loofah 2.19.1 → 2.21.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +48 -0
- data/README.md +97 -106
- data/lib/loofah/concerns.rb +207 -0
- data/lib/loofah/elements.rb +78 -76
- data/lib/loofah/helpers.rb +21 -15
- data/lib/loofah/{html → html4}/document.rb +5 -7
- data/lib/loofah/html4/document_fragment.rb +15 -0
- data/lib/loofah/html5/document.rb +17 -0
- data/lib/loofah/html5/document_fragment.rb +15 -0
- data/lib/loofah/html5/libxml2_workarounds.rb +7 -6
- data/lib/loofah/html5/safelist.rb +937 -924
- data/lib/loofah/html5/scrub.rb +31 -31
- data/lib/loofah/metahelpers.rb +10 -6
- data/lib/loofah/scrubber.rb +10 -8
- data/lib/loofah/scrubbers.rb +52 -43
- data/lib/loofah/version.rb +2 -1
- data/lib/loofah/xml/document.rb +1 -0
- data/lib/loofah/xml/document_fragment.rb +2 -6
- data/lib/loofah.rb +119 -43
- metadata +14 -116
- data/lib/loofah/html/document_fragment.rb +0 -42
- data/lib/loofah/instance_methods.rb +0 -133
data/lib/loofah/elements.rb
CHANGED
|
@@ -1,88 +1,90 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
|
+
|
|
2
3
|
require "set"
|
|
3
4
|
|
|
4
5
|
module Loofah
|
|
5
6
|
module Elements
|
|
6
|
-
STRICT_BLOCK_LEVEL_HTML4 = Set.new
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
7
|
+
STRICT_BLOCK_LEVEL_HTML4 = Set.new([
|
|
8
|
+
"address",
|
|
9
|
+
"blockquote",
|
|
10
|
+
"center",
|
|
11
|
+
"dir",
|
|
12
|
+
"div",
|
|
13
|
+
"dl",
|
|
14
|
+
"fieldset",
|
|
15
|
+
"form",
|
|
16
|
+
"h1",
|
|
17
|
+
"h2",
|
|
18
|
+
"h3",
|
|
19
|
+
"h4",
|
|
20
|
+
"h5",
|
|
21
|
+
"h6",
|
|
22
|
+
"hr",
|
|
23
|
+
"isindex",
|
|
24
|
+
"menu",
|
|
25
|
+
"noframes",
|
|
26
|
+
"noscript",
|
|
27
|
+
"ol",
|
|
28
|
+
"p",
|
|
29
|
+
"pre",
|
|
30
|
+
"table",
|
|
31
|
+
"ul",
|
|
32
|
+
])
|
|
32
33
|
|
|
33
34
|
# https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
|
|
34
|
-
STRICT_BLOCK_LEVEL_HTML5 = Set.new
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
35
|
+
STRICT_BLOCK_LEVEL_HTML5 = Set.new([
|
|
36
|
+
"address",
|
|
37
|
+
"article",
|
|
38
|
+
"aside",
|
|
39
|
+
"blockquote",
|
|
40
|
+
"canvas",
|
|
41
|
+
"dd",
|
|
42
|
+
"div",
|
|
43
|
+
"dl",
|
|
44
|
+
"dt",
|
|
45
|
+
"fieldset",
|
|
46
|
+
"figcaption",
|
|
47
|
+
"figure",
|
|
48
|
+
"footer",
|
|
49
|
+
"form",
|
|
50
|
+
"h1",
|
|
51
|
+
"h2",
|
|
52
|
+
"h3",
|
|
53
|
+
"h4",
|
|
54
|
+
"h5",
|
|
55
|
+
"h6",
|
|
56
|
+
"header",
|
|
57
|
+
"hgroup",
|
|
58
|
+
"hr",
|
|
59
|
+
"li",
|
|
60
|
+
"main",
|
|
61
|
+
"nav",
|
|
62
|
+
"noscript",
|
|
63
|
+
"ol",
|
|
64
|
+
"output",
|
|
65
|
+
"p",
|
|
66
|
+
"pre",
|
|
67
|
+
"section",
|
|
68
|
+
"table",
|
|
69
|
+
"tfoot",
|
|
70
|
+
"ul",
|
|
71
|
+
"video",
|
|
72
|
+
])
|
|
72
73
|
|
|
73
74
|
# The following elements may also be considered block-level
|
|
74
75
|
# elements since they may contain block-level elements
|
|
75
|
-
LOOSE_BLOCK_LEVEL = Set.new
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
76
|
+
LOOSE_BLOCK_LEVEL = Set.new([
|
|
77
|
+
"dd",
|
|
78
|
+
"dt",
|
|
79
|
+
"frameset",
|
|
80
|
+
"li",
|
|
81
|
+
"tbody",
|
|
82
|
+
"td",
|
|
83
|
+
"tfoot",
|
|
84
|
+
"th",
|
|
85
|
+
"thead",
|
|
86
|
+
"tr",
|
|
87
|
+
])
|
|
86
88
|
|
|
87
89
|
# Elements that aren't block but should generate a newline in #to_text
|
|
88
90
|
INLINE_LINE_BREAK = Set.new(["br"])
|
|
@@ -92,5 +94,5 @@ module Loofah
|
|
|
92
94
|
LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
|
|
93
95
|
end
|
|
94
96
|
|
|
95
|
-
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants
|
|
97
|
+
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::Elements)
