loofah 2.5.0 → 2.9.1

data/lib/loofah/html5/scrub.rb

@@ -7,21 +7,23 @@ module Loofah
     module Scrub
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
-      CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
+      CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
+      CSS_IMPORTANT = '!important'
+      CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
 
       class << self
         def allowed_element?(element_name)
-          ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name
+          ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
         end
 
         #  alternative implementation of the html5lib attribute scrubbing algorithm
         def scrub_attributes(node)
           node.attribute_nodes.each do |attr_node|
             attr_name = if attr_node.namespace
-                          "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
-                        else
-                          attr_node.node_name
-                        end
+              "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+            else
+              attr_node.node_name
+            end
 
             if attr_name =~ /\Adata-[\w-]+\z/
               next
@@ -57,13 +59,13 @@ module Loofah
             end
           end
 
-          scrub_css_attribute node
+          scrub_css_attribute(node)
 
           node.attribute_nodes.each do |attr_node|
             node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
           end
 
-          force_correct_attribute_escaping! node
+          force_correct_attribute_escaping!(node)
         end
 
         def scrub_css_attribute(node)
@@ -72,32 +74,54 @@ module Loofah
         end
 
         def scrub_css(style)
-          style_tree = Crass.parse_properties style
+          style_tree = Crass.parse_properties(style)
           sanitized_tree = []
 
           style_tree.each do |node|
             next unless node[:node] == :property
             next if node[:children].any? do |child|
-              [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && !SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase))
+              [:url, :bad_url].include?(child[:node])
             end
+
             name = node[:name].downcase
-            if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name)
-              sanitized_tree << node << CRASS_SEMICOLON
-            elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
-              value = node[:value].split.map do |keyword|
-                if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
+            next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) ||
+                SafeList::ALLOWED_SVG_PROPERTIES.include?(name) ||
+                SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
+
+            value = node[:children].map do |child|
+              case child[:node]
+              when :whitespace
+                nil
+              when :string
+                if child[:raw] =~ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES
+                  Crass::Parser.stringify(child)
+                else
+                  nil
+                end
+              when :function
+                if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
+                  Crass::Parser.stringify(child)
+                end
+              when :ident
+                keyword = child[:value]
+                if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) ||
+                   SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) ||
+                   (keyword =~ CSS_KEYWORDISH)
                   keyword
                 end
-              end.compact
-              unless value.empty?
-                propstring = sprintf "%s:%s", name, value.join(" ")
-                sanitized_node = Crass.parse_properties(propstring).first
-                sanitized_tree << sanitized_node << CRASS_SEMICOLON
+              else
+                child[:raw]
               end
-            end
+            end.compact
+
+            next if value.empty?
+            value << CSS_IMPORTANT if node[:important]
+            propstring = format("%s:%s", name, value.join(" "))
+            sanitized_node = Crass.parse_properties(propstring).first
+            sanitized_tree << sanitized_node << CRASS_SEMICOLON
           end
 
-          Crass::Parser.stringify sanitized_tree
+          Crass::Parser.stringify(sanitized_tree)
         end
 
         #

data/lib/loofah/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Loofah
+  # The version of Loofah you are using
+  VERSION = "2.9.1"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.9.1
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-05 00:00:00.000000000 Z
+date: 2021-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -45,28 +45,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '5.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '5.14'
 - !ruby/object:Gem::Dependency
   name: rr
   requirement: !ruby/object:Gem::Requirement
@@ -87,98 +87,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.2.0
-- !ruby/object:Gem::Dependency
-  name: hoe-gemspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: hoe-debugging
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
-  name: hoe-bundler
+  name: concourse
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0.33'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0.33'
 - !ruby/object:Gem::Dependency
-  name: hoe-git
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
-- !ruby/object:Gem::Dependency
-  name: concourse
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.26.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.26.0
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.76.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.76.0
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -200,19 +144,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '7'
 - !ruby/object:Gem::Dependency
-  name: hoe
+  name: hoe-markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.22'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.22'
+        version: '1.3'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
@@ -224,24 +168,12 @@ email:
 - bryan@brynary.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- CHANGELOG.md
-- MIT-LICENSE.txt
-- Manifest.txt
-- README.md
-- SECURITY.md
+extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- Gemfile
 - MIT-LICENSE.txt
-- Manifest.txt
 - README.md
-- Rakefile
 - SECURITY.md
-- benchmark/benchmark.rb
-- benchmark/fragment.html
-- benchmark/helper.rb
-- benchmark/www.slashdot.com.html
 - lib/loofah.rb
 - lib/loofah/elements.rb
 - lib/loofah/helpers.rb
@@ -254,6 +186,7 @@ files:
 - lib/loofah/metahelpers.rb
 - lib/loofah/scrubber.rb
 - lib/loofah/scrubbers.rb
+- lib/loofah/version.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
 homepage: https://github.com/flavorjones/loofah
@@ -261,14 +194,12 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/flavorjones/loofah
+  source_code_uri: https://github.com/flavorjones/loofah
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
+  changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
   documentation_uri: https://www.rubydoc.info/gems/loofah/
-  changelog_uri: https://github.com/flavorjones/loofah/master/CHANGELOG.md
-  source_code_uri: https://github.com/flavorjones/loofah
 post_install_message: 
-rdoc_options:
-- "--main"
-- README.md
+rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
@@ -282,7 +213,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents

data/Gemfile

@@ -1,23 +0,0 @@
-# -*- ruby -*-
-
-# DO NOT EDIT THIS FILE. Instead, edit Rakefile, and run `rake bundler:gemfile`.
-
-source "https://rubygems.org/"
-
-gem "nokogiri", ">=1.5.9"
-gem "crass", "~>1.0.2"
-
-gem "rake", "~>12.3", :group => [:development, :test]
-gem "minitest", "~>2.2", :group => [:development, :test]
-gem "rr", "~>1.2.0", :group => [:development, :test]
-gem "json", "~>2.2.0", :group => [:development, :test]
-gem "hoe-gemspec", "~>1.0", :group => [:development, :test]
-gem "hoe-debugging", "~>2.0", :group => [:development, :test]
-gem "hoe-bundler", "~>1.5", :group => [:development, :test]
-gem "hoe-git", "~>1.6", :group => [:development, :test]
-gem "concourse", ">=0.26.0", :group => [:development, :test]
-gem "rubocop", ">=0.76.0", :group => [:development, :test]
-gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
-gem "hoe", "~>3.20", :group => [:development, :test]
-
-# vim: syntax=ruby

data/Manifest.txt

@@ -1,25 +0,0 @@
-CHANGELOG.md
-Gemfile
-MIT-LICENSE.txt
-Manifest.txt
-README.md
-Rakefile
-SECURITY.md
-benchmark/benchmark.rb
-benchmark/fragment.html
-benchmark/helper.rb
-benchmark/www.slashdot.com.html
-lib/loofah.rb
-lib/loofah/elements.rb
-lib/loofah/helpers.rb
-lib/loofah/html/document.rb
-lib/loofah/html/document_fragment.rb
-lib/loofah/html5/libxml2_workarounds.rb
-lib/loofah/html5/safelist.rb
-lib/loofah/html5/scrub.rb
-lib/loofah/instance_methods.rb
-lib/loofah/metahelpers.rb
-lib/loofah/scrubber.rb
-lib/loofah/scrubbers.rb
-lib/loofah/xml/document.rb
-lib/loofah/xml/document_fragment.rb

data/Rakefile

@@ -1,97 +0,0 @@
-require "rubygems"
-require "hoe"
-require "concourse"
-
-Hoe.plugin :git
-Hoe.plugin :gemspec
-Hoe.plugin :bundler
-Hoe.plugin :debugging
-
-Hoe.spec "loofah" do
-  developer "Mike Dalessio", "mike.dalessio@gmail.com"
-  developer "Bryan Helmkamp", "bryan@brynary.com"
-
-  self.history_file = "CHANGELOG.md"
-  self.readme_file = "README.md"
-  self.license "MIT"
-  self.urls = {
-    "home" => "https://github.com/flavorjones/loofah",
-    "bugs" => "https://github.com/flavorjones/loofah/issues",
-    "doco" => "https://www.rubydoc.info/gems/loofah/",
-    "clog" => "https://github.com/flavorjones/loofah/master/CHANGELOG.md",
-    "code" => "https://github.com/flavorjones/loofah",
-  }
-
-  extra_deps << ["nokogiri", ">=1.5.9"]
-  extra_deps << ["crass", "~> 1.0.2"]
-
-  extra_dev_deps << ["rake", "~> 12.3"]
-  extra_dev_deps << ["minitest", "~>2.2"]
-  extra_dev_deps << ["rr", "~>1.2.0"]
-  extra_dev_deps << ["json", "~> 2.2.0"]
-  extra_dev_deps << ["hoe-gemspec", "~> 1.0"]
-  extra_dev_deps << ["hoe-debugging", "~> 2.0"]
-  extra_dev_deps << ["hoe-bundler", "~> 1.5"]
-  extra_dev_deps << ["hoe-git", "~> 1.6"]
-  extra_dev_deps << ["concourse", ">=0.26.0"]
-  extra_dev_deps << ["rubocop", ">=0.76.0"]
-end
-
-task :gemspec do
-  system %q(rake debug_gem | grep -v "^\(in " > loofah.gemspec)
-end
-
-task :redocs => :fix_css
-task :docs => :fix_css
-task :fix_css do
-  better_css = <<-EOT
-    .method-description pre {
-      margin                    : 1em 0 ;
-    }
-
-    .method-description ul {
-      padding                   : .5em 0 .5em 2em ;
-    }
-
-    .method-description p {
-      margin-top                : .5em ;
-    }
-
-    #main ul, div#documentation ul {
-      list-style-type           : disc ! IMPORTANT ;
-      list-style-position       : inside ! IMPORTANT ;
-    }
-
-    h2 + ul {
-      margin-top                : 1em;
-    }
-  EOT
-  puts "* fixing css"
-  File.open("doc/rdoc.css", "a") { |f| f.write better_css }
-end
-
-desc "generate and upload docs to rubyforge"
-task :doc_upload_to_rubyforge => :docs do
-  Dir.chdir "doc" do
-    system "rsync -avz --delete * rubyforge.org:/var/www/gforge-projects/loofah/loofah"
-  end
-end
-
-desc "generate safelists from W3C specifications"
-task :generate_safelists do
-  load "tasks/generate-safelists"
-end
-
-task :rubocop => [:rubocop_security, :rubocop_frozen_string_literals]
-task :rubocop_security do
-  sh "rubocop lib --only Security"
-end
-task :rubocop_frozen_string_literals do
-  sh "rubocop lib --auto-correct --only Style/FrozenStringLiteralComment"
-end
-Rake::Task[:test].prerequisites << :rubocop
-
-Concourse.new("loofah", fly_target: "ci") do |c|
-  c.add_pipeline "loofah", "loofah.yml"
-  c.add_pipeline "loofah-pr", "loofah-pr.yml"
-end