loofah 2.2.3 → 2.19.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (42) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +212 -31
  3. data/README.md +18 -24
  4. data/lib/loofah/elements.rb +79 -75
  5. data/lib/loofah/helpers.rb +18 -7
  6. data/lib/loofah/html/document.rb +1 -0
  7. data/lib/loofah/html/document_fragment.rb +4 -2
  8. data/lib/loofah/html5/libxml2_workarounds.rb +8 -7
  9. data/lib/loofah/html5/safelist.rb +1043 -0
  10. data/lib/loofah/html5/scrub.rb +73 -48
  11. data/lib/loofah/instance_methods.rb +14 -8
  12. data/lib/loofah/metahelpers.rb +2 -1
  13. data/lib/loofah/scrubber.rb +8 -7
  14. data/lib/loofah/scrubbers.rb +19 -13
  15. data/lib/loofah/version.rb +5 -0
  16. data/lib/loofah/xml/document.rb +1 -0
  17. data/lib/loofah/xml/document_fragment.rb +2 -1
  18. data/lib/loofah.rb +35 -18
  19. metadata +52 -138
  20. data/.gemtest +0 -0
  21. data/Gemfile +0 -22
  22. data/Manifest.txt +0 -40
  23. data/Rakefile +0 -79
  24. data/benchmark/benchmark.rb +0 -149
  25. data/benchmark/fragment.html +0 -96
  26. data/benchmark/helper.rb +0 -73
  27. data/benchmark/www.slashdot.com.html +0 -2560
  28. data/lib/loofah/html5/whitelist.rb +0 -186
  29. data/test/assets/msword.html +0 -63
  30. data/test/assets/testdata_sanitizer_tests1.dat +0 -502
  31. data/test/helper.rb +0 -18
  32. data/test/html5/test_sanitizer.rb +0 -382
  33. data/test/integration/test_ad_hoc.rb +0 -204
  34. data/test/integration/test_helpers.rb +0 -43
  35. data/test/integration/test_html.rb +0 -72
  36. data/test/integration/test_scrubbers.rb +0 -400
  37. data/test/integration/test_xml.rb +0 -55
  38. data/test/unit/test_api.rb +0 -142
  39. data/test/unit/test_encoding.rb +0 -20
  40. data/test/unit/test_helpers.rb +0 -62
  41. data/test/unit/test_scrubber.rb +0 -229
  42. data/test/unit/test_scrubbers.rb +0 -14
data/lib/loofah/helpers.rb CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module Loofah
2
3
  module Helpers
3
4
  class << self
@@ -27,7 +28,7 @@ module Loofah
27
28
  #
28
29
  # Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
29
30
  #
30
- def sanitize_css style_string
31
+ def sanitize_css(style_string)
31
32
  ::Loofah::HTML5::Scrub.scrub_css style_string
32
33
  end
33
34
 
@@ -46,8 +47,13 @@ module Loofah
46
47
  @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
47
48
  end
48
49
 
50
+ def safe_list_sanitizer
51
+ @safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new
52
+ end
53
+
49
54
  def white_list_sanitizer
50
- @white_list_sanitizer ||= ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
55
+ warn "warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead."
56
+ safe_list_sanitizer
51
57
  end
52
58
  end
53
59
 
@@ -63,7 +69,7 @@ module Loofah
63
69
  # Loofah::Helpers::ActionView.set_as_default_sanitizer
64
70
  #
65
71
  class FullSanitizer
66
- def sanitize html, *args
72
+ def sanitize(html, *args)
67
73
  Loofah::Helpers.strip_tags html
68
74
  end
69
75
  end
@@ -73,21 +79,26 @@ module Loofah
73
79
  #
74
80
  # To use by default, call this in an application initializer:
75
81
  #
76
- # ActionView::Helpers::SanitizeHelper.white_list_sanitizer = ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
82
+ # ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = ::Loofah::Helpers::ActionView::SafeListSanitizer.new
77
83
  #
78
84
  # Or, to generally opt-in to Loofah's view sanitizers:
79
85
  #
80
86
  # Loofah::Helpers::ActionView.set_as_default_sanitizer
81
87
  #
82
- class WhiteListSanitizer
83
- def sanitize html, *args
88
+ class SafeListSanitizer
89
+ def sanitize(html, *args)
84
90
  Loofah::Helpers.sanitize html
85
91
  end
86
92
 
87
- def sanitize_css style_string, *args
93
+ def sanitize_css(style_string, *args)
88
94
  Loofah::Helpers.sanitize_css style_string
89
95
  end
90
96
  end
97
+
98
+ WhiteListSanitizer = SafeListSanitizer
99
+ if Object.respond_to?(:deprecate_constant)
100
+ deprecate_constant :WhiteListSanitizer
101
+ end
91
102
  end
92
103
  end
93
104
  end
data/lib/loofah/html/document.rb CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module Loofah
2
3
  module HTML # :nodoc:
3
4
  #
data/lib/loofah/html/document_fragment.rb CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module Loofah
2
3
  module HTML # :nodoc:
3
4
  #
@@ -14,10 +15,10 @@ module Loofah
14
15
  # constructor. Applications should use Loofah.fragment to
15
16
  # parse a fragment.
16
17
  #
17
- def parse tags, encoding = nil
18
+ def parse(tags, encoding = nil)
18
19
  doc = Loofah::HTML::Document.new
19
20
 
20
- encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
21
+ encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
21
22
  doc.encoding = encoding
22
23
 
23
24
  new(doc, tags)
@@ -30,6 +31,7 @@ module Loofah
30
31
  def to_s
31
32
  serialize_root.children.to_s
32
33
  end
34
+
33
35
  alias :serialize :to_s
34
36
 
35
37
  def serialize_root
data/lib/loofah/html5/libxml2_workarounds.rb CHANGED
@@ -1,5 +1,6 @@
1
1
  # coding: utf-8
2
- require 'set'
2
+ # frozen_string_literal: true
3
+ require "set"
3
4
 
4
5
  module Loofah
5
6
  #
@@ -16,11 +17,11 @@ module Loofah
16
17
  # see comments about CVE-2018-8048 within the tests for more information
17
18
  #
18
19
  BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
19
- href
20
- action
21
- src
22
- name
23
- ]
24
- BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
20
+ href
21
+ action
22
+ src
23
+ name
24
+ ]
25
+ BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
25
26
  end
26
27
  end