loofah 2.3.0 → 2.7.0

data/lib/loofah/instance_methods.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   #
   #  Mixes +scrub!+ into Document, DocumentFragment, Node and NodeSet.
@@ -91,7 +92,7 @@ module Loofah
     #    # decidedly not ok for browser:
     #    frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
     #
-    def text(options={})
+    def text(options = {})
       result = serialize_root.children.inner_text rescue ""
       if options[:encode_special_chars] == false
         result # possibly dangerous if rendered in a browser
@@ -99,8 +100,9 @@ module Loofah
         encode_special_chars result
       end
     end
+
     alias :inner_text :text
-    alias :to_str     :text
+    alias :to_str :text
 
     #
     #  Returns a plain-text version of the markup contained by the
@@ -112,7 +114,7 @@ module Loofah
     #    Loofah.document("<h1>Title</h1><div>Content</div>").to_text
     #    # => "\nTitle\n\nContent\n"
     #
-    def to_text(options={})
+    def to_text(options = {})
       Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
     end
   end

data/lib/loofah/metahelpers.rb

@@ -1,6 +1,7 @@
+# frozen_string_literal: true
 module Loofah
   module MetaHelpers # :nodoc:
-    def self.add_downcased_set_members_to_all_set_constants mojule
+    def self.add_downcased_set_members_to_all_set_constants(mojule)
       mojule.constants.each do |constant_sym|
         constant = mojule.const_get constant_sym
         next unless Set === constant

data/lib/loofah/scrubber.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module Loofah
   #
   #  A RuntimeError raised when Loofah could not find an appropriate scrubber.
   #
-  class ScrubberNotFound < RuntimeError ; end
+  class ScrubberNotFound < RuntimeError; end
 
   #
   #  A Scrubber wraps up a block (or method) that is run on an HTML node (element):
@@ -36,7 +37,7 @@ module Loofah
     CONTINUE = Object.new.freeze
 
     # Top-down Scrubbers may return STOP to indicate that the subtree should not be traversed.
-    STOP     = Object.new.freeze
+    STOP = Object.new.freeze
 
     # When a scrubber is initialized, the :direction may be specified
     # as :top_down (the default) or :bottom_up.
@@ -64,7 +65,7 @@ module Loofah
     def initialize(options = {}, &block)
       direction = options[:direction] || :top_down
       unless [:top_down, :bottom_up].include?(direction)
-        raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up" 
+        raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up"
       end
       @direction, @block = direction, block
     end
@@ -91,10 +92,10 @@ module Loofah
     # If the attribute is set, don't overwrite the existing value
     #
     def append_attribute(node, attribute, value)
-      current_value = node.get_attribute(attribute) || ''
+      current_value = node.get_attribute(attribute) || ""
       current_values = current_value.split(/\s+/)
       updated_value = current_values | [value]
-      node.set_attribute(attribute, updated_value.join(' '))
+      node.set_attribute(attribute, updated_value.join(" "))
     end
 
     private
@@ -118,11 +119,11 @@ module Loofah
       else
         return if scrub(node) == STOP
       end
-      node.children.each {|j| traverse_conditionally_top_down(j)}
+      node.children.each { |j| traverse_conditionally_top_down(j) }
     end
 
     def traverse_conditionally_bottom_up(node)
-      node.children.each {|j| traverse_conditionally_bottom_up(j)}
+      node.children.each { |j| traverse_conditionally_bottom_up(j) }
       if block
         block.call(node)
       else

data/lib/loofah/scrubbers.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   #
   #  Loofah provides some built-in scrubbers for sanitizing with
@@ -205,8 +206,8 @@ module Loofah
       end
 
       def scrub(node)
-        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a')
-        append_attribute(node, 'rel', 'nofollow')
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "nofollow")
         return STOP
       end
     end
@@ -226,8 +227,8 @@ module Loofah
       end
 
       def scrub(node)
-        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a')
-        append_attribute(node, 'rel', 'noopener')
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "noopener")
         return STOP
       end
     end
@@ -267,7 +268,7 @@ module Loofah
 
       def scrub(node)
         if node.type == Nokogiri::XML::Node::TEXT_NODE || node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
-          node.content = node.content.gsub(/\u2028|\u2029/, '')
+          node.content = node.content.gsub(/\u2028|\u2029/, "")
         end
         CONTINUE
       end
@@ -277,14 +278,14 @@ module Loofah
     #  A hash that maps a symbol (like +:prune+) to the appropriate Scrubber (Loofah::Scrubbers::Prune).
     #
     MAP = {
-      :escape    => Escape,
-      :prune     => Prune,
+      :escape => Escape,
+      :prune => Prune,
       :whitewash => Whitewash,
-      :strip     => Strip,
-      :nofollow  => NoFollow,
+      :strip => Strip,
+      :nofollow => NoFollow,
       :noopener => NoOpener,
       :newline_block_elements => NewlineBlockElements,
-      :unprintable => Unprintable
+      :unprintable => Unprintable,
     }
 
