loofah 2.3.1 → 2.19.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +193 -40
- data/README.md +13 -12
- data/lib/loofah/elements.rb +79 -75
- data/lib/loofah/helpers.rb +5 -4
- data/lib/loofah/html/document.rb +1 -0
- data/lib/loofah/html/document_fragment.rb +4 -2
- data/lib/loofah/html5/libxml2_workarounds.rb +8 -7
- data/lib/loofah/html5/safelist.rb +273 -27
- data/lib/loofah/html5/scrub.rb +147 -52
- data/lib/loofah/instance_methods.rb +14 -8
- data/lib/loofah/metahelpers.rb +2 -1
- data/lib/loofah/scrubber.rb +12 -7
- data/lib/loofah/scrubbers.rb +20 -18
- data/lib/loofah/version.rb +5 -0
- data/lib/loofah/xml/document.rb +1 -0
- data/lib/loofah/xml/document_fragment.rb +2 -1
- data/lib/loofah.rb +33 -16
- metadata +45 -125
- data/.gemtest +0 -0
- data/Gemfile +0 -22
- data/Manifest.txt +0 -41
- data/Rakefile +0 -81
- data/benchmark/benchmark.rb +0 -149
- data/benchmark/fragment.html +0 -96
- data/benchmark/helper.rb +0 -73
- data/benchmark/www.slashdot.com.html +0 -2560
- data/test/assets/msword.html +0 -63
- data/test/assets/testdata_sanitizer_tests1.dat +0 -502
- data/test/helper.rb +0 -18
- data/test/html5/test_sanitizer.rb +0 -401
- data/test/html5/test_scrub.rb +0 -10
- data/test/integration/test_ad_hoc.rb +0 -220
- data/test/integration/test_helpers.rb +0 -43
- data/test/integration/test_html.rb +0 -72
- data/test/integration/test_scrubbers.rb +0 -400
- data/test/integration/test_xml.rb +0 -55
- data/test/unit/test_api.rb +0 -142
- data/test/unit/test_encoding.rb +0 -20
- data/test/unit/test_helpers.rb +0 -62
- data/test/unit/test_scrubber.rb +0 -229
- data/test/unit/test_scrubbers.rb +0 -14
data/lib/loofah/helpers.rb
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
module Loofah
|
2
3
|
module Helpers
|
3
4
|
class << self
|
@@ -27,7 +28,7 @@ module Loofah
|
|
27
28
|
#
|
28
29
|
# Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
|
29
30
|
#
|
30
|
-
def sanitize_css
|
31
|
+
def sanitize_css(style_string)
|
31
32
|
::Loofah::HTML5::Scrub.scrub_css style_string
|
32
33
|
end
|
33
34
|
|
@@ -68,7 +69,7 @@ module Loofah
|
|
68
69
|
# Loofah::Helpers::ActionView.set_as_default_sanitizer
|
69
70
|
#
|
70
71
|
class FullSanitizer
|
71
|
-
def sanitize
|
72
|
+
def sanitize(html, *args)
|
72
73
|
Loofah::Helpers.strip_tags html
|
73
74
|
end
|
74
75
|
end
|
@@ -85,11 +86,11 @@ module Loofah
|
|
85
86
|
# Loofah::Helpers::ActionView.set_as_default_sanitizer
|
86
87
|
#
|
87
88
|
class SafeListSanitizer
|
88
|
-
def sanitize
|
89
|
+
def sanitize(html, *args)
|
89
90
|
Loofah::Helpers.sanitize html
|
90
91
|
end
|
91
92
|
|
92
|
-
def sanitize_css
|
93
|
+
def sanitize_css(style_string, *args)
|
93
94
|
Loofah::Helpers.sanitize_css style_string
|
94
95
|
end
|
95
96
|
end
|
data/lib/loofah/html/document.rb
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
module Loofah
|
2
3
|
module HTML # :nodoc:
