RubyGems - loofah - Versions diffs - 2.21.4 → 2.23.0 - Mend

loofah 2.21.4 → 2.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5bc700e0a8a523327ae05ebaace9741de9c00f165279a9525515c6c50699c0d9
-  data.tar.gz: cc8db32a403e04256aad34637f0824b117159d357a4e180be1385b3998d90208
+  metadata.gz: 69d24833d5dac5e1845b35ab17eddb200056337faf201d91a88067f1000bdb95
+  data.tar.gz: 5c9939a49b3c05d69ba197a76d4f9118631be7110ced87b375113289f23493eb
 SHA512:
-  metadata.gz: bda76a2e8ade5dd0461b3dca3386fb9a297fba1213a81ca404026fe17b33ab74fa4ed92916b11f921ac9e6b7bc77751e40ef7fabc706891d39e4e83cc091c17a
-  data.tar.gz: 981e45721b457e5c00a4c68dac710f121e23e0f26d5a1c35fbb3958b0e2574c12065e0b5166d0b55b0d836e79762326af1039aa442347993bc22c95ce5dad5fa
+  metadata.gz: aed08cf6f2d7cd3ca89c475f40ff25affab14337ab7baf41e2ca7e157feb1e3ba13c97c693ee3a42417cc181136ca52c26d2c844fd35fd8de3d0e89893cdaf6e
+  data.tar.gz: a7d36d63f3825a2e5976038776ad68e6932cc473422909d49283fd426c143f743733a1e4f4fddea135c828bb7a2d3015fbd566f7b61ae5fb1bf35af2c5ce8e14

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # Changelog
+## 2.23.0 / 2024-10-24
+### Added
+* Allow CSS property `min-width`. [#287] @lazyatom
+## 2.22.0 / 2023-11-13
+### Added
+* A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
+* A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
 ## 2.21.4 / 2023-10-10
 ### Fixed

data/README.md CHANGED Viewed

@@ -29,6 +29,7 @@ Active Record extensions for HTML sanitization are available in the [`loofah-act
   * _Whitewash_ the markup, removing all attributes and namespaced nodes.
 * Other common HTML transformations are built-in:
   * Add the _nofollow_ attribute to all hyperlinks.
+  * Add the _target=\_blank_ attribute to all hyperlinks.
   * Remove _unprintable_ characters from text nodes.
 * Format markup as plain text, with (or without) sensible whitespace handling around block elements.
 * Replace Rails's `strip_tags` and `sanitize` view helper methods.
@@ -229,8 +230,11 @@ doc.scrub!(:whitewash)   #  removes unknown/unsafe/namespaced tags and their chi
 Loofah also comes with some common transformation tasks:
 ``` ruby
-doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
+doc.scrub!(:nofollow)    #  adds rel="nofollow" attribute to links
+doc.scrub!(:noopener)    #  adds rel="noopener" attribute to links
+doc.scrub!(:noreferrer)  #  adds rel="noreferrer" attribute to links
 doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
+doc.scrub!(:targetblank) #     adds target="_blank" attribute to links
 ```
 See `Loofah::Scrubbers` for more details and example usage.
@@ -333,20 +337,64 @@ See [`SECURITY.md`](SECURITY.md) for vulnerability reporting details.
 Featuring code contributed by:
-* Aaron Patterson
-* John Barnette
-* Josh Owens
-* Paul Dix
-* Luke Melia
+* [@flavorjones](https://github.com/flavorjones)
+* [@brynary](https://github.com/brynary)
+* [@olleolleolle](https://github.com/olleolleolle)
+* [@JuanitoFatas](https://github.com/JuanitoFatas)
+* [@kaspth](https://github.com/kaspth)
+* [@tenderlove](https://github.com/tenderlove)
+* [@ktdreyer](https://github.com/ktdreyer)
+* [@orien](https://github.com/orien)
+* [@asok](https://github.com/asok)
+* [@junaruga](https://github.com/junaruga)
+* [@MothOnMars](https://github.com/MothOnMars)
+* [@nick-desteffen](https://github.com/nick-desteffen)
+* [@NikoRoberts](https://github.com/NikoRoberts)
+* [@trans](https://github.com/trans)
+* [@andreynering](https://github.com/andreynering)
+* [@aried3r](https://github.com/aried3r)
+* [@baopham](https://github.com/baopham)
+* [@batter](https://github.com/batter)
+* [@brendon](https://github.com/brendon)
+* [@cjba7](https://github.com/cjba7)
+* [@christiankisssner](https://github.com/christiankisssner)
+* [@dacort](https://github.com/dacort)
+* [@danfstucky](https://github.com/danfstucky)
+* [@david-a-wheeler](https://github.com/david-a-wheeler)
+* [@dharamgollapudi](https://github.com/dharamgollapudi)
+* [@georgeclaghorn](https://github.com/georgeclaghorn)
+* [@gogainda](https://github.com/gogainda)
+* [@jaredbeck](https://github.com/jaredbeck)
+* [@ThatHurleyGuy](https://github.com/ThatHurleyGuy)
+* [@jstorimer](https://github.com/jstorimer)
+* [@jbarnette](https://github.com/jbarnette)
+* [@queso](https://github.com/queso)
+* [@technicalpickles](https://github.com/technicalpickles)
+* [@kyoshidajp](https://github.com/kyoshidajp)
+* [@kristianfreeman](https://github.com/kristianfreeman)
+* [@louim](https://github.com/louim)
+* [@mrpasquini](https://github.com/mrpasquini)
+* [@olivierlacan](https://github.com/olivierlacan)
+* [@pauldix](https://github.com/pauldix)
+* [@sampokuokkanen](https://github.com/sampokuokkanen)
+* [@stefannibrasil](https://github.com/stefannibrasil)
+* [@tastycode](https://github.com/tastycode)
+* [@vipulnsward](https://github.com/vipulnsward)
+* [@joncalhoun](https://github.com/joncalhoun)
+* [@ahorek](https://github.com/ahorek)
+* [@rmacklin](https://github.com/rmacklin)
+* [@y-yagi](https://github.com/y-yagi)
+* [@lazyatom](https://github.com/lazyatom)
 And a big shout-out to Corey Innis for the name, and feedback on the API.
 ## Thank You
-The following people have generously funded Loofah:
+The following people have generously funded Loofah with financial sponsorship:
 * Bill Harding
+* [Sentry](https://sentry.io/) @getsentry
 ## Historical Note

