loofah 2.19.1 → 2.24.0

data/lib/loofah/concerns.rb

@@ -0,0 +1,207 @@
+# frozen_string_literal: true
+
+module Loofah
+  #
+  #  Mixes +scrub!+ into Document, DocumentFragment, Node and NodeSet.
+  #
+  #  Traverse the document or fragment, invoking the +scrubber+ on each node.
+  #
+  #  +scrubber+ must either be one of the symbols representing the built-in scrubbers (see
+  #  Scrubbers), or a Scrubber instance.
+  #
+  #    span2div = Loofah::Scrubber.new do |node|
+  #      node.name = "div" if node.name == "span"
+  #    end
+  #    Loofah.html5_fragment("<span>foo</span><p>bar</p>").scrub!(span2div).to_s
+  #    # => "<div>foo</div><p>bar</p>"
+  #
+  #  or
+  #
+  #    unsafe_html = "ohai! <div>div is safe</div> <script>but script is not</script>"
+  #    Loofah.html5_fragment(unsafe_html).scrub!(:strip).to_s
+  #    # => "ohai! <div>div is safe</div> "
+  #
+  #  Note that this method is called implicitly from the shortcuts Loofah.scrub_html5_fragment et
+  #  al.
+  #
+  #  Please see Scrubber for more information on implementation and traversal, and README.rdoc for
+  #  more example usage.
+  #
+  module ScrubBehavior
+    module Node # :nodoc:
+      def scrub!(scrubber)
+        #
+        #  yes. this should be three separate methods. but nokogiri decorates (or not) based on
+        #  whether the module name has already been included. and since documents get decorated just
+        #  like their constituent nodes, we need to jam all the logic into a single module.
+        #
+        scrubber = ScrubBehavior.resolve_scrubber(scrubber)
+        case self
+        when Nokogiri::XML::Document
+          scrubber.traverse(root) if root
+        when Nokogiri::XML::DocumentFragment
+          children.scrub!(scrubber)
+        else
+          scrubber.traverse(self)
+        end
+        self
+      end
+    end
+
+    module NodeSet # :nodoc:
+      def scrub!(scrubber)
+        each { |node| node.scrub!(scrubber) }
+        self
+      end
+    end
+
+    class << self
+      def resolve_scrubber(scrubber) # :nodoc:
+        scrubber = Scrubbers::MAP[scrubber].new if Scrubbers::MAP[scrubber]
+        unless scrubber.is_a?(Loofah::Scrubber)
+          raise Loofah::ScrubberNotFound, "not a Scrubber or a scrubber name: #{scrubber.inspect}"
+        end
+
+        scrubber
+      end
+    end
+  end
+
+  #
+  #  Overrides +text+ in Document and DocumentFragment classes, and mixes in +to_text+.
+  #
+  module TextBehavior
+    #
+    #  Returns a plain-text version of the markup contained by the document, with HTML entities
+    #  encoded.
+    #
+    #  This method is significantly faster than #to_text, but isn't clever about whitespace around
+    #  block elements.
+    #
+    #    Loofah.html5_document("<h1>Title</h1><div>Content</div>").text
+    #    # => "TitleContent"
+    #
+    #  By default, the returned text will have HTML entities escaped. If you want unescaped
+    #  entities, and you understand that the result is unsafe to render in a browser, then you can
+    #  pass an argument as shown:
+    #
+    #    frag = Loofah.html5_fragment("&lt;script&gt;alert('EVIL');&lt;/script&gt;")
+    #    # ok for browser:
+    #    frag.text                                 # => "&lt;script&gt;alert('EVIL');&lt;/script&gt;"
+    #    # decidedly not ok for browser:
+    #    frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
+    #
+    def text(options = {})
+      result = if serialize_root
+        serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
+      else
+        ""
+      end
+      if options[:encode_special_chars] == false
+        result # possibly dangerous if rendered in a browser
+      else
+        encode_special_chars(result)
+      end
+    end
+
+    alias_method :inner_text, :text
+    alias_method :to_str, :text
+
+    #
+    #  Returns a plain-text version of the markup contained by the fragment, with HTML entities
+    #  encoded.
+    #
+    #  This method is slower than #text, but is clever about whitespace around block elements and
+    #  line break elements.
+    #
+    #    Loofah.html5_document("<h1>Title</h1><div>Content<br>Next line</div>").to_text
+    #    # => "\nTitle\n\nContent\nNext line\n"
+    #
+    def to_text(options = {})
+      Loofah.remove_extraneous_whitespace(dup.scrub!(:newline_block_elements).text(options))
+    end
+  end
+
+  module DocumentDecorator # :nodoc:
+    def initialize(*args, &block)
+      super
+      decorators(Nokogiri::XML::Node) << ScrubBehavior::Node
+      decorators(Nokogiri::XML::NodeSet) << ScrubBehavior::NodeSet
+    end
+  end
+
+  module HtmlDocumentBehavior # :nodoc:
+    module ClassMethods
+      def parse(*args, &block)
+        remove_comments_before_html_element(super)
+      end
+
+      private
+
+      # remove comments that exist outside of the HTML element.
+      #
+      # these comments are allowed by the HTML spec:
+      #
+      #    https://www.w3.org/TR/html401/struct/global.html#h-7.1
+      #
+      # but are not scrubbed by Loofah because these nodes don't meet
+      # the contract that scrubbers expect of a node (e.g., it can be
+      # replaced, sibling and children nodes can be created).
+      def remove_comments_before_html_element(doc)
+        doc.children.each do |child|
+          child.unlink if child.comment?
+        end
+        doc
+      end
+    end
+
+    class << self
+      def included(base)
+        base.extend(ClassMethods)
+      end
+    end
+
+    def serialize_root
+      at_xpath("/html/body")
+    end
+  end
+
+  module HtmlFragmentBehavior # :nodoc:
+    module ClassMethods
+      def parse(tags, encoding = nil)
+        doc = document_klass.new
+
+        encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
+        doc.encoding = encoding
+
+        new(doc, tags)
+      end
+
+      def document_klass
+        @document_klass ||= if Loofah.html5_support? && self == Loofah::HTML5::DocumentFragment
+          Loofah::HTML5::Document
+        elsif self == Loofah::HTML4::DocumentFragment
+          Loofah::HTML4::Document
+        else
+          raise ArgumentError, "unexpected class: #{self}"
+        end
+      end
+    end
+
+    class << self
+      def included(base)
+        base.extend(ClassMethods)
+      end
+    end
+
+    def to_s
+      serialize_root.children.to_s
+    end
+
+    alias_method :serialize, :to_s
+
+    def serialize_root
+      at_xpath("./body") || self
+    end
+  end
+end

