loofah 2.2.3 → 2.9.0

data/lib/loofah/html5/whitelist.rb

@@ -1,186 +0,0 @@
-require 'set'
-
-module Loofah
-  module HTML5 # :nodoc:
-    #
-    #  HTML whitelist lifted from HTML5lib sanitizer code:
-    #
-    #    http://code.google.com/p/html5lib/
-    #
-    # <html5_license>
-    #
-    #   Copyright (c) 2006-2008 The Authors
-    #
-    #   Contributors:
-    #   James Graham - jg307@cam.ac.uk
-    #   Anne van Kesteren - annevankesteren@gmail.com
-    #   Lachlan Hunt - lachlan.hunt@lachy.id.au
-    #   Matt McDonald - kanashii@kanashii.ca
-    #   Sam Ruby - rubys@intertwingly.net
-    #   Ian Hickson (Google) - ian@hixie.ch
-    #   Thomas Broyer - t.broyer@ltgt.net
-    #   Jacques Distler - distler@golem.ph.utexas.edu
-    #   Henri Sivonen - hsivonen@iki.fi
-    #   The Mozilla Foundation (contributions from Henri Sivonen since 2008)
-    #
-    #   Permission is hereby granted, free of charge, to any person
-    #   obtaining a copy of this software and associated documentation
-    #   files (the "Software"), to deal in the Software without
-    #   restriction, including without limitation the rights to use, copy,
-    #   modify, merge, publish, distribute, sublicense, and/or sell copies
-    #   of the Software, and to permit persons to whom the Software is
-    #   furnished to do so, subject to the following conditions:
-    #
-    #   The above copyright notice and this permission notice shall be
-    #   included in all copies or substantial portions of the Software.
-    #
-    #   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-    #   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-    #   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-    #   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-    #   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-    #   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    #   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    #   DEALINGS IN THE SOFTWARE.
-    #
-    # </html5_license>
-    module WhiteList
-
-      ACCEPTABLE_ELEMENTS = Set.new %w[a abbr acronym address area
-      article aside audio b bdi bdo big blockquote br button canvas
-      caption center cite code col colgroup command datalist dd del
-      details dfn dir div dl dt em fieldset figcaption figure footer
-      font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
-      legend li main map mark menu meter nav ol output optgroup option p
-      pre q s samp section select small span strike strong sub summary
-      sup table tbody td textarea tfoot th thead time tr tt u ul var
-      video]
-
-      MATHML_ELEMENTS = Set.new %w[annotation annotation-xml maction math merror mfrac
-      mfenced mi mmultiscripts mn mo mover mpadded mphantom mprescripts mroot mrow
-      mspace msqrt mstyle msub msubsup msup mtable mtd mtext mtr munder
-      munderover none semantics]
-
-      SVG_ELEMENTS = Set.new %w[a animate animateColor animateMotion animateTransform
-      circle clipPath defs desc ellipse feGaussianBlur filter font-face
-      font-face-name font-face-src foreignObject
-      g glyph hkern linearGradient line marker mask metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch symbol
-      text textPath title tspan use]
-
-      ACCEPTABLE_ATTRIBUTES = Set.new %w[abbr accept accept-charset accesskey action
-      align alt axis border cellpadding cellspacing char charoff charset
-      checked cite class clear cols colspan color compact coords datetime
-      dir disabled enctype for frame headers height href hreflang hspace id
-      ismap label lang longdesc loop loopcount loopend loopstart
-      maxlength media method multiple name nohref
-      noshade nowrap poster preload prompt readonly rel rev rows rowspan rules scope
-      selected shape size span src start style summary tabindex target title
-      type usemap valign value vspace width xml:lang]
-
-      MATHML_ATTRIBUTES = Set.new %w[actiontype align close
-      columnalign columnlines columnspacing columnspan depth display
-      displaystyle encoding equalcolumns equalrows fence fontstyle fontweight
-      frame height linethickness lspace mathbackground mathcolor mathvariant
-      maxsize minsize open other rowalign rowlines
-      rowspacing rowspan rspace scriptlevel selection separator separators
-      stretchy width xlink:href xlink:show xlink:type xmlns xmlns:xlink]
-
