loofah 2.4.0 → 2.5.0

data/lib/loofah/html5/scrub.rb

@@ -1,23 +1,21 @@
 # frozen_string_literal: true
-require 'cgi'
-require 'crass'
+require "cgi"
+require "crass"
 
 module Loofah
   module HTML5 # :nodoc:
     module Scrub
-
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
-      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
-      CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
+      CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
+      CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
 
       class << self
-
-        def allowed_element? element_name
+        def allowed_element?(element_name)
           ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name
         end
 
         #  alternative implementation of the html5lib attribute scrubbing algorithm
-        def scrub_attributes node
+        def scrub_attributes(node)
           node.attribute_nodes.each do |attr_node|
             attr_name = if attr_node.namespace
                           "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
@@ -36,14 +34,14 @@ module Loofah
 
             if SafeList::ATTR_VAL_IS_URI.include?(attr_name)
               # this block lifted nearly verbatim from HTML5 sanitization
-              val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase
-              if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
+              val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS, "").downcase
+              if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
                 attr_node.remove
                 next
-              elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == 'data'
+              elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data"
                 # permit only allowed data mediatypes
                 mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1]
-                mediatype, _ = mediatype.split(';')[0..1] if mediatype
+                mediatype, _ = mediatype.split(";")[0..1] if mediatype
                 if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
                   attr_node.remove
                   next
@@ -51,9 +49,9 @@ module Loofah
               end
             end
             if SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-              attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+              attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, " ") if attr_node.value
             end
-            if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+            if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
               attr_node.remove
               next
             end
@@ -68,12 +66,12 @@ module Loofah
           force_correct_attribute_escaping! node
         end
 
-        def scrub_css_attribute node
-          style = node.attributes['style']
+        def scrub_css_attribute(node)
+          style = node.attributes["style"]
           style.value = scrub_css(style.value) if style
         end
 
-        def scrub_css style
+        def scrub_css(style)
           style_tree = Crass.parse_properties style
           sanitized_tree = []
 
@@ -85,7 +83,7 @@ module Loofah
             name = node[:name].downcase
             if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name)
               sanitized_tree << node << CRASS_SEMICOLON
-            elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split('-').first)
+            elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
               value = node[:value].split.map do |keyword|
                 if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
                   keyword
@@ -107,7 +105,7 @@ module Loofah
         #
         #  see comments about CVE-2018-8048 within the tests for more information
         #
-        def force_correct_attribute_escaping! node
+        def force_correct_attribute_escaping!(node)
           return unless Nokogiri::VersionInfo.instance.libxml2?
 
           node.attribute_nodes.each do |attr_node|
@@ -123,11 +121,10 @@ module Loofah
             #
             encoding = attr_node.value.encoding
             attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
-              '%' + m.unpack('H2' * m.bytesize).join('%').upcase
+              "%" + m.unpack("H2" * m.bytesize).join("%").upcase
             end.force_encoding(encoding)
           end
         end
-
       end
     end
   end

data/lib/loofah/instance_methods.rb

@@ -92,7 +92,7 @@ module Loofah
     #    # decidedly not ok for browser:
     #    frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
     #
-    def text(options={})
+    def text(options = {})
       result = serialize_root.children.inner_text rescue ""
       if options[:encode_special_chars] == false
         result # possibly dangerous if rendered in a browser
@@ -100,8 +100,9 @@ module Loofah
         encode_special_chars result
       end
     end
+
     alias :inner_text :text
-    alias :to_str     :text
+    alias :to_str :text
 
     #
     #  Returns a plain-text version of the markup contained by the
@@ -113,7 +114,7 @@ module Loofah
     #    Loofah.document("<h1>Title</h1><div>Content</div>").to_text
     #    # => "\nTitle\n\nContent\n"
     #
-    def to_text(options={})
+    def to_text(options = {})
       Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
     end
   end

data/lib/loofah/metahelpers.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Loofah
   module MetaHelpers # :nodoc:
-    def self.add_downcased_set_members_to_all_set_constants mojule
+    def self.add_downcased_set_members_to_all_set_constants(mojule)
       mojule.constants.each do |constant_sym|
         constant = mojule.const_get constant_sym
         next unless Set === constant

data/lib/loofah/scrubber.rb

@@ -3,7 +3,7 @@ module Loofah
   #
   #  A RuntimeError raised when Loofah could not find an appropriate scrubber.
   #
-  class ScrubberNotFound < RuntimeError ; end
+  class ScrubberNotFound < RuntimeError; end
 
