loofah 2.21.3 → 2.22.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +17 -0
  3. data/README.md +5 -1
  4. data/lib/loofah/html5/scrub.rb +5 -4
  5. data/lib/loofah/scrubbers.rb +68 -0
  6. data/lib/loofah/version.rb +1 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '00569b28a0bc6307a0a8eb8704ad374f10269008dada5d09470c1a2a87da0a6f'
4
- data.tar.gz: eff12a44f1152dc377ac0a6859be97f85b5a0a031a0b7688387c73f7130351d3
3
+ metadata.gz: '09399c4b678f5d51f0089e553e0504cd5e997374801b0ff18e99a3c18cf42c7e'
4
+ data.tar.gz: 61f4d3825963ec3346189675b57074fe8ca8350939113ddde05a03be655c0dc9
5
5
  SHA512:
6
- metadata.gz: fbcf412c0105203fe3d9ee057dc146cc7f8e9f29587c0f97b9c03a5206eacd31f7170042c74050d40093875b8109f524434a0960ef9305269fdda536e3049e3b
7
- data.tar.gz: 48c3f2c0f4a0b2316c46ad1826c61ded9c3438ace28c477d7b67cc345847a00bb5747bab5b22cf5d774e82c90bedd085a9878c40609f93abda49f6aa01257f7c
6
+ metadata.gz: 508cada7b06e26b50bc9801a5f2f833f99f77525eda86c1b4ef036fd81453caff7e6fdc6964c2e591c7ab5d634da4178b87ab2f804d18fb08b9dd12dd4e0f7fb
7
+ data.tar.gz: 6fbd6b84c763ad90154c8ae545de46683e3ee40c2c75109b9b73b56d81179d992927e5ff54b76c8c22ce019b5901840f9873b152f9558381375171f452738ca2
data/CHANGELOG.md CHANGED
@@ -1,7 +1,24 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.22.0 / 2023-11-13
4
+
5
+ ### Added
6
+
7
+ * A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
8
+ * A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
9
+
10
+
11
+ ## 2.21.4 / 2023-10-10
12
+
13
+ ### Fixed
14
+
15
+ * `Loofah::HTML5::Scrub.scrub_css` is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, `.scrub_css` no longer inserts whitespace between tokens that did not already have whitespace between them. [[#273](https://github.com/flavorjones/loofah/issues/273), fixes [#271](https://github.com/flavorjones/loofah/issues/271)]
16
+
17
+
3
18
  ## 2.21.3 / 2023-05-15
4
19
 
20
+ ### Fixed
21
+
5
22
  * Quash "instance variable not initialized" warning in Ruby < 3.0. [[#268](https://github.com/flavorjones/loofah/issues/268)] (Thanks, [@dharamgollapudi](https://github.com/dharamgollapudi)!)
6
23
 
7
24
 
data/README.md CHANGED
@@ -29,6 +29,7 @@ Active Record extensions for HTML sanitization are available in the [`loofah-act
29
29
  * _Whitewash_ the markup, removing all attributes and namespaced nodes.
30
30
  * Other common HTML transformations are built-in:
31
31
  * Add the _nofollow_ attribute to all hyperlinks.
32
+ * Add the _target=\_blank_ attribute to all hyperlinks.
32
33
  * Remove _unprintable_ characters from text nodes.
33
34
  * Format markup as plain text, with (or without) sensible whitespace handling around block elements.
34
35
  * Replace Rails's `strip_tags` and `sanitize` view helper methods.
@@ -229,8 +230,11 @@ doc.scrub!(:whitewash) # removes unknown/unsafe/namespaced tags and their chi
229
230
  Loofah also comes with some common transformation tasks:
230
231
 
231
232
  ``` ruby
232
- doc.scrub!(:nofollow) # adds rel="nofollow" attribute to links
233
+ doc.scrub!(:nofollow) # adds rel="nofollow" attribute to links
234
+ doc.scrub!(:noopener) # adds rel="noopener" attribute to links
235
+ doc.scrub!(:noreferrer) # adds rel="noreferrer" attribute to links
233
236
  doc.scrub!(:unprintable) # removes unprintable characters from text nodes
237
+ doc.scrub!(:targetblank) # adds target="_blank" attribute to links
234
238
  ```
235
239
 
236
240
  See `Loofah::Scrubbers` for more details and example usage.
data/lib/loofah/html5/scrub.rb CHANGED
@@ -10,6 +10,7 @@ module Loofah
10
10
  CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ # rubocop:disable Layout/LineLength
11
11
  CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
12
12
  CSS_IMPORTANT = "!important"
13
+ CSS_WHITESPACE = " "
13
14
  CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
14
15
  DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
15
16
 
@@ -87,7 +88,7 @@ module Loofah
87
88
  value = node[:children].map do |child|
88
89
  case child[:node]
89
90
  when :whitespace
90
- nil
91
+ CSS_WHITESPACE
91
92
  when :string
92
93
  if CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES.match?(child[:raw])
93
94
  Crass::Parser.stringify(child)
@@ -106,12 +107,12 @@ module Loofah
106
107
  else
107
108
  child[:raw]
108
109
  end
109
- end.compact
110
+ end.compact.join.strip
110
111
 
