loofah 2.2.0 → 2.3.1

data/test/unit/test_helpers.rb

@@ -44,17 +44,17 @@ class UnitTestHelpers < Loofah::TestCase
         end
       end
 
-      describe "WhiteListSanitizer#sanitize" do
+      describe "SafeListSanitizer#sanitize" do
         it "calls .sanitize" do
           mock(Loofah::Helpers).sanitize("foobar")
-          Loofah::Helpers::ActionView::WhiteListSanitizer.new.sanitize "foobar"
+          Loofah::Helpers::ActionView::SafeListSanitizer.new.sanitize "foobar"
         end
       end
 
-      describe "WhiteListSanitizer#sanitize_css" do
+      describe "SafeListSanitizer#sanitize_css" do
         it "calls .sanitize_css" do
           mock(Loofah::Helpers).sanitize_css("foobar")
-          Loofah::Helpers::ActionView::WhiteListSanitizer.new.sanitize_css "foobar"
+          Loofah::Helpers::ActionView::SafeListSanitizer.new.sanitize_css "foobar"
         end
       end
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-11 00:00:00.000000000 Z
+date: 2019-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -43,16 +43,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -85,115 +85,126 @@ dependencies:
   name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: hoe-gemspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: hoe-debugging
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: hoe-bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: hoe-git
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: concourse
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.15.0
+        version: 0.26.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.15.0
+        version: 0.26.0
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
 - !ruby/object:Gem::Dependency
   name: hoe
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
-description: ''
+        version: '3.18'
+description: |-
+  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
+
+  Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
+
+  ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
@@ -204,6 +215,7 @@ extra_rdoc_files:
 - MIT-LICENSE.txt
 - Manifest.txt
 - README.md
+- SECURITY.md
 files:
 - ".gemtest"
 - CHANGELOG.md
@@ -212,6 +224,7 @@ files:
 - Manifest.txt
 - README.md
 - Rakefile
+- SECURITY.md
 - benchmark/benchmark.rb
 - benchmark/fragment.html
 - benchmark/helper.rb
@@ -221,17 +234,20 @@ files:
 - lib/loofah/helpers.rb
 - lib/loofah/html/document.rb
 - lib/loofah/html/document_fragment.rb
+- lib/loofah/html5/libxml2_workarounds.rb
+- lib/loofah/html5/safelist.rb
 - lib/loofah/html5/scrub.rb
-- lib/loofah/html5/whitelist.rb
 - lib/loofah/instance_methods.rb
 - lib/loofah/metahelpers.rb
 - lib/loofah/scrubber.rb
 - lib/loofah/scrubbers.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
+- test/assets/msword.html
 - test/assets/testdata_sanitizer_tests1.dat
 - test/helper.rb
 - test/html5/test_sanitizer.rb
+- test/html5/test_scrub.rb
 - test/integration/test_ad_hoc.rb
 - test/integration/test_helpers.rb
 - test/integration/test_html.rb
@@ -242,14 +258,14 @@ files:
 - test/unit/test_helpers.rb
 - test/unit/test_scrubber.rb
 - test/unit/test_scrubbers.rb
-homepage: 
+homepage: https://github.com/flavorjones/loofah
 licenses:
 - MIT
 metadata: {}
 post_install_message: 
 rdoc_options:
 - "--main"
-- README.rdoc
+- README.md
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
@@ -263,9 +279,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: ''
+summary: Loofah is a general library for manipulating and transforming HTML/XML documents
+  and fragments, built on top of Nokogiri
 test_files: []

