loofah 2.2.3 → 2.21.1

data/lib/loofah/html/document_fragment.rb

@@ -1,40 +0,0 @@
-module Loofah
-  module HTML # :nodoc:
-    #
-    #  Subclass of Nokogiri::HTML::DocumentFragment.
-    #
-    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
-    #
-    class DocumentFragment < Nokogiri::HTML::DocumentFragment
-      include Loofah::TextBehavior
-
-      class << self
-        #
-        #  Overridden Nokogiri::HTML::DocumentFragment
-        #  constructor. Applications should use Loofah.fragment to
-        #  parse a fragment.
-        #
-        def parse tags, encoding = nil
-          doc = Loofah::HTML::Document.new
-
-          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
-          doc.encoding = encoding
-
-          new(doc, tags)
-        end
-      end
-
-      #
-      #  Returns the HTML markup contained by the fragment
-      #
-      def to_s
-        serialize_root.children.to_s
-      end
-      alias :serialize :to_s
-
-      def serialize_root
-        at_xpath("./body") || self
-      end
-    end
-  end
-end

data/lib/loofah/html5/whitelist.rb

@@ -1,186 +0,0 @@
-require 'set'
-
-module Loofah
-  module HTML5 # :nodoc:
-    #
-    #  HTML whitelist lifted from HTML5lib sanitizer code:
-    #
-    #    http://code.google.com/p/html5lib/
-    #
-    # <html5_license>
-    #
-    #   Copyright (c) 2006-2008 The Authors
-    #
-    #   Contributors:
-    #   James Graham - jg307@cam.ac.uk
-    #   Anne van Kesteren - annevankesteren@gmail.com
-    #   Lachlan Hunt - lachlan.hunt@lachy.id.au
-    #   Matt McDonald - kanashii@kanashii.ca
-    #   Sam Ruby - rubys@intertwingly.net
-    #   Ian Hickson (Google) - ian@hixie.ch
-    #   Thomas Broyer - t.broyer@ltgt.net
-    #   Jacques Distler - distler@golem.ph.utexas.edu
-    #   Henri Sivonen - hsivonen@iki.fi
-    #   The Mozilla Foundation (contributions from Henri Sivonen since 2008)
-    #
-    #   Permission is hereby granted, free of charge, to any person
-    #   obtaining a copy of this software and associated documentation
-    #   files (the "Software"), to deal in the Software without
-    #   restriction, including without limitation the rights to use, copy,
-    #   modify, merge, publish, distribute, sublicense, and/or sell copies
-    #   of the Software, and to permit persons to whom the Software is
-    #   furnished to do so, subject to the following conditions:
-    #
-    #   The above copyright notice and this permission notice shall be
-    #   included in all copies or substantial portions of the Software.
-    #
-    #   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-    #   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-    #   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-    #   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-    #   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-    #   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    #   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    #   DEALINGS IN THE SOFTWARE.
-    #
-    # </html5_license>
-    module WhiteList
-
-      ACCEPTABLE_ELEMENTS = Set.new %w[a abbr acronym address area
-      article aside audio b bdi bdo big blockquote br button canvas
-      caption center cite code col colgroup command datalist dd del
-      details dfn dir div dl dt em fieldset figcaption figure footer
-      font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
-      legend li main map mark menu meter nav ol output optgroup option p
-      pre q s samp section select small span strike strong sub summary
-      sup table tbody td textarea tfoot th thead time tr tt u ul var
-      video]
-
-      MATHML_ELEMENTS = Set.new %w[annotation annotation-xml maction math merror mfrac
-      mfenced mi mmultiscripts mn mo mover mpadded mphantom mprescripts mroot mrow
-      mspace msqrt mstyle msub msubsup msup mtable mtd mtext mtr munder
-      munderover none semantics]
-
-      SVG_ELEMENTS = Set.new %w[a animate animateColor animateMotion animateTransform
-      circle clipPath defs desc ellipse feGaussianBlur filter font-face
-      font-face-name font-face-src foreignObject
-      g glyph hkern linearGradient line marker mask metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch symbol
-      text textPath title tspan use]
-
-      ACCEPTABLE_ATTRIBUTES = Set.new %w[abbr accept accept-charset accesskey action
-      align alt axis border cellpadding cellspacing char charoff charset
-      checked cite class clear cols colspan color compact coords datetime
-      dir disabled enctype for frame headers height href hreflang hspace id
-      ismap label lang longdesc loop loopcount loopend loopstart
-      maxlength media method multiple name nohref
-      noshade nowrap poster preload prompt readonly rel rev rows rowspan rules scope
-      selected shape size span src start style summary tabindex target title
-      type usemap valign value vspace width xml:lang]
-
