loofah 2.21.3 → 2.22.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/README.md +5 -1
- data/lib/loofah/html5/scrub.rb +5 -4
- data/lib/loofah/scrubbers.rb +68 -0
- data/lib/loofah/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz: '
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '09399c4b678f5d51f0089e553e0504cd5e997374801b0ff18e99a3c18cf42c7e'
|
4
|
+
data.tar.gz: 61f4d3825963ec3346189675b57074fe8ca8350939113ddde05a03be655c0dc9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 508cada7b06e26b50bc9801a5f2f833f99f77525eda86c1b4ef036fd81453caff7e6fdc6964c2e591c7ab5d634da4178b87ab2f804d18fb08b9dd12dd4e0f7fb
|
7
|
+
data.tar.gz: 6fbd6b84c763ad90154c8ae545de46683e3ee40c2c75109b9b73b56d81179d992927e5ff54b76c8c22ce019b5901840f9873b152f9558381375171f452738ca2
|
data/CHANGELOG.md
CHANGED
@@ -1,7 +1,24 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.22.0 / 2023-11-13
|
4
|
+
|
5
|
+
### Added
|
6
|
+
|
7
|
+
* A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
|
8
|
+
* A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
|
9
|
+
|
10
|
+
|
11
|
+
## 2.21.4 / 2023-10-10
|
12
|
+
|
13
|
+
### Fixed
|
14
|
+
|
15
|
+
* `Loofah::HTML5::Scrub.scrub_css` is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, `.scrub_css` no longer inserts whitespace between tokens that did not already have whitespace between them. [[#273](https://github.com/flavorjones/loofah/issues/273), fixes [#271](https://github.com/flavorjones/loofah/issues/271)]
|
16
|
+
|
17
|
+
|
3
18
|
## 2.21.3 / 2023-05-15
|
4
19
|
|
20
|
+
### Fixed
|
21
|
+
|
5
22
|
* Quash "instance variable not initialized" warning in Ruby < 3.0. [[#268](https://github.com/flavorjones/loofah/issues/268)] (Thanks, [@dharamgollapudi](https://github.com/dharamgollapudi)!)
|
6
23
|
|
7
24
|
|
data/README.md
CHANGED
@@ -29,6 +29,7 @@ Active Record extensions for HTML sanitization are available in the [`loofah-act
|
|
29
29
|
* _Whitewash_ the markup, removing all attributes and namespaced nodes.
|
30
30
|
* Other common HTML transformations are built-in:
|
31
31
|
* Add the _nofollow_ attribute to all hyperlinks.
|
32
|
+
* Add the _target=\_blank_ attribute to all hyperlinks.
|
32
33
|
* Remove _unprintable_ characters from text nodes.
|
33
34
|
* Format markup as plain text, with (or without) sensible whitespace handling around block elements.
|
34
35
|
* Replace Rails's `strip_tags` and `sanitize` view helper methods.
|
@@ -229,8 +230,11 @@ doc.scrub!(:whitewash) # removes unknown/unsafe/namespaced tags and their chi
|
|
229
230
|
Loofah also comes with some common transformation tasks:
|
230
231
|
|
231
232
|
``` ruby
|
232
|
-
doc.scrub!(:nofollow) #
|
233
|
+
doc.scrub!(:nofollow) # adds rel="nofollow" attribute to links
|
234
|
+
doc.scrub!(:noopener) # adds rel="noopener" attribute to links
|
235
|
+
doc.scrub!(:noreferrer) # adds rel="noreferrer" attribute to links
|
233
236
|
doc.scrub!(:unprintable) # removes unprintable characters from text nodes
|
237
|
+
doc.scrub!(:targetblank) # adds target="_blank" attribute to links
|
234
238
|
```
|
235
239
|
|
236
240
|
See `Loofah::Scrubbers` for more details and example usage.
|
data/lib/loofah/html5/scrub.rb
CHANGED
@@ -10,6 +10,7 @@ module Loofah
|
|
10
10
|
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ # rubocop:disable Layout/LineLength
|
11
11
|
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
|
12
12
|
CSS_IMPORTANT = "!important"
|
13
|
+
CSS_WHITESPACE = " "
|
13
14
|
CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
|
14
15
|
DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
|
15
16
|
|
@@ -87,7 +88,7 @@ module Loofah
|
|
87
88
|
value = node[:children].map do |child|
|
88
89
|
case child[:node]
|
89
90
|
when :whitespace
|
90
|
-
|
91
|
+
CSS_WHITESPACE
|
91
92
|
when :string
|
92
93
|
if CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES.match?(child[:raw])
|
93
94
|
Crass::Parser.stringify(child)
|
@@ -106,12 +107,12 @@ module Loofah
|
|
106
107
|
else
|
107
108
|
child[:raw]
|
108
109
|
end
|
109
|
-
end.compact
|
110
|
+
end.compact.join.strip
|
110
111
|
|
111
112
|
next if value.empty?