|
|
96
98
|
end
|
data/lib/loofah/helpers.rb
CHANGED
|
@@ -1,43 +1,47 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
|
+
|
|
2
3
|
module Loofah
|
|
3
4
|
module Helpers
|
|
4
5
|
class << self
|
|
5
6
|
#
|
|
6
7
|
# A replacement for Rails's built-in +strip_tags+ helper.
|
|
7
8
|
#
|
|
8
|
-
#
|
|
9
|
+
# Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
|
|
9
10
|
#
|
|
10
11
|
def strip_tags(string_or_io)
|
|
11
|
-
Loofah.
|
|
12
|
+
Loofah.html4_fragment(string_or_io).text
|
|
12
13
|
end
|
|
13
14
|
|
|
14
15
|
#
|
|
15
16
|
# A replacement for Rails's built-in +sanitize+ helper.
|
|
16
17
|
#
|
|
17
|
-
#
|
|
18
|
+
# Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>")
|
|
19
|
+
# # => "<script src=\"http://ha.ckers.org/xss.js\"></script>"
|
|
18
20
|
#
|
|
19
21
|
def sanitize(string_or_io)
|
|
20
|
-
loofah_fragment = Loofah.
|
|
22
|
+
loofah_fragment = Loofah.html4_fragment(string_or_io)
|
|
21
23
|
loofah_fragment.scrub!(:strip)
|
|
22
|
-
loofah_fragment.xpath("./form").each
|
|
24
|
+
loofah_fragment.xpath("./form").each(&:remove)
|
|
23
25
|
loofah_fragment.to_s
|
|
24
26
|
end
|
|
25
27
|
|
|
26
28
|
#
|
|
27
29
|
# A replacement for Rails's built-in +sanitize_css+ helper.
|
|
28
30
|
#
|
|
29
|
-
# Loofah::Helpers.sanitize_css("display:block;background-image:url(http://
|
|
31
|
+
# Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)")
|
|
32
|
+
# # => "display: block;"
|
|
30
33
|
#
|
|
31
34
|
def sanitize_css(style_string)
|
|
32
|
-
::Loofah::HTML5::Scrub.scrub_css
|
|
35
|
+
::Loofah::HTML5::Scrub.scrub_css(style_string)
|
|
33
36
|
end
|
|
34
37
|
|
|
35
38
|
#
|
|
36
|
-
# A helper to remove extraneous whitespace from text-ified HTML
|
|
39
|
+
# A helper to remove extraneous whitespace from text-ified HTML.
|
|
40
|
+
#
|
|
37
41
|
# TODO: remove this in a future major-point-release.
|
|
38
42
|
#
|
|
39
43
|
def remove_extraneous_whitespace(string)
|
|
40
|
-
Loofah.remove_extraneous_whitespace
|
|
44
|
+
Loofah.remove_extraneous_whitespace(string)
|
|
41
45
|
end
|
|
42
46
|
end
|
|
43
47
|
|
|
@@ -52,7 +56,7 @@ module Loofah
|
|
|
52
56
|
end
|
|
53
57
|
|
|
54
58
|
def white_list_sanitizer
|
|
55
|
-
warn
|
|
59
|
+
warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.")
