loofah 2.2.3 → 2.21.1

Files changed (46)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +269 -31
  3. data/README.md +109 -124
  4. data/lib/loofah/concerns.rb +207 -0
  5. data/lib/loofah/elements.rb +85 -79
  6. data/lib/loofah/helpers.rb +37 -20
  7. data/lib/loofah/{html → html4}/document.rb +6 -7
  8. data/lib/loofah/html4/document_fragment.rb +15 -0
  9. data/lib/loofah/html5/document.rb +17 -0
  10. data/lib/loofah/html5/document_fragment.rb +15 -0
  11. data/lib/loofah/html5/libxml2_workarounds.rb +10 -8
  12. data/lib/loofah/html5/safelist.rb +1055 -0
  13. data/lib/loofah/html5/scrub.rb +153 -58
  14. data/lib/loofah/metahelpers.rb +11 -6
  15. data/lib/loofah/scrubber.rb +22 -15
  16. data/lib/loofah/scrubbers.rb +66 -55
  17. data/lib/loofah/version.rb +6 -0
  18. data/lib/loofah/xml/document.rb +2 -0
  19. data/lib/loofah/xml/document_fragment.rb +4 -7
  20. data/lib/loofah.rb +131 -38
  21. metadata +28 -216
  22. data/.gemtest +0 -0
  23. data/Gemfile +0 -22
  24. data/Manifest.txt +0 -40
  25. data/Rakefile +0 -79
  26. data/benchmark/benchmark.rb +0 -149
  27. data/benchmark/fragment.html +0 -96
  28. data/benchmark/helper.rb +0 -73
  29. data/benchmark/www.slashdot.com.html +0 -2560
  30. data/lib/loofah/html/document_fragment.rb +0 -40
  31. data/lib/loofah/html5/whitelist.rb +0 -186
  32. data/lib/loofah/instance_methods.rb +0 -127
  33. data/test/assets/msword.html +0 -63
  34. data/test/assets/testdata_sanitizer_tests1.dat +0 -502
  35. data/test/helper.rb +0 -18
  36. data/test/html5/test_sanitizer.rb +0 -382
  37. data/test/integration/test_ad_hoc.rb +0 -204
  38. data/test/integration/test_helpers.rb +0 -43
  39. data/test/integration/test_html.rb +0 -72
  40. data/test/integration/test_scrubbers.rb +0 -400
  41. data/test/integration/test_xml.rb +0 -55
  42. data/test/unit/test_api.rb +0 -142
  43. data/test/unit/test_encoding.rb +0 -20
  44. data/test/unit/test_helpers.rb +0 -62
  45. data/test/unit/test_scrubber.rb +0 -229
  46. data/test/unit/test_scrubbers.rb +0 -14
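--- a/data/lib/loofah/html5/safelist.rb
+++ b/data/lib/loofah/html5/safelist.rb
@@ -0,0 +1,1055 @@
+# frozen_string_literal: true
+
+require "set"
+
+module Loofah
+module HTML5 # :nodoc:
+#
+# HTML safelist lifted from HTML5lib sanitizer code:
+#
+# http://code.google.com/p/html5lib/
+#
+# <html5_license>
+#
+# Copyright (c) 2006-2008 The Authors
+#
+# Contributors:
+# James Graham - jg307@cam.ac.uk
+# Anne van Kesteren - annevankesteren@gmail.com
+# Lachlan Hunt - lachlan.hunt@lachy.id.au
+# Matt McDonald - kanashii@kanashii.ca
+# Sam Ruby - rubys@intertwingly.net
+# Ian Hickson (Google) - ian@hixie.ch
+# Thomas Broyer - t.broyer@ltgt.net
+# Jacques Distler - distler@golem.ph.utexas.edu
+# Henri Sivonen - hsivonen@iki.fi
+# The Mozilla Foundation (contributions from Henri Sivonen since 2008)
+#
+# Permission is hereby granted, free of charge, to any person
+# obtaining a copy of this software and associated documentation
+# files (the "Software"), to deal in the Software without
+# restriction, including without limitation the rights to use, copy,
+# modify, merge, publish, distribute, sublicense, and/or sell copies
+# of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# </html5_license>
+module SafeList
+ACCEPTABLE_ELEMENTS = Set.new([
+"a",
+"abbr",
+"acronym",
+"address",
+"area",
+"article",
+"aside",
+"audio",
+"b",
+"bdi",
+"bdo",
+"big",
+"blockquote",
+"br",
+"button",
+"canvas",
+"caption",
+"center",
+"cite",
+"code",
+"col",
+"colgroup",
+"command",
+"datalist",
+"dd",
+"del",
+"details",
+"dfn",
+"dir",
+"div",
+"dl",
+"dt",
+"em",
+"fieldset",
+"figcaption",
+"figure",
+"font",
+"footer",
+"form",
+"h1",
+"h2",
+"h3",
+"h4",
+"h5",
+"h6",
+"header",
+"hr",
+"i",
+"img",
+"input",
+"ins",
+"kbd",
+"label",
+"legend",
+"li",
+"main",
+"map",
+"mark",
+"menu",
+"meter",
+"nav",
+"ol",
+"optgroup",
+"option",
+"output",
+"p",
+"pre",
+"q",
+"s",
+"samp",
+"section",
+"select",
+"small",
+"span",
+"strike",
+"strong",
+"sub",
+"summary",
+"sup",
+"table",
+"tbody",
+"td",
+"textarea",
+"tfoot",
+"th",
+"thead",
+"time",
+"tr",
+"tt",
+"u",
+"ul",
+"var",
+"video",
+"wbr",
+])
+
+MATHML_ELEMENTS = Set.new([
+"annotation",
+"annotation-xml",
+"maction",
+"math",
+"menclose",
+"merror",
+"mfenced",
+"mfrac",
+"mi",
+"mmultiscripts",
+"mn",
+"mo",
+"mover",
+"mpadded",
+"mphantom",
+"mprescripts",
+"mroot",
+"mrow",
+"ms",
+"mspace",
+"msqrt",
+"mstyle",
+"msub",
+"msubsup",
+"msup",
+"mtable",
+"mtd",
+"mtext",
+"mtr",
+"munder",
+"munderover",
+"none",
+"semantics",
+])
+
+SVG_ELEMENTS = Set.new([
+"a",
+"altGlyph",
+"animate",
+"animateColor",
+"animateMotion",
+"animateTransform",
+"circle",
+"clipPath",
+"cursor",
+"defs",
+"desc",
+"ellipse",
+"feGaussianBlur",
+"feImage",
+"filter",
+"font-face",
+"font-face-name",
+"font-face-src",
+"foreignObject",
+"g",
+"glyph",
+"hkern",
+"line",
+"linearGradient",
+"marker",
+"mask",
+"metadata",
+"missing-glyph",
+"mpath",
+"path",
+"pattern",
+"polygon",
+"polyline",
+"radialGradient",
+"rect",
+"set",
+"stop",
+"svg",
+"switch",
+"symbol",
+"text",
+"textPath",
+"title",
+"tref",
+"tspan",
+"use",
+])
+
+ACCEPTABLE_ATTRIBUTES = Set.new([
+"abbr",
+"accept",
+"accept-charset",
+"accesskey",
+"action",
+"align",
+"alt",
+"axis",
+"border",
+"cellpadding",
+"cellspacing",
+"char",
+"charoff",
+"charset",
+"checked",
+"cite",
+"class",
+"clear",
+"color",
+"cols",
+"colspan",
+"compact",
+"contenteditable",
+"coords",
+"datetime",
+"dir",
+"disabled",
+"enctype",
+"for",
+"frame",
+"headers",
+"height",
+"href",
+"hreflang",
+"hspace",
+"id",
+"ismap",
+"label",
+"lang",
+"longdesc",
+"loop",
+"loopcount",
+"loopend",
+"loopstart",
+"maxlength",
+"media",
+"method",
+"multiple",
+"name",
+"nohref",
+"noshade",
+"nowrap",
+"poster",
+"preload",
+"prompt",
+"readonly",
+"rel",
+"rev",
+"rows",
+"rowspan",
+"rules",
+"scope",
+"selected",
+"shape",
+"size",
+"span",
+"src",
+"start",
+"style",
+"summary",
+"tabindex",
+"target",
+"title",
+"type",
+"usemap",
+"valign",
+"value",
+"vspace",
+"width",
+"xml:lang",
+])
+
+MATHML_ATTRIBUTES = Set.new([
+"actiontype",
+"align",
+"close",
+"columnalign",
+"columnlines",
+"columnspacing",
+"columnspan",
+"depth",
+"dir",
+"display",
+"displaystyle",
+"encoding",
+"equalcolumns",
+"equalrows",
+"fence",
+"fontstyle",
+"fontweight",
+"frame",
+"height",
+"href",
+"linethickness",
+"lquote",
+"lspace",
+"mathbackground",
+"mathcolor",
+"mathsize",
+"mathvariant",
+"maxsize",
+"minsize",
+"notation",
+"open",
+"other",
+"rowalign",
+"rowlines",
+"rowspacing",
+"rowspan",
+"rquote",
+"rspace",
+"scriptlevel",
+"selection",
+"separator",
+"separators",
+"stretchy",
+"width",
+"xlink:href",
+"xlink:show",
+"xlink:type",
+"xmlns",
+"xmlns:xlink",
+])
+
+SVG_ATTRIBUTES = Set.new([
+"accent-height",
+"accumulate",
+"additive",
+"alphabetic",
+"arabic-form",
+"ascent",
+"attributeName",
+"attributeType",
+"baseProfile",
+"bbox",
+"begin",
+"calcMode",
+"cap-height",
+"class",
+"clip-path",
+"clip-rule",
+"color",
+"color-interpolation-filters",
+"color-profile",
+"color-rendering",
+"content",
+"cursor",
+"cx",
+"cy",
+"d",
+"descent",
+"display",
+"dur",
+"dx",
+"dy",
+"end",
+"fill",
+"fill-opacity",
+"fill-rule",
+"filter",
+"filterRes",
+"filterUnits",
+"font-family",
+"font-size",
+"font-stretch",
+"font-style",
+"font-variant",
+"font-weight",
+"fx",
+"fy",
+"g1",
+"g2",
+"glyph-name",
+"gradientUnits",
+"hanging",
+"height",
+"horiz-adv-x",
+"horiz-origin-x",
+"id",
+"ideographic",
+"k",
+"keyPoints",
+"keySplines",
+"keyTimes",
+"lang",
+"marker",
+"marker-end",
+"marker-mid",
+"marker-start",
+"markerHeight",
+"markerUnits",
+"markerWidth",
+"mask",
+"maskContentUnits",
+"maskUnits",
+"mathematical",
+"max",
+"method",
+"min",
+"name",
+"offset",
+"opacity",
+"orient",
+"origin",
+"overline-position",
+"overline-thickness",
+"panose-1",
+"path",
+"pathLength",
+"patternContentUnits",
+"patternTransform",
+"patternUnits",
+"points",
+"preserveAspectRatio",
+"primitiveUnits",
+"r",
+"refX",
+"refY",
+"repeatCount",
+"repeatDur",
+"requiredExtensions",
+"requiredFeatures",
+"restart",
+"rotate",
+"rx",
+"ry",
+"slope",
+"spacing",
+"startOffset",
+"stdDeviation",
+"stemh",
+"stemv",
+"stop-color",
+"stop-opacity",
+"strikethrough-position",
+"strikethrough-thickness",
+"stroke",
+"stroke-dasharray",
+"stroke-dashoffset",
+"stroke-linecap",
+"stroke-linejoin",
+"stroke-miterlimit",
+"stroke-opacity",
+"stroke-width",
+"systemLanguage",
+"target",
+"text-anchor",
+"transform",
+"type",
+"u1",
+"u2",
+"underline-position",
+"underline-thickness",
+"unicode",
+"unicode-range",
+"units-per-em",
+"version",
+"viewBox",
+"visibility",
+"width",
+"widths",
+"x",
+"x-height",
+"x1",
+"x2",
+"xlink:actuate",
+"xlink:arcrole",
+"xlink:href",
+"xlink:role",
+"xlink:show",
+"xlink:title",
+"xlink:type",
+"xml:base",
+"xml:lang",
+"xml:space",
+"xmlns",
+"xmlns:xlink",
+"y",
+"y1",
+"y2",
+"zoomAndPan",
+])
+
+ARIA_ATTRIBUTES = Set.new([
+"aria-activedescendant",
+"aria-atomic",
+"aria-autocomplete",
+"aria-braillelabel",
+"aria-brailleroledescription",
+"aria-busy",
+"aria-checked",
+"aria-colcount",
+"aria-colindex",
+"aria-colindextext",
+"aria-colspan",
+"aria-controls",
+"aria-current",
+"aria-describedby",
+"aria-description",
+"aria-details",
+"aria-disabled",
+"aria-dropeffect",
+"aria-errormessage",
+"aria-expanded",
+"aria-flowto",
+"aria-grabbed",
+"aria-haspopup",
+"aria-hidden",
+"aria-invalid",
+"aria-keyshortcuts",
+"aria-label",
+"aria-labelledby",
+"aria-level",
+"aria-live",
+"aria-multiline",
+"aria-multiselectable",
+"aria-orientation",
+"aria-owns",
+"aria-placeholder",
+"aria-posinset",
+"aria-pressed",
+"aria-readonly",
+"aria-relevant",
+"aria-required",
+"aria-roledescription",
+"aria-rowcount",
+"aria-rowindex",
+"aria-rowindextext",
+"aria-rowspan",
+"aria-selected",
+"aria-setsize",
+"aria-sort",
+"aria-valuemax",
+"aria-valuemin",
+"aria-valuenow",
+"aria-valuetext",
+"role",
+])
+
+ATTR_VAL_IS_URI = Set.new([
+"action",
+"cite",
+"href",
+"longdesc",
+"poster",
+"preload",
+"src",
+"xlink:href",
+"xml:base",
+])
+
+SVG_ATTR_VAL_ALLOWS_REF = Set.new([
+"clip-path",
+"color-profile",
+"cursor",
+"fill",
+"filter",
+"marker",
+"marker-end",
+"marker-mid",
+"marker-start",
+"mask",
+"stroke",
+])
+
+SVG_ALLOW_LOCAL_HREF = Set.new([
+"altGlyph",
+"animate",
+"animateColor",
+"animateMotion",
+"animateTransform",
+"cursor",
+"feImage",
+"filter",
+"linearGradient",
+"pattern",
+"radialGradient",
+"set",
+"textpath",
+"tref",
+"use",
+])
+
+ACCEPTABLE_CSS_PROPERTIES = Set.new([
+"azimuth",
+"align-content",
+"align-items",
+"align-self",
+"aspect-ratio",
+"background-color",
+"border-bottom-color",
+"border-collapse",
+"border-color",
+"border-left-color",
+"border-right-color",
+"border-top-color",
+"clear",
+"color",
+"cursor",
+"direction",
+"display",
+"elevation",
+"flex",
+"flex-basis",
+"flex-direction",
+"flex-flow",
+"flex-grow",
+"flex-shrink",
+"flex-wrap",
+"float",
+"font",
+"font-family",
+"font-size",
+"font-style",
+"font-variant",
+"font-weight",
+"height",
+"justify-content",
+"letter-spacing",
+"line-height",
+"list-style",
+"list-style-type",
+"max-width",
+"order",
+"overflow",
+"overflow-x",
+"overflow-y",
+"page-break-after",
+"page-break-before",
+"page-break-inside",
+"pause",
+"pause-after",
+"pause-before",
+"pitch",
+"pitch-range",
+"richness",
+"speak",
+"speak-header",
+"speak-numeral",
+"speak-punctuation",
+"speech-rate",
+"stress",
+"text-align",
+"text-decoration",
+"text-indent",
+"unicode-bidi",
+"vertical-align",
+"voice-family",
+"volume",
+"white-space",
+"width",
+])
+
+ACCEPTABLE_CSS_KEYWORDS = Set.new([
+"!important",
+"auto",
+"block",
+"bold",
+"both",
+"bottom",
+"center",
+"collapse",
+"dashed",
+"dotted",
+"double",
+"groove",
+"hidden",
+"inherit",
+"initial",
+"inset",
+"italic",
+"left",
+"medium",
+"none",
+"normal",
+"nowrap",
+"outset",
+"pointer",
+"revert",
+"ridge",
+"right",
+"separate",
+"solid",
+"thick",
+"thin",
+"top",
+"transparent",
+"underline",
+"unset",
+])
+
+# https://www.w3.org/TR/css-color-3/#html4
+ACCEPTABLE_CSS_COLORS = Set.new([
+"aqua",
+"black",
+"blue",
+"fuchsia",
+"gray",
+"green",
+"lime",
+"maroon",
+"navy",
+"olive",
+"purple",
+"red",
+"silver",
+"teal",
+"white",
+"yellow",
+])
+
+# https://www.w3.org/TR/css-color-3/#svg-color
+ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
+"aliceblue",
+"antiquewhite",
+"aqua",
+"aquamarine",
+"azure",
+"beige",
+"bisque",
+"black",
+"blanchedalmond",
+"blue",
+"blueviolet",
+"brown",
+"burlywood",
+"cadetblue",
+"chartreuse",
+"chocolate",
+"coral",
+"cornflowerblue",
+"cornsilk",
+"crimson",
+"cyan",
+"darkblue",
+"darkcyan",
+"darkgoldenrod",
+"darkgray",
+"darkgreen",
+"darkgrey",
+"darkkhaki",
+"darkmagenta",
+"darkolivegreen",
+"darkorange",
+"darkorchid",
+"darkred",
+"darksalmon",
+"darkseagreen",
+"darkslateblue",
+"darkslategray",
+"darkslategrey",
+"darkturquoise",
+"darkviolet",
+"deeppink",
+"deepskyblue",
+"dimgray",
+"dimgrey",
+"dodgerblue",
+"firebrick",
+"floralwhite",
+"forestgreen",
+"fuchsia",
+"gainsboro",
+"ghostwhite",
+"gold",
+"goldenrod",
+"gray",
+"green",
+"greenyellow",
+"grey",
+"honeydew",
+"hotpink",
+"indianred",
+"indigo",
+"ivory",
+"khaki",
+"lavender",
+"lavenderblush",
+"lawngreen",
+"lemonchiffon",
+"lightblue",
+"lightcoral",
+"lightcyan",
+"lightgoldenrodyellow",
+"lightgray",
+"lightgreen",
+"lightgrey",
+"lightpink",
+"lightsalmon",
+"lightseagreen",
+"lightskyblue",
+"lightslategray",
+"lightslategrey",
+"lightsteelblue",
+"lightyellow",
+"lime",
+"limegreen",
+"linen",
+"magenta",
+"maroon",
+"mediumaquamarine",
+"mediumblue",
+"mediumorchid",
+"mediumpurple",
+"mediumseagreen",
+"mediumslateblue",
+"mediumspringgreen",
+"mediumturquoise",
+"mediumvioletred",
+"midnightblue",
+"mintcream",
+"mistyrose",
+"moccasin",
+"navajowhite",
+"navy",
+"oldlace",
+"olive",
+"olivedrab",
+"orange",
+"orangered",
+"orchid",
+"palegoldenrod",
+"palegreen",
+"paleturquoise",
+"palevioletred",
+"papayawhip",
+"peachpuff",
+"peru",
+"pink",
+"plum",
+"powderblue",
+"purple",
+"red",
+"rosybrown",
+"royalblue",
+"saddlebrown",
+"salmon",
+"sandybrown",
+"seagreen",
+"seashell",
+"sienna",
+"silver",
+"skyblue",
+"slateblue",
+"slategray",
+"slategrey",
+"snow",
+"springgreen",
+"steelblue",
+"tan",
+"teal",
+"thistle",
+"tomato",
+"turquoise",
+"violet",
+"wheat",
+"white",
+"whitesmoke",
+"yellow",
+"yellowgreen",
+])
+
+# see https://www.quackit.com/css/functions/
+# omit `url` and `image` from that list
+ACCEPTABLE_CSS_FUNCTIONS = Set.new([
+"attr",
+"blur",
+"brightness",
+"calc",
+"circle",
+"contrast",
+"counter",
+"counters",
+"cubic-bezier",
+"drop-shadow",
+"ellipse",
+"grayscale",
+"hsl",
+"hsla",
+"hue-rotate",
+"hwb",
+"inset",
+"invert",
+"linear-gradient",
+"matrix",
+"matrix3d",
+"opacity",
+"perspective",
+"polygon",
+"radial-gradient",
+"repeating-linear-gradient",
+"repeating-radial-gradient",
+"rgb",
+"rgba",
+"rotate",
+"rotate3d",
+"rotateX",
+"rotateY",
+"rotateZ",
+"saturate",
+"sepia",
+"scale",
+"scale3d",
+"scaleX",
+"scaleY",
+"scaleZ",
+"skew",
+"skewX",
+"skewY",
+"symbols",
+"translate",
+"translate3d",
+"translateX",
+"translateY",
+"translateZ",
+])
+
+SHORTHAND_CSS_PROPERTIES = Set.new([
+"background",
+"border",
+"margin",
+"padding",
+])
+
+ACCEPTABLE_SVG_PROPERTIES = Set.new([
+"fill",
+"fill-opacity",
+"fill-rule",
+"stroke",
+"stroke-width",
+"stroke-linecap",
+"stroke-linejoin",
+"stroke-opacity",
+])
+
+PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
+
+ACCEPTABLE_PROTOCOLS = Set.new([
+"afs",
+"aim",
+"callto",
+"data",
+"ed2k",
+"fax",
+"feed",
+"ftp",
+"gopher",
+"http",
+"https",
+"irc",
+"line",
+"mailto",
+"modem",
+"news",
+"nntp",
+"rsync",
+"rtsp",
+"sftp",
+"sms",
+"ssh",
+"tag",
+"tel",
+"telnet",
+"urn",
+"webcal",
+"xmpp",
+])
+
+ACCEPTABLE_URI_DATA_MEDIATYPES = Set.new([
+"image/gif",
+"image/jpeg",
+"image/png",
+"text/css",
+"text/plain",
+])
+
+# subclasses may define their own versions of these constants
+ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
+ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
+ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
+ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
+ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
+ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
+ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
+ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
+
+# TODO: remove VOID_ELEMENTS in a future major release
+# and put it in the tests (it is used only for testing, not for functional behavior)
+VOID_ELEMENTS = Set.new([
+"area",
+"br",
+"hr",
+"img",
+"input",
+])
+
+# additional tags we should consider safe since we have libxml2 fixing up our documents.
+TAGS_SAFE_WITH_LIBXML2 = Set.new([
+"body",
+"head",
+"html",
+])
+ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
+end
+
+WhiteList = SafeList
+if Object.respond_to?(:deprecate_constant)
+deprecate_constant :WhiteList
+end
+
+::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::HTML5::SafeList)
+end
+end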
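Review bot: The `(&#x70)` alternative in `PROTOCOL_SEPARATOR` (new-file line 978) decodes to the letter "p" (0x70), not to a colon, so it never matches an encoded ":" and looks like a typo for `&#x3A`; since `(&#x0*3a)` under the `/i` flag already covers that hex form, the safe change is to drop the dead alternative or annotate it, e.g. `# "&#x70" is "p", not ":"; kept only for parity with the upstream html5lib pattern`. The scrubbing code that applies this regex and these sets lives outside this file, so whether the extra alternative changes any behavior cannot be confirmed from this hunk. Separately, the "subclasses may define their own versions of these constants" comment sits on a module whose Set constants are never frozen and are apparently extended in place at load time by `add_downcased_set_members_to_all_set_constants` (judging by its name); a one-line comment stating that these sets are process-global mutable state, and that any customization should happen before scrubbing begins, would help consumers who adjust the lists.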