|
3
4
|
#
|
@@ -14,10 +15,10 @@ module Loofah
|
|
14
15
|
# constructor. Applications should use Loofah.fragment to
|
15
16
|
# parse a fragment.
|
16
17
|
#
|
17
|
-
def parse
|
18
|
+
def parse(tags, encoding = nil)
|
18
19
|
doc = Loofah::HTML::Document.new
|
19
20
|
|
20
|
-
encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name :
|
21
|
+
encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
|
21
22
|
doc.encoding = encoding
|
22
23
|
|
23
24
|
new(doc, tags)
|
@@ -30,6 +31,7 @@ module Loofah
|
|
30
31
|
def to_s
|
31
32
|
serialize_root.children.to_s
|
32
33
|
end
|
34
|
+
|
33
35
|
alias :serialize :to_s
|
34
36
|
|
35
37
|
def serialize_root
|
@@ -1,5 +1,6 @@
|
|
1
1
|
# coding: utf-8
|
2
|
-
|
2
|
+
# frozen_string_literal: true
|
3
|
+
require "set"
|
3
4
|
|
4
5
|
module Loofah
|
5
6
|
#
|
@@ -16,11 +17,11 @@ module Loofah
|
|
16
17
|
# see comments about CVE-2018-8048 within the tests for more information
|
17
18
|
#
|
18
19
|
BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
|
20
|
+
href
|
21
|
+
action
|
22
|
+
src
|
23
|
+
name
|
24
|
+
]
|
25
|
+
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
|
25
26
|
end
|
26
27
|
end
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
require "set"
|
2
3
|
|
3
4
|
module Loofah
|
@@ -139,6 +140,7 @@ module Loofah
|
|
139
140
|
"ul",
|
140
141
|
"var",
|
141
142
|
"video",
|
143
|
+
"wbr",
|
142
144
|
])
|
143
145
|
|
144
146
|
MATHML_ELEMENTS = Set.new([
|
@@ -146,6 +148,7 @@ module Loofah
|
|
146
148
|
"annotation-xml",
|
147
149
|
"maction",
|
148
150
|
"math",
|
151
|
+
"menclose",
|
149
152
|
"merror",
|
150
153
|
"mfenced",
|
151
154
|
"mfrac",
|
@@ -159,6 +162,7 @@ module Loofah
|
|
159
162
|
"mprescripts",
|
160
163
|
"mroot",
|
161
164
|
"mrow",
|
165
|
+
"ms",
|
162
166
|
"mspace",
|
163
167
|
"msqrt",
|
164
168
|
"mstyle",
|
@@ -311,6 +315,7 @@ module Loofah
|
|
311
315
|
"columnspacing",
|
312
316
|
"columnspan",
|
313
317
|
"depth",
|
318
|
+
"dir",
|
314
319
|
"display",
|
315
320
|
"displaystyle",
|
316
321
|
"encoding",
|
@@ -321,19 +326,24 @@ module Loofah
|
|
321
326
|
"fontweight",
|
322
327
|
"frame",
|
323
328
|
"height",
|
329
|
+
"href",
|
324
330
|
"linethickness",
|
331
|
+
"lquote",
|
325
332
|
"lspace",
|
326
333
|
"mathbackground",
|
327
334
|
"mathcolor",
|
335
|
+
"mathsize",
|
328
336
|
"mathvariant",
|
329
337
|
"maxsize",
|
330
338
|
"minsize",
|
339
|
+
"notation",
|
331
340
|
"open",
|
332
341
|
"other",
|
333
342
|
"rowalign",
|
334
343
|
"rowlines",
|
335
344
|
"rowspacing",
|
336
345
|
"rowspan",
|
346
|
+
"rquote",
|
337
347
|
"rspace",
|
338
348
|
"scriptlevel",
|
339
349
|
"selection",
|
@@ -502,6 +512,62 @@ module Loofah
|
|
502
512
|
"zoomAndPan",
|
503
513
|
])
|
504
514
|
|
515
|
+
ARIA_ATTRIBUTES = Set.new([
|
516
|
+
"aria-activedescendant",
|
517
|
+
"aria-atomic",
|
518
|
+
"aria-autocomplete",
|
519
|
+
"aria-braillelabel",
|
520
|
+
"aria-brailleroledescription",
|
521
|
+
"aria-busy",
|
522
|
+
"aria-checked",
|
523
|
+
"aria-colcount",
|
524
|
+
"aria-colindex",
|
525
|
+
"aria-colindextext",
|
526
|
+
"aria-colspan",
|
527
|
+
"aria-controls",
