loofah 2.2.3 → 2.21.1

data/lib/loofah/elements.rb

@@ -1,92 +1,98 @@
-require 'set'
+# frozen_string_literal: true
+
+require "set"
 
 module Loofah
   module Elements
-    STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-      address
-      blockquote
-      center
-      dir
-      div
-      dl
-      fieldset
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      hr
-      isindex
-      menu
-      noframes
-      noscript
-      ol
-      p
-      pre
-      table
-      ul
-    ]
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new([
+      "address",
+      "blockquote",
+      "center",
+      "dir",
+      "div",
+      "dl",
+      "fieldset",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "hr",
+      "isindex",
+      "menu",
+      "noframes",
+      "noscript",
+      "ol",
+      "p",
+      "pre",
+      "table",
+      "ul",
+    ])
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
-    STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-      address
-      article
-      aside
-      blockquote
-      canvas
-      dd
-      div
-      dl
-      dt
-      fieldset
-      figcaption
-      figure
-      footer
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      header
-      hgroup
-      hr
-      li
-      main
-      nav
-      noscript
-      ol
-      output
-      p
-      pre
-      section
-      table
-      tfoot
-      ul
-      video
-    ]
-
-    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new([
+      "address",
+      "article",
+      "aside",
+      "blockquote",
+      "canvas",
+      "dd",
+      "div",
+      "dl",
+      "dt",
+      "fieldset",
+      "figcaption",
+      "figure",
+      "footer",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "header",
+      "hgroup",
+      "hr",
+      "li",
+      "main",
+      "nav",
+      "noscript",
+      "ol",
+      "output",
+      "p",
+      "pre",
+      "section",
+      "table",
+      "tfoot",
+      "ul",
+      "video",
+    ])
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
-    LOOSE_BLOCK_LEVEL = Set.new %w[dd
-      dt
-      frameset
-      li
-      tbody
-      td
-      tfoot
-      th
-      thead
-      tr
-    ]
+    LOOSE_BLOCK_LEVEL = Set.new([
+      "dd",
+      "dt",
+      "frameset",
+      "li",
+      "tbody",
+      "td",
+      "tfoot",
+      "th",
+      "thead",
+      "tr",
+    ])
 
+    # Elements that aren't block but should generate a newline in #to_text
+    INLINE_LINE_BREAK = Set.new(["br"])
+
+    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
+    LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
   end
 
-  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
+  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::Elements)
 end

data/lib/loofah/helpers.rb

@@ -1,42 +1,47 @@
+# frozen_string_literal: true
+
 module Loofah
   module Helpers
     class << self
       #
       #  A replacement for Rails's built-in +strip_tags+ helper.
       #
-      #   Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
+      #    Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
       #
       def strip_tags(string_or_io)
-        Loofah.fragment(string_or_io).text
+        Loofah.html4_fragment(string_or_io).text
       end
 
       #
       #  A replacement for Rails's built-in +sanitize+ helper.
       #
-      #   Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+      #    Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>")
+      #    # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
       #
       def sanitize(string_or_io)
-        loofah_fragment = Loofah.fragment(string_or_io)
+        loofah_fragment = Loofah.html4_fragment(string_or_io)
         loofah_fragment.scrub!(:strip)
-        loofah_fragment.xpath("./form").each { |form| form.remove }
+        loofah_fragment.xpath("./form").each(&:remove)
         loofah_fragment.to_s
       end
 
       #
       #  A replacement for Rails's built-in +sanitize_css+ helper.
       #
-      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
+      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)")
+      #    # => "display: block;"
       #
-      def sanitize_css style_string
-        ::Loofah::HTML5::Scrub.scrub_css style_string
+      def sanitize_css(style_string)
+        ::Loofah::HTML5::Scrub.scrub_css(style_string)
       end
 
       #
-      #  A helper to remove extraneous whitespace from text-ified HTML
+      #  A helper to remove extraneous whitespace from text-ified HTML.
+      #
       #  TODO: remove this in a future major-point-release.
       #
       def remove_extraneous_whitespace(string)
-        Loofah.remove_extraneous_whitespace string
+        Loofah.remove_extraneous_whitespace(string)
       end
     end
 
@@ -46,8 +51,13 @@ module Loofah
           @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
         end
 
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+        end
+
         def white_list_sanitizer
-          @white_list_sanitizer ||= ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
+          warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.")
+          safe_list_sanitizer
         end
       end
 
@@ -56,15 +66,16 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = ::Loofah::Helpers::ActionView::FullSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = \
+      #      Loofah::Helpers::ActionView::FullSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
       class FullSanitizer
-        def sanitize html, *args
-          Loofah::Helpers.strip_tags html
+        def sanitize(html, *args)
+          Loofah::Helpers.strip_tags(html)
         end
       end
 
@@ -73,21 +84,27 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.white_list_sanitizer = ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \
+      #      Loofah::Helpers::ActionView::SafeListSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
-      class WhiteListSanitizer
-        def sanitize html, *args
-          Loofah::Helpers.sanitize html
+      class SafeListSanitizer
+        def sanitize(html, *args)
+          Loofah::Helpers.sanitize(html)
         end
 
-        def sanitize_css style_string, *args
-          Loofah::Helpers.sanitize_css style_string
+        def sanitize_css(style_string, *args)
+          Loofah::Helpers.sanitize_css(style_string)
         end
       end
+
+      WhiteListSanitizer = SafeListSanitizer
+      if Object.respond_to?(:deprecate_constant)
+        deprecate_constant :WhiteListSanitizer
+      end
     end
   end
 end

data/lib/loofah/{html → html4}/document.rb

@@ -1,18 +1,17 @@
+# frozen_string_literal: true
+
 module Loofah
-  module HTML # :nodoc:
+  module HTML4 # :nodoc:
     #
-    #  Subclass of Nokogiri::HTML::Document.
+    #  Subclass of Nokogiri::HTML4::Document.
     #
     #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
     #
-    class Document < Nokogiri::HTML::Document
+    class Document < Nokogiri::HTML4::Document
       include Loofah::ScrubBehavior::Node
       include Loofah::DocumentDecorator
       include Loofah::TextBehavior
-
-      def serialize_root
-        at_xpath("/html/body")
-      end
+      include Loofah::HtmlDocumentBehavior
     end
   end
 end

data/lib/loofah/html4/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML4 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML4::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML4::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::Document.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class Document < Nokogiri::HTML5::Document
+      include Loofah::ScrubBehavior::Node
+      include Loofah::DocumentDecorator
+      include Loofah::TextBehavior
+      include Loofah::HtmlDocumentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML5::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -1,5 +1,7 @@
 # coding: utf-8
-require 'set'
+# frozen_string_literal: true
+
+require "set"
 
 module Loofah
   #
@@ -15,12 +17,12 @@ module Loofah
     #
     #  see comments about CVE-2018-8048 within the tests for more information
     #
-    BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
-        href
-        action
-        src
-        name
-      ]
-    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
+    BROKEN_ESCAPING_ATTRIBUTES = Set.new([
+      "href",
+      "action",
+      "src",
+      "name",
+    ])
+    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
   end
 end