data/lib/loofah/html5/whitelist.rb

@@ -1,186 +0,0 @@
-require 'set'
-
-module Loofah
-  module HTML5 # :nodoc:
-    #
-    #  HTML whitelist lifted from HTML5lib sanitizer code:
-    #
-    #    http://code.google.com/p/html5lib/
-    #
-    # <html5_license>
-    #
-    #   Copyright (c) 2006-2008 The Authors
-    #
-    #   Contributors:
-    #   James Graham - jg307@cam.ac.uk
-    #   Anne van Kesteren - annevankesteren@gmail.com
-    #   Lachlan Hunt - lachlan.hunt@lachy.id.au
-    #   Matt McDonald - kanashii@kanashii.ca
-    #   Sam Ruby - rubys@intertwingly.net
-    #   Ian Hickson (Google) - ian@hixie.ch
-    #   Thomas Broyer - t.broyer@ltgt.net
-    #   Jacques Distler - distler@golem.ph.utexas.edu
-    #   Henri Sivonen - hsivonen@iki.fi
-    #   The Mozilla Foundation (contributions from Henri Sivonen since 2008)
-    #
-    #   Permission is hereby granted, free of charge, to any person
-    #   obtaining a copy of this software and associated documentation
-    #   files (the "Software"), to deal in the Software without
-    #   restriction, including without limitation the rights to use, copy,
-    #   modify, merge, publish, distribute, sublicense, and/or sell copies
-    #   of the Software, and to permit persons to whom the Software is
-    #   furnished to do so, subject to the following conditions:
-    #
-    #   The above copyright notice and this permission notice shall be
-    #   included in all copies or substantial portions of the Software.
-    #
-    #   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-    #   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-    #   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-    #   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-    #   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-    #   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    #   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    #   DEALINGS IN THE SOFTWARE.
-    #
-    # </html5_license>
-    module WhiteList
-
-      ACCEPTABLE_ELEMENTS = Set.new %w[a abbr acronym address area
-      article aside audio b bdi bdo big blockquote br button canvas
-      caption center cite code col colgroup command datalist dd del
-      details dfn dir div dl dt em fieldset figcaption figure footer
-      font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
-      legend li main map mark menu meter nav ol output optgroup option p
-      pre q s samp section select small span strike strong sub summary
-      sup table tbody td textarea tfoot th thead time tr tt u ul var
-      video]
-
-      MATHML_ELEMENTS = Set.new %w[annotation annotation-xml maction math merror mfrac
-      mfenced mi mmultiscripts mn mo mover mpadded mphantom mprescripts mroot mrow
-      mspace msqrt mstyle msub msubsup msup mtable mtd mtext mtr munder
-      munderover none semantics]
-
-      SVG_ELEMENTS = Set.new %w[a animate animateColor animateMotion animateTransform
-      circle clipPath defs desc ellipse feGaussianBlur filter font-face
-      font-face-name font-face-src foreignObject
-      g glyph hkern linearGradient line marker mask metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch symbol
-      text textPath title tspan use]
-
-      ACCEPTABLE_ATTRIBUTES = Set.new %w[abbr accept accept-charset accesskey action
-      align alt axis border cellpadding cellspacing char charoff charset
-      checked cite class clear cols colspan color compact coords datetime
-      dir disabled enctype for frame headers height href hreflang hspace id
-      ismap label lang longdesc loop loopcount loopend loopstart
-      maxlength media method multiple name nohref
-      noshade nowrap poster preload prompt readonly rel rev rows rowspan rules scope
-      selected shape size span src start style summary tabindex target title
-      type usemap valign value vspace width xml:lang]
-
-      MATHML_ATTRIBUTES = Set.new %w[actiontype align close
-      columnalign columnlines columnspacing columnspan depth display
-      displaystyle encoding equalcolumns equalrows fence fontstyle fontweight
-      frame height linethickness lspace mathbackground mathcolor mathvariant
-      maxsize minsize open other rowalign rowlines
-      rowspacing rowspan rspace scriptlevel selection separator separators
-      stretchy width xlink:href xlink:show xlink:type xmlns xmlns:xlink]
-
-      SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-       arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class clip-path clip-rule color
-       color-interpolation-filters color-rendering content cx cy d dx
-       dy descent display dur end fill fill-opacity fill-rule
-       filterRes filterUnits font-family
-       font-size font-stretch font-style font-variant font-weight from fx fy g1
-       g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
-       ideographic k keyPoints keySplines keyTimes lang marker-end
-       marker-mid marker-start markerHeight markerUnits markerWidth
-       maskContentUnits maskUnits mathematical max method min name offset opacity orient origin
-       overline-position overline-thickness panose-1 path pathLength
-       patternContentUnits patternTransform patternUnits  points
-       preserveAspectRatio primitiveUnits r refX refY repeatCount repeatDur
-       requiredExtensions requiredFeatures restart rotate rx ry slope spacing
-       startOffset stdDeviation stemh
-       stemv stop-color stop-opacity strikethrough-position
-       strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-       stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-       u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-       x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-       xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-       xmlns:xlink y y1 y2 zoomAndPan]
-
-      ATTR_VAL_IS_URI = Set.new %w[href src cite action longdesc xlink:href xml:base poster preload]
-
-      SVG_ATTR_VAL_ALLOWS_REF = Set.new %w[clip-path color-profile cursor fill
-      filter marker marker-start marker-mid marker-end mask stroke]
-
-      SVG_ALLOW_LOCAL_HREF = Set.new %w[altGlyph animate animateColor animateMotion
-      animateTransform cursor feImage filter linearGradient pattern
-      radialGradient textpath tref set use]
-
-      ACCEPTABLE_CSS_PROPERTIES = Set.new %w[azimuth background-color
-      border-bottom-color border-collapse border-color border-left-color
-      border-right-color border-top-color clear color cursor direction
-      display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height list-style-type
-      overflow pause pause-after pause-before pitch pitch-range richness speak
-      speak-header speak-numeral speak-punctuation speech-rate stress
-      text-align text-decoration text-indent unicode-bidi vertical-align
-      voice-family volume white-space width]
-
-      ACCEPTABLE_CSS_KEYWORDS = Set.new %w[auto aqua black block blue bold both bottom
-      brown center collapse dashed dotted fuchsia gray green !important
-      italic left lime maroon medium none navy normal nowrap olive pointer
-      purple red right solid silver teal top transparent underline white
-      yellow]
-
-      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
-
-      SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
-
-      ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
-      stroke-width stroke-linecap stroke-linejoin stroke-opacity]
-
-      PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
-
-      ACCEPTABLE_PROTOCOLS = Set.new %w[ed2k ftp http https irc mailto news gopher nntp
-      telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs data]
-
-      ACCEPTABLE_URI_DATA_MEDIATYPES = Set.new %w[text/plain text/css image/png image/gif
-        image/jpeg image/svg+xml]
-
-      # subclasses may define their own versions of these constants
-      ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
-      ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
-      ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
-      ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
-      ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
-      ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
-      ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
-      ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
-
-      VOID_ELEMENTS = Set.new %w[
-        base
-        link
-        meta
-        hr
-        br
-        img
-        embed
-        param
-        area
-        col
-        input
-      ]
-
-      # additional tags we should consider safe since we have libxml2 fixing up our documents.
-      TAGS_SAFE_WITH_LIBXML2 = Set.new %w[html head body]
-      ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
-    end
-
-    ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::HTML5::WhiteList
-  end
-end