|
112
113
|
|
113
|
-
value << CSS_IMPORTANT if node[:important]
|
114
|
-
propstring = format("%s:%s", name, value
|
114
|
+
value << CSS_WHITESPACE << CSS_IMPORTANT if node[:important]
|
115
|
+
propstring = format("%s:%s", name, value)
|
115
116
|
sanitized_node = Crass.parse_properties(propstring).first
|
116
117
|
sanitized_tree << sanitized_node << CRASS_SEMICOLON
|
117
118
|
end
|
data/lib/loofah/scrubbers.rb
CHANGED
@@ -61,6 +61,15 @@ module Loofah
|
|
61
61
|
# => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
|
62
62
|
#
|
63
63
|
#
|
64
|
+
# === Loofah::Scrubbers::TargetBlank / scrub!(:targetblank)
|
65
|
+
#
|
66
|
+
# +:targetblank+ adds a target="_blank" attribute to all links
|
67
|
+
#
|
68
|
+
# link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
|
69
|
+
# Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
|
70
|
+
# => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
|
71
|
+
#
|
72
|
+
#
|
64
73
|
# === Loofah::Scrubbers::NoOpener / scrub!(:noopener)
|
65
74
|
#
|
66
75
|
# +:noopener+ adds a rel="noopener" attribute to all links
|
@@ -69,6 +78,14 @@ module Loofah
|
|
69
78
|
# Loofah.html5_fragment(link_farmers_markup).scrub!(:noopener)
|
70
79
|
# => "ohai! <a href='http://www.myswarmysite.com/' rel="noopener">I like your blog post</a>"
|
71
80
|
#
|
81
|
+
# === Loofah::Scrubbers::NoReferrer / scrub!(:noreferrer)
|
82
|
+
#
|
83
|
+
# +:noreferrer+ adds a rel="noreferrer" attribute to all links
|
84
|
+
#
|
85
|
+
# link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
|
86
|
+
# Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
|
87
|
+
# => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
|
88
|
+
#
|
72
89
|
#
|
73
90
|
# === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
|
74
91
|
#
|
@@ -213,6 +230,33 @@ module Loofah
|
|
213
230
|
end
|
214
231
|
end
|
215
232
|
|
233
|
+
#
|
234
|
+
# === scrub!(:targetblank)
|
235
|
+
#
|
236
|
+
# +:targetblank+ adds a target="_blank" attribute to all links.
|
237
|
+
# If there is a target already set, replaces it with target="_blank".
|
238
|
+
#
|
239
|
+
# link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
|
240
|
+
# Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
|
241
|
+
# => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
|
242
|
+
#
|
243
|
+
# On modern browsers, setting target="_blank" on anchor elements implicitly provides the same
|
244
|
+
# behavior as setting rel="noopener".
|
245
|
+
#
|
246
|
+
class TargetBlank < Scrubber
|
247
|
+
def initialize # rubocop:disable Lint/MissingSuper
|
248
|
+
@direction = :top_down
|
249
|
+
end
|
250
|
+
|
251
|
+
def scrub(node)
|
252
|
+
return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
|
253
|
+
|
254
|
+
node.set_attribute("target", "_blank")
|
255
|
+
|
256
|
+
STOP
|
257
|
+
end
|
258
|
+
end
|
259
|
+
|
216
260
|
#
|
217
261
|
# === scrub!(:noopener)
|
218
262
|
#
|
@@ -235,6 +279,28 @@ module Loofah
|
|
235
279
|
end
|
236
280
|
end
|
237
281
|
|
282
|
+
#
|
283
|
+
# === scrub!(:noreferrer)
|
284
|
+
#
|
285
|
+
# +:noreferrer+ adds a rel="noreferrer" attribute to all links
|
286
|
+
#
|
287
|
+
# link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
|
288
|
+
# Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
|
289
|
+
# => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
|
290
|
+
#
|
291
|
+
class NoReferrer < Scrubber
|
292
|
+
def initialize # rubocop:disable Lint/MissingSuper
|
293
|
+
@direction = :top_down
|
294
|
+
end
|
295
|
+
|
296
|
+
def scrub(node)
|
297
|
+
return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
|
298
|
+
|
299
|
+
append_attribute(node, "rel", "noreferrer")
|
300
|
+
STOP
|
301
|
+
end
|
302
|
+
end
|
303
|
+
|
238
304
|
# This class probably isn't useful publicly, but is used for #to_text's current implemention
|
239
305
|
class NewlineBlockElements < Scrubber # :nodoc:
|
240
306
|
def initialize # rubocop:disable Lint/MissingSuper
|
@@ -292,6 +358,8 @@ module Loofah
|
|
292
358
|
strip: Strip,
|
293
359
|
nofollow: NoFollow,
|
294
360
|
noopener: NoOpener,
|
361
|
+
noreferrer: NoReferrer,
|
362
|
+
targetblank: TargetBlank,
|
295
363
|
newline_block_elements: NewlineBlockElements,
|
296
364
|
unprintable: Unprintable,
|
297
365
|
}
|
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.22.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2023-
|
12
|
+
date: 2023-11-13 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: crass
|
@@ -97,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
97
97
|
- !ruby/object:Gem::Version
|
98
98
|
version: '0'
|
99
99
|
requirements: []
|
100
|
-
rubygems_version: 3.4.
|
100
|
+
rubygems_version: 3.4.19
|
101
101
|
signing_key:
|
102
102
|
specification_version: 4
|
103
103
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|