loofah 2.2.3 → 2.19.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +212 -31
- data/README.md +18 -24
- data/lib/loofah/elements.rb +79 -75
- data/lib/loofah/helpers.rb +18 -7
- data/lib/loofah/html/document.rb +1 -0
- data/lib/loofah/html/document_fragment.rb +4 -2
- data/lib/loofah/html5/libxml2_workarounds.rb +8 -7
- data/lib/loofah/html5/safelist.rb +1043 -0
- data/lib/loofah/html5/scrub.rb +73 -48
- data/lib/loofah/instance_methods.rb +14 -8
- data/lib/loofah/metahelpers.rb +2 -1
- data/lib/loofah/scrubber.rb +8 -7
- data/lib/loofah/scrubbers.rb +19 -13
- data/lib/loofah/version.rb +5 -0
- data/lib/loofah/xml/document.rb +1 -0
- data/lib/loofah/xml/document_fragment.rb +2 -1
- data/lib/loofah.rb +35 -18
- metadata +52 -138
- data/.gemtest +0 -0
- data/Gemfile +0 -22
- data/Manifest.txt +0 -40
- data/Rakefile +0 -79
- data/benchmark/benchmark.rb +0 -149
- data/benchmark/fragment.html +0 -96
- data/benchmark/helper.rb +0 -73
- data/benchmark/www.slashdot.com.html +0 -2560
- data/lib/loofah/html5/whitelist.rb +0 -186
- data/test/assets/msword.html +0 -63
- data/test/assets/testdata_sanitizer_tests1.dat +0 -502
- data/test/helper.rb +0 -18
- data/test/html5/test_sanitizer.rb +0 -382
- data/test/integration/test_ad_hoc.rb +0 -204
- data/test/integration/test_helpers.rb +0 -43
- data/test/integration/test_html.rb +0 -72
- data/test/integration/test_scrubbers.rb +0 -400
- data/test/integration/test_xml.rb +0 -55
- data/test/unit/test_api.rb +0 -142
- data/test/unit/test_encoding.rb +0 -20
- data/test/unit/test_helpers.rb +0 -62
- data/test/unit/test_scrubber.rb +0 -229
- data/test/unit/test_scrubbers.rb +0 -14
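--- a/data/lib/loofah/helpers.rb
+++ b/data/lib/loofah/helpers.rb
@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
 module Helpers
 class << self
@@ -27,7 +28,7 @@ module Loofah
 #
 # Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
 #
-def sanitize_css
+def sanitize_css(style_string)
 ::Loofah::HTML5::Scrub.scrub_css style_string
 end
 
@@ -46,8 +47,13 @@ module Loofah
 @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
 end
 
+def safe_list_sanitizer
+@safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+end
+
 def white_list_sanitizer
-
+warn "warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead."
+safe_list_sanitizer
 end
 end
 
@@ -63,7 +69,7 @@ module Loofah
 # Loofah::Helpers::ActionView.set_as_default_sanitizer
 #
 class FullSanitizer
-def sanitize
+def sanitize(html, *args)
 Loofah::Helpers.strip_tags html
 end
 end
@@ -73,21 +79,26 @@ module Loofah
 #
 # To use by default, call this in an application initializer:
 #
-# ActionView::Helpers::SanitizeHelper.
+# ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = ::Loofah::Helpers::ActionView::SafeListSanitizer.new
 #
 # Or, to generally opt-in to Loofah's view sanitizers:
 #
 # Loofah::Helpers::ActionView.set_as_default_sanitizer
 #
-class
-def sanitize
+class SafeListSanitizer
+def sanitize(html, *args)
 Loofah::Helpers.sanitize html
 end
 
-def sanitize_css
+def sanitize_css(style_string, *args)
 Loofah::Helpers.sanitize_css style_string
 end
 end
+
+WhiteListSanitizer = SafeListSanitizer
+if Object.respond_to?(:deprecate_constant)
+deprecate_constant :WhiteListSanitizer
+end
 end
 end
 end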
data/lib/loofah/html/document.rb
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
module Loofah
|
2
3
|
module HTML # :nodoc:
|
3
4
|
#
|
@@ -14,10 +15,10 @@ module Loofah
|
|
14
15
|
# constructor. Applications should use Loofah.fragment to
|
15
16
|
# parse a fragment.
|
16
17
|
#
|
17
|
-
def parse
|
18
|
+
def parse(tags, encoding = nil)
|
18
19
|
doc = Loofah::HTML::Document.new
|
19
20
|
|
20
|
-
encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name :
|
21
|
+
encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
|
21
22
|
doc.encoding = encoding
|
22
23
|
|
23
24
|
new(doc, tags)
|
@@ -30,6 +31,7 @@ module Loofah
|
|
30
31
|
def to_s
|
31
32
|
serialize_root.children.to_s
|
32
33
|
end
|
34
|
+
|
33
35
|
alias :serialize :to_s
|
34
36
|
|
35
37
|
def serialize_root
|
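Review bot: The new `encoding` parameter of `parse(tags, encoding = nil)` in the `@@ -14,10 +15,10 @@` hunk is assigned to `doc.encoding` without validation, yet the method comment just above it (lines 14-17) still only says that applications should use `Loofah.fragment`, so a caller cannot tell that an explicit value overrides the encoding taken from `tags`, or that a `tags` value without `#encoding` now falls back to `"UTF-8"`. I would add above `def parse`: `# +encoding+ (optional) overrides the encoding that would otherwise be read from +tags.encoding+, or "UTF-8" when +tags+ does not respond to +encoding+; the value is assigned to the document unvalidated.` Note that this hunk refers to `Loofah.fragment` and `serialize_root.children.to_s`, which reads as `DocumentFragment.parse` from document_fragment.rb rather than the document.rb this section is labelled with (the diffstat gives document.rb only +1 -0), so the page has presumably lost a file header between the two hunks.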
@@ -1,5 +1,6 @@
|
|
1
1
|
# coding: utf-8
|
2
|
-
|
2
|
+
# frozen_string_literal: true
|
3
|
+
require "set"
|
3
4
|
|
4
5
|
module Loofah
|
5
6
|
#
|
@@ -16,11 +17,11 @@ module Loofah
|
|
16
17
|
# see comments about CVE-2018-8048 within the tests for more information
|
17
18
|
#
|
18
19
|
BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
|
20
|
+
href
|
21
|
+
action
|
22
|
+
src
|
23
|
+
name
|
24
|
+
]
|
25
|
+
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
|
25
26
|
end
|
26
27
|
end
|