247
252
|
end
|
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.14.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
@@ -9,22 +9,8 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
|
-
- !ruby/object:Gem::Dependency
|
15
|
-
name: nokogiri
|
16
|
-
requirement: !ruby/object:Gem::Requirement
|
17
|
-
requirements:
|
18
|
-
- - ">="
|
19
|
-
- !ruby/object:Gem::Version
|
20
|
-
version: 1.5.9
|
21
|
-
type: :runtime
|
22
|
-
prerelease: false
|
23
|
-
version_requirements: !ruby/object:Gem::Requirement
|
24
|
-
requirements:
|
25
|
-
- - ">="
|
26
|
-
- !ruby/object:Gem::Version
|
27
|
-
version: 1.5.9
|
28
14
|
- !ruby/object:Gem::Dependency
|
29
15
|
name: crass
|
30
16
|
requirement: !ruby/object:Gem::Requirement
|
@@ -40,47 +26,33 @@ dependencies:
|
|
40
26
|
- !ruby/object:Gem::Version
|
41
27
|
version: 1.0.2
|
42
28
|
- !ruby/object:Gem::Dependency
|
43
|
-
name:
|
44
|
-
requirement: !ruby/object:Gem::Requirement
|
45
|
-
requirements:
|
46
|
-
- - "~>"
|
47
|
-
- !ruby/object:Gem::Version
|
48
|
-
version: '13.0'
|
49
|
-
type: :development
|
50
|
-
prerelease: false
|
51
|
-
version_requirements: !ruby/object:Gem::Requirement
|
52
|
-
requirements:
|
53
|
-
- - "~>"
|
54
|
-
- !ruby/object:Gem::Version
|
55
|
-
version: '13.0'
|
56
|
-
- !ruby/object:Gem::Dependency
|
57
|
-
name: minitest
|
29
|
+
name: nokogiri
|
58
30
|
requirement: !ruby/object:Gem::Requirement
|
59
31
|
requirements:
|
60
|
-
- - "
|
32
|
+
- - ">="
|
61
33
|
- !ruby/object:Gem::Version
|
62
|
-
version:
|
63
|
-
type: :
|
34
|
+
version: 1.5.9
|
35
|
+
type: :runtime
|
64
36
|
prerelease: false
|
65
37
|
version_requirements: !ruby/object:Gem::Requirement
|
66
38
|
requirements:
|
67
|
-
- - "
|
39
|
+
- - ">="
|
68
40
|
- !ruby/object:Gem::Version
|
69
|
-
version:
|
41
|
+
version: 1.5.9
|
70
42
|
- !ruby/object:Gem::Dependency
|
71
|
-
name:
|
43
|
+
name: hoe-markdown
|
72
44
|
requirement: !ruby/object:Gem::Requirement
|
73
45
|
requirements:
|
74
46
|
- - "~>"
|
75
47
|
- !ruby/object:Gem::Version
|
76
|
-
version: 1.
|
48
|
+
version: '1.3'
|
77
49
|
type: :development
|
78
50
|
prerelease: false
|
79
51
|
version_requirements: !ruby/object:Gem::Requirement
|
80
52
|
requirements:
|
81
53
|
- - "~>"
|
82
54
|
- !ruby/object:Gem::Version
|
83
|
-
version: 1.
|
55
|
+
version: '1.3'
|
84
56
|
- !ruby/object:Gem::Dependency
|
85
57
|
name: json
|
86
58
|
requirement: !ruby/object:Gem::Requirement
|
@@ -96,33 +68,33 @@ dependencies:
|
|
96
68
|
- !ruby/object:Gem::Version
|
97
69
|
version: '2.2'
|
98
70
|
- !ruby/object:Gem::Dependency
|
99
|
-
name:
|
71
|
+
name: minitest
|
100
72
|
requirement: !ruby/object:Gem::Requirement
|
101
73
|
requirements:
|
102
74
|
- - "~>"
|
103
75
|
- !ruby/object:Gem::Version
|
104
|
-
version: '
|
76
|
+
version: '5.14'
|
105
77
|
type: :development
|
106
78
|
prerelease: false
|
107
79
|
version_requirements: !ruby/object:Gem::Requirement
|
108
80
|
requirements:
|
109
81
|
- - "~>"
|
110
82
|
- !ruby/object:Gem::Version
|
111
|
-
version: '
|
83
|
+
version: '5.14'
|
112
84
|
- !ruby/object:Gem::Dependency
|
113
|
-
name:
|
85
|
+
name: rake
|
114
86
|
requirement: !ruby/object:Gem::Requirement
|
115
87
|
requirements:
|
116
88
|
- - "~>"
|
117
89
|
- !ruby/object:Gem::Version
|
118
|
-
version: '
|
90
|
+
version: '13.0'
|
119
91
|
type: :development
|
120
92
|
prerelease: false
|
121
93
|
version_requirements: !ruby/object:Gem::Requirement
|
122
94
|
requirements:
|
123
95
|
- - "~>"
|
124
96
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
97
|
+
version: '13.0'
|
126
98
|
- !ruby/object:Gem::Dependency
|
127
99
|
name: rdoc
|
128
100
|
requirement: !ruby/object:Gem::Requirement
|
@@ -144,19 +116,33 @@ dependencies:
|
|
144
116
|
- !ruby/object:Gem::Version
|
145
117
|
version: '7'
|
146
118
|
- !ruby/object:Gem::Dependency
|
147
|
-
name:
|
119
|
+
name: rr
|
148
120
|
requirement: !ruby/object:Gem::Requirement
|
149
121
|
requirements:
|
150
122
|
- - "~>"
|
151
123
|
- !ruby/object:Gem::Version
|
152
|
-
version:
|
124
|
+
version: 1.2.0
|
153
125
|
type: :development
|
154
126
|
prerelease: false
|
155
127
|
version_requirements: !ruby/object:Gem::Requirement
|
156
128
|
requirements:
|
157
129
|
- - "~>"
|
158
130
|
- !ruby/object:Gem::Version
|
159
|
-
version:
|
131
|
+
version: 1.2.0
|
132
|
+
- !ruby/object:Gem::Dependency
|
133
|
+
name: rubocop
|
134
|
+
requirement: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - "~>"
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '1.1'
|
139
|
+
type: :development
|
140
|
+
prerelease: false
|
141
|
+
version_requirements: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - "~>"
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '1.1'
|
160
146
|
description: |-
|
161
147
|
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
|
162
148
|
|
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
213
199
|
- !ruby/object:Gem::Version
|
214
200
|
version: '0'
|
215
201
|
requirements: []
|
216
|
-
rubygems_version: 3.
|
202
|
+
rubygems_version: 3.3.5
|
217
203
|
signing_key:
|
218
204
|
specification_version: 4
|
219
205
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|