-      MATHML_ATTRIBUTES = Set.new %w[actiontype align close
-      columnalign columnlines columnspacing columnspan depth display
-      displaystyle encoding equalcolumns equalrows fence fontstyle fontweight
-      frame height linethickness lspace mathbackground mathcolor mathvariant
-      maxsize minsize open other rowalign rowlines
-      rowspacing rowspan rspace scriptlevel selection separator separators
-      stretchy width xlink:href xlink:show xlink:type xmlns xmlns:xlink]
-
-      SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-       arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class clip-path clip-rule color
-       color-interpolation-filters color-rendering content cx cy d dx
-       dy descent display dur end fill fill-opacity fill-rule
-       filterRes filterUnits font-family
-       font-size font-stretch font-style font-variant font-weight fx fy g1
-       g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
-       ideographic k keyPoints keySplines keyTimes lang marker-end
-       marker-mid marker-start markerHeight markerUnits markerWidth
-       maskContentUnits maskUnits mathematical max method min name offset opacity orient origin
-       overline-position overline-thickness panose-1 path pathLength
-       patternContentUnits patternTransform patternUnits  points
-       preserveAspectRatio primitiveUnits r refX refY repeatCount repeatDur
-       requiredExtensions requiredFeatures restart rotate rx ry slope spacing
-       startOffset stdDeviation stemh
-       stemv stop-color stop-opacity strikethrough-position
-       strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-       stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-       u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-       x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-       xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-       xmlns:xlink y y1 y2 zoomAndPan]
-
-      ATTR_VAL_IS_URI = Set.new %w[href src cite action longdesc xlink:href xml:base poster preload]
-
-      SVG_ATTR_VAL_ALLOWS_REF = Set.new %w[clip-path color-profile cursor fill
-      filter marker marker-start marker-mid marker-end mask stroke]
-
-      SVG_ALLOW_LOCAL_HREF = Set.new %w[altGlyph animate animateColor animateMotion
-      animateTransform cursor feImage filter linearGradient pattern
-      radialGradient textpath tref set use]
-
-      ACCEPTABLE_CSS_PROPERTIES = Set.new %w[azimuth background-color
-      border-bottom-color border-collapse border-color border-left-color
-      border-right-color border-top-color clear color cursor direction
-      display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height list-style-type
-      overflow pause pause-after pause-before pitch pitch-range richness speak
-      speak-header speak-numeral speak-punctuation speech-rate stress
-      text-align text-decoration text-indent unicode-bidi vertical-align
-      voice-family volume white-space width]
-
-      ACCEPTABLE_CSS_KEYWORDS = Set.new %w[auto aqua black block blue bold both bottom
-      brown center collapse dashed dotted fuchsia gray green !important
-      italic left lime maroon medium none navy normal nowrap olive pointer
-      purple red right solid silver teal top transparent underline white
-      yellow]
-
-      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
-
-      SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
-
-      ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
-      stroke-width stroke-linecap stroke-linejoin stroke-opacity]
-
-      PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
-
-      ACCEPTABLE_PROTOCOLS = Set.new %w[ed2k ftp http https irc mailto news gopher nntp
-      telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs data]
-
-      ACCEPTABLE_URI_DATA_MEDIATYPES = Set.new %w[text/plain text/css image/png image/gif
-        image/jpeg image/svg+xml]
-
-      # subclasses may define their own versions of these constants
-      ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
-      ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
-      ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
-      ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
-      ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
-      ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
-      ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
-      ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
-
-      VOID_ELEMENTS = Set.new %w[
-        base
-        link
-        meta
-        hr
-        br
-        img
-        embed
-        param
-        area
-        col
-        input
-      ]
-
-      # additional tags we should consider safe since we have libxml2 fixing up our documents.
-      TAGS_SAFE_WITH_LIBXML2 = Set.new %w[html head body]
-      ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
-    end
-
-    ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::HTML5::WhiteList
-  end
-end

