RubyGems - loofah - Versions diffs - 2.2.0 → 2.3.1 - Mend

loofah 2.2.0 → 2.3.1

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (20) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +105 -32
data/Gemfile +3 -3
data/Manifest.txt +5 -1
data/README.md +28 -26
data/Rakefile +23 -21
data/SECURITY.md +18 -0
data/lib/loofah.rb +15 -14
data/lib/loofah/helpers.rb +13 -3
data/lib/loofah/html5/libxml2_workarounds.rb +26 -0
data/lib/loofah/html5/safelist.rb +796 -0
data/lib/loofah/html5/scrub.rb +43 -16
data/lib/loofah/scrubbers.rb +1 -1
data/test/assets/msword.html +63 -0
data/test/html5/test_sanitizer.rb +36 -17
data/test/html5/test_scrub.rb +10 -0
data/test/integration/test_ad_hoc.rb +105 -78
data/test/unit/test_helpers.rb +4 -4
metadata +55 -39
data/lib/loofah/html5/whitelist.rb +0 -186

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6656f9e5edc815b2c5ee676d1c4fb818b2dc03f4
-  data.tar.gz: 7bea1d04f8af479fd825c7adf687f0ca0c624830
+SHA256:
+  metadata.gz: 1196afab25d29644d1961e4516ac317a2c38dee3295f35354c468e6a9318fa55
+  data.tar.gz: 2e07ff641edb37d2b0dce2933288da4667d4b680a586912af9c171db7dfb0a63
 SHA512:
-  metadata.gz: 42f030b7228867ebf322c9d8e286349e1288ef3d60f90fe404b0d9250cc626ea6fad84ff1325cd2754ea4a7fdf80802a4bdae5a9b7121ac312e56d96c280d1a3
-  data.tar.gz: 8a67c56281a65b6e89d8623f40423ae41ed2628eeb0a90193196cfb87aeb4efccbe23c961b05ab26a247bac0117a55b68dea97ab6b67076e272ebad8471e33cb
+  metadata.gz: 37ac2cdb0d136da417cff62e3845c5b71769f044d8150c636a549dc9ca4cf98bcef4c6d2b6e653eff56922b95d812ed39310a406c49366c14791456ca905e8fe
+  data.tar.gz: 0fa3cdd75a3d2950801a1cfe7f8d4cad6bb73bbec67d24ba25980c09a565f6c95c5d664c1789ccd62486d1917c685a5b0f762cc073a054bbb0f02fb0222688f0

