RubyGems - loofah - Versions diffs - 2.21.4 → 2.23.0 - Mend

loofah 2.21.4 → 2.23.0

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5bc700e0a8a523327ae05ebaace9741de9c00f165279a9525515c6c50699c0d9
-  data.tar.gz: cc8db32a403e04256aad34637f0824b117159d357a4e180be1385b3998d90208
+  metadata.gz: 69d24833d5dac5e1845b35ab17eddb200056337faf201d91a88067f1000bdb95
+  data.tar.gz: 5c9939a49b3c05d69ba197a76d4f9118631be7110ced87b375113289f23493eb
 SHA512:
-  metadata.gz: bda76a2e8ade5dd0461b3dca3386fb9a297fba1213a81ca404026fe17b33ab74fa4ed92916b11f921ac9e6b7bc77751e40ef7fabc706891d39e4e83cc091c17a
-  data.tar.gz: 981e45721b457e5c00a4c68dac710f121e23e0f26d5a1c35fbb3958b0e2574c12065e0b5166d0b55b0d836e79762326af1039aa442347993bc22c95ce5dad5fa
+  metadata.gz: aed08cf6f2d7cd3ca89c475f40ff25affab14337ab7baf41e2ca7e157feb1e3ba13c97c693ee3a42417cc181136ca52c26d2c844fd35fd8de3d0e89893cdaf6e
+  data.tar.gz: a7d36d63f3825a2e5976038776ad68e6932cc473422909d49283fd426c143f743733a1e4f4fddea135c828bb7a2d3015fbd566f7b61ae5fb1bf35af2c5ce8e14

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # Changelog
+## 2.23.0 / 2024-10-24
+### Added
+* Allow CSS property `min-width`. [#287] @lazyatom
+## 2.22.0 / 2023-11-13
+### Added
+* A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
+* A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
 ## 2.21.4 / 2023-10-10
 ### Fixed

data/README.md CHANGED Viewed

@@ -29,6 +29,7 @@ Active Record extensions for HTML sanitization are available in the [`loofah-act
   * _Whitewash_ the markup, removing all attributes and namespaced nodes.
 * Other common HTML transformations are built-in:
   * Add the _nofollow_ attribute to all hyperlinks.
+  * Add the _target=\_blank_ attribute to all hyperlinks.
   * Remove _unprintable_ characters from text nodes.
 * Format markup as plain text, with (or without) sensible whitespace handling around block elements.
 * Replace Rails's `strip_tags` and `sanitize` view helper methods.
@@ -229,8 +230,11 @@ doc.scrub!(:whitewash)   #  removes unknown/unsafe/namespaced tags and their chi
 Loofah also comes with some common transformation tasks:
 ``` ruby
-doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
+doc.scrub!(:nofollow)    #  adds rel="nofollow" attribute to links
+doc.scrub!(:noopener)    #  adds rel="noopener" attribute to links
+doc.scrub!(:noreferrer)  #  adds rel="noreferrer" attribute to links
 doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
+doc.scrub!(:targetblank) #     adds target="_blank" attribute to links
 ```
 See `Loofah::Scrubbers` for more details and example usage.
@@ -333,20 +337,64 @@ See [`SECURITY.md`](SECURITY.md) for vulnerability reporting details.
 Featuring code contributed by:
-* Aaron Patterson
-* John Barnette
-* Josh Owens
-* Paul Dix
-* Luke Melia
+* [@flavorjones](https://github.com/flavorjones)
+* [@brynary](https://github.com/brynary)
+* [@olleolleolle](https://github.com/olleolleolle)
+* [@JuanitoFatas](https://github.com/JuanitoFatas)
+* [@kaspth](https://github.com/kaspth)
+* [@tenderlove](https://github.com/tenderlove)
+* [@ktdreyer](https://github.com/ktdreyer)
+* [@orien](https://github.com/orien)
+* [@asok](https://github.com/asok)
+* [@junaruga](https://github.com/junaruga)
+* [@MothOnMars](https://github.com/MothOnMars)
+* [@nick-desteffen](https://github.com/nick-desteffen)
+* [@NikoRoberts](https://github.com/NikoRoberts)
+* [@trans](https://github.com/trans)
+* [@andreynering](https://github.com/andreynering)
+* [@aried3r](https://github.com/aried3r)
+* [@baopham](https://github.com/baopham)
+* [@batter](https://github.com/batter)
+* [@brendon](https://github.com/brendon)
+* [@cjba7](https://github.com/cjba7)
+* [@christiankisssner](https://github.com/christiankisssner)
+* [@dacort](https://github.com/dacort)
+* [@danfstucky](https://github.com/danfstucky)
+* [@david-a-wheeler](https://github.com/david-a-wheeler)
+* [@dharamgollapudi](https://github.com/dharamgollapudi)
+* [@georgeclaghorn](https://github.com/georgeclaghorn)
+* [@gogainda](https://github.com/gogainda)
+* [@jaredbeck](https://github.com/jaredbeck)
+* [@ThatHurleyGuy](https://github.com/ThatHurleyGuy)
+* [@jstorimer](https://github.com/jstorimer)
+* [@jbarnette](https://github.com/jbarnette)
+* [@queso](https://github.com/queso)
+* [@technicalpickles](https://github.com/technicalpickles)
+* [@kyoshidajp](https://github.com/kyoshidajp)
+* [@kristianfreeman](https://github.com/kristianfreeman)
+* [@louim](https://github.com/louim)
+* [@mrpasquini](https://github.com/mrpasquini)
+* [@olivierlacan](https://github.com/olivierlacan)
+* [@pauldix](https://github.com/pauldix)
+* [@sampokuokkanen](https://github.com/sampokuokkanen)
+* [@stefannibrasil](https://github.com/stefannibrasil)
+* [@tastycode](https://github.com/tastycode)
+* [@vipulnsward](https://github.com/vipulnsward)
+* [@joncalhoun](https://github.com/joncalhoun)
+* [@ahorek](https://github.com/ahorek)
+* [@rmacklin](https://github.com/rmacklin)
+* [@y-yagi](https://github.com/y-yagi)
+* [@lazyatom](https://github.com/lazyatom)
 And a big shout-out to Corey Innis for the name, and feedback on the API.
 ## Thank You
-The following people have generously funded Loofah:
+The following people have generously funded Loofah with financial sponsorship:
 * Bill Harding
+* [Sentry](https://sentry.io/) @getsentry
 ## Historical Note