     #

data/lib/loofah/xml/document.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   module XML # :nodoc:
     #

data/lib/loofah/xml/document_fragment.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Loofah
   module XML # :nodoc:
     #
@@ -12,7 +13,7 @@ module Loofah
         #  constructor. Applications should use Loofah.fragment to
         #  parse a fragment.
         #
-        def parse tags
+        def parse(tags)
           doc = Loofah::XML::Document.new
           doc.encoding = tags.encoding.name if tags.respond_to?(:encoding)
           self.new(doc, tags)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-28 00:00:00.000000000 Z
+date: 2020-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -87,14 +87,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: hoe-gemspec
   requirement: !ruby/object:Gem::Requirement
@@ -151,6 +151,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: hoe-markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: concourse
   requirement: !ruby/object:Gem::Requirement
@@ -165,6 +179,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.26.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.76.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.76.0
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -191,26 +219,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
 description: |-
-  Loofah is a general library for manipulating and transforming HTML/XML
-  documents and fragments. It's built on top of Nokogiri and libxml2, so
-  it's fast and has a nice API.
+  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
-  Loofah excels at HTML sanitization (XSS prevention). It includes some
-  nice HTML sanitizers, which are based on HTML5lib's safelist, so it
-  most likely won't make your codes less secure. (These statements have
-  not been evaluated by Netexperts.)
+  Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
 
-  ActiveRecord extensions for sanitization are available in the
-  [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+  ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
@@ -223,7 +245,6 @@ extra_rdoc_files:
 - README.md
 - SECURITY.md
 files:
-- ".gemtest"
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE.txt
@@ -249,25 +270,15 @@ files:
 - lib/loofah/scrubbers.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
-- test/assets/msword.html
-- test/assets/testdata_sanitizer_tests1.dat
-- test/helper.rb
-- test/html5/test_sanitizer.rb
-- test/html5/test_scrub.rb
-- test/integration/test_ad_hoc.rb
-- test/integration/test_helpers.rb
-- test/integration/test_html.rb
-- test/integration/test_scrubbers.rb
-- test/integration/test_xml.rb
-- test/unit/test_api.rb
-- test/unit/test_encoding.rb
-- test/unit/test_helpers.rb
-- test/unit/test_scrubber.rb
-- test/unit/test_scrubbers.rb
 homepage: https://github.com/flavorjones/loofah
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://github.com/flavorjones/loofah
+  bug_tracker_uri: https://github.com/flavorjones/loofah/issues
+  documentation_uri: https://www.rubydoc.info/gems/loofah/
+  changelog_uri: https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/flavorjones/loofah
 post_install_message: 
 rdoc_options:
 - "--main"
@@ -285,9 +296,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
-  and fragments
+  and fragments, built on top of Nokogiri
 test_files: []