data/lib/loofah/elements.rb

@@ -1,88 +1,90 @@
 # frozen_string_literal: true
+
 require "set"
 
 module Loofah
   module Elements
-    STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-                                         address
-                                         blockquote
-                                         center
-                                         dir
-                                         div
-                                         dl
-                                         fieldset
-                                         form
-                                         h1
-                                         h2
-                                         h3
-                                         h4
-                                         h5
-                                         h6
-                                         hr
-                                         isindex
-                                         menu
-                                         noframes
-                                         noscript
-                                         ol
-                                         p
-                                         pre
-                                         table
-                                         ul
-                                       ]
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new([
+      "address",
+      "blockquote",
+      "center",
+      "dir",
+      "div",
+      "dl",
+      "fieldset",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "hr",
+      "isindex",
+      "menu",
+      "noframes",
+      "noscript",
+      "ol",
+      "p",
+      "pre",
+      "table",
+      "ul",
+    ])
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
-    STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-                                         address
-                                         article
-                                         aside
-                                         blockquote
-                                         canvas
-                                         dd
-                                         div
-                                         dl
-                                         dt
-                                         fieldset
-                                         figcaption
-                                         figure
-                                         footer
-                                         form
-                                         h1
-                                         h2
-                                         h3
-                                         h4
-                                         h5
-                                         h6
-                                         header
-                                         hgroup
-                                         hr
-                                         li
-                                         main
-                                         nav
-                                         noscript
-                                         ol
-                                         output
-                                         p
-                                         pre
-                                         section
-                                         table
-                                         tfoot
-                                         ul
-                                         video
-                                       ]
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new([
+      "address",
+      "article",
+      "aside",
+      "blockquote",
+      "canvas",
+      "dd",
+      "div",
+      "dl",
+      "dt",
+      "fieldset",
+      "figcaption",
+      "figure",
+      "footer",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "header",
+      "hgroup",
+      "hr",
+      "li",
+      "main",
+      "nav",
+      "noscript",
+      "ol",
+      "output",
+      "p",
+      "pre",
+      "section",
+      "table",
+      "tfoot",
+      "ul",
+      "video",
+    ])
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
-    LOOSE_BLOCK_LEVEL = Set.new %w[dd
-                                   dt
-                                   frameset
-                                   li
-                                   tbody
-                                   td
-                                   tfoot
-                                   th
-                                   thead
-                                   tr
-                                ]
+    LOOSE_BLOCK_LEVEL = Set.new([
+      "dd",
+      "dt",
+      "frameset",
+      "li",
+      "tbody",
+      "td",
+      "tfoot",
+      "th",
+      "thead",
+      "tr",
+    ])
 