data/lib/loofah/html5/safelist.rb CHANGED Viewed

@@ -663,6 +663,7 @@ module Loofah
         "list-style",
         "list-style-type",
         "max-width",
+        "min-width",
         "order",
         "overflow",
         "overflow-x",

data/lib/loofah/scrubbers.rb CHANGED Viewed

@@ -61,6 +61,15 @@ module Loofah
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="nofollow">I like your blog post</a>"
   #
   #
+  #  === Loofah::Scrubbers::TargetBlank / scrub!(:targetblank)
+  #
+  #  +:targetblank+ adds a target="_blank" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+  #
+  #
   #  === Loofah::Scrubbers::NoOpener / scrub!(:noopener)
   #
   #  +:noopener+ adds a rel="noopener" attribute to all links
@@ -69,6 +78,14 @@ module Loofah
   #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noopener)
   #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noopener">I like your blog post</a>"
   #
+  #  === Loofah::Scrubbers::NoReferrer / scrub!(:noreferrer)
+  #
+  #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+  #
+  #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+  #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+  #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+  #
   #
   #  === Loofah::Scrubbers::Unprintable / scrub!(:unprintable)
   #
@@ -213,6 +230,33 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:targetblank)
+    #
+    #  +:targetblank+ adds a target="_blank" attribute to all links.
+    #  If there is a target already set, replaces it with target="_blank".
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:targetblank)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' target="_blank">I like your blog post</a>"
+    #
+    #  On modern browsers, setting target="_blank" on anchor elements implicitly provides the same
+    #  behavior as setting rel="noopener".
+    #
+    class TargetBlank < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        node.set_attribute("target", "_blank")
+        STOP
+      end
+    end
     #
     #  === scrub!(:noopener)
     #
@@ -235,6 +279,28 @@ module Loofah
       end
     end
+    #
+    #  === scrub!(:noreferrer)
+    #
+    #  +:noreferrer+ adds a rel="noreferrer" attribute to all links
+    #
+    #     link_farmers_markup = "ohai! <a href='http://www.myswarmysite.com/'>I like your blog post</a>"
+    #     Loofah.html5_fragment(link_farmers_markup).scrub!(:noreferrer)
+    #     => "ohai! <a href='http://www.myswarmysite.com/' rel="noreferrer">I like your blog post</a>"
+    #
+    class NoReferrer < Scrubber
+      def initialize # rubocop:disable Lint/MissingSuper
+        @direction = :top_down
+      end
+      def scrub(node)
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "noreferrer")
+        STOP
+      end
+    end
     # This class probably isn't useful publicly, but is used for #to_text's current implemention
     class NewlineBlockElements < Scrubber # :nodoc:
       def initialize # rubocop:disable Lint/MissingSuper
@@ -292,6 +358,8 @@ module Loofah
       strip: Strip,
       nofollow: NoFollow,
       noopener: NoOpener,
+      noreferrer: NoReferrer,
+      targetblank: TargetBlank,
       newline_block_elements: NewlineBlockElements,
       unprintable: Unprintable,
     }

data/lib/loofah/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.21.4"
+  VERSION = "2.23.0"
 end

metadata CHANGED Viewed

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.21.4
+  version: 2.23.0
 platform: ruby
 authors:
 - Mike Dalessio
 - Bryan Helmkamp
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-10 00:00:00.000000000 Z
+date: 2024-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -82,7 +82,7 @@ metadata:
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
   changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
   documentation_uri: https://www.rubydoc.info/gems/loofah/
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -97,8 +97,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.0.dev
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
   and fragments, built on top of Nokogiri.