data/test/assets/msword.html

@@ -1,63 +0,0 @@
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>

data/test/assets/testdata_sanitizer_tests1.dat

@@ -1,502 +0,0 @@
-[
-  {
-    "name": "IE_Comments",
-    "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
-    "output": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]--&gt;"
-  },
-
-  {
-    "name": "IE_Comments_2",
-    "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
-    "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "allow_colons_in_path_component",
-    "input": "<a href=\"./this:that\">foo</a>",
-    "output": "<a href='./this:that'>foo</a>"
-  },
-
-  {
-    "name": "background_attribute",
-    "input": "<div background=\"javascript:alert('XSS')\"></div>",
-    "output": "<div/>",
-    "xhtml": "<div></div>",
-    "rexml": "<div></div>"
-  },
-
-  {
-    "name": "bgsound",
-    "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
-    "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
-  },
-
-  {
-    "name": "div_background_image_unicode_encoded",
-    "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "div_expression",
-    "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "double_open_angle_brackets",
-    "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-    "output": "<img src='http://ha.ckers.org/scriptlet.html'>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "double_open_angle_brackets_2",
-    "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-    "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "grave_accents",
-    "input": "<img src=`javascript:alert('XSS')` />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "img_dynsrc_lowsrc",
-    "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "img_vbscript",
-    "input": "<img src='vbscript:msgbox(\"XSS\")' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "input_image",
-    "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
-    "output": "<input type='image'>",
-    "rexml": "<input type='image' />"
-  },
-
-  {
-    "name": "link_stylesheets",
-    "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"&gt;",
-    "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "link_stylesheets_2",
-    "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"&gt;",
-    "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "list_style_image",
-    "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
-    "output": "<li>foo</li>"
-  },
-
-  {
-    "name": "no_closing_script_tags",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit",
-    "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_2",
-    "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_3",
-    "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_II",
-    "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_III",
-    "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "platypus",
-    "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;'>never trust your upstream platypus</a>"
-  },
-
-  {
-    "name": "protocol_resolution_in_script_tag",
-    "input": "<script src=//ha.ckers.org/.j></script>",
-    "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_allow_anchors",
-    "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
-    "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
-  },
-
-  {
-    "name": "should_allow_image_alt_attribute",
-    "input": "<img alt='foo' onclick='bar' />",
-    "output": "<img alt='foo'>",
-    "rexml": "<img alt='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_height_attribute",
-    "input": "<img height='foo' onclick='bar' />",
-    "output": "<img height='foo'>",
-    "rexml": "<img height='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_src_attribute",
-    "input": "<img src='foo' onclick='bar' />",
-    "output": "<img src='foo'>",
-    "rexml": "<img src='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_width_attribute",
-    "input": "<img width='foo' onclick='bar' />",
-    "output": "<img width='foo'>",
-    "rexml": "<img width='foo' />"
-  },
-
-  {
-    "name": "should_handle_blank_text",
-    "input": "",
-    "output": ""
-  },
-
-  {
-    "name": "should_handle_malformed_image_tags",
-    "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
-    "output": "<img>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_handle_non_html",
-    "input": "abc",
-    "output": "abc"
-  },
-
-  {
-    "name": "should_not_fall_for_ridiculous_hack",
-    "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_0",
-    "input": "<img src=\"javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_1",
-    "input": "<img src=javascript:alert('XSS') />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_10",
-    "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_11",
-    "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_12",
-    "input": "<img src=\" &#14;  javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_13",
-    "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_14",
-    "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_2",
-    "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_3",
-    "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_4",
-    "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_5",
-    "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_6",
-    "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_7",
-    "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_8",
-    "input": "<img src=\"jav\tascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_9",
-    "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_sanitize_half_open_scripts",
-    "input": "<img src=\"javascript:alert('XSS')\"",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_invalid_script_tag",
-    "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets",
-    "input": "<<script>alert(\"XSS\");//<</script>",
-    "output": "alert(\"XSS\");//",
-    "xhtml": "&lt;&lt;script&gt;alert('XSS');//&lt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
-    "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-    "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/iframe&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_tag_broken_up_by_null",
-    "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
-    "output": "&lt;scr&gt;&lt;/scr&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_unclosed_script",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols",
-    "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
-    "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols",
-    "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
-    "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "xml_base",
-    "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "xul",
-    "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
-    "output": "<p>fubar</p>"
-  },
-
-  {
-    "name": "quotes_in_attributes",
-    "input": "<img src='foo' title='\"foo\" bar' />",
-    "rexml": "<img src='foo' title='\"foo\" bar' />",
-    "output": "<img src='foo' title='\"foo\" bar'>"
-  },
-
-  {
-    "name": "uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(#foo)' />",
-    "rexml": "<rect fill='url(#foo)'></rect>",
-    "xhtml": "<rect fill='url(#foo)'></rect>",
-    "output": "<rect fill='url(#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(http://bad.com/) #fff' />",
-    "rexml": "<rect fill='  #fff'></rect>",
-    "xhtml": "<rect fill='  #fff'></rect>",
-    "output": "<rect fill='  #fff'/>"
-  },
-
-  {
-    "name": "uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill='url(\n#foo)' />",
-    "rexml": "<rect fill='url(\n#foo)'></rect>",
-    "xhtml": "<rect fill='url(\n#foo)'></rect>",
-    "output": "<rect fill='url(\n#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "rexml": "<rect></rect>",
-    "xhtml": "<rect></rect>",
-    "output": "<rect/>"
-  },
-
-  {
-    "name": "allow_html5_image_tag",
-    "input": "<image src='foo' />",
-    "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
-    "output": "&lt;image src=\"foo\"/&gt;"
-  },
-
-  {
-    "name": "style_attr_end_with_nothing",
-    "input": "<div style=\"color: blue\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_space",
-    "input": "<div style=\"color: blue \" />",
-    "output": "<div style='color: blue ;'/>",
-    "xhtml": "<div style='color: blue ;'></div>",
-    "rexml": "<div style='color: blue ;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon",
-    "input": "<div style=\"color: blue;\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon_space",
-    "input": "<div style=\"color: blue; \" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes",
-   "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-   "output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
-   "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes_II",
-   "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-   "output": "<img src='notthere.jpg%22%22onerror=%22alert(2)'>",
-   "rexml": "Ill-formed XHTML!"
-  }
-]