loofah 2.24.1 → 2.25.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/SECURITY.md +1 -1
- data/lib/loofah/html5/scrub.rb +28 -14
- data/lib/loofah/version.rb +1 -1
- metadata +2 -2
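--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: d07f9d310067f14d41ee4661fd3cd831de5af3d1c60bbfc949ba57219636ee9f
+  data.tar.gz: 0ea8df2bfb5396bcbcbec9b1ba3c7d1d0e852739be595efc4e27826226246eac
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 0562da17634578281969ad6ebab59608ca78048d46a0ef298a5f767e32a0c66d11d74c1edd89a9710c80b2a27cc745af434890f8a79f055748e213642084f0c2
+  data.tar.gz: a39abf331334da243c9b608ab0a41fe5c08c0a41622433c86a3013a8aaaa204458afc7b99fe7d9042471f467433c6f4101f8f09adaddfb80fe091bf2541b6917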
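--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## 2.25.1 / 2026-03-17
+
+* Ensure `Loofah::HTML5::Scrub.allowed_uri?` recognizes unescaped whitespace entities and rejects schemas containing them. See [GHSA-46fp-8f5p-pf2m](https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m). #302 @flavorjones
+
+## 2.25.0 / 2025-12-15
+
+* Extract `Loofah::HTML5::Scrub.allowed_uri?` which operates on a string. Previously this logic was coupled to the parsed tree in `.scrub_uri_attribute`. #300 @flavorjones
+* Tightened up how entities and control characters are handled when detecting allowed URIs. #301 @flavorjones
+
+
 ## 2.24.1 / 2025-05-12
 
 ### Ruby support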
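--- a/data/SECURITY.md
+++ b/data/SECURITY.md
@@ -2,7 +2,7 @@
 
 The Loofah core contributors take security very seriously and investigate all reported vulnerabilities.
 
-If you would like to report a vulnerablity or have a security concern regarding Loofah, please [report it via
+If you would like to report a vulnerablity or have a security concern regarding Loofah, please [report it via Github](https://github.com/flavorjones/loofah/security).
 
 Your report will be acknowledged within 24 hours, and you'll receive a more detailed response within 72 hours indicating next steps in handling your report.
 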
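--- a/data/lib/loofah/html5/scrub.rb
+++ b/data/lib/loofah/html5/scrub.rb
@@ -14,6 +14,7 @@ module Loofah
       CSS_WHITESPACE = " "
       CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
       DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
+      URI_PROTOCOL_REGEX = /\A[a-z][a-z0-9+\-.]*:/ # RFC 3986
 
       class << self
         def allowed_element?(element_name)
@@ -140,23 +141,36 @@ module Loofah
           attr_node.value = values.join(" ")
         end
 
+        # Returns true if the given URI string is safe, false otherwise.
+        # This method can be used to validate URI attribute values without
+        # requiring a Nokogiri DOM node.
+        def allowed_uri?(uri_string)
+          # Replace control characters both before and after unescaping.
+          uri_string = CGI.unescapeHTML(uri_string.gsub(CONTROL_CHARACTERS, ""))
+            .gsub(CONTROL_CHARACTERS, "")
+            .gsub(":", ":")
+            .downcase
+          if URI_PROTOCOL_REGEX.match?(uri_string)
+            protocol = uri_string.split(SafeList::PROTOCOL_SEPARATOR)[0]
+            return false unless SafeList::ALLOWED_PROTOCOLS.include?(protocol)
+
+            if protocol == "data"
+              # permit only allowed data mediatypes
+              mediatype = uri_string.split(SafeList::PROTOCOL_SEPARATOR)[1]
+              mediatype, _ = mediatype.split(/[;,]/)[0..1] if mediatype
+              return false if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
+            end
+          end
+          true
+        end
+
         def scrub_uri_attribute(attr_node)
-
-
-
-              !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
+          if allowed_uri?(attr_node.value)
+            false
+          else
             attr_node.remove
-
-          elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data"
-            # permit only allowed data mediatypes
-            mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1]
-            mediatype, _ = mediatype.split(";")[0..1] if mediatype
-            if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
-              attr_node.remove
-              return true
-            end
+            true
           end
-          false
         end
 
         #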
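Review bot: `allowed_uri?` (new lines 147–165) still leaves named HTML entities undecoded before the scheme check, because Ruby's `CGI.unescapeHTML` decodes only `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&apos;` and numeric references; an input such as `java&Tab;script:alert(1)` therefore never matches `URI_PROTOCOL_REGEX` (the `&` is outside `[a-z0-9+\-.]`), no protocol is extracted, and the method falls through to `true`. This matters now that the method is public and advertised for use "without requiring a Nokogiri DOM node": callers going through `scrub_uri_attribute` are covered because the parser has already turned the entity into a control character that `CONTROL_CHARACTERS` strips, but raw-string callers are not. The 2.25.1 changelog says whitespace entities are now rejected, yet nothing on the new side of this hunk visibly handles named entities, so either that lives in `CONTROL_CHARACTERS` (defined above this hunk) or the rendered diff lost it — the line shown as `.gsub(":", ":")` reads like an entity literal that was decoded during rendering, which is worth checking against the gem's source. I would pin the intended behaviour with a regression test, `refute Loofah::HTML5::Scrub.allowed_uri?("java&Tab;script:alert(1)")`, and state the precondition in the method comment: `# NOTE: only the entities CGI.unescapeHTML knows are decoded; callers passing un-parsed markup must decode named entities first.` The enclosing `class << self` block starts and ends outside this hunk.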
data/lib/loofah/version.rb
CHANGED
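--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.
+  version: 2.25.1
 platform: ruby
 authors:
 - Mike Dalessio
@@ -96,7 +96,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   - !ruby/object:Gem::Version
     version: '0'
 requirements: []
-rubygems_version:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
   and fragments, built on top of Nokogiri.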