|
528
|
+
"aria-current",
|
529
|
+
"aria-describedby",
|
530
|
+
"aria-description",
|
531
|
+
"aria-details",
|
532
|
+
"aria-disabled",
|
533
|
+
"aria-dropeffect",
|
534
|
+
"aria-errormessage",
|
535
|
+
"aria-expanded",
|
536
|
+
"aria-flowto",
|
537
|
+
"aria-grabbed",
|
538
|
+
"aria-haspopup",
|
539
|
+
"aria-hidden",
|
540
|
+
"aria-invalid",
|
541
|
+
"aria-keyshortcuts",
|
542
|
+
"aria-label",
|
543
|
+
"aria-labelledby",
|
544
|
+
"aria-level",
|
545
|
+
"aria-live",
|
546
|
+
"aria-multiline",
|
547
|
+
"aria-multiselectable",
|
548
|
+
"aria-orientation",
|
549
|
+
"aria-owns",
|
550
|
+
"aria-placeholder",
|
551
|
+
"aria-posinset",
|
552
|
+
"aria-pressed",
|
553
|
+
"aria-readonly",
|
554
|
+
"aria-relevant",
|
555
|
+
"aria-required",
|
556
|
+
"aria-roledescription",
|
557
|
+
"aria-rowcount",
|
558
|
+
"aria-rowindex",
|
559
|
+
"aria-rowindextext",
|
560
|
+
"aria-rowspan",
|
561
|
+
"aria-selected",
|
562
|
+
"aria-setsize",
|
563
|
+
"aria-sort",
|
564
|
+
"aria-valuemax",
|
565
|
+
"aria-valuemin",
|
566
|
+
"aria-valuenow",
|
567
|
+
"aria-valuetext",
|
568
|
+
"role",
|
569
|
+
])
|
570
|
+
|
505
571
|
ATTR_VAL_IS_URI = Set.new([
|
506
572
|
"action",
|
507
573
|
"cite",
|
@@ -548,6 +614,10 @@ module Loofah
|
|
548
614
|
|
549
615
|
ACCEPTABLE_CSS_PROPERTIES = Set.new([
|
550
616
|
"azimuth",
|
617
|
+
"align-content",
|
618
|
+
"align-items",
|
619
|
+
"align-self",
|
620
|
+
"aspect-ratio",
|
551
621
|
"background-color",
|
552
622
|
"border-bottom-color",
|
553
623
|
"border-collapse",
|
@@ -561,6 +631,13 @@ module Loofah
|
|
561
631
|
"direction",
|
562
632
|
"display",
|
563
633
|
"elevation",
|
634
|
+
"flex",
|
635
|
+
"flex-basis",
|
636
|
+
"flex-direction",
|
637
|
+
"flex-flow",
|
638
|
+
"flex-grow",
|
639
|
+
"flex-shrink",
|
640
|
+
"flex-wrap",
|
564
641
|
"float",
|
565
642
|
"font",
|
566
643
|
"font-family",
|
@@ -569,11 +646,19 @@ module Loofah
|
|
569
646
|
"font-variant",
|
570
647
|
"font-weight",
|
571
648
|
"height",
|
649
|
+
"justify-content",
|
572
650
|
"letter-spacing",
|
573
651
|
"line-height",
|
574
652
|
"list-style",
|
575
653
|
"list-style-type",
|
654
|
+
"max-width",
|
655
|
+
"order",
|
576
656
|
"overflow",
|
657
|
+
"overflow-x",
|
658
|
+
"overflow-y",
|
659
|
+
"page-break-after",
|
660
|
+
"page-break-before",
|
661
|
+
"page-break-inside",
|
577
662
|
"pause",
|
578
663
|
"pause-after",
|
579
664
|
"pause-before",
|
@@ -599,48 +684,213 @@ module Loofah
|
|
599
684
|
|
600
685
|
ACCEPTABLE_CSS_KEYWORDS = Set.new([
|
601
686
|
"!important",
|
602
|
-
"aqua",
|
603
687
|
"auto",
|
604
|
-
"black",
|
605
688
|
"block",
|
606
|
-
"blue",
|
607
689
|
"bold",
|
608
690
|
"both",
|
609
691
|
"bottom",
|
610
|
-
"brown",
|
611
692
|
"center",
|
612
693
|
"collapse",
|
613
694
|
"dashed",
|
614
695
|
"dotted",
|
615
|
-
"
|
616
|
-
"
|
617
|
-
"
|
696
|
+
"double",
|
697
|
+
"groove",
|
698
|
+
"hidden",
|
699
|
+
"inherit",
|
700
|
+
"initial",
|
701
|
+
"inset",
|
618
702
|
"italic",
|
619
703
|
"left",
|
620
|
-
"lime",
|
621
|
-
"maroon",
|
622
704
|
"medium",
|
623
|
-
"navy",
|
624
705
|
"none",