|
|
56
60
|
safe_list_sanitizer
|
|
57
61
|
end
|
|
58
62
|
end
|
|
@@ -62,7 +66,8 @@ module Loofah
|
|
|
62
66
|
#
|
|
63
67
|
# To use by default, call this in an application initializer:
|
|
64
68
|
#
|
|
65
|
-
# ActionView::Helpers::SanitizeHelper.full_sanitizer =
|
|
69
|
+
# ActionView::Helpers::SanitizeHelper.full_sanitizer = \
|
|
70
|
+
# Loofah::Helpers::ActionView::FullSanitizer.new
|
|
66
71
|
#
|
|
67
72
|
# Or, to generally opt-in to Loofah's view sanitizers:
|
|
68
73
|
#
|
|
@@ -70,7 +75,7 @@ module Loofah
|
|
|
70
75
|
#
|
|
71
76
|
class FullSanitizer
|
|
72
77
|
def sanitize(html, *args)
|
|
73
|
-
Loofah::Helpers.strip_tags
|
|
78
|
+
Loofah::Helpers.strip_tags(html)
|
|
74
79
|
end
|
|
75
80
|
end
|
|
76
81
|
|
|
@@ -79,7 +84,8 @@ module Loofah
|
|
|
79
84
|
#
|
|
80
85
|
# To use by default, call this in an application initializer:
|
|
81
86
|
#
|
|
82
|
-
# ActionView::Helpers::SanitizeHelper.safe_list_sanitizer =
|
|
87
|
+
# ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \
|
|
88
|
+
# Loofah::Helpers::ActionView::SafeListSanitizer.new
|
|
83
89
|
#
|
|
84
90
|
# Or, to generally opt-in to Loofah's view sanitizers:
|
|
85
91
|
#
|
|
@@ -87,11 +93,11 @@ module Loofah
|
|
|
87
93
|
#
|
|
88
94
|
class SafeListSanitizer
|
|
89
95
|
def sanitize(html, *args)
|
|
90
|
-
Loofah::Helpers.sanitize
|
|
96
|
+
Loofah::Helpers.sanitize(html)
|
|
91
97
|
end
|
|
92
98
|
|
|
93
99
|
def sanitize_css(style_string, *args)
|
|
94
|
-
Loofah::Helpers.sanitize_css
|
|
100
|
+
Loofah::Helpers.sanitize_css(style_string)
|
|
95
101
|
end
|
|
96
102
|
end
|
|
97
103
|
|
|
@@ -1,19 +1,17 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
|
+
|
|
2
3
|
module Loofah
|
|
3
|
-
module
|
|
4
|
+
module HTML4 # :nodoc:
|
|
4
5
|
#
|
|
5
|
-
# Subclass of Nokogiri::
|
|
6
|
+
# Subclass of Nokogiri::HTML4::Document.
|
|
6
7
|
#
|
|
7
8
|
# See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
|
|
8
9
|
#
|
|
9
|
-
class Document < Nokogiri::
|
|
10
|
+
class Document < Nokogiri::HTML4::Document
|
|
10
11
|
include Loofah::ScrubBehavior::Node
|
|
11
12
|
include Loofah::DocumentDecorator
|
|
12
13
|
include Loofah::TextBehavior
|
|
13
|
-
|
|
14
|
-
def serialize_root
|
|
15
|
-
at_xpath("/html/body")
|
|
16
|
-
end
|
|
14
|
+
include Loofah::HtmlDocumentBehavior
|
|
17
15
|
end
|
|
18
16
|
end
|
|
19
17
|
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Loofah
|
|
4
|
+
module HTML4 # :nodoc:
|
|
5
|
+
#
|
|
6
|
+
# Subclass of Nokogiri::HTML4::DocumentFragment.
|
|
7
|
+
#
|
|
8
|
+
# See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
|
|
9
|
+
#
|
|
10
|
+
class DocumentFragment < Nokogiri::HTML4::DocumentFragment
|
|
11
|
+
include Loofah::TextBehavior
|
|
12
|
+
include Loofah::HtmlFragmentBehavior
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Loofah
|
|
4
|
+
module HTML5 # :nodoc:
|
|
5
|
+
#
|
|
6
|
+
# Subclass of Nokogiri::HTML5::Document.
|
|
7
|
+
#
|
|
8
|
+
# See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
|
|
9
|
+
#
|
|
10
|
+
class Document < Nokogiri::HTML5::Document
|
|
11
|
+
include Loofah::ScrubBehavior::Node
|
|
12
|
+
include Loofah::DocumentDecorator
|
|
13
|
+
include Loofah::TextBehavior
|
|
14
|
+
include Loofah::HtmlDocumentBehavior
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Loofah
|
|
4
|
+
module HTML5 # :nodoc:
|
|
5
|
+
#
|
|
6
|
+
# Subclass of Nokogiri::HTML5::DocumentFragment.
|
|
7
|
+
#
|
|
8
|
+
# See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
|
|
9
|
+
#
|
|
10
|
+
class DocumentFragment < Nokogiri::HTML5::DocumentFragment
|
|
11
|
+
include Loofah::TextBehavior
|
|
12
|
+
include Loofah::HtmlFragmentBehavior
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# coding: utf-8
|
|
2
2
|
# frozen_string_literal: true
|
|
3
|
+
|
|
3
4
|
require "set"
|
|
4
5
|
|
|
5
6
|
module Loofah
|
|
@@ -16,12 +17,12 @@ module Loofah
|
|
|
16
17
|
#
|
|
17
18
|
# see comments about CVE-2018-8048 within the tests for more information
|
|
18
19
|
#
|
|
19
|
-
BROKEN_ESCAPING_ATTRIBUTES = Set.new
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
20
|
+
BROKEN_ESCAPING_ATTRIBUTES = Set.new([
|
|
21
|
+
"href",
|
|
22
|
+
"action",
|
|
23
|
+
"src",
|
|
24
|
+
"name",
|
|
25
|
+
])
|
|
25
26
|
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
|
|
26
27
|
end
|
|
27
28
|
end
|