data/CHANGELOG.md CHANGED

@@ -1,8 +1,81 @@
 # Changelog
+## 2.3.1 / 2019-10-22
+### Security
+Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
+## 2.3.0 / 2019-09-28
+### Features
+* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
+* Expand set of allowed CSS functions. [related to #122]
+* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
+* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
+* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
+* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
+### Bug fixes
+* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
+### Deprecations / Name Changes
+The following method and constants are hereby deprecated, and will be completely removed in a future release:
+* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
+* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
+* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
+Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
+## 2.2.3 / 2018-10-30
+### Security
+Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+## Meta / 2018-10-27
+The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
+This change was made because librelist no longer appears to be maintained.
+## 2.2.2 / 2018-03-22
+Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
+which was previously a private method. This is so that downstream gems
+(like rails-html-sanitizer) can use this logic directly for their own
+attribute scrubbers should they need to address CVE-2018-8048.
+## 2.2.1 / 2018-03-19
+### Security
+Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ## 2.2.0 / 2018-02-11
-Features:
+### Features:
 * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
 * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
@@ -10,32 +83,32 @@ Features:
 * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
 * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
-Bugfixes:
+### Bugfixes:
 * Properly handle nested `script` tags. #127.
 ## 2.1.1 / 2017-09-24
-Bugfixes:
+### Bugfixes:
 * Removed warning for unused variable. #124 (Thanks, @y-yagi!)
 ## 2.1.0 / 2017-09-24
-Notes:
+### Notes:
 * Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
-Features:
+### Features:
 * Added :noopener HTML scrubber (Thanks, @tastycode!)
 * Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
-Bugfixes:
+### Bugfixes:
 * The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
 * Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
@@ -43,14 +116,14 @@ Bugfixes:
 ## 2.0.3 / 2015-08-17
-Bug fixes:
+### Bug fixes:
 * Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
 ## 2.0.2 / 2015-05-05
-Bug fixes:
+### Bug fixes:
 * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
 * Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
@@ -59,24 +132,24 @@ Bug fixes:
 ## 2.0.1 / 2014-08-21
-Bug fixes:
+### Bug fixes:
 * Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
-Notes:
+### Notes:
 * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
 ## 2.0.0 / 2014-05-09
-Compatibility notes:
+### Compatibility notes:
 * ActionView helpers now must be required explicitly: `require "loofah/helpers"`
 * Support for Ruby 1.8.7 and prior has been dropped
-Enhancements:
+### Enhancements:
 * HTML5 whitelist allows the following ...
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
@@ -86,7 +159,7 @@ Enhancements:
 * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
-Bug fixes:
+### Bug fixes:
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
 * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
@@ -99,7 +172,7 @@ Bug fixes:
 ## 1.2.0 (2011-08-08)
-Enhancements:
+### Enhancements:
 * Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
 * Improving ActionView integration.
@@ -107,7 +180,7 @@ Enhancements:
 ## 1.1.0 (2011-08-08)
-Enhancements:
+### Enhancements:
 * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
   Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
@@ -117,7 +190,7 @@ Enhancements:
 ## 1.0.0 (2010-10-26)
-Notes:
+### Notes:
 * Moved ActiveRecord functionality into `loofah-activerecord` gem.
 * Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
@@ -125,7 +198,7 @@ Notes:
 ## 0.4.7 (2010-03-09)
-Enhancements:
+### Enhancements:
 * New methods Loofah::HTML::Document#to_text and
   Loofah::HTML::DocumentFragment#to_text do the right thing with
@@ -138,23 +211,23 @@ Enhancements:
 ## 0.4.4, 0.4.5, 0.4.6 (2010-02-01)
-Enhancements:
+### Enhancements:
 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.
-Bug fixes:
+### Bug fixes:
 * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
 ## 0.4.3 (2010-01-29)
-Enhancements:
+### Enhancements:
 * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
 * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
-Miscellaneous:
+### Miscellaneous:
 * Modified documentation for bootstrapping XssFoliate in a Rails app,
   since the use of Bundler breaks the previously-documented method. To
@@ -163,18 +236,18 @@ Miscellaneous:
 ## 0.4.2 (2010-01-22)
-Enhancements:
+### Enhancements:
 * Implemented Node#scrub! for scrubbing subtrees.
 * Implemented NodeSet#scrub! for scrubbing a set of subtrees.
 * Document.text now only serializes <body> contents (ignores <head>)
 * <head>, <html> and <body> added to the HTML5lib whitelist.
-Bug fixes:
+### Bug fixes:
 * Supporting Rails apps that aren't loading ActiveRecord. GH #10
-Miscellaneous:
+### Miscellaneous:
 * Mailing list is now loofah@librelist.com / http://librelist.com
 * IRC channel is now \#loofah on freenode.
@@ -182,14 +255,14 @@ Miscellaneous:
 ## 0.4.1 (2009-11-23)
-Bugfix:
+### Bugfix:
 * Manifest fixed. Whoops.
 ## 0.4.0 (2009-11-21)
-Enhancements:
+### Enhancements:
 * Scrubber class introduced, allowing development of custom scrubbers.
 * Added support for XML documents and fragments.
@@ -200,20 +273,20 @@ Enhancements:
 ## 0.3.1 (2009-10-12)
-Bug fixes:
+### Bug fixes:
 * Scrubbed Documents properly render html, head and body tags when serialized.
 ## 0.3.0 (2009-10-06)
-Enhancements:
+### Enhancements:
 * New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master].
 * Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
 * Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.
-Deprecations:
+### Deprecations:
 * The methods strip_tags, whitewash, whitewash_document, sanitize, and
   sanitize_document have been deprecated. See DEPRECATED.rdoc for
@@ -222,7 +295,7 @@ Deprecations:
 ## 0.2.2 (2009-09-30)
-Enhancements:
+### Enhancements:
 * ActiveRecord extension scrubs fields in a before_validation callback
   (was previously in a before_save)
@@ -230,12 +303,12 @@ Enhancements:
 ## 0.2.1 (2009-09-19)
-Enhancements:
+### Enhancements:
 * when loaded in a Rails app, automatically extend ActiveRecord::Base
   with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
-Bugfixes:
+### Bugfixes:
 * ActiveRecord scrubbing should generate strings instead of Document or
   DocumentFragment objects. GH #5

data/Gemfile CHANGED

@@ -15,8 +15,8 @@ gem "hoe-gemspec", ">=0", :group => [:development, :test]
 gem "hoe-debugging", ">=0", :group => [:development, :test]
 gem "hoe-bundler", ">=0", :group => [:development, :test]
 gem "hoe-git", ">=0", :group => [:development, :test]
-gem "concourse", ">=0.15.0", :group => [:development, :test]
-gem "rdoc", "~>4.0", :group => [:development, :test]
-gem "hoe", "~>3.16", :group => [:development, :test]
+gem "concourse", ">=0.26.0", :group => [:development, :test]
+gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
+gem "hoe", "~>3.17", :group => [:development, :test]
 # vim: syntax=ruby