|
625
706
|
"normal",
|
626
707
|
"nowrap",
|
627
|
-
"
|
708
|
+
"outset",
|
628
709
|
"pointer",
|
629
|
-
"
|
630
|
-
"
|
710
|
+
"revert",
|
711
|
+
"ridge",
|
631
712
|
"right",
|
632
|
-
"
|
713
|
+
"separate",
|
633
714
|
"solid",
|
634
|
-
"teal",
|
635
|
-
"thin",
|
636
715
|
"thick",
|
716
|
+
"thin",
|
637
717
|
"top",
|
638
718
|
"transparent",
|
639
719
|
"underline",
|
640
|
-
"
|
641
|
-
"yellow",
|
720
|
+
"unset",
|
642
721
|
])
|
643
722
|
|
723
|
+
# https://www.w3.org/TR/css-color-3/#html4
|
724
|
+
ACCEPTABLE_CSS_COLORS = Set.new([
|
725
|
+
"aqua",
|
726
|
+
"black",
|
727
|
+
"blue",
|
728
|
+
"fuchsia",
|
729
|
+
"gray",
|
730
|
+
"green",
|
731
|
+
"lime",
|
732
|
+
"maroon",
|
733
|
+
"navy",
|
734
|
+
"olive",
|
735
|
+
"purple",
|
736
|
+
"red",
|
737
|
+
"silver",
|
738
|
+
"teal",
|
739
|
+
"white",
|
740
|
+
"yellow",
|
741
|
+
])
|
742
|
+
|
743
|
+
# https://www.w3.org/TR/css-color-3/#svg-color
|
744
|
+
ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
|
745
|
+
"aliceblue",
|
746
|
+
"antiquewhite",
|
747
|
+
"aqua",
|
748
|
+
"aquamarine",
|
749
|
+
"azure",
|
750
|
+
"beige",
|
751
|
+
"bisque",
|
752
|
+
"black",
|
753
|
+
"blanchedalmond",
|
754
|
+
"blue",
|
755
|
+
"blueviolet",
|
756
|
+
"brown",
|
757
|
+
"burlywood",
|
758
|
+
"cadetblue",
|
759
|
+
"chartreuse",
|
760
|
+
"chocolate",
|
761
|
+
"coral",
|
762
|
+
"cornflowerblue",
|
763
|
+
"cornsilk",
|
764
|
+
"crimson",
|
765
|
+
"cyan",
|
766
|
+
"darkblue",
|
767
|
+
"darkcyan",
|
768
|
+
"darkgoldenrod",
|
769
|
+
"darkgray",
|
770
|
+
"darkgreen",
|
771
|
+
"darkgrey",
|
772
|
+
"darkkhaki",
|
773
|
+
"darkmagenta",
|
774
|
+
"darkolivegreen",
|
775
|
+
"darkorange",
|
776
|
+
"darkorchid",
|
777
|
+
"darkred",
|
778
|
+
"darksalmon",
|
779
|
+
"darkseagreen",
|
780
|
+
"darkslateblue",
|
781
|
+
"darkslategray",
|
782
|
+
"darkslategrey",
|
783
|
+
"darkturquoise",
|
784
|
+
"darkviolet",
|
785
|
+
"deeppink",
|
786
|
+
"deepskyblue",
|
787
|
+
"dimgray",
|
788
|
+
"dimgrey",
|
789
|
+
"dodgerblue",
|
790
|
+
"firebrick",
|
791
|
+
"floralwhite",
|
792
|
+
"forestgreen",
|
793
|
+
"fuchsia",
|
794
|
+
"gainsboro",
|
795
|
+
"ghostwhite",
|
796
|
+
"gold",
|
797
|
+
"goldenrod",
|
798
|
+
"gray",
|
799
|
+
"green",
|
800
|
+
"greenyellow",
|
801
|
+
"grey",
|
802
|
+
"honeydew",
|
803
|
+
"hotpink",
|
804
|
+
"indianred",
|
805
|
+
"indigo",
|
806
|
+
"ivory",
|
807
|
+
"khaki",
|
808
|
+
"lavender",
|
809
|
+
"lavenderblush",
|
810
|
+
"lawngreen",
|
811
|
+
"lemonchiffon",
|
812
|
+
"lightblue",
|
813
|
+
"lightcoral",
|
814
|
+
"lightcyan",
|
815
|
+
"lightgoldenrodyellow",
|
816
|
+
"lightgray",
|
817
|
+
"lightgreen",
|
818
|
+
"lightgrey",
|
819
|
+
"lightpink",
|
820
|
+
"lightsalmon",
|
821
|
+
"lightseagreen",
|
822
|
+
"lightskyblue",
|
823
|
+
"lightslategray",
|
824
|
+
"lightslategrey",
|
825
|
+
"lightsteelblue",
|
826
|
+
"lightyellow",
|
827
|
+
"lime",
|
828
|
+
"limegreen",
|
829
|
+
"linen",
|
830
|
+
"magenta",
|
831
|
+
"maroon",
|
832
|
+
"mediumaquamarine",
|
833
|
+
"mediumblue",
|
834
|
+
"mediumorchid",
|
835
|
+
"mediumpurple",
|
836
