loofah 2.3.1 → 2.4.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/Gemfile +8 -7
- data/Rakefile +10 -0
- data/lib/loofah.rb +2 -1
- data/lib/loofah/elements.rb +1 -0
- data/lib/loofah/helpers.rb +1 -0
- data/lib/loofah/html/document.rb +1 -0
- data/lib/loofah/html/document_fragment.rb +1 -0
- data/lib/loofah/html5/libxml2_workarounds.rb +1 -0
- data/lib/loofah/html5/safelist.rb +2 -0
- data/lib/loofah/html5/scrub.rb +2 -1
- data/lib/loofah/instance_methods.rb +1 -0
- data/lib/loofah/metahelpers.rb +1 -0
- data/lib/loofah/scrubber.rb +1 -0
- data/lib/loofah/scrubbers.rb +1 -0
- data/lib/loofah/xml/document.rb +1 -0
- data/lib/loofah/xml/document_fragment.rb +1 -0
- data/test/html5/test_sanitizer.rb +13 -0
- metadata +20 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 29f0764dd4fc0eed44139b573bd3708917cab618126b094b9faa42d26a29d949
|
|
4
|
+
data.tar.gz: e1e9cc2ecbd68de48d1f2554a65b86bed0756616008cf9c9a7ed62af1197afa4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 05bc54adcab4ee55e52f69685366ba81e492a6b6c25c8e282d79d4ec85349f8ac37c3e34b74ed81089bda662ebed620c208a7a46bc64f4a504ec1bf51f7c8bf9
|
|
7
|
+
data.tar.gz: 8b0e5d75ab88d683240183b5b3e4ed3d1a1fd26bac0d89780ce64722a3d05cba95c42376208e294ad1b3b215fcb90a795e479a2d0e8a3fd643d3b136e88bb562
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 2.4.0 / 2019-11-25
|
|
4
|
+
|
|
5
|
+
### Features
|
|
6
|
+
|
|
7
|
+
* Allow CSS property `max-width` [#175] (Thanks, @bchaney!)
|
|
8
|
+
* Allow CSS sizes expressed in `rem` [#176, #177]
|
|
9
|
+
* Add `frozen_string_literal: true` magic comment to all `lib` files. [#118]
|
|
10
|
+
|
|
11
|
+
|
|
3
12
|
## 2.3.1 / 2019-10-22
|
|
4
13
|
|
|
5
14
|
### Security
|
data/Gemfile
CHANGED
|
@@ -7,16 +7,17 @@ source "https://rubygems.org/"
|
|
|
7
7
|
gem "nokogiri", ">=1.5.9"
|
|
8
8
|
gem "crass", "~>1.0.2"
|
|
9
9
|
|
|
10
|
-
gem "rake", "
|
|
10
|
+
gem "rake", "~>12.3", :group => [:development, :test]
|
|
11
11
|
gem "minitest", "~>2.2", :group => [:development, :test]
|
|
12
12
|
gem "rr", "~>1.2.0", :group => [:development, :test]
|
|
13
|
-
gem "json", "
|
|
14
|
-
gem "hoe-gemspec", "
|
|
15
|
-
gem "hoe-debugging", "
|
|
16
|
-
gem "hoe-bundler", "
|
|
17
|
-
gem "hoe-git", "
|
|
13
|
+
gem "json", "~>2.2.0", :group => [:development, :test]
|
|
14
|
+
gem "hoe-gemspec", "~>1.0", :group => [:development, :test]
|
|
15
|
+
gem "hoe-debugging", "~>2.0", :group => [:development, :test]
|
|
16
|
+
gem "hoe-bundler", "~>1.5", :group => [:development, :test]
|
|
17
|
+
gem "hoe-git", "~>1.6", :group => [:development, :test]
|
|
18
18
|
gem "concourse", ">=0.26.0", :group => [:development, :test]
|
|
19
|
+
gem "rubocop", ">=0.76.0", :group => [:development, :test]
|
|
19
20
|
gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
|
|
20
|
-
gem "hoe", "~>3.
|
|
21
|
+
gem "hoe", "~>3.20", :group => [:development, :test]
|
|
21
22
|
|
|
22
23
|
# vim: syntax=ruby
|
data/Rakefile
CHANGED
|
@@ -28,6 +28,7 @@ Hoe.spec "loofah" do
|
|
|
28
28
|
extra_dev_deps << ["hoe-bundler", "~> 1.5"]
|
|
29
29
|
extra_dev_deps << ["hoe-git", "~> 1.6"]
|
|
30
30
|
extra_dev_deps << ["concourse", ">=0.26.0"]
|
|
31
|
+
extra_dev_deps << ["rubocop", ">=0.76.0"]
|
|
31
32
|
end
|
|
32
33
|
|
|
33
34
|
task :gemspec do
|
|
@@ -75,6 +76,15 @@ task :generate_safelists do
|
|
|
75
76
|
load "tasks/generate-safelists"
|
|
76
77
|
end
|
|
77
78
|
|
|
79
|
+
task :rubocop => [:rubocop_security, :rubocop_frozen_string_literals]
|
|
80
|
+
task :rubocop_security do
|
|
81
|
+
sh "rubocop lib --only Security"
|
|
82
|
+
end
|
|
83
|
+
task :rubocop_frozen_string_literals do
|
|
84
|
+
sh "rubocop lib --auto-correct --only Style/FrozenStringLiteralComment"
|
|
85
|
+
end
|
|
86
|
+
Rake::Task[:test].prerequisites << :rubocop
|
|
87
|
+
|
|
78
88
|
Concourse.new("loofah", fly_target: "ci") do |c|
|
|
79
89
|
c.add_pipeline "loofah", "loofah.yml"
|
|
80
90
|
c.add_pipeline "loofah-pr", "loofah-pr.yml"
|
data/lib/loofah.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__))) unless $LOAD_PATH.include?(File.expand_path(File.dirname(__FILE__)))
|
|
2
3
|
|
|
3
4
|
require "nokogiri"
|
|
@@ -28,7 +29,7 @@ require "loofah/html/document_fragment"
|
|
|
28
29
|
#
|
|
29
30
|
module Loofah
|
|
30
31
|
# The version of Loofah you are using
|
|
31
|
-
VERSION = "2.