data/Manifest.txt CHANGED

@@ -5,6 +5,7 @@ MIT-LICENSE.txt
 Manifest.txt
 README.md
 Rakefile
+SECURITY.md
 benchmark/benchmark.rb
 benchmark/fragment.html
 benchmark/helper.rb
@@ -14,17 +15,20 @@ lib/loofah/elements.rb
 lib/loofah/helpers.rb
 lib/loofah/html/document.rb
 lib/loofah/html/document_fragment.rb
+lib/loofah/html5/libxml2_workarounds.rb
+lib/loofah/html5/safelist.rb
 lib/loofah/html5/scrub.rb
-lib/loofah/html5/whitelist.rb
 lib/loofah/instance_methods.rb
 lib/loofah/metahelpers.rb
 lib/loofah/scrubber.rb
 lib/loofah/scrubbers.rb
 lib/loofah/xml/document.rb
 lib/loofah/xml/document_fragment.rb
+test/assets/msword.html
 test/assets/testdata_sanitizer_tests1.dat
 test/helper.rb
 test/html5/test_sanitizer.rb
+test/html5/test_scrub.rb
 test/integration/test_ad_hoc.rb
 test/integration/test_helpers.rb
 test/integration/test_html.rb

data/README.md CHANGED

@@ -1,36 +1,29 @@
 # Loofah
 * https://github.com/flavorjones/loofah
-* http://rubydoc.info/github/flavorjones/loofah/master/frames
-* http://librelist.com/browser/loofah
+* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
+* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
 ## Status
 |System|Status|
 |--|--|
-| Concourse | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
+| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
 | Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
-| Version Eye | [![Version Eye](https://www.versioneye.com/ruby/loofah/badge.png)](https://www.versioneye.com/ruby/loofah) |
 ## Description
-Loofah is a general library for manipulating and transforming HTML/XML
-documents and fragments. It's built on top of Nokogiri and libxml2, so
-it's fast and has a nice API.
+Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
-Loofah excels at HTML sanitization (XSS prevention). It includes some
-nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-most likely won't make your codes less secure. (These statements have
-not been evaluated by Netexperts.)
+Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
-ActiveRecord extensions for sanitization are available in the
-[`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 ## Features
-* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists).
+* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's safelists).
 * Common HTML sanitizing tasks are built-in:
   * _Strip_ unsafe tags, leaving behind only the inner text.
   * _Prune_ unsafe tags and their subtrees, removing all traces that they ever existed.
@@ -222,7 +215,7 @@ Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
 === Built-In HTML Scrubbers
 Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
-whitelist algorithm:
+safelist algorithm:
 ``` ruby
 doc.scrub!(:strip)       # replaces unknown/unsafe tags with their inner text
@@ -301,23 +294,32 @@ The bug tracker is available here:
 * https://github.com/flavorjones/loofah/issues
-And the mailing list is on librelist:
+And the mailing list is on Google Groups:
-* loofah@librelist.com / http://librelist.com
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
 And the IRC channel is \#loofah on freenode.
 ## Security
-Some tools may incorrectly report loofah is a potential security
-vulnerability. Loofah depends on Nokogiri, and it's possible to use
-Nokogiri in a dangerous way (by enabling its DTDLOAD option and
-disabling its NONET option).  This dangerous Nokogiri configuration,
-which is sometimes used by other components, can create an XML
-External Entity (XXE) vulnerability if the XML data is not trusted.
-However, loofah never enables this dangerous Nokogiri configuration;
-loofah never enables DTDLOAD, and it never disables NONET.
+See [`SECURITY.md`](SECURITY.md) for vulnerability reporting details.
+### "Secure by Default"
+Some tools may incorrectly report Loofah as a potential security
+vulnerability.
+Loofah depends on Nokogiri, and it's _possible_ to use Nokogiri in a
+dangerous way (by enabling its DTDLOAD option and disabling its NONET
+option). This specifically allows the opportunity for an XML External
+Entity (XXE) vulnerability if the XML data is untrusted.
+However, Loofah __never enables this Nokogiri configuration__; Loofah
+never enables DTDLOAD, and it never disables NONET, thereby protecting
+you by default from this XXE vulnerability.
 ## Related Links
@@ -345,7 +347,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
 ## Thank You
-The following people have generously donated via the Pledgie[http://pledgie.com] badge on the {Loofah github page}[https://github.com/flavorjones/loofah]:
+The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
 * Bill Harding