     # Elements that aren't block but should generate a newline in #to_text
     INLINE_LINE_BREAK = Set.new(["br"])
@@ -92,5 +94,5 @@ module Loofah
     LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
   end
 
-  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
+  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::Elements)
 end

data/lib/loofah/helpers.rb

@@ -1,43 +1,47 @@
 # frozen_string_literal: true
+
 module Loofah
   module Helpers
     class << self
       #
       #  A replacement for Rails's built-in +strip_tags+ helper.
       #
-      #   Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
+      #    Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
       #
       def strip_tags(string_or_io)
-        Loofah.fragment(string_or_io).text
+        Loofah.html4_fragment(string_or_io).text
       end
 
       #
       #  A replacement for Rails's built-in +sanitize+ helper.
       #
-      #   Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+      #    Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>")
+      #    # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
       #
       def sanitize(string_or_io)
-        loofah_fragment = Loofah.fragment(string_or_io)
+        loofah_fragment = Loofah.html4_fragment(string_or_io)
         loofah_fragment.scrub!(:strip)
-        loofah_fragment.xpath("./form").each { |form| form.remove }
+        loofah_fragment.xpath("./form").each(&:remove)
         loofah_fragment.to_s
       end
 
       #
       #  A replacement for Rails's built-in +sanitize_css+ helper.
       #
-      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
+      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)")
+      #    # => "display: block;"
       #
       def sanitize_css(style_string)
-        ::Loofah::HTML5::Scrub.scrub_css style_string
+        ::Loofah::HTML5::Scrub.scrub_css(style_string)
       end
 
       #
-      #  A helper to remove extraneous whitespace from text-ified HTML
+      #  A helper to remove extraneous whitespace from text-ified HTML.
+      #
       #  TODO: remove this in a future major-point-release.
       #
       def remove_extraneous_whitespace(string)
-        Loofah.remove_extraneous_whitespace string
+        Loofah.remove_extraneous_whitespace(string)
       end
     end
 
@@ -52,7 +56,7 @@ module Loofah
         end
 
         def white_list_sanitizer
-          warn "warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead."
+          warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.")
           safe_list_sanitizer
         end
       end
@@ -62,7 +66,8 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = ::Loofah::Helpers::ActionView::FullSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = \
+      #      Loofah::Helpers::ActionView::FullSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
@@ -70,7 +75,7 @@ module Loofah
       #
       class FullSanitizer
         def sanitize(html, *args)
-          Loofah::Helpers.strip_tags html
+          Loofah::Helpers.strip_tags(html)
         end
       end
 
@@ -79,7 +84,8 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \
+      #      Loofah::Helpers::ActionView::SafeListSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
@@ -87,11 +93,11 @@ module Loofah
       #
       class SafeListSanitizer
         def sanitize(html, *args)
-          Loofah::Helpers.sanitize html
+          Loofah::Helpers.sanitize(html)
         end
 
         def sanitize_css(style_string, *args)
-          Loofah::Helpers.sanitize_css style_string
+          Loofah::Helpers.sanitize_css(style_string)
         end
       end
 

data/lib/loofah/{html → html4}/document.rb

@@ -1,19 +1,17 @@
 # frozen_string_literal: true
+
 module Loofah
-  module HTML # :nodoc:
+  module HTML4 # :nodoc:
     #
-    #  Subclass of Nokogiri::HTML::Document.
+    #  Subclass of Nokogiri::HTML4::Document.
     #
     #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
     #
-    class Document < Nokogiri::HTML::Document
+    class Document < Nokogiri::HTML4::Document
       include Loofah::ScrubBehavior::Node
       include Loofah::DocumentDecorator
       include Loofah::TextBehavior
-
-      def serialize_root
-        at_xpath("/html/body")
-      end
+      include Loofah::HtmlDocumentBehavior
     end
   end
 end

data/lib/loofah/html4/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML4 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML4::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML4::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::Document.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class Document < Nokogiri::HTML5::Document
+      include Loofah::ScrubBehavior::Node
+      include Loofah::DocumentDecorator
+      include Loofah::TextBehavior
+      include Loofah::HtmlDocumentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML5::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -1,5 +1,6 @@
 # coding: utf-8
 # frozen_string_literal: true
+
 require "set"
 
 module Loofah
@@ -16,12 +17,12 @@ module Loofah
     #
     #  see comments about CVE-2018-8048 within the tests for more information
     #
-    BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
-                                           href
-                                           action
-                                           src
-                                           name
-                                         ]
+    BROKEN_ESCAPING_ATTRIBUTES = Set.new([
+      "href",
+      "action",
+      "src",
+      "name",
+    ])
     BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
   end
 end