loofah 2.2.3 → 2.19.1

Files changed (42) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +221 -31
  3. data/README.md +18 -24
  4. data/lib/loofah/elements.rb +79 -75
  5. data/lib/loofah/helpers.rb +18 -7
  6. data/lib/loofah/html/document.rb +1 -0
  7. data/lib/loofah/html/document_fragment.rb +4 -2
  8. data/lib/loofah/html5/libxml2_workarounds.rb +8 -7
  9. data/lib/loofah/html5/safelist.rb +1042 -0
  10. data/lib/loofah/html5/scrub.rb +150 -55
  11. data/lib/loofah/instance_methods.rb +14 -8
  12. data/lib/loofah/metahelpers.rb +2 -1
  13. data/lib/loofah/scrubber.rb +12 -7
  14. data/lib/loofah/scrubbers.rb +21 -19
  15. data/lib/loofah/version.rb +5 -0
  16. data/lib/loofah/xml/document.rb +1 -0
  17. data/lib/loofah/xml/document_fragment.rb +2 -1
  18. data/lib/loofah.rb +35 -18
  19. metadata +52 -138
  20. data/.gemtest +0 -0
  21. data/Gemfile +0 -22
  22. data/Manifest.txt +0 -40
  23. data/Rakefile +0 -79
  24. data/benchmark/benchmark.rb +0 -149
  25. data/benchmark/fragment.html +0 -96
  26. data/benchmark/helper.rb +0 -73
  27. data/benchmark/www.slashdot.com.html +0 -2560
  28. data/lib/loofah/html5/whitelist.rb +0 -186
  29. data/test/assets/msword.html +0 -63
  30. data/test/assets/testdata_sanitizer_tests1.dat +0 -502
  31. data/test/helper.rb +0 -18
  32. data/test/html5/test_sanitizer.rb +0 -382
  33. data/test/integration/test_ad_hoc.rb +0 -204
  34. data/test/integration/test_helpers.rb +0 -43
  35. data/test/integration/test_html.rb +0 -72
  36. data/test/integration/test_scrubbers.rb +0 -400
  37. data/test/integration/test_xml.rb +0 -55
  38. data/test/unit/test_api.rb +0 -142
  39. data/test/unit/test_encoding.rb +0 -20
  40. data/test/unit/test_helpers.rb +0 -62
  41. data/test/unit/test_scrubber.rb +0 -229
  42. data/test/unit/test_scrubbers.rb +0 -14
@@ -0,0 +1,1042 @@
1
+ # frozen_string_literal: true
2
+ require "set"
3
+
4
+ module Loofah
5
+ module HTML5 # :nodoc:
6
+ #
7
+ # HTML safelist lifted from HTML5lib sanitizer code:
8
+ #
9
+ # http://code.google.com/p/html5lib/
10
+ #
11
+ # <html5_license>
12
+ #
13
+ # Copyright (c) 2006-2008 The Authors
14
+ #
15
+ # Contributors:
16
+ # James Graham - jg307@cam.ac.uk
17
+ # Anne van Kesteren - annevankesteren@gmail.com
18
+ # Lachlan Hunt - lachlan.hunt@lachy.id.au
19
+ # Matt McDonald - kanashii@kanashii.ca
20
+ # Sam Ruby - rubys@intertwingly.net
21
+ # Ian Hickson (Google) - ian@hixie.ch
22
+ # Thomas Broyer - t.broyer@ltgt.net
23
+ # Jacques Distler - distler@golem.ph.utexas.edu
24
+ # Henri Sivonen - hsivonen@iki.fi
25
+ # The Mozilla Foundation (contributions from Henri Sivonen since 2008)
26
+ #
27
+ # Permission is hereby granted, free of charge, to any person
28
+ # obtaining a copy of this software and associated documentation
29
+ # files (the "Software"), to deal in the Software without
30
+ # restriction, including without limitation the rights to use, copy,
31
+ # modify, merge, publish, distribute, sublicense, and/or sell copies
32
+ # of the Software, and to permit persons to whom the Software is
33
+ # furnished to do so, subject to the following conditions:
34
+ #
35
+ # The above copyright notice and this permission notice shall be
36
+ # included in all copies or substantial portions of the Software.
37
+ #
38
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
39
+ # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
40
+ # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
41
+ # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
42
+ # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
43
+ # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
44
+ # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
45
+ # DEALINGS IN THE SOFTWARE.
46
+ #
47
+ # </html5_license>
48
+ module SafeList
49
+ ACCEPTABLE_ELEMENTS = Set.new([
50
+ "a",
51
+ "abbr",
52
+ "acronym",
53
+ "address",
54
+ "area",
55
+ "article",
56
+ "aside",
57
+ "audio",
58
+ "b",
59
+ "bdi",
60
+ "bdo",
61
+ "big",
62
+ "blockquote",
63
+ "br",
64
+ "button",
65
+ "canvas",
66
+ "caption",
67
+ "center",
68
+ "cite",
69
+ "code",
70
+ "col",
71
+ "colgroup",
72
+ "command",
73
+ "datalist",
74
+ "dd",
75
+ "del",
76
+ "details",
77
+ "dfn",
78
+ "dir",
79
+ "div",
80
+ "dl",
81
+ "dt",
82
+ "em",
83
+ "fieldset",
84
+ "figcaption",
85
+ "figure",
86
+ "font",
87
+ "footer",
88
+ "form",
89
+ "h1",
90
+ "h2",
91
+ "h3",
92
+ "h4",
93
+ "h5",
94
+ "h6",
95
+ "header",
96
+ "hr",
97
+ "i",
98
+ "img",
99
+ "input",
100
+ "ins",
101
+ "kbd",
102
+ "label",
103
+ "legend",
104
+ "li",
105
+ "main",
106
+ "map",
107
+ "mark",
108
+ "menu",
109
+ "meter",
110
+ "nav",
111
+ "ol",
112
+ "optgroup",
113
+ "option",
114
+ "output",
115
+ "p",
116
+ "pre",
117
+ "q",
118
+ "s",
119
+ "samp",
120
+ "section",
121
+ "select",
122
+ "small",
123
+ "span",
124
+ "strike",
125
+ "strong",
126
+ "sub",
127
+ "summary",
128
+ "sup",
129
+ "table",
130
+ "tbody",
131
+ "td",
132
+ "textarea",
133
+ "tfoot",
134
+ "th",
135
+ "thead",
136
+ "time",
137
+ "tr",
138
+ "tt",
139
+ "u",
140
+ "ul",
141
+ "var",
142
+ "video",
143
+ "wbr",
144
+ ])
145
+
146
+ MATHML_ELEMENTS = Set.new([
147
+ "annotation",
148
+ "annotation-xml",
149
+ "maction",
150
+ "math",
151
+ "menclose",
152
+ "merror",
153
+ "mfenced",
154
+ "mfrac",
155
+ "mi",
156
+ "mmultiscripts",
157
+ "mn",
158
+ "mo",
159
+ "mover",
160
+ "mpadded",
161
+ "mphantom",
162
+ "mprescripts",
163
+ "mroot",
164
+ "mrow",
165
+ "ms",
166
+ "mspace",
167
+ "msqrt",
168
+ "mstyle",
169
+ "msub",
170
+ "msubsup",
171
+ "msup",
172
+ "mtable",
173
+ "mtd",
174
+ "mtext",
175
+ "mtr",
176
+ "munder",
177
+ "munderover",
178
+ "none",
179
+ "semantics",
180
+ ])
181
+
182
+ SVG_ELEMENTS = Set.new([
183
+ "a",
184
+ "animate",
185
+ "animateColor",
186
+ "animateMotion",
187
+ "animateTransform",
188
+ "circle",
189
+ "clipPath",
190
+ "defs",
191
+ "desc",
192
+ "ellipse",
193
+ "feGaussianBlur",
194
+ "filter",
195
+ "font-face",
196
+ "font-face-name",
197
+ "font-face-src",
198
+ "foreignObject",
199
+ "g",
200
+ "glyph",
201
+ "hkern",
202
+ "line",
203
+ "linearGradient",
204
+ "marker",
205
+ "mask",
206
+ "metadata",
207
+ "missing-glyph",
208
+ "mpath",
209
+ "path",
210
+ "polygon",
211
+ "polyline",
212
+ "radialGradient",
213
+ "rect",
214
+ "set",
215
+ "stop",
216
+ "svg",
217
+ "switch",
218
+ "symbol",
219
+ "text",
220
+ "textPath",
221
+ "title",
222
+ "tspan",
223
+ "use",
224
+ ])
225
+
226
+ ACCEPTABLE_ATTRIBUTES = Set.new([
227
+ "abbr",
228
+ "accept",
229
+ "accept-charset",
230
+ "accesskey",
231
+ "action",
232
+ "align",
233
+ "alt",
234
+ "axis",
235
+ "border",
236
+ "cellpadding",
237
+ "cellspacing",
238
+ "char",
239
+ "charoff",
240
+ "charset",
241
+ "checked",
242
+ "cite",
243
+ "class",
244
+ "clear",
245
+ "color",
246
+ "cols",
247
+ "colspan",
248
+ "compact",
249
+ "contenteditable",
250
+ "coords",
251
+ "datetime",
252
+ "dir",
253
+ "disabled",
254
+ "enctype",
255
+ "for",
256
+ "frame",
257
+ "headers",
258
+ "height",
259
+ "href",
260
+ "hreflang",
261
+ "hspace",
262
+ "id",
263
+ "ismap",
264
+ "label",
265
+ "lang",
266
+ "longdesc",
267
+ "loop",
268
+ "loopcount",
269
+ "loopend",
270
+ "loopstart",
271
+ "maxlength",
272
+ "media",
273
+ "method",
274
+ "multiple",
275
+ "name",
276
+ "nohref",
277
+ "noshade",
278
+ "nowrap",
279
+ "poster",
280
+ "preload",
281
+ "prompt",
282
+ "readonly",
283
+ "rel",
284
+ "rev",
285
+ "rows",
286
+ "rowspan",
287
+ "rules",
288
+ "scope",
289
+ "selected",
290
+ "shape",
291
+ "size",
292
+ "span",
293
+ "src",
294
+ "start",
295
+ "style",
296
+ "summary",
297
+ "tabindex",
298
+ "target",
299
+ "title",
300
+ "type",
301
+ "usemap",
302
+ "valign",
303
+ "value",
304
+ "vspace",
305
+ "width",
306
+ "xml:lang",
307
+ ])
308
+
309
+ MATHML_ATTRIBUTES = Set.new([
310
+ "actiontype",
311
+ "align",
312
+ "close",
313
+ "columnalign",
314
+ "columnlines",
315
+ "columnspacing",
316
+ "columnspan",
317
+ "depth",
318
+ "dir",
319
+ "display",
320
+ "displaystyle",
321
+ "encoding",
322
+ "equalcolumns",
323
+ "equalrows",
324
+ "fence",
325
+ "fontstyle",
326
+ "fontweight",
327
+ "frame",
328
+ "height",
329
+ "href",
330
+ "linethickness",
331
+ "lquote",
332
+ "lspace",
333
+ "mathbackground",
334
+ "mathcolor",
335
+ "mathsize",
336
+ "mathvariant",
337
+ "maxsize",
338
+ "minsize",
339
+ "notation",
340
+ "open",
341
+ "other",
342
+ "rowalign",
343
+ "rowlines",
344
+ "rowspacing",
345
+ "rowspan",
346
+ "rquote",
347
+ "rspace",
348
+ "scriptlevel",
349
+ "selection",
350
+ "separator",
351
+ "separators",
352
+ "stretchy",
353
+ "width",
354
+ "xlink:href",
355
+ "xlink:show",
356
+ "xlink:type",
357
+ "xmlns",
358
+ "xmlns:xlink",
359
+ ])
360
+
361
+ SVG_ATTRIBUTES = Set.new([
362
+ "accent-height",
363
+ "accumulate",
364
+ "additive",
365
+ "alphabetic",
366
+ "arabic-form",
367
+ "ascent",
368
+ "attributeName",
369
+ "attributeType",
370
+ "baseProfile",
371
+ "bbox",
372
+ "begin",
373
+ "calcMode",
374
+ "cap-height",
375
+ "class",
376
+ "clip-path",
377
+ "clip-rule",
378
+ "color",
379
+ "color-interpolation-filters",
380
+ "color-rendering",
381
+ "content",
382
+ "cx",
383
+ "cy",
384
+ "d",
385
+ "descent",
386
+ "display",
387
+ "dur",
388
+ "dx",
389
+ "dy",
390
+ "end",
391
+ "fill",
392
+ "fill-opacity",
393
+ "fill-rule",
394
+ "filterRes",
395
+ "filterUnits",
396
+ "font-family",
397
+ "font-size",
398
+ "font-stretch",
399
+ "font-style",
400
+ "font-variant",
401
+ "font-weight",
402
+ "fx",
403
+ "fy",
404
+ "g1",
405
+ "g2",
406
+ "glyph-name",
407
+ "gradientUnits",
408
+ "hanging",
409
+ "height",
410
+ "horiz-adv-x",
411
+ "horiz-origin-x",
412
+ "id",
413
+ "ideographic",
414
+ "k",
415
+ "keyPoints",
416
+ "keySplines",
417
+ "keyTimes",
418
+ "lang",
419
+ "marker-end",
420
+ "marker-mid",
421
+ "marker-start",
422
+ "markerHeight",
423
+ "markerUnits",
424
+ "markerWidth",
425
+ "maskContentUnits",
426
+ "maskUnits",
427
+ "mathematical",
428
+ "max",
429
+ "method",
430
+ "min",
431
+ "name",
432
+ "offset",
433
+ "opacity",
434
+ "orient",
435
+ "origin",
436
+ "overline-position",
437
+ "overline-thickness",
438
+ "panose-1",
439
+ "path",
440
+ "pathLength",
441
+ "patternContentUnits",
442
+ "patternTransform",
443
+ "patternUnits",
444
+ "points",
445
+ "preserveAspectRatio",
446
+ "primitiveUnits",
447
+ "r",
448
+ "refX",
449
+ "refY",
450
+ "repeatCount",
451
+ "repeatDur",
452
+ "requiredExtensions",
453
+ "requiredFeatures",
454
+ "restart",
455
+ "rotate",
456
+ "rx",
457
+ "ry",
458
+ "slope",
459
+ "spacing",
460
+ "startOffset",
461
+ "stdDeviation",
462
+ "stemh",
463
+ "stemv",
464
+ "stop-color",
465
+ "stop-opacity",
466
+ "strikethrough-position",
467
+ "strikethrough-thickness",
468
+ "stroke",
469
+ "stroke-dasharray",
470
+ "stroke-dashoffset",
471
+ "stroke-linecap",
472
+ "stroke-linejoin",
473
+ "stroke-miterlimit",
474
+ "stroke-opacity",
475
+ "stroke-width",
476
+ "systemLanguage",
477
+ "target",
478
+ "text-anchor",
479
+ "transform",
480
+ "type",
481
+ "u1",
482
+ "u2",
483
+ "underline-position",
484
+ "underline-thickness",
485
+ "unicode",
486
+ "unicode-range",
487
+ "units-per-em",
488
+ "version",
489
+ "viewBox",
490
+ "visibility",
491
+ "width",
492
+ "widths",
493
+ "x",
494
+ "x-height",
495
+ "x1",
496
+ "x2",
497
+ "xlink:actuate",
498
+ "xlink:arcrole",
499
+ "xlink:href",
500
+ "xlink:role",
501
+ "xlink:show",
502
+ "xlink:title",
503
+ "xlink:type",
504
+ "xml:base",
505
+ "xml:lang",
506
+ "xml:space",
507
+ "xmlns",
508
+ "xmlns:xlink",
509
+ "y",
510
+ "y1",
511
+ "y2",
512
+ "zoomAndPan",
513
+ ])
514
+
515
+ ARIA_ATTRIBUTES = Set.new([
516
+ "aria-activedescendant",
517
+ "aria-atomic",
518
+ "aria-autocomplete",
519
+ "aria-braillelabel",
520
+ "aria-brailleroledescription",
521
+ "aria-busy",
522
+ "aria-checked",
523
+ "aria-colcount",
524
+ "aria-colindex",
525
+ "aria-colindextext",
526
+ "aria-colspan",
527
+ "aria-controls",
528
+ "aria-current",
529
+ "aria-describedby",
530
+ "aria-description",
531
+ "aria-details",
532
+ "aria-disabled",
533
+ "aria-dropeffect",
534
+ "aria-errormessage",
535
+ "aria-expanded",
536
+ "aria-flowto",
537
+ "aria-grabbed",
538
+ "aria-haspopup",
539
+ "aria-hidden",
540
+ "aria-invalid",
541
+ "aria-keyshortcuts",
542
+ "aria-label",
543
+ "aria-labelledby",
544
+ "aria-level",
545
+ "aria-live",
546
+ "aria-multiline",
547
+ "aria-multiselectable",
548
+ "aria-orientation",
549
+ "aria-owns",
550
+ "aria-placeholder",
551
+ "aria-posinset",
552
+ "aria-pressed",
553
+ "aria-readonly",
554
+ "aria-relevant",
555
+ "aria-required",
556
+ "aria-roledescription",
557
+ "aria-rowcount",
558
+ "aria-rowindex",
559
+ "aria-rowindextext",
560
+ "aria-rowspan",
561
+ "aria-selected",
562
+ "aria-setsize",
563
+ "aria-sort",
564
+ "aria-valuemax",
565
+ "aria-valuemin",
566
+ "aria-valuenow",
567
+ "aria-valuetext",
568
+ "role",
569
+ ])
570
+
571
+ ATTR_VAL_IS_URI = Set.new([
572
+ "action",
573
+ "cite",
574
+ "href",
575
+ "longdesc",
576
+ "poster",
577
+ "preload",
578
+ "src",
579
+ "xlink:href",
580
+ "xml:base",
581
+ ])
582
+
583
+ SVG_ATTR_VAL_ALLOWS_REF = Set.new([
584
+ "clip-path",
585
+ "color-profile",
586
+ "cursor",
587
+ "fill",
588
+ "filter",
589
+ "marker",
590
+ "marker-end",
591
+ "marker-mid",
592
+ "marker-start",
593
+ "mask",
594
+ "stroke",
595
+ ])
596
+
597
+ SVG_ALLOW_LOCAL_HREF = Set.new([
598
+ "altGlyph",
599
+ "animate",
600
+ "animateColor",
601
+ "animateMotion",
602
+ "animateTransform",
603
+ "cursor",
604
+ "feImage",
605
+ "filter",
606
+ "linearGradient",
607
+ "pattern",
608
+ "radialGradient",
609
+ "set",
610
+ "textpath",
611
+ "tref",
612
+ "use",
613
+ ])
614
+
615
+ ACCEPTABLE_CSS_PROPERTIES = Set.new([
616
+ "azimuth",
617
+ "align-content",
618
+ "align-items",
619
+ "align-self",
620
+ "aspect-ratio",
621
+ "background-color",
622
+ "border-bottom-color",
623
+ "border-collapse",
624
+ "border-color",
625
+ "border-left-color",
626
+ "border-right-color",
627
+ "border-top-color",
628
+ "clear",
629
+ "color",
630
+ "cursor",
631
+ "direction",
632
+ "display",
633
+ "elevation",
634
+ "flex",
635
+ "flex-basis",
636
+ "flex-direction",
637
+ "flex-flow",
638
+ "flex-grow",
639
+ "flex-shrink",
640
+ "flex-wrap",
641
+ "float",
642
+ "font",
643
+ "font-family",
644
+ "font-size",
645
+ "font-style",
646
+ "font-variant",
647
+ "font-weight",
648
+ "height",
649
+ "justify-content",
650
+ "letter-spacing",
651
+ "line-height",
652
+ "list-style",
653
+ "list-style-type",
654
+ "max-width",
655
+ "order",
656
+ "overflow",
657
+ "overflow-x",
658
+ "overflow-y",
659
+ "page-break-after",
660
+ "page-break-before",
661
+ "page-break-inside",
662
+ "pause",
663
+ "pause-after",
664
+ "pause-before",
665
+ "pitch",
666
+ "pitch-range",
667
+ "richness",
668
+ "speak",
669
+ "speak-header",
670
+ "speak-numeral",
671
+ "speak-punctuation",
672
+ "speech-rate",
673
+ "stress",
674
+ "text-align",
675
+ "text-decoration",
676
+ "text-indent",
677
+ "unicode-bidi",
678
+ "vertical-align",
679
+ "voice-family",
680
+ "volume",
681
+ "white-space",
682
+ "width",
683
+ ])
684
+
685
+ ACCEPTABLE_CSS_KEYWORDS = Set.new([
686
+ "!important",
687
+ "auto",
688
+ "block",
689
+ "bold",
690
+ "both",
691
+ "bottom",
692
+ "center",
693
+ "collapse",
694
+ "dashed",
695
+ "dotted",
696
+ "double",
697
+ "groove",
698
+ "hidden",
699
+ "inherit",
700
+ "initial",
701
+ "inset",
702
+ "italic",
703
+ "left",
704
+ "medium",
705
+ "none",
706
+ "normal",
707
+ "nowrap",
708
+ "outset",
709
+ "pointer",
710
+ "revert",
711
+ "ridge",
712
+ "right",
713
+ "separate",
714
+ "solid",
715
+ "thick",
716
+ "thin",
717
+ "top",
718
+ "transparent",
719
+ "underline",
720
+ "unset",
721
+ ])
722
+
723
+ # https://www.w3.org/TR/css-color-3/#html4
724
+ ACCEPTABLE_CSS_COLORS = Set.new([
725
+ "aqua",
726
+ "black",
727
+ "blue",
728
+ "fuchsia",
729
+ "gray",
730
+ "green",
731
+ "lime",
732
+ "maroon",
733
+ "navy",
734
+ "olive",
735
+ "purple",
736
+ "red",
737
+ "silver",
738
+ "teal",
739
+ "white",
740
+ "yellow",
741
+ ])
742
+
743
+ # https://www.w3.org/TR/css-color-3/#svg-color
744
+ ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
745
+ "aliceblue",
746
+ "antiquewhite",
747
+ "aqua",
748
+ "aquamarine",
749
+ "azure",
750
+ "beige",
751
+ "bisque",
752
+ "black",
753
+ "blanchedalmond",
754
+ "blue",
755
+ "blueviolet",
756
+ "brown",
757
+ "burlywood",
758
+ "cadetblue",
759
+ "chartreuse",
760
+ "chocolate",
761
+ "coral",
762
+ "cornflowerblue",
763
+ "cornsilk",
764
+ "crimson",
765
+ "cyan",
766
+ "darkblue",
767
+ "darkcyan",
768
+ "darkgoldenrod",
769
+ "darkgray",
770
+ "darkgreen",
771
+ "darkgrey",
772
+ "darkkhaki",
773
+ "darkmagenta",
774
+ "darkolivegreen",
775
+ "darkorange",
776
+ "darkorchid",
777
+ "darkred",
778
+ "darksalmon",
779
+ "darkseagreen",
780
+ "darkslateblue",
781
+ "darkslategray",
782
+ "darkslategrey",
783
+ "darkturquoise",
784
+ "darkviolet",
785
+ "deeppink",
786
+ "deepskyblue",
787
+ "dimgray",
788
+ "dimgrey",
789
+ "dodgerblue",
790
+ "firebrick",
791
+ "floralwhite",
792
+ "forestgreen",
793
+ "fuchsia",
794
+ "gainsboro",
795
+ "ghostwhite",
796
+ "gold",
797
+ "goldenrod",
798
+ "gray",
799
+ "green",
800
+ "greenyellow",
801
+ "grey",
802
+ "honeydew",
803
+ "hotpink",
804
+ "indianred",
805
+ "indigo",
806
+ "ivory",
807
+ "khaki",
808
+ "lavender",
809
+ "lavenderblush",
810
+ "lawngreen",
811
+ "lemonchiffon",
812
+ "lightblue",
813
+ "lightcoral",
814
+ "lightcyan",
815
+ "lightgoldenrodyellow",
816
+ "lightgray",
817
+ "lightgreen",
818
+ "lightgrey",
819
+ "lightpink",
820
+ "lightsalmon",
821
+ "lightseagreen",
822
+ "lightskyblue",
823
+ "lightslategray",
824
+ "lightslategrey",
825
+ "lightsteelblue",
826
+ "lightyellow",
827
+ "lime",
828
+ "limegreen",
829
+ "linen",
830
+ "magenta",
831
+ "maroon",
832
+ "mediumaquamarine",
833
+ "mediumblue",
834
+ "mediumorchid",
835
+ "mediumpurple",
836
+ "mediumseagreen",
837
+ "mediumslateblue",
838
+ "mediumspringgreen",
839
+ "mediumturquoise",
840
+ "mediumvioletred",
841
+ "midnightblue",
842
+ "mintcream",
843
+ "mistyrose",
844
+ "moccasin",
845
+ "navajowhite",
846
+ "navy",
847
+ "oldlace",
848
+ "olive",
849
+ "olivedrab",
850
+ "orange",
851
+ "orangered",
852
+ "orchid",
853
+ "palegoldenrod",
854
+ "palegreen",
855
+ "paleturquoise",
856
+ "palevioletred",
857
+ "papayawhip",
858
+ "peachpuff",
859
+ "peru",
860
+ "pink",
861
+ "plum",
862
+ "powderblue",
863
+ "purple",
864
+ "red",
865
+ "rosybrown",
866
+ "royalblue",
867
+ "saddlebrown",
868
+ "salmon",
869
+ "sandybrown",
870
+ "seagreen",
871
+ "seashell",
872
+ "sienna",
873
+ "silver",
874
+ "skyblue",
875
+ "slateblue",
876
+ "slategray",
877
+ "slategrey",
878
+ "snow",
879
+ "springgreen",
880
+ "steelblue",
881
+ "tan",
882
+ "teal",
883
+ "thistle",
884
+ "tomato",
885
+ "turquoise",
886
+ "violet",
887
+ "wheat",
888
+ "white",
889
+ "whitesmoke",
890
+ "yellow",
891
+ "yellowgreen",
892
+ ])
893
+
894
+ # see https://www.quackit.com/css/functions/
895
+ # omit `url` and `image` from that list
896
+ ACCEPTABLE_CSS_FUNCTIONS = Set.new([
897
+ "attr",
898
+ "blur",
899
+ "brightness",
900
+ "calc",
901
+ "circle",
902
+ "contrast",
903
+ "counter",
904
+ "counters",
905
+ "cubic-bezier",
906
+ "drop-shadow",
907
+ "ellipse",
908
+ "grayscale",
909
+ "hsl",
910
+ "hsla",
911
+ "hue-rotate",
912
+ "hwb",
913
+ "inset",
914
+ "invert",
915
+ "linear-gradient",
916
+ "matrix",
917
+ "matrix3d",
918
+ "opacity",
919
+ "perspective",
920
+ "polygon",
921
+ "radial-gradient",
922
+ "repeating-linear-gradient",
923
+ "repeating-radial-gradient",
924
+ "rgb",
925
+ "rgba",
926
+ "rotate",
927
+ "rotate3d",
928
+ "rotateX",
929
+ "rotateY",
930
+ "rotateZ",
931
+ "saturate",
932
+ "sepia",
933
+ "scale",
934
+ "scale3d",
935
+ "scaleX",
936
+ "scaleY",
937
+ "scaleZ",
938
+ "skew",
939
+ "skewX",
940
+ "skewY",
941
+ "symbols",
942
+ "translate",
943
+ "translate3d",
944
+ "translateX",
945
+ "translateY",
946
+ "translateZ",
947
+ ])
948
+
949
+ SHORTHAND_CSS_PROPERTIES = Set.new([
950
+ "background",
951
+ "border",
952
+ "margin",
953
+ "padding",
954
+ ])
955
+
956
+ ACCEPTABLE_SVG_PROPERTIES = Set.new([
957
+ "fill",
958
+ "fill-opacity",
959
+ "fill-rule",
960
+ "stroke",
961
+ "stroke-width",
962
+ "stroke-linecap",
963
+ "stroke-linejoin",
964
+ "stroke-opacity",
965
+ ])
966
+
967
+ PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
968
+
969
+ ACCEPTABLE_PROTOCOLS = Set.new([
970
+ "afs",
971
+ "aim",
972
+ "callto",
973
+ "data",
974
+ "ed2k",
975
+ "feed",
976
+ "ftp",
977
+ "gopher",
978
+ "http",
979
+ "https",
980
+ "irc",
981
+ "line",
982
+ "mailto",
983
+ "news",
984
+ "nntp",
985
+ "rsync",
986
+ "rtsp",
987
+ "sftp",
988
+ "sms",
989
+ "ssh",
990
+ "tag",
991
+ "tel",
992
+ "telnet",
993
+ "urn",
994
+ "webcal",
995
+ "xmpp",
996
+ ])
997
+
998
+ ACCEPTABLE_URI_DATA_MEDIATYPES = Set.new([
999
+ "image/gif",
1000
+ "image/jpeg",
1001
+ "image/png",
1002
+ "text/css",
1003
+ "text/plain",
1004
+ ])
1005
+
1006
+ # subclasses may define their own versions of these constants
1007
+ ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
1008
+ ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
1009
+ ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
1010
+ ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
1011
+ ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
1012
+ ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
1013
+ ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
1014
+ ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
1015
+
1016
+ # TODO: remove VOID_ELEMENTS in a future major release
1017
+ # and put it in the tests (it is used only for testing, not for functional behavior)
1018
+ VOID_ELEMENTS = Set.new([
1019
+ "area",
1020
+ "br",
1021
+ "hr",
1022
+ "img",
1023
+ "input",
1024
+ ])
1025
+
1026
+ # additional tags we should consider safe since we have libxml2 fixing up our documents.
1027
+ TAGS_SAFE_WITH_LIBXML2 = Set.new([
1028
+ "body",
1029
+ "head",
1030
+ "html",
1031
+ ])
1032
+ ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
1033
+ end
1034
+
1035
+ WhiteList = SafeList
1036
+ if Object.respond_to?(:deprecate_constant)
1037
+ deprecate_constant :WhiteList
1038
+ end
1039
+
1040
+ ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::HTML5::SafeList
1041
+ end
1042
+ end
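Review bot: `PROTOCOL_SEPARATOR` (new line 967) is added without a comment, and its `(&#x70)` alternative does not encode a colon: 0x70 is `p`, while the neighbouring `(&#0*58)` and `(&#x0*3a)` alternatives are the decimal and hex character references for `:`. The extra alternative can only make the pattern match more often, so it is unlikely to loosen the protocol check, but its effect on scheme extraction depends on the caller in scrub.rb, which is not shown in this section. I would add a comment above the constant, e.g. `# matches ":" plus its character-reference and percent-encoded spellings; NOTE: "&#x70" decodes to "p", not ":"`, and confirm whether that alternative is still wanted. Separately, `SVG_ALLOW_LOCAL_HREF` lists `"textpath"` while `SVG_ELEMENTS` lists `"textPath"`; the downcasing helper called on new line 1040 presumably only adds lower-case copies, so the camel-case name would stay absent from that set, which is worth checking against the lookup that consumes it.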