data/lib/loofah/instance_methods.rb

@@ -1,127 +0,0 @@
-module Loofah
-  #
-  #  Mixes +scrub!+ into Document, DocumentFragment, Node and NodeSet.
-  #
-  #  Traverse the document or fragment, invoking the +scrubber+ on
-  #  each node.
-  #
-  #  +scrubber+ must either be one of the symbols representing the
-  #  built-in scrubbers (see Scrubbers), or a Scrubber instance.
-  #
-  #    span2div = Loofah::Scrubber.new do |node|
-  #      node.name = "div" if node.name == "span"
-  #    end
-  #    Loofah.fragment("<span>foo</span><p>bar</p>").scrub!(span2div).to_s
-  #    # => "<div>foo</div><p>bar</p>"
-  #
-  #  or
-  #
-  #    unsafe_html = "ohai! <div>div is safe</div> <script>but script is not</script>"
-  #    Loofah.fragment(unsafe_html).scrub!(:strip).to_s
-  #    # => "ohai! <div>div is safe</div> "
-  #
-  #  Note that this method is called implicitly from
-  #  Loofah.scrub_fragment and Loofah.scrub_document.
-  #
-  #  Please see Scrubber for more information on implementation and traversal, and
-  #  README.rdoc for more example usage.
-  #
-  module ScrubBehavior
-    module Node # :nodoc:
-      def scrub!(scrubber)
-        #
-        #  yes. this should be three separate methods. but nokogiri
-        #  decorates (or not) based on whether the module name has
-        #  already been included. and since documents get decorated
-        #  just like their constituent nodes, we need to jam all the
-        #  logic into a single module.
-        #
-        scrubber = ScrubBehavior.resolve_scrubber(scrubber)
-        case self
-        when Nokogiri::XML::Document
-          scrubber.traverse(root) if root
-        when Nokogiri::XML::DocumentFragment
-          children.scrub! scrubber
-        else
-          scrubber.traverse(self)
-        end
-        self
-      end
-    end
-
-    module NodeSet # :nodoc:
-      def scrub!(scrubber)
-        each { |node| node.scrub!(scrubber) }
-        self
-      end
-    end
-
-    def ScrubBehavior.resolve_scrubber(scrubber) # :nodoc:
-      scrubber = Scrubbers::MAP[scrubber].new if Scrubbers::MAP[scrubber]
-      unless scrubber.is_a?(Loofah::Scrubber)
-        raise Loofah::ScrubberNotFound, "not a Scrubber or a scrubber name: #{scrubber.inspect}"
-      end
-      scrubber
-    end
-  end
-
-  #
-  #  Overrides +text+ in HTML::Document and HTML::DocumentFragment,
-  #  and mixes in +to_text+.
-  #
-  module TextBehavior
-    #
-    #  Returns a plain-text version of the markup contained by the document,
-    #  with HTML entities encoded.
-    #
-    #  This method is significantly faster than #to_text, but isn't
-    #  clever about whitespace around block elements.
-    #
-    #    Loofah.document("<h1>Title</h1><div>Content</div>").text
-    #    # => "TitleContent"
-    #
-    #  By default, the returned text will have HTML entities
-    #  escaped. If you want unescaped entities, and you understand
-    #  that the result is unsafe to render in a browser, then you
-    #  can pass an argument as shown:
-    #
-    #    frag = Loofah.fragment("&lt;script&gt;alert('EVIL');&lt;/script&gt;")
-    #    # ok for browser:
-    #    frag.text                                 # => "&lt;script&gt;alert('EVIL');&lt;/script&gt;"
-    #    # decidedly not ok for browser:
-    #    frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
-    #
-    def text(options={})
-      result = serialize_root.children.inner_text rescue ""
-      if options[:encode_special_chars] == false
-        result # possibly dangerous if rendered in a browser
-      else
-        encode_special_chars result
-      end
-    end
-    alias :inner_text :text
-    alias :to_str     :text
-
-    #
-    #  Returns a plain-text version of the markup contained by the
-    #  fragment, with HTML entities encoded.
-    #
-    #  This method is slower than #to_text, but is clever about
-    #  whitespace around block elements.
-    #
-    #    Loofah.document("<h1>Title</h1><div>Content</div>").to_text
-    #    # => "\nTitle\n\nContent\n"
-    #
-    def to_text(options={})
-      Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
-    end
-  end
-
-  module DocumentDecorator # :nodoc:
-    def initialize(*args, &block)
-      super
-      self.decorators(Nokogiri::XML::Node) << ScrubBehavior::Node
-      self.decorators(Nokogiri::XML::NodeSet) << ScrubBehavior::NodeSet
-    end
-  end
-end

data/test/assets/msword.html

@@ -1,63 +0,0 @@
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>