   #
   #  A Scrubber wraps up a block (or method) that is run on an HTML node (element):
@@ -37,7 +37,7 @@ module Loofah
     CONTINUE = Object.new.freeze
 
     # Top-down Scrubbers may return STOP to indicate that the subtree should not be traversed.
-    STOP     = Object.new.freeze
+    STOP = Object.new.freeze
 
     # When a scrubber is initialized, the :direction may be specified
     # as :top_down (the default) or :bottom_up.
@@ -65,7 +65,7 @@ module Loofah
     def initialize(options = {}, &block)
       direction = options[:direction] || :top_down
       unless [:top_down, :bottom_up].include?(direction)
-        raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up" 
+        raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up"
       end
       @direction, @block = direction, block
     end
@@ -92,10 +92,10 @@ module Loofah
     # If the attribute is set, don't overwrite the existing value
     #
     def append_attribute(node, attribute, value)
-      current_value = node.get_attribute(attribute) || ''
+      current_value = node.get_attribute(attribute) || ""
       current_values = current_value.split(/\s+/)
       updated_value = current_values | [value]
-      node.set_attribute(attribute, updated_value.join(' '))
+      node.set_attribute(attribute, updated_value.join(" "))
     end
 
     private
@@ -119,11 +119,11 @@ module Loofah
       else
         return if scrub(node) == STOP
       end
-      node.children.each {|j| traverse_conditionally_top_down(j)}
+      node.children.each { |j| traverse_conditionally_top_down(j) }
     end
 
     def traverse_conditionally_bottom_up(node)
-      node.children.each {|j| traverse_conditionally_bottom_up(j)}
+      node.children.each { |j| traverse_conditionally_bottom_up(j) }
       if block
         block.call(node)
       else

data/lib/loofah/scrubbers.rb

@@ -206,8 +206,8 @@ module Loofah
       end
 
       def scrub(node)
-        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a')
-        append_attribute(node, 'rel', 'nofollow')
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "nofollow")
         return STOP
       end
     end
@@ -227,8 +227,8 @@ module Loofah
       end
 
       def scrub(node)
-        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a')
-        append_attribute(node, 'rel', 'noopener')
+        return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a")
+        append_attribute(node, "rel", "noopener")
         return STOP
       end
     end
@@ -268,7 +268,7 @@ module Loofah
 
       def scrub(node)
         if node.type == Nokogiri::XML::Node::TEXT_NODE || node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
-          node.content = node.content.gsub(/\u2028|\u2029/, '')
+          node.content = node.content.gsub(/\u2028|\u2029/, "")
         end
         CONTINUE
       end
@@ -278,14 +278,14 @@ module Loofah
     #  A hash that maps a symbol (like +:prune+) to the appropriate Scrubber (Loofah::Scrubbers::Prune).
     #
     MAP = {
-      :escape    => Escape,
-      :prune     => Prune,
+      :escape => Escape,
+      :prune => Prune,
       :whitewash => Whitewash,
-      :strip     => Strip,
-      :nofollow  => NoFollow,
+      :strip => Strip,
+      :nofollow => NoFollow,
       :noopener => NoOpener,
       :newline_block_elements => NewlineBlockElements,
-      :unprintable => Unprintable
+      :unprintable => Unprintable,
     }
 
