RubyGems - loofah - Versions diffs - 2.21.3 → 2.22.0 - Mend

loofah 2.21.3 → 2.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '00569b28a0bc6307a0a8eb8704ad374f10269008dada5d09470c1a2a87da0a6f'
-  data.tar.gz: eff12a44f1152dc377ac0a6859be97f85b5a0a031a0b7688387c73f7130351d3
+  metadata.gz: '09399c4b678f5d51f0089e553e0504cd5e997374801b0ff18e99a3c18cf42c7e'
+  data.tar.gz: 61f4d3825963ec3346189675b57074fe8ca8350939113ddde05a03be655c0dc9
 SHA512:
-  metadata.gz: fbcf412c0105203fe3d9ee057dc146cc7f8e9f29587c0f97b9c03a5206eacd31f7170042c74050d40093875b8109f524434a0960ef9305269fdda536e3049e3b
-  data.tar.gz: 48c3f2c0f4a0b2316c46ad1826c61ded9c3438ace28c477d7b67cc345847a00bb5747bab5b22cf5d774e82c90bedd085a9878c40609f93abda49f6aa01257f7c
+  metadata.gz: 508cada7b06e26b50bc9801a5f2f833f99f77525eda86c1b4ef036fd81453caff7e6fdc6964c2e591c7ab5d634da4178b87ab2f804d18fb08b9dd12dd4e0f7fb
+  data.tar.gz: 6fbd6b84c763ad90154c8ae545de46683e3ee40c2c75109b9b73b56d81179d992927e5ff54b76c8c22ce019b5901840f9873b152f9558381375171f452738ca2

data/CHANGELOG.md CHANGED Viewed

@@ -1,7 +1,24 @@
 # Changelog
+## 2.22.0 / 2023-11-13
+### Added
+* A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
+* A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
+## 2.21.4 / 2023-10-10
+### Fixed
+* `Loofah::HTML5::Scrub.scrub_css` is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, `.scrub_css` no longer inserts whitespace between tokens that did not already have whitespace between them. [[#273](https://github.com/flavorjones/loofah/issues/273), fixes [#271](https://github.com/flavorjones/loofah/issues/271)]
 ## 2.21.3 / 2023-05-15
+### Fixed
 * Quash "instance variable not initialized" warning in Ruby < 3.0. [[#268](https://github.com/flavorjones/loofah/issues/268)] (Thanks, [@dharamgollapudi](https://github.com/dharamgollapudi)!)

data/README.md CHANGED Viewed

@@ -29,6 +29,7 @@ Active Record extensions for HTML sanitization are available in the [`loofah-act
   * _Whitewash_ the markup, removing all attributes and namespaced nodes.
 * Other common HTML transformations are built-in:
   * Add the _nofollow_ attribute to all hyperlinks.
+  * Add the _target=\_blank_ attribute to all hyperlinks.
   * Remove _unprintable_ characters from text nodes.
 * Format markup as plain text, with (or without) sensible whitespace handling around block elements.
 * Replace Rails's `strip_tags` and `sanitize` view helper methods.
@@ -229,8 +230,11 @@ doc.scrub!(:whitewash)   #  removes unknown/unsafe/namespaced tags and their chi
 Loofah also comes with some common transformation tasks:
 ``` ruby
-doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
+doc.scrub!(:nofollow)    #  adds rel="nofollow" attribute to links
+doc.scrub!(:noopener)    #  adds rel="noopener" attribute to links
+doc.scrub!(:noreferrer)  #  adds rel="noreferrer" attribute to links
 doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
+doc.scrub!(:targetblank) #     adds target="_blank" attribute to links
 ```
 See `Loofah::Scrubbers` for more details and example usage.

data/lib/loofah/html5/scrub.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Loofah
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ # rubocop:disable Layout/LineLength
       CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
       CSS_IMPORTANT = "!important"
+      CSS_WHITESPACE = " "
       CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
       DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
@@ -87,7 +88,7 @@ module Loofah
             value = node[:children].map do |child|
               case child[:node]
               when :whitespace
-                nil
+                CSS_WHITESPACE
               when :string
                 if CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES.match?(child[:raw])
                   Crass::Parser.stringify(child)
@@ -106,12 +107,12 @@ module Loofah
               else
                 child[:raw]
               end
-            end.compact
+            end.compact.join.strip
             next if value.empty?
-            value << CSS_IMPORTANT if node[:important]
-            propstring = format("%s:%s", name, value.join(" "))
+            value << CSS_WHITESPACE << CSS_IMPORTANT if node[:important]
+            propstring = format("%s:%s", name, value)
             sanitized_node = Crass.parse_properties(propstring).first
             sanitized_tree << sanitized_node << CRASS_SEMICOLON
           end

data/lib/loofah/scrubbers.rb CHANGED Viewed

@@ -61,6 +61,15 @@ module Loofah
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
   #
   #
+  #  === Loofah::Scrubbers::TargetBlank / scrub!(:targetblank)
+  #
+  #  +:targetblank+ adds a target="_blank" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+  #
+  #
   #  === Loofah::Scrubbers::NoOpener / scrub!(:noopener)
   #
   #  +:noopener+ adds a rel="noopener" attribute to all links
@@ -69,6 +78,14 @@ module Loofah
   #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noopener)
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noopener">I like your blog post</a>"
   #
+  #  === Loofah::Scrubbers::NoReferrer / scrub!(:noreferrer)
+  #
+  #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+  #
   #
   #  === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
   #
@@ -213,6 +230,33 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:targetblank)
+    #
+    #  +:targetblank+ adds a target="_blank" attribute to all links.
+    #  If there is a target already set, replaces it with target="_blank".
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+    #
+    #  On modern browsers, setting target="_blank" on anchor elements implicitly provides the same
+    #  behavior as setting rel="noopener".
+    #
+    class TargetBlank < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        node.set_attribute("target", "_blank")
+        STOP
+      end
+    end
     #
     #  === scrub!(:noopener)
     #
@@ -235,6 +279,28 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:noreferrer)
+    #
+    #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+    #
+    class NoReferrer < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "noreferrer")
+        STOP
+      end
+    end
     # This class probably isn't useful publicly, but is used for #to_text's current implemention
     class NewlineBlockElements < Scrubber # :nodoc:
       def initialize # rubocop:disable Lint/MissingSuper
@@ -292,6 +358,8 @@ module Loofah
       strip: Strip,
       nofollow: NoFollow,
       noopener: NoOpener,
+      noreferrer: NoReferrer,
+      targetblank: TargetBlank,
       newline_block_elements: NewlineBlockElements,
       unprintable: Unprintable,
     }

data/lib/loofah/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.21.3"
+  VERSION = "2.22.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.21.3
+  version: 2.22.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-15 00:00:00.000000000 Z
+date: 2023-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -97,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents