loofah 2.20.0 → 2.21.0.rc1

data/lib/loofah/elements.rb

@@ -1,88 +1,90 @@
 # frozen_string_literal: true
+
 require "set"
 
 module Loofah
   module Elements
-    STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-                                         address
-                                         blockquote
-                                         center
-                                         dir
-                                         div
-                                         dl
-                                         fieldset
-                                         form
-                                         h1
-                                         h2
-                                         h3
-                                         h4
-                                         h5
-                                         h6
-                                         hr
-                                         isindex
-                                         menu
-                                         noframes
-                                         noscript
-                                         ol
-                                         p
-                                         pre
-                                         table
-                                         ul
-                                       ]
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new([
+      "address",
+      "blockquote",
+      "center",
+      "dir",
+      "div",
+      "dl",
+      "fieldset",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "hr",
+      "isindex",
+      "menu",
+      "noframes",
+      "noscript",
+      "ol",
+      "p",
+      "pre",
+      "table",
+      "ul",
+    ])
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
-    STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-                                         address
-                                         article
-                                         aside
-                                         blockquote
-                                         canvas
-                                         dd
-                                         div
-                                         dl
-                                         dt
-                                         fieldset
-                                         figcaption
-                                         figure
-                                         footer
-                                         form
-                                         h1
-                                         h2
-                                         h3
-                                         h4
-                                         h5
-                                         h6
-                                         header
-                                         hgroup
-                                         hr
-                                         li
-                                         main
-                                         nav
-                                         noscript
-                                         ol
-                                         output
-                                         p
-                                         pre
-                                         section
-                                         table
-                                         tfoot
-                                         ul
-                                         video
-                                       ]
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new([
+      "address",
+      "article",
+      "aside",
+      "blockquote",
+      "canvas",
+      "dd",
+      "div",
+      "dl",
+      "dt",
+      "fieldset",
+      "figcaption",
+      "figure",
+      "footer",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "header",
+      "hgroup",
+      "hr",
+      "li",
+      "main",
+      "nav",
+      "noscript",
+      "ol",
+      "output",
+      "p",
+      "pre",
+      "section",
+      "table",
+      "tfoot",
+      "ul",
+      "video",
+    ])
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
-    LOOSE_BLOCK_LEVEL = Set.new %w[dd
-                                   dt
-                                   frameset
-                                   li
-                                   tbody
-                                   td
-                                   tfoot
-                                   th
-                                   thead
-                                   tr
-                                ]
+    LOOSE_BLOCK_LEVEL = Set.new([
+      "dd",
+      "dt",
+      "frameset",
+      "li",
+      "tbody",
+      "td",
+      "tfoot",
+      "th",
+      "thead",
+      "tr",
+    ])
 
     # Elements that aren't block but should generate a newline in #to_text
     INLINE_LINE_BREAK = Set.new(["br"])
@@ -92,5 +94,5 @@ module Loofah
     LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
   end
 
-  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
+  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants(::Loofah::Elements)
 end

data/lib/loofah/helpers.rb

@@ -1,43 +1,47 @@
 # frozen_string_literal: true
+
 module Loofah
   module Helpers
     class << self
       #
       #  A replacement for Rails's built-in +strip_tags+ helper.
       #
-      #   Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
+      #    Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there"
       #
       def strip_tags(string_or_io)
-        Loofah.fragment(string_or_io).text
+        Loofah.html4_fragment(string_or_io).text
       end
 
       #
       #  A replacement for Rails's built-in +sanitize+ helper.
       #
-      #   Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+      #    Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>")
+      #    # => "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
       #
       def sanitize(string_or_io)
-        loofah_fragment = Loofah.fragment(string_or_io)
+        loofah_fragment = Loofah.html4_fragment(string_or_io)
         loofah_fragment.scrub!(:strip)
-        loofah_fragment.xpath("./form").each { |form| form.remove }
+        loofah_fragment.xpath("./form").each(&:remove)
         loofah_fragment.to_s
       end
 
