loofah 2.2.3 → 2.6.0

data/benchmark/benchmark.rb

@@ -23,7 +23,7 @@ def compare_scrub_methods
 end
 
 module TestSet
-  def test_set options={}
+  def test_set(options = {})
     scale = options[:rehearse] ? 10 : 1
     puts self.class.name
 
@@ -49,6 +49,7 @@ end
 
 class HeadToHeadRailsSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -65,6 +66,7 @@ end
 
 class HeadToHeadRailsStripTags < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -81,6 +83,7 @@ end
 
 class HeadToHeadSanitizerSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -100,6 +103,7 @@ end
 
 class HeadToHeadHtml5LibSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -120,6 +124,7 @@ end
 
 class HeadToHeadHTMLFilter < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 

data/benchmark/helper.rb

@@ -1,13 +1,13 @@
-require 'rubygems'
-require 'open-uri'
-require 'hpricot'
+require "rubygems"
+require "open-uri"
+require "hpricot"
 require File.expand_path(File.dirname(__FILE__) + "/../lib/loofah")
-require 'benchmark'
+require "benchmark"
 require "action_view"
 require "action_controller/vendor/html-scanner"
 require "sanitize"
-require 'hitimes'
-require 'htmlfilter'
+require "hitimes"
+require "htmlfilter"
 
 unless defined?(HTMLFilter)
   HTMLFilter = HtmlFilter
@@ -19,20 +19,20 @@ class RailsSanitize
 end
 
 class HTML5libSanitize
-  require 'html5/html5parser'
-  require 'html5/liberalxmlparser'
-  require 'html5/treewalkers'
-  require 'html5/treebuilders'
-  require 'html5/serializer'
-  require 'html5/sanitizer'
+  require "html5/html5parser"
+  require "html5/liberalxmlparser"
+  require "html5/treewalkers"
+  require "html5/treebuilders"
+  require "html5/serializer"
+  require "html5/sanitizer"
 
   include HTML5
 
   def sanitize(html)
     HTMLParser.parse_fragment(html, {
-      :tokenizer  => HTMLSanitizer,
-      :encoding   => 'utf-8',
-      :tree       => TreeBuilders::REXML::TreeBuilder
+      :tokenizer => HTMLSanitizer,
+      :encoding => "utf-8",
+      :tree => TreeBuilders::REXML::TreeBuilder,
     }).to_s
   end
 end

data/lib/loofah.rb

@@ -1,22 +1,23 @@
+# frozen_string_literal: true
 $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__))) unless $LOAD_PATH.include?(File.expand_path(File.dirname(__FILE__)))
 
-require 'nokogiri'
+require "nokogiri"
 
-require 'loofah/metahelpers'
-require 'loofah/elements'
+require "loofah/metahelpers"
+require "loofah/elements"
 
-require 'loofah/html5/whitelist'
-require 'loofah/html5/libxml2_workarounds'
-require 'loofah/html5/scrub'
+require "loofah/html5/safelist"
+require "loofah/html5/libxml2_workarounds"
+require "loofah/html5/scrub"
 
-require 'loofah/scrubber'
-require 'loofah/scrubbers'
+require "loofah/scrubber"
+require "loofah/scrubbers"
 
-require 'loofah/instance_methods'
-require 'loofah/xml/document'
-require 'loofah/xml/document_fragment'
-require 'loofah/html/document'
-require 'loofah/html/document_fragment'
+require "loofah/instance_methods"
+require "loofah/xml/document"
+require "loofah/xml/document_fragment"
+require "loofah/html/document"
+require "loofah/html/document_fragment"
 
 # == Strings and IO Objects as Input
 #
@@ -28,13 +29,13 @@ require 'loofah/html/document_fragment'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '2.2.3'
+  VERSION = "2.6.0"
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse
     # This method accepts the same parameters as Nokogiri::HTML::Document.parse
     def document(*args, &block)
-      Loofah::HTML::Document.parse(*args, &block)
+      remove_comments_before_html_element Loofah::HTML::Document.parse(*args, &block)
     end
 
     # Shortcut for Loofah::HTML::DocumentFragment.parse
@@ -77,7 +78,25 @@ module Loofah
 
     # A helper to remove extraneous whitespace from text-ified HTML
     def remove_extraneous_whitespace(string)
-      string.gsub(/\n\s*\n\s*\n/,"\n\n")
+      string.gsub(/\n\s*\n\s*\n/, "\n\n")
+    end
+
+    private
+
+    # remove comments that exist outside of the HTML element.
+    #
+    # these comments are allowed by the HTML spec:
+    #
+    #    https://www.w3.org/TR/html401/struct/global.html#h-7.1
+    #
+    # but are not scrubbed by Loofah because these nodes don't meet
+    # the contract that scrubbers expect of a node (e.g., it can be
+    # replaced, sibling and children nodes can be created).
+    def remove_comments_before_html_element(doc)
+      doc.children.each do |child|
+        child.unlink if child.comment?
+      end
+      doc
     end
   end
 end