     #

data/lib/loofah/xml/document_fragment.rb

@@ -13,7 +13,7 @@ module Loofah
         #  constructor. Applications should use Loofah.fragment to
         #  parse a fragment.
         #
-        def parse tags
+        def parse(tags)
           doc = Loofah::XML::Document.new
           doc.encoding = tags.encoding.name if tags.respond_to?(:encoding)
           self.new(doc, tags)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.5.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-25 00:00:00.000000000 Z
+date: 2020-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -205,14 +205,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.20'
+        version: '3.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.20'
+        version: '3.22'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
@@ -231,7 +231,6 @@ extra_rdoc_files:
 - README.md
 - SECURITY.md
 files:
-- ".gemtest"
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE.txt
@@ -257,26 +256,15 @@ files:
 - lib/loofah/scrubbers.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
-- test/assets/msword.html
-- test/assets/testdata_sanitizer_tests1.dat
-- test/helper.rb
-- test/html5/test_sanitizer.rb
-- test/html5/test_scrub.rb
-- test/integration/test_ad_hoc.rb
-- test/integration/test_helpers.rb
-- test/integration/test_html.rb
-- test/integration/test_scrubbers.rb
-- test/integration/test_xml.rb
-- test/unit/test_api.rb
-- test/unit/test_encoding.rb
-- test/unit/test_helpers.rb
-- test/unit/test_scrubber.rb
-- test/unit/test_scrubbers.rb
 homepage: https://github.com/flavorjones/loofah
 licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/flavorjones/loofah
+  bug_tracker_uri: https://github.com/flavorjones/loofah/issues
+  documentation_uri: https://www.rubydoc.info/gems/loofah/
+  changelog_uri: https://github.com/flavorjones/loofah/master/CHANGELOG.md
+  source_code_uri: https://github.com/flavorjones/loofah
 post_install_message: 
 rdoc_options:
 - "--main"
@@ -294,7 +282,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents

data/test/assets/msword.html

@@ -1,63 +0,0 @@
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>

data/test/assets/testdata_sanitizer_tests1.dat

@@ -1,502 +0,0 @@
-[
-  {
-    "name": "IE_Comments",
-    "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
-    "output": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]--&gt;"
-  },
-
-  {
-    "name": "IE_Comments_2",
-    "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
-    "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "allow_colons_in_path_component",
-    "input": "<a href=\"./this:that\">foo</a>",
-    "output": "<a href='./this:that'>foo</a>"
-  },
-
-  {
-    "name": "background_attribute",
-    "input": "<div background=\"javascript:alert('XSS')\"></div>",
-    "output": "<div/>",
-    "xhtml": "<div></div>",
-    "rexml": "<div></div>"
-  },
-
-  {
-    "name": "bgsound",
-    "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
-    "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
-  },
-
-  {
-    "name": "div_background_image_unicode_encoded",
-    "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "div_expression",
-    "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "double_open_angle_brackets",
-    "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-    "output": "<img src='http://ha.ckers.org/scriptlet.html'>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "double_open_angle_brackets_2",
-    "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-    "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "grave_accents",
-    "input": "<img src=`javascript:alert('XSS')` />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "img_dynsrc_lowsrc",
-    "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "img_vbscript",
-    "input": "<img src='vbscript:msgbox(\"XSS\")' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "input_image",
-    "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
-    "output": "<input type='image'>",
-    "rexml": "<input type='image' />"
-  },
-
-  {
-    "name": "link_stylesheets",
-    "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"&gt;",
-    "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "link_stylesheets_2",
-    "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"&gt;",
-    "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
-  },
-
-  {
-    "name": "list_style_image",
-    "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
-    "output": "<li>foo</li>"
-  },
-
-  {
-    "name": "no_closing_script_tags",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit",
-    "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_2",
-    "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_3",
-    "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_II",
-    "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "non_alpha_non_digit_III",
-    "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
-    "output": "<a>foo</a>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "platypus",
-    "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;'>never trust your upstream platypus</a>"
-  },
-
-  {
-    "name": "protocol_resolution_in_script_tag",
-    "input": "<script src=//ha.ckers.org/.j></script>",
-    "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_allow_anchors",
-    "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
-    "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
-  },
-
-  {
-    "name": "should_allow_image_alt_attribute",
-    "input": "<img alt='foo' onclick='bar' />",
-    "output": "<img alt='foo'>",
-    "rexml": "<img alt='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_height_attribute",
-    "input": "<img height='foo' onclick='bar' />",
-    "output": "<img height='foo'>",
-    "rexml": "<img height='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_src_attribute",
-    "input": "<img src='foo' onclick='bar' />",
-    "output": "<img src='foo'>",
-    "rexml": "<img src='foo' />"
-  },
-
-  {
-    "name": "should_allow_image_width_attribute",
-    "input": "<img width='foo' onclick='bar' />",
-    "output": "<img width='foo'>",
-    "rexml": "<img width='foo' />"
-  },
-
-  {
-    "name": "should_handle_blank_text",
-    "input": "",
-    "output": ""
-  },
-
-  {
-    "name": "should_handle_malformed_image_tags",
-    "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
-    "output": "<img>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_handle_non_html",
-    "input": "abc",
-    "output": "abc"
-  },
-
-  {
-    "name": "should_not_fall_for_ridiculous_hack",
-    "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_0",
-    "input": "<img src=\"javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_1",
-    "input": "<img src=javascript:alert('XSS') />",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_10",
-    "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_11",
-    "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_12",
-    "input": "<img src=\" &#14;  javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_13",
-    "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_14",
-    "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_2",
-    "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_3",
-    "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_4",
-    "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_5",
-    "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_6",
-    "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_7",
-    "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_8",
-    "input": "<img src=\"jav\tascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_not_fall_for_xss_image_hack_9",
-    "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
-    "output": "<img>",
-    "rexml": "<img />"
-  },
-
-  {
-    "name": "should_sanitize_half_open_scripts",
-    "input": "<img src=\"javascript:alert('XSS')\"",
-    "output": "<img>",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_invalid_script_tag",
-    "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets",
-    "input": "<<script>alert(\"XSS\");//<</script>",
-    "output": "alert(\"XSS\");//",
-    "xhtml": "&lt;&lt;script&gt;alert('XSS');//&lt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
-    "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-    "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/iframe&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_tag_broken_up_by_null",
-    "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
-    "output": "&lt;scr&gt;&lt;/scr&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_sanitize_unclosed_script",
-    "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
-    "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols",
-    "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
-    "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
-    "output": "<a title='1'>boo</a>"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols",
-    "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
-    "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
-    "output": "<img title='1'>boo",
-    "rexml": "<img title='1' />"
-  },
-
-  {
-    "name": "xml_base",
-    "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
-    "output": "<div>foo</div>"
-  },
-
-  {
-    "name": "xul",
-    "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
-    "output": "<p>fubar</p>"
-  },
-
-  {
-    "name": "quotes_in_attributes",
-    "input": "<img src='foo' title='\"foo\" bar' />",
-    "rexml": "<img src='foo' title='\"foo\" bar' />",
-    "output": "<img src='foo' title='\"foo\" bar'>"
-  },
-
-  {
-    "name": "uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(#foo)' />",
-    "rexml": "<rect fill='url(#foo)'></rect>",
-    "xhtml": "<rect fill='url(#foo)'></rect>",
-    "output": "<rect fill='url(#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(http://bad.com/) #fff' />",
-    "rexml": "<rect fill='  #fff'></rect>",
-    "xhtml": "<rect fill='  #fff'></rect>",
-    "output": "<rect fill='  #fff'/>"
-  },
-
-  {
-    "name": "uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill='url(\n#foo)' />",
-    "rexml": "<rect fill='url(\n#foo)'></rect>",
-    "xhtml": "<rect fill='url(\n#foo)'></rect>",
-    "output": "<rect fill='url(\n#foo)'/>"
-  },
-
-  {
-    "name": "absolute_uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "rexml": "<rect></rect>",
-    "xhtml": "<rect></rect>",
-    "output": "<rect/>"
-  },
-
-  {
-    "name": "allow_html5_image_tag",
-    "input": "<image src='foo' />",
-    "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
-    "output": "&lt;image src=\"foo\"/&gt;"
-  },
-
-  {
-    "name": "style_attr_end_with_nothing",
-    "input": "<div style=\"color: blue\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_space",
-    "input": "<div style=\"color: blue \" />",
-    "output": "<div style='color: blue ;'/>",
-    "xhtml": "<div style='color: blue ;'></div>",
-    "rexml": "<div style='color: blue ;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon",
-    "input": "<div style=\"color: blue;\" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-    "name": "style_attr_end_with_semicolon_space",
-    "input": "<div style=\"color: blue; \" />",
-    "output": "<div style='color: blue;'/>",
-    "xhtml": "<div style='color: blue;'></div>",
-    "rexml": "<div style='color: blue;'></div>"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes",
-   "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-   "output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
-   "rexml": "Ill-formed XHTML!"
-  },
-
-  {
-   "name": "attributes_with_embedded_quotes_II",
-   "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-   "output": "<img src='notthere.jpg%22%22onerror=%22alert(2)'>",
-   "rexml": "Ill-formed XHTML!"
-  }
-]