|
+
"mediumseagreen",
|
837
|
+
"mediumslateblue",
|
838
|
+
"mediumspringgreen",
|
839
|
+
"mediumturquoise",
|
840
|
+
"mediumvioletred",
|
841
|
+
"midnightblue",
|
842
|
+
"mintcream",
|
843
|
+
"mistyrose",
|
844
|
+
"moccasin",
|
845
|
+
"navajowhite",
|
846
|
+
"navy",
|
847
|
+
"oldlace",
|
848
|
+
"olive",
|
849
|
+
"olivedrab",
|
850
|
+
"orange",
|
851
|
+
"orangered",
|
852
|
+
"orchid",
|
853
|
+
"palegoldenrod",
|
854
|
+
"palegreen",
|
855
|
+
"paleturquoise",
|
856
|
+
"palevioletred",
|
857
|
+
"papayawhip",
|
858
|
+
"peachpuff",
|
859
|
+
"peru",
|
860
|
+
"pink",
|
861
|
+
"plum",
|
862
|
+
"powderblue",
|
863
|
+
"purple",
|
864
|
+
"red",
|
865
|
+
"rosybrown",
|
866
|
+
"royalblue",
|
867
|
+
"saddlebrown",
|
868
|
+
"salmon",
|
869
|
+
"sandybrown",
|
870
|
+
"seagreen",
|
871
|
+
"seashell",
|
872
|
+
"sienna",
|
873
|
+
"silver",
|
874
|
+
"skyblue",
|
875
|
+
"slateblue",
|
876
|
+
"slategray",
|
877
|
+
"slategrey",
|
878
|
+
"snow",
|
879
|
+
"springgreen",
|
880
|
+
"steelblue",
|
881
|
+
"tan",
|
882
|
+
"teal",
|
883
|
+
"thistle",
|
884
|
+
"tomato",
|
885
|
+
"turquoise",
|
886
|
+
"violet",
|
887
|
+
"wheat",
|
888
|
+
"white",
|
889
|
+
"whitesmoke",
|
890
|
+
"yellow",
|
891
|
+
"yellowgreen",
|
892
|
+
])
|
893
|
+
|
644
894
|
# see https://www.quackit.com/css/functions/
|
645
895
|
# omit `url` and `image` from that list
|
646
896
|
ACCEPTABLE_CSS_FUNCTIONS = Set.new([
|
@@ -735,6 +985,7 @@ module Loofah
|
|
735
985
|
"rsync",
|
736
986
|
"rtsp",
|
737
987
|
"sftp",
|
988
|
+
"sms",
|
738
989
|
"ssh",
|
739
990
|
"tag",
|
740
991
|
"tel",
|
@@ -748,33 +999,28 @@ module Loofah
|
|
748
999
|
"image/gif",
|
749
1000
|
"image/jpeg",
|
750
1001
|
"image/png",
|
751
|
-
"image/svg+xml",
|
752
1002
|
"text/css",
|
753
1003
|
"text/plain",
|
754
1004
|
])
|
755
1005
|
|
756
1006
|
# subclasses may define their own versions of these constants
|
757
1007
|
ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
|
758
|
-
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
|
1008
|
+
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
|
759
1009
|
ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
|
760
|
-
ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
|
1010
|
+
ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
|
761
1011
|
ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
|
762
1012
|
ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
|
763
1013
|
ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
|
764
1014
|
ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
|
765
1015
|
|
1016
|
+
# TODO: remove VOID_ELEMENTS in a future major release
|
1017
|
+
# and put it in the tests (it is used only for testing, not for functional behavior)
|
766
1018
|
VOID_ELEMENTS = Set.new([
|
767
1019
|
"area",
|
768
|
-
"base",
|
769
1020
|
"br",
|
770
|
-
"col",
|
771
|
-
"embed",
|
772
1021
|
"hr",
|
773
1022
|
"img",
|
774
1023
|
"input",
|
775
|
-
"link",
|
776
|
-
"meta",
|
777
|
-
"param",
|
778
1024
|
])
|
779
1025
|
|
780
1026
|
# additional tags we should consider safe since we have libxml2 fixing up our documents.
|