       #
       #  A replacement for Rails's built-in +sanitize_css+ helper.
       #
-      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
+      #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)")
+      #    # => "display: block;"
       #
       def sanitize_css(style_string)
-        ::Loofah::HTML5::Scrub.scrub_css style_string
+        ::Loofah::HTML5::Scrub.scrub_css(style_string)
       end
 
       #
-      #  A helper to remove extraneous whitespace from text-ified HTML
+      #  A helper to remove extraneous whitespace from text-ified HTML.
+      #
       #  TODO: remove this in a future major-point-release.
       #
       def remove_extraneous_whitespace(string)
-        Loofah.remove_extraneous_whitespace string
+        Loofah.remove_extraneous_whitespace(string)
       end
     end
 
@@ -52,7 +56,7 @@ module Loofah
         end
 
         def white_list_sanitizer
-          warn "warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead."
+          warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.")
           safe_list_sanitizer
         end
       end
@@ -62,7 +66,8 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = ::Loofah::Helpers::ActionView::FullSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.full_sanitizer = \
+      #      Loofah::Helpers::ActionView::FullSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
@@ -70,7 +75,7 @@ module Loofah
       #
       class FullSanitizer
         def sanitize(html, *args)
-          Loofah::Helpers.strip_tags html
+          Loofah::Helpers.strip_tags(html)
         end
       end
 
@@ -79,7 +84,8 @@ module Loofah
       #
       #  To use by default, call this in an application initializer:
       #
-      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = ::Loofah::Helpers::ActionView::SafeListSanitizer.new
+      #    ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \
+      #      Loofah::Helpers::ActionView::SafeListSanitizer.new
       #
       #  Or, to generally opt-in to Loofah's view sanitizers:
       #
@@ -87,11 +93,11 @@ module Loofah
       #
       class SafeListSanitizer
         def sanitize(html, *args)
-          Loofah::Helpers.sanitize html
+          Loofah::Helpers.sanitize(html)
         end
 
         def sanitize_css(style_string, *args)
-          Loofah::Helpers.sanitize_css style_string
+          Loofah::Helpers.sanitize_css(style_string)
         end
       end
 

data/lib/loofah/{html → html4}/document.rb

@@ -1,19 +1,17 @@
 # frozen_string_literal: true
+
 module Loofah
-  module HTML # :nodoc:
+  module HTML4 # :nodoc:
     #
-    #  Subclass of Nokogiri::HTML::Document.
+    #  Subclass of Nokogiri::HTML4::Document.
     #
     #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
     #
-    class Document < Nokogiri::HTML::Document
+    class Document < Nokogiri::HTML4::Document
       include Loofah::ScrubBehavior::Node
       include Loofah::DocumentDecorator
       include Loofah::TextBehavior
-
-      def serialize_root
-        at_xpath("/html/body")
-      end
+      include Loofah::HtmlDocumentBehavior
     end
   end
 end

data/lib/loofah/html4/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML4 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML4::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML4::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::Document.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class Document < Nokogiri::HTML5::Document
+      include Loofah::ScrubBehavior::Node
+      include Loofah::DocumentDecorator
+      include Loofah::TextBehavior
+      include Loofah::HtmlDocumentBehavior
+    end
+  end
+end

data/lib/loofah/html5/document_fragment.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Loofah
+  module HTML5 # :nodoc:
+    #
+    #  Subclass of Nokogiri::HTML5::DocumentFragment.
+    #
+    #  See Loofah::ScrubBehavior and Loofah::TextBehavior for additional methods.
+    #
+    class DocumentFragment < Nokogiri::HTML5::DocumentFragment
+      include Loofah::TextBehavior
+      include Loofah::HtmlFragmentBehavior
+    end
+  end
+end

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -1,5 +1,6 @@
 # coding: utf-8
 # frozen_string_literal: true
+
 require "set"
 
 module Loofah
@@ -16,12 +17,12 @@ module Loofah
     #
     #  see comments about CVE-2018-8048 within the tests for more information
     #
-    BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
-                                           href
-                                           action
-                                           src
-                                           name
-                                         ]
+    BROKEN_ESCAPING_ATTRIBUTES = Set.new([
+      "href",
+      "action",
+      "src",
+      "name",
+    ])
     BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
   end
 end