-      SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-       arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class clip-path clip-rule color
-       color-interpolation-filters color-rendering content cx cy d dx
-       dy descent display dur end fill fill-opacity fill-rule
-       filterRes filterUnits font-family
-       font-size font-stretch font-style font-variant font-weight fx fy g1
-       g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
-       ideographic k keyPoints keySplines keyTimes lang marker-end
-       marker-mid marker-start markerHeight markerUnits markerWidth
-       maskContentUnits maskUnits mathematical max method min name offset opacity orient origin
-       overline-position overline-thickness panose-1 path pathLength
-       patternContentUnits patternTransform patternUnits  points
-       preserveAspectRatio primitiveUnits r refX refY repeatCount repeatDur
-       requiredExtensions requiredFeatures restart rotate rx ry slope spacing
-       startOffset stdDeviation stemh
-       stemv stop-color stop-opacity strikethrough-position
-       strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-       stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-       u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-       x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-       xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-       xmlns:xlink y y1 y2 zoomAndPan]
-
-      ATTR_VAL_IS_URI = Set.new %w[href src cite action longdesc xlink:href xml:base poster preload]
-
-      SVG_ATTR_VAL_ALLOWS_REF = Set.new %w[clip-path color-profile cursor fill
-      filter marker marker-start marker-mid marker-end mask stroke]
-
-      SVG_ALLOW_LOCAL_HREF = Set.new %w[altGlyph animate animateColor animateMotion
-      animateTransform cursor feImage filter linearGradient pattern
-      radialGradient textpath tref set use]
-
-      ACCEPTABLE_CSS_PROPERTIES = Set.new %w[azimuth background-color
-      border-bottom-color border-collapse border-color border-left-color
-      border-right-color border-top-color clear color cursor direction
-      display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height list-style-type
-      overflow pause pause-after pause-before pitch pitch-range richness speak
-      speak-header speak-numeral speak-punctuation speech-rate stress
-      text-align text-decoration text-indent unicode-bidi vertical-align
-      voice-family volume white-space width]
-
-      ACCEPTABLE_CSS_KEYWORDS = Set.new %w[auto aqua black block blue bold both bottom
-      brown center collapse dashed dotted fuchsia gray green !important
-      italic left lime maroon medium none navy normal nowrap olive pointer
-      purple red right solid silver teal top transparent underline white
-      yellow]
-
-      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
-
-      SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
-
-      ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
-      stroke-width stroke-linecap stroke-linejoin stroke-opacity]
-
-      PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
-
-      ACCEPTABLE_PROTOCOLS = Set.new %w[ed2k ftp http https irc mailto news gopher nntp
-      telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs data]
-
-      ACCEPTABLE_URI_DATA_MEDIATYPES = Set.new %w[text/plain text/css image/png image/gif
-        image/jpeg image/svg+xml]
-
-      # subclasses may define their own versions of these constants
-      ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
-      ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
-      ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
-      ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
-      ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
-      ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
-      ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
-      ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
-
-      VOID_ELEMENTS = Set.new %w[
-        base
-        link
-        meta
-        hr
-        br
-        img
-        embed
-        param
-        area
-        col
-        input
-      ]
-
-      # additional tags we should consider safe since we have libxml2 fixing up our documents.
-      TAGS_SAFE_WITH_LIBXML2 = Set.new %w[html head body]
-      ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
-    end
-
-    ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::HTML5::WhiteList
-  end
-end