data/lib/loofah/elements.rb

@@ -1,89 +1,90 @@
-require 'set'
+# frozen_string_literal: true
+require "set"
 
 module Loofah
   module Elements
     STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-      address
-      blockquote
-      center
-      dir
-      div
-      dl
-      fieldset
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      hr
-      isindex
-      menu
-      noframes
-      noscript
-      ol
-      p
-      pre
-      table
-      ul
-    ]
+                                         address
+                                         blockquote
+                                         center
+                                         dir
+                                         div
+                                         dl
+                                         fieldset
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         hr
+                                         isindex
+                                         menu
+                                         noframes
+                                         noscript
+                                         ol
+                                         p
+                                         pre
+                                         table
+                                         ul
+                                       ]
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
     STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-      address
-      article
-      aside
-      blockquote
-      canvas
-      dd
-      div
-      dl
-      dt
-      fieldset
-      figcaption
-      figure
-      footer
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      header
-      hgroup
-      hr
-      li
-      main
-      nav
-      noscript
-      ol
-      output
-      p
-      pre
-      section
-      table
-      tfoot
-      ul
-      video
-    ]
+                                         address
+                                         article
+                                         aside
+                                         blockquote
+                                         canvas
+                                         dd
+                                         div
+                                         dl
+                                         dt
+                                         fieldset
+                                         figcaption
+                                         figure
+                                         footer
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         header
+                                         hgroup
+                                         hr
+                                         li
+                                         main
+                                         nav
+                                         noscript
+                                         ol
+                                         output
+                                         p
+                                         pre
+                                         section
+                                         table
+                                         tfoot
+                                         ul
+                                         video
+                                       ]
 
     STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
     LOOSE_BLOCK_LEVEL = Set.new %w[dd
-      dt
-      frameset
-      li
-      tbody
-      td
-      tfoot
-      th
-      thead
-      tr
-    ]
+                                   dt
+                                   frameset
+                                   li
+                                   tbody
+                                   td
+                                   tfoot
+                                   th
+                                   thead
+                                   tr
+                                ]
 
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
   end

data/lib/loofah/helpers.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   module Helpers
     class << self
@@ -27,7 +28,7 @@ module Loofah
       #
       #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
       #
-      def sanitize_css style_string
+      def sanitize_css(style_string)
         ::Loofah::HTML5::Scrub.scrub_css style_string
       end
 
@@ -46,8 +47,13 @@ module Loofah
           @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new
         end
 
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+        end
+
         def white_list_sanitizer
-          @white_list_sanitizer ||= ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
+          warn "warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead."
+          safe_list_sanitizer
         end
       end
 
@@ -63,7 +69,7 @@ module Loofah
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
       class FullSanitizer
-        def sanitize html, *args
+        def sanitize(html, *args)
           Loofah::Helpers.strip_tags html
         end
       end
@@ -73,21 +79,26 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.white_list_sanitizer = ::Loofah::Helpers::ActionView::WhiteListSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = ::Loofah::Helpers::ActionView::SafeListSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
-      class WhiteListSanitizer
-        def sanitize html, *args
+      class SafeListSanitizer
+        def sanitize(html, *args)
           Loofah::Helpers.sanitize html
         end
 
-        def sanitize_css style_string, *args
+        def sanitize_css(style_string, *args)
           Loofah::Helpers.sanitize_css style_string
         end
       end
+
+      WhiteListSanitizer = SafeListSanitizer
+      if Object.respond_to?(:deprecate_constant)
+        deprecate_constant :WhiteListSanitizer
+      end
     end
   end
 end

data/lib/loofah/html/document.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   module HTML # :nodoc:
     #

data/lib/loofah/html/document_fragment.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   module HTML # :nodoc:
     #
@@ -14,10 +15,10 @@ module Loofah
         #  constructor. Applications should use Loofah.fragment to
         #  parse a fragment.
         #
-        def parse tags, encoding = nil
+        def parse(tags, encoding = nil)
           doc = Loofah::HTML::Document.new
 
-          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
+          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
           doc.encoding = encoding
 
           new(doc, tags)
@@ -30,6 +31,7 @@ module Loofah
       def to_s
         serialize_root.children.to_s
       end
+
       alias :serialize :to_s
 
       def serialize_root

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -1,5 +1,6 @@
 # coding: utf-8
-require 'set'
+# frozen_string_literal: true
+require "set"
 
 module Loofah
   #
@@ -16,11 +17,11 @@ module Loofah
     #  see comments about CVE-2018-8048 within the tests for more information
     #
     BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
-        href
-        action
-        src
-        name
-      ]
-    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
+                                           href
+                                           action
+                                           src
+                                           name
+                                         ]
+    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
   end
 end