111
112
  next if value.empty?
112
113
 
113
- value << CSS_IMPORTANT if node[:important]
114
- propstring = format("%s:%s", name, value.join(" "))
114
+ value << CSS_WHITESPACE << CSS_IMPORTANT if node[:important]
115
+ propstring = format("%s:%s", name, value)
115
116
  sanitized_node = Crass.parse_properties(propstring).first
116
117
  sanitized_tree << sanitized_node << CRASS_SEMICOLON
117
118
  end
data/lib/loofah/scrubbers.rb CHANGED
@@ -61,6 +61,15 @@ module Loofah
61
61
  # => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
62
62
  #
63
63
  #
64
+ # === Loofah::Scrubbers::TargetBlank / scrub!(:targetblank)
65
+ #
66
+ # +:targetblank+ adds a target="_blank" attribute to all links
67
+ #
68
+ # link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
69
+ # Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
70
+ # => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
71
+ #
72
+ #
64
73
  # === Loofah::Scrubbers::NoOpener / scrub!(:noopener)
65
74
  #
66
75
  # +:noopener+ adds a rel="noopener" attribute to all links
@@ -69,6 +78,14 @@ module Loofah
69
78
  # Loofah.html5_fragment(link_farmers_markup).scrub!(:noopener)
70
79
  # => "ohai! <a href='http://www.myswarmysite.com/' rel="noopener">I like your blog post</a>"
71
80
  #
81
+ # === Loofah::Scrubbers::NoReferrer / scrub!(:noreferrer)
82
+ #
83
+ # +:noreferrer+ adds a rel="noreferrer" attribute to all links
84
+ #
85
+ # link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
86
+ # Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
87
+ # => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
88
+ #
72
89
  #
73
90
  # === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
74
91
  #
@@ -213,6 +230,33 @@ module Loofah
213
230
  end
214
231
  end
215
232
 
233
+ #
234
+ # === scrub!(:targetblank)
235
+ #
236
+ # +:targetblank+ adds a target="_blank" attribute to all links.
237
+ # If there is a target already set, replaces it with target="_blank".
238
+ #
239
+ # link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
240
+ # Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
241
+ # => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
242
+ #
243
+ # On modern browsers, setting target="_blank" on anchor elements implicitly provides the same
244
+ # behavior as setting rel="noopener".
245
+ #
246
+ class TargetBlank < Scrubber
247
+ def initialize # rubocop:disable Lint/MissingSuper
248
+ @direction = :top_down
249
+ end
250
+
251
+ def scrub(node)
252
+ return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
253
+
254
+ node.set_attribute("target", "_blank")
255
+
256
+ STOP
257
+ end
258
+ end
259
+
216
260
  #
217
261
  # === scrub!(:noopener)
218
262
  #
@@ -235,6 +279,28 @@ module Loofah
235
279
  end
236
280
  end
237
281
 
282
+ #
283
+ # === scrub!(:noreferrer)
284
+ #
285
+ # +:noreferrer+ adds a rel="noreferrer" attribute to all links
286
+ #
287
+ # link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
288
+ # Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
289
+ # => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
290
+ #
291
+ class NoReferrer < Scrubber
292
+ def initialize # rubocop:disable Lint/MissingSuper
293
+ @direction = :top_down
294
+ end
295
+
296
+ def scrub(node)
297
+ return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
298
+
299
+ append_attribute(node, "rel", "noreferrer")
300
+ STOP
301
+ end
302
+ end
303
+
238
304
  # This class probably isn't useful publicly, but is used for #to_text's current implemention
239
305
  class NewlineBlockElements < Scrubber # :nodoc:
240
306
  def initialize # rubocop:disable Lint/MissingSuper
@@ -292,6 +358,8 @@ module Loofah
292
358
  strip: Strip,
293
359
  nofollow: NoFollow,
294
360
  noopener: NoOpener,
361
+ noreferrer: NoReferrer,
362
+ targetblank: TargetBlank,
295
363
  newline_block_elements: NewlineBlockElements,
296
364
  unprintable: Unprintable,
297
365
  }
data/lib/loofah/version.rb CHANGED
@@ -2,5 +2,5 @@
2
2
 
3
3
  module Loofah
4
4
  # The version of Loofah you are using
5
- VERSION = "2.21.3"
5
+ VERSION = "2.22.0"
6
6
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: loofah
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.21.3
4
+ version: 2.22.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2023-05-15 00:00:00.000000000 Z
12
+ date: 2023-11-13 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: crass
@@ -97,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
97
97
  - !ruby/object:Gem::Version
98
98
  version: '0'
99
99
  requirements: []
100
- rubygems_version: 3.4.10
100
+ rubygems_version: 3.4.19
101
101
  signing_key:
102
102
  specification_version: 4
103
103
  summary: Loofah is a general library for manipulating and transforming HTML/XML documents