data/lib/loofah/html5/safelist.rb CHANGED Viewed

@@ -663,6 +663,7 @@ module Loofah
         "list-style",
         "list-style-type",
         "max-width",
+        "min-width",
         "order",
         "overflow",
         "overflow-x",

data/lib/loofah/scrubbers.rb CHANGED Viewed

@@ -61,6 +61,15 @@ module Loofah
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
   #
   #
+  #  === Loofah::Scrubbers::TargetBlank / scrub!(:targetblank)
+  #
+  #  +:targetblank+ adds a target="_blank" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+  #
+  #
   #  === Loofah::Scrubbers::NoOpener / scrub!(:noopener)
   #
   #  +:noopener+ adds a rel="noopener" attribute to all links
@@ -69,6 +78,14 @@ module Loofah
   #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noopener)
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noopener">I like your blog post</a>"
   #
+  #  === Loofah::Scrubbers::NoReferrer / scrub!(:noreferrer)
+  #
+  #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+  #
   #
   #  === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
   #
@@ -213,6 +230,33 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:targetblank)
+    #
+    #  +:targetblank+ adds a target="_blank" attribute to all links.
+    #  If there is a target already set, replaces it with target="_blank".
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+    #
+    #  On modern browsers, setting target="_blank" on anchor elements implicitly provides the same
+    #  behavior as setting rel="noopener".
+    #
+    class TargetBlank < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        node.set_attribute("target", "_blank")
+        STOP
+      end
+    end
     #
     #  === scrub!(:noopener)
     #
@@ -235,6 +279,28 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:noreferrer)
+    #
+    #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+    #
+    class NoReferrer < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "noreferrer")
+        STOP
+      end
+    end
     # This class probably isn't useful publicly, but is used for #to_text's current implemention
     class NewlineBlockElements < Scrubber # :nodoc:
       def initialize # rubocop:disable Lint/MissingSuper
@@ -292,6 +358,8 @@ module Loofah
       strip: Strip,
       nofollow: NoFollow,
       noopener: NoOpener,
+      noreferrer: NoReferrer,
+      targetblank: TargetBlank,
       newline_block_elements: NewlineBlockElements,
       unprintable: Unprintable,
     }

data/lib/loofah/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.21.4"
+  VERSION = "2.23.0"
 end

metadata CHANGED Viewed

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.21.4
+  version: 2.23.0
 platform: ruby
 authors:
 - Mike Dalessio
 - Bryan Helmkamp
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-10 00:00:00.000000000 Z
+date: 2024-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -82,7 +82,7 @@ metadata:
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
   changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
   documentation_uri: https://www.rubydoc.info/gems/loofah/
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -97,8 +97,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.0.dev
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
   and fragments, built on top of Nokogiri.