|
|
32
|
+
VERSION = "2.4.0"
|
|
32
33
|
|
|
33
34
|
class << self
|
|
34
35
|
# Shortcut for Loofah::HTML::Document.parse
|
data/lib/loofah/elements.rb
CHANGED
data/lib/loofah/helpers.rb
CHANGED
data/lib/loofah/html/document.rb
CHANGED
data/lib/loofah/html5/scrub.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
require 'cgi'
|
|
2
3
|
require 'crass'
|
|
3
4
|
|
|
@@ -6,7 +7,7 @@ module Loofah
|
|
|
6
7
|
module Scrub
|
|
7
8
|
|
|
8
9
|
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
|
|
9
|
-
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
|
|
10
|
+
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
|
|
10
11
|
CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
|
|
11
12
|
|
|
12
13
|
class << self
|
data/lib/loofah/metahelpers.rb
CHANGED
data/lib/loofah/scrubber.rb
CHANGED
data/lib/loofah/scrubbers.rb
CHANGED
data/lib/loofah/xml/document.rb
CHANGED
|
@@ -294,6 +294,12 @@ class Html5TestSanitizer < Loofah::TestCase
|
|
|
294
294
|
assert_match %r/0.3333333334em/, sane.inner_html
|
|
295
295
|
end
|
|
296
296
|
|
|
297
|
+
def test_css_rem_value
|
|
298
|
+
html = "<span style=\"margin-top:10rem;\">"
|
|
299
|
+
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
|
|
300
|
+
assert_match %r/10rem/, sane.inner_html
|
|
301
|
+
end
|
|
302
|
+
|
|
297
303
|
def test_css_function_sanitization_leaves_safelisted_functions_calc
|
|
298
304
|
html = "<span style=\"width:calc(5%)\">"
|
|
299
305
|
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
|
|
@@ -326,6 +332,13 @@ class Html5TestSanitizer < Loofah::TestCase
|
|
|
326
332
|
assert_match %r/<span><\/span>/, sane.inner_html
|
|
327
333
|
end
|
|
328
334
|
|
|
335
|
+
def test_css_max_width
|
|
336
|
+
html = '<div style="max-width: 100%;"></div>'
|
|
337
|
+
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
|
|
338
|
+
assert_match %r/max-width/, sane.inner_html
|
|
339
|
+
end
|
|
340
|
+
|
|
341
|
+
|
|
329
342
|
def test_issue_90_slow_regex
|
|
330
343
|
skip("timing tests are hard to make pass and have little regression-testing value")
|
|
331
344
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: loofah
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Dalessio
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2019-
|
|
12
|
+
date: 2019-11-25 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: nokogiri
|
|
@@ -165,6 +165,20 @@ dependencies:
|
|
|
165
165
|
- - ">="
|
|
166
166
|
- !ruby/object:Gem::Version
|
|
167
167
|
version: 0.26.0
|
|
168
|
+
- !ruby/object:Gem::Dependency
|
|
169
|
+
name: rubocop
|
|
170
|
+
requirement: !ruby/object:Gem::Requirement
|
|
171
|
+
requirements:
|
|
172
|
+
- - ">="
|
|
173
|
+
- !ruby/object:Gem::Version
|
|
174
|
+
version: 0.76.0
|
|
175
|
+
type: :development
|
|
176
|
+
prerelease: false
|
|
177
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
178
|
+
requirements:
|
|
179
|
+
- - ">="
|
|
180
|
+
- !ruby/object:Gem::Version
|
|
181
|
+
version: 0.76.0
|
|
168
182
|
- !ruby/object:Gem::Dependency
|
|
169
183
|
name: rdoc
|
|
170
184
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -191,14 +205,14 @@ dependencies:
|
|
|
191
205
|
requirements:
|
|
192
206
|
- - "~>"
|
|
193
207
|
- !ruby/object:Gem::Version
|
|
194
|
-
version: '3.
|
|
208
|
+
version: '3.20'
|
|
195
209
|
type: :development
|
|
196
210
|
prerelease: false
|
|
197
211
|
version_requirements: !ruby/object:Gem::Requirement
|
|
198
212
|
requirements:
|
|
199
213
|
- - "~>"
|
|
200
214
|
- !ruby/object:Gem::Version
|
|
201
|
-
version: '3.
|
|
215
|
+
version: '3.20'
|
|
202
216
|
description: |-
|
|
203
217
|
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
|
|
204
218
|
|
|
@@ -261,7 +275,8 @@ files:
|
|
|
261
275
|
homepage: https://github.com/flavorjones/loofah
|
|
262
276
|
licenses:
|
|
263
277
|
- MIT
|
|
264
|
-
metadata:
|
|
278
|
+
metadata:
|
|
279
|
+
homepage_uri: https://github.com/flavorjones/loofah
|
|
265
280
|
post_install_message:
|
|
266
281
|
rdoc_options:
|
|
267
282
|
- "--main"
|