data/test/assets/msword.html

@@ -1,63 +0,0 @@
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>

data/test/assets/testdata_sanitizer_tests1.dat

@@ -1,502 +0,0 @@
-[
-  {
-    "name": "IE_Comments",
-    "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
-    "output": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]--&gt;"
-  },
-
-  {
-    "name": "IE_Comments_2",
-    "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
-    "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "allow_colons_in_path_component",
-    "input": "<a href=\"./this:that\">foo</a>",
-    "output": "<a href='./this:that'>foo</a>"
-  },
-
-  {
-    "name": "background_attribute",
-    "input": "<div background=\"javascript:alert('XSS')\"></div>",
-    "output": "<div/>",
-    "xhtml": "<div></div>",
-    "rexml": "<div></div>"
-  },
-
-  {
-    "name": "bgsound",
-    "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
-    "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
-  },
-
-  {
-    "name": "div_background_image_unicode_encoded",
-    "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "div_expression",
-    "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "double_open_angle_brackets",
-    "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-    "output": "<img src='http://ha.ckers.org/scriptlet.html'>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "double_open_angle_brackets_2",
-    "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-    "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "grave_accents",
-    "input": "<img src=`javascript:alert('XSS')` />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "img_dynsrc_lowsrc",
-    "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "img_vbscript",
-    "input": "<img src='vbscript:msgbox(\"XSS\")' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "input_image",
-    "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
-    "output": "<input type='image'>",
-    "rexml": "<input type='image' />"
-  },
-
-  {
-    "name": "link_stylesheets",
-    "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"&gt;",
-    "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "link_stylesheets_2",
-    "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"&gt;",
-    "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "list_style_image",
-    "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
-    "output": "<li>foo</li>"
-  },
-
-  {
-    "name": "no_closing_script_tags",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit",
-    "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_2",
-    "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_3",
-    "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_II",
-    "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_III",
-    "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "platypus",
-    "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;'>never trust your upstream platypus</a>"
-  },
-
-  {
-    "name": "protocol_resolution_in_script_tag",
-    "input": "<script src=//ha.ckers.org/.j></script>",
-    "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_allow_anchors",
-    "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
-    "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
-  },
-
-  {
-    "name": "should_allow_image_alt_attribute",
-    "input": "<img alt='foo' onclick='bar' />",
-    "output": "<img alt='foo'>",
-    "rexml": "<img alt='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_height_attribute",
-    "input": "<img height='foo' onclick='bar' />",
-    "output": "<img height='foo'>",
-    "rexml": "<img height='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_src_attribute",
-    "input": "<img src='foo' onclick='bar' />",
-    "output": "<img src='foo'>",
-    "rexml": "<img src='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_width_attribute",
-    "input": "<img width='foo' onclick='bar' />",
-    "output": "<img width='foo'>",
-    "rexml": "<img width='foo' />"
-  },
-
-  {
-    "name": "should_handle_blank_text",
-    "input": "",
-    "output": ""
-  },
-
-  {
-    "name": "should_handle_malformed_image_tags",
-    "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
-    "output": "<img>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_handle_non_html",
-    "input": "abc",
-    "output": "abc"
-  },
-
-  {
-    "name": "should_not_fall_for_ridiculous_hack",
-    "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_0",
-    "input": "<img src=\"javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_1",
-    "input": "<img src=javascript:alert('XSS') />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_10",
-    "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_11",
-    "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_12",
-    "input": "<img src=\" &#14;  javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_13",
-    "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_14",
-    "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_2",
-    "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_3",
-    "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_4",
-    "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_5",
-    "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_6",
-    "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_7",
-    "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_8",
-    "input": "<img src=\"jav\tascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_9",
-    "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_sanitize_half_open_scripts",
-    "input": "<img src=\"javascript:alert('XSS')\"",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_invalid_script_tag",
-    "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets",
-    "input": "<<script>alert(\"XSS\");//<</script>",
-    "output": "alert(\"XSS\");//",
-    "xhtml": "&lt;&lt;script&gt;alert('XSS');//&lt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
-    "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-    "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/iframe&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_tag_broken_up_by_null",
-    "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
-    "output": "&lt;scr&gt;&lt;/scr&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_unclosed_script",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols",
-    "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
-    "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols",
-    "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
-    "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "xml_base",
-    "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "xul",
-    "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
-    "output": "<p>fubar</p>"
-  },
-
-  {
-    "name": "quotes_in_attributes",
-    "input": "<img src='foo' title='\"foo\" bar' />",
-    "rexml": "<img src='foo' title='\"foo\" bar' />",
-    "output": "<img src='foo' title='\"foo\" bar'>"
-  },
-
-  {
-    "name": "uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(#foo)' />",
-    "rexml": "<rect fill='url(#foo)'></rect>",
-    "xhtml": "<rect fill='url(#foo)'></rect>",
-    "output": "<rect fill='url(#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(http://bad.com/) #fff' />",
-    "rexml": "<rect fill='  #fff'></rect>",
-    "xhtml": "<rect fill='  #fff'></rect>",
-    "output": "<rect fill='  #fff'/>"
-  },
-
-  {
-    "name": "uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill='url(\n#foo)' />",
-    "rexml": "<rect fill='url(\n#foo)'></rect>",
-    "xhtml": "<rect fill='url(\n#foo)'></rect>",
-    "output": "<rect fill='url(\n#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "rexml": "<rect></rect>",
-    "xhtml": "<rect></rect>",
-    "output": "<rect/>"
-  },
-
-  {
-    "name": "allow_html5_image_tag",
-    "input": "<image src='foo' />",
-    "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
-    "output": "&lt;image src=\"foo\"/&gt;"
-  },
-
-  {
-    "name": "style_attr_end_with_nothing",
-    "input": "<div style=\"color: blue\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_space",
-    "input": "<div style=\"color: blue \" />",
-    "output": "<div style='color: blue ;'/>",
-    "xhtml": "<div style='color: blue ;'></div>",
-    "rexml": "<div style='color: blue ;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon",
-    "input": "<div style=\"color: blue;\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon_space",
-    "input": "<div style=\"color: blue; \" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes",
-   "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-   "output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
-   "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes_II",
-   "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-   "output": "<img src='notthere.jpg%22%22onerror=%22alert(2)'>",
-   "rexml": "Ill-formed XHTML!"
-  }
-]