loofah 2.6.0 → 2.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '0378734abbcf1f374d8d501038180ff4d9492e4282ffe4d6134322dd213fc80b'
4
- data.tar.gz: 54955254f4179bf55adfc5bdaf3464c8a8f921f6e8e7fc92d9d2588b4fea02b1
3
+ metadata.gz: bd3edb0acdf2359d82564aca0bc13710d9f6c49157963d18953ff55bd7c14413
4
+ data.tar.gz: 3a6e11b7deb9cfb469aaf6ec919062687bd4215ef11980bded72ca298807610c
5
5
  SHA512:
6
- metadata.gz: e80d9e87682cbfd18b6f86a10f9928c3b94fb7f123792d8284344cf65a878a1ee8258b408dac8df87791ca5beda99858dfbac6515334d87bc2d98b45cdf17802
7
- data.tar.gz: da7fd4181e8f829837f0d1458e856b8ace6ed94fa13cdc227bc9432baaff0ec514f894b04b9d00157c6edddcff6a714284bc42a1c878a2ddb90d08b68931dba9
6
+ metadata.gz: 4970a6aa72265f60556dd6fd254375c86d3f83be23f3bbcc8b04df00ce0e801e8ef9e67d0a77ca6a21915be89226131c16a7f3540f02538cc2b9a369950dfebf
7
+ data.tar.gz: 27e3a06cc391ec3d9e3c966efdb6b4ce58e98c397ec87490d418406c17757e5cb0193edabaced30a9f24320c729e6730308e346610859f9f7c6d5fcc6f72cd56
data/CHANGELOG.md CHANGED
@@ -1,5 +1,124 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.19.1 / 2022-12-13
4
+
5
+ ### Security
6
+
7
+ * Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
8
+ * Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
9
+ * Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
10
+
11
+
12
+ ## 2.19.0 / 2022-09-14
13
+
14
+ ### Features
15
+
16
+ * Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
17
+
18
+
19
+ ## 2.18.0 / 2022-05-11
20
+
21
+ ### Features
22
+
23
+ * Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
24
+
25
+
26
+ ## 2.17.0 / 2022-04-28
27
+
28
+ ### Features
29
+
30
+ * Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
31
+
32
+
33
+ ## 2.16.0 / 2022-04-01
34
+
35
+ ### Features
36
+
37
+ * Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
38
+
39
+
40
+ ## 2.15.0 / 2022-03-14
41
+
42
+ ### Features
43
+
44
+ * Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
45
+
46
+
47
+ ## 2.14.0 / 2022-02-11
48
+
49
+ ### Features
50
+
51
+ * The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
52
+
53
+
54
+ ## 2.13.0 / 2021-12-10
55
+
56
+ ### Bug fixes
57
+
58
+ * Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
59
+
60
+
61
+ ## 2.12.0 / 2021-08-11
62
+
63
+ ### Features
64
+
65
+ * Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
66
+
67
+
68
+ ## 2.11.0 / 2021-07-31
69
+
70
+ ### Features
71
+
72
+ * Allow HTML5 element `wbr`.
73
+ * Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
74
+
75
+
76
+ ### Changes
77
+
78
+ * Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
79
+ * Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
80
+
81
+
82
+ ## 2.10.0 / 2021-06-06
83
+
84
+ ### Features
85
+
86
+ * Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
87
+
88
+
89
+ ## 2.9.1 / 2021-04-07
90
+
91
+ ### Bug fixes
92
+
93
+ * Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
94
+
95
+
96
+ ## 2.9.0 / 2021-01-14
97
+
98
+ ### Features
99
+
100
+ * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
101
+
102
+
103
+ ## 2.8.0 / 2020-11-25
104
+
105
+ ### Features
106
+
107
+ * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
108
+
109
+
110
+ ## 2.7.0 / 2020-08-26
111
+
112
+ ### Features
113
+
114
+ * Allow CSS properties `page-break-before`, `page-break-inside`, and `page-break-after`. [[#190](https://github.com/flavorjones/loofah/issues/190)] (Thanks, [@ahorek](https://github.com/ahorek)!)
115
+
116
+
117
+ ### Fixes
118
+
119
+ * Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!)
120
+
121
+
3
122
  ## 2.6.0 / 2020-06-16
4
123
 
5
124
  ### Features
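Review bot: The 2.11.0 "Changes" entries say `Loofah::HTML5::SafeList::VOID_ELEMENTS` is deprecated and that "some elements" were removed, but they name neither the removed elements nor what callers should use instead. The safelist hunk in this same diff drops `base`, `col`, `embed`, `link`, `meta` and `param` from that set, so list them in the entry; anyone who read the constant directly needs that to judge the impact of upgrading.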
data/README.md CHANGED
@@ -1,15 +1,13 @@
1
1
  # Loofah
2
2
 
3
3
  * https://github.com/flavorjones/loofah
4
- * Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
4
+ * Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
5
5
  * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
6
6
 
7
7
  ## Status
8
8
 
9
- |System|Status|
10
- |--|--|
11
- | Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
12
- | Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
9
+ [![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
10
+ [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
13
11
 
14
12
 
15
13
  ## Description
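Review bot: The updated `+ * Docs:` line still points at `http://rubydoc.info/...`. Since the line is already being edited for the `master` to `main` rename, switch it to `https://` so the documentation link for a sanitization library is not followed over plaintext.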
@@ -135,13 +133,12 @@ and `text` to return plain text:
135
133
  doc.text # => "ohai! div is safe "
136
134
  ```
137
135
 
138
- Also, `to_text` is available, which does the right thing with
139
- whitespace around block-level elements.
136
+ Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
140
137
 
141
138
  ``` ruby
142
- doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
143
- doc.text # => "TitleContent" # probably not what you want
144
- doc.to_text # => "\nTitle\n\nContent\n" # better
139
+ doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
140
+ doc.text # => "TitleContentNext line" # probably not what you want
141
+ doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
145
142
  ```
146
143
 
147
144
  ### Loofah::XML::Document and Loofah::XML::DocumentFragment
@@ -212,7 +209,7 @@ end
212
209
  Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
213
210
  ```
214
211
 
215
- === Built-In HTML Scrubbers
212
+ ### Built-In HTML Scrubbers
216
213
 
217
214
  Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
218
215
  safelist algorithm:
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
301
298
 
302
299
  And the IRC channel is \#loofah on freenode.
303
300
 
301
+ Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
302
+
303
+ [tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
304
+
304
305
 
305
306
  ## Security
306
307
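Review bot: The `[tidelift]:` reference definition added here carries `utm_source=undefined`, which looks like an unfilled template variable; the Tidelift badge added near the top of the README uses `utm_source=rubygems-loofah`. Make the two consistent, or drop the tracking parameters from the reference link.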
 
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
347
348
 
348
349
  ## Thank You
349
350
 
350
- The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
351
+ The following people have generously funded Loofah:
351
352
 
352
353
  * Bill Harding
353
354
 
@@ -70,8 +70,6 @@ module Loofah
70
70
  video
71
71
  ]
72
72
 
73
- STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
74
-
75
73
  # The following elements may also be considered block-level
76
74
  # elements since they may contain block-level elements
77
75
  LOOSE_BLOCK_LEVEL = Set.new %w[dd
@@ -86,7 +84,12 @@ module Loofah
86
84
  tr
87
85
  ]
88
86
 
87
+ # Elements that aren't block but should generate a newline in #to_text
88
+ INLINE_LINE_BREAK = Set.new(["br"])
89
+
90
+ STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
89
91
  BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
92
+ LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
90
93
  end
91
94
 
92
95
  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
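Review bot: `LINEBREAKERS` is added without a comment, while `INLINE_LINE_BREAK` two lines above it gets one. Because `BLOCK_LEVEL` stays defined right next to it, add a line stating that `LINEBREAKERS` is the set that produces a newline in `#to_text`, so callers that currently test membership in `BLOCK_LEVEL` know which constant includes `br`.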
@@ -140,6 +140,7 @@ module Loofah
140
140
  "ul",
141
141
  "var",
142
142
  "video",
143
+ "wbr",
143
144
  ])
144
145
 
145
146
  MATHML_ELEMENTS = Set.new([
@@ -147,6 +148,7 @@ module Loofah
147
148
  "annotation-xml",
148
149
  "maction",
149
150
  "math",
151
+ "menclose",
150
152
  "merror",
151
153
  "mfenced",
152
154
  "mfrac",
@@ -160,6 +162,7 @@ module Loofah
160
162
  "mprescripts",
161
163
  "mroot",
162
164
  "mrow",
165
+ "ms",
163
166
  "mspace",
164
167
  "msqrt",
165
168
  "mstyle",
@@ -312,6 +315,7 @@ module Loofah
312
315
  "columnspacing",
313
316
  "columnspan",
314
317
  "depth",
318
+ "dir",
315
319
  "display",
316
320
  "displaystyle",
317
321
  "encoding",
@@ -322,19 +326,24 @@ module Loofah
322
326
  "fontweight",
323
327
  "frame",
324
328
  "height",
329
+ "href",
325
330
  "linethickness",
331
+ "lquote",
326
332
  "lspace",
327
333
  "mathbackground",
328
334
  "mathcolor",
335
+ "mathsize",
329
336
  "mathvariant",
330
337
  "maxsize",
331
338
  "minsize",
339
+ "notation",
332
340
  "open",
333
341
  "other",
334
342
  "rowalign",
335
343
  "rowlines",
336
344
  "rowspacing",
337
345
  "rowspan",
346
+ "rquote",
338
347
  "rspace",
339
348
  "scriptlevel",
340
349
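Review bot: `"href"` is added to the MathML attribute list here, and unlike the other additions in this hunk (`lquote`, `mathsize`, `notation`, `rquote`) its value is a URL. Nothing in this diff shows `href` as a member of `ATTR_VAL_IS_URI` (only `action` and `cite` are visible in the later context lines), so confirm it is covered there, and add a test that a MathML element whose `href` uses a protocol outside `ACCEPTABLE_PROTOCOLS` has the attribute scrubbed.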
  "selection",
@@ -503,6 +512,62 @@ module Loofah
503
512
  "zoomAndPan",
504
513
  ])
505
514
 
515
+ ARIA_ATTRIBUTES = Set.new([
516
+ "aria-activedescendant",
517
+ "aria-atomic",
518
+ "aria-autocomplete",
519
+ "aria-braillelabel",
520
+ "aria-brailleroledescription",
521
+ "aria-busy",
522
+ "aria-checked",
523
+ "aria-colcount",
524
+ "aria-colindex",
525
+ "aria-colindextext",
526
+ "aria-colspan",
527
+ "aria-controls",
528
+ "aria-current",
529
+ "aria-describedby",
530
+ "aria-description",
531
+ "aria-details",
532
+ "aria-disabled",
533
+ "aria-dropeffect",
534
+ "aria-errormessage",
535
+ "aria-expanded",
536
+ "aria-flowto",
537
+ "aria-grabbed",
538
+ "aria-haspopup",
539
+ "aria-hidden",
540
+ "aria-invalid",
541
+ "aria-keyshortcuts",
542
+ "aria-label",
543
+ "aria-labelledby",
544
+ "aria-level",
545
+ "aria-live",
546
+ "aria-multiline",
547
+ "aria-multiselectable",
548
+ "aria-orientation",
549
+ "aria-owns",
550
+ "aria-placeholder",
551
+ "aria-posinset",
552
+ "aria-pressed",
553
+ "aria-readonly",
554
+ "aria-relevant",
555
+ "aria-required",
556
+ "aria-roledescription",
557
+ "aria-rowcount",
558
+ "aria-rowindex",
559
+ "aria-rowindextext",
560
+ "aria-rowspan",
561
+ "aria-selected",
562
+ "aria-setsize",
563
+ "aria-sort",
564
+ "aria-valuemax",
565
+ "aria-valuemin",
566
+ "aria-valuenow",
567
+ "aria-valuetext",
568
+ "role",
569
+ ])
570
+
506
571
  ATTR_VAL_IS_URI = Set.new([
507
572
  "action",
508
573
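Review bot: `ARIA_ATTRIBUTES` has no comment saying which specification or draft the list was taken from, whereas the colour sets added in this release cite their W3C section URLs. Add the source reference above `ARIA_ATTRIBUTES = Set.new([` and note that `"role"` is included deliberately even though it is not an `aria-*` attribute, so the list can be re-audited when the specification changes.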
  "cite",
@@ -549,6 +614,10 @@ module Loofah
549
614
 
550
615
  ACCEPTABLE_CSS_PROPERTIES = Set.new([
551
616
  "azimuth",
617
+ "align-content",
618
+ "align-items",
619
+ "align-self",
620
+ "aspect-ratio",
552
621
  "background-color",
553
622
  "border-bottom-color",
554
623
  "border-collapse",
@@ -562,6 +631,13 @@ module Loofah
562
631
  "direction",
563
632
  "display",
564
633
  "elevation",
634
+ "flex",
635
+ "flex-basis",
636
+ "flex-direction",
637
+ "flex-flow",
638
+ "flex-grow",
639
+ "flex-shrink",
640
+ "flex-wrap",
565
641
  "float",
566
642
  "font",
567
643
  "font-family",
@@ -570,12 +646,19 @@ module Loofah
570
646
  "font-variant",
571
647
  "font-weight",
572
648
  "height",
649
+ "justify-content",
573
650
  "letter-spacing",
574
651
  "line-height",
575
652
  "list-style",
576
653
  "list-style-type",
577
654
  "max-width",
655
+ "order",
578
656
  "overflow",
657
+ "overflow-x",
658
+ "overflow-y",
659
+ "page-break-after",
660
+ "page-break-before",
661
+ "page-break-inside",
579
662
  "pause",
580
663
  "pause-after",
581
664
  "pause-before",
@@ -601,54 +684,213 @@ module Loofah
601
684
 
602
685
  ACCEPTABLE_CSS_KEYWORDS = Set.new([
603
686
  "!important",
604
- "aqua",
605
687
  "auto",
606
- "black",
607
688
  "block",
608
- "blue",
609
689
  "bold",
610
690
  "both",
611
691
  "bottom",
612
- "brown",
613
692
  "center",
614
693
  "collapse",
615
694
  "dashed",
616
695
  "dotted",
617
696
  "double",
618
- "fuchsia",
619
- "gray",
620
- "green",
621
697
  "groove",
622
698
  "hidden",
699
+ "inherit",
700
+ "initial",
623
701
  "inset",
624
702
  "italic",
625
703
  "left",
626
- "lime",
627
- "maroon",
628
704
  "medium",
629
- "navy",
630
705
  "none",
631
706
  "normal",
632
707
  "nowrap",
633
- "olive",
634
708
  "outset",
635
709
  "pointer",
636
- "purple",
637
- "red",
710
+ "revert",
638
711
  "ridge",
639
712
  "right",
640
- "silver",
713
+ "separate",
641
714
  "solid",
642
- "teal",
643
- "thin",
644
715
  "thick",
716
+ "thin",
645
717
  "top",
646
718
  "transparent",
647
719
  "underline",
648
- "white",
649
- "yellow",
720
+ "unset",
650
721
  ])
651
722
 
723
+ # https://www.w3.org/TR/css-color-3/#html4
724
+ ACCEPTABLE_CSS_COLORS = Set.new([
725
+ "aqua",
726
+ "black",
727
+ "blue",
728
+ "fuchsia",
729
+ "gray",
730
+ "green",
731
+ "lime",
732
+ "maroon",
733
+ "navy",
734
+ "olive",
735
+ "purple",
736
+ "red",
737
+ "silver",
738
+ "teal",
739
+ "white",
740
+ "yellow",
741
+ ])
742
+
743
+ # https://www.w3.org/TR/css-color-3/#svg-color
744
+ ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
745
+ "aliceblue",
746
+ "antiquewhite",
747
+ "aqua",
748
+ "aquamarine",
749
+ "azure",
750
+ "beige",
751
+ "bisque",
752
+ "black",
753
+ "blanchedalmond",
754
+ "blue",
755
+ "blueviolet",
756
+ "brown",
757
+ "burlywood",
758
+ "cadetblue",
759
+ "chartreuse",
760
+ "chocolate",
761
+ "coral",
762
+ "cornflowerblue",
763
+ "cornsilk",
764
+ "crimson",
765
+ "cyan",
766
+ "darkblue",
767
+ "darkcyan",
768
+ "darkgoldenrod",
769
+ "darkgray",
770
+ "darkgreen",
771
+ "darkgrey",
772
+ "darkkhaki",
773
+ "darkmagenta",
774
+ "darkolivegreen",
775
+ "darkorange",
776
+ "darkorchid",
777
+ "darkred",
778
+ "darksalmon",
779
+ "darkseagreen",
780
+ "darkslateblue",
781
+ "darkslategray",
782
+ "darkslategrey",
783
+ "darkturquoise",
784
+ "darkviolet",
785
+ "deeppink",
786
+ "deepskyblue",
787
+ "dimgray",
788
+ "dimgrey",
789
+ "dodgerblue",
790
+ "firebrick",
791
+ "floralwhite",
792
+ "forestgreen",
793
+ "fuchsia",
794
+ "gainsboro",
795
+ "ghostwhite",
796
+ "gold",
797
+ "goldenrod",
798
+ "gray",
799
+ "green",
800
+ "greenyellow",
801
+ "grey",
802
+ "honeydew",
803
+ "hotpink",
804
+ "indianred",
805
+ "indigo",
806
+ "ivory",
807
+ "khaki",
808
+ "lavender",
809
+ "lavenderblush",
810
+ "lawngreen",
811
+ "lemonchiffon",
812
+ "lightblue",
813
+ "lightcoral",
814
+ "lightcyan",
815
+ "lightgoldenrodyellow",
816
+ "lightgray",
817
+ "lightgreen",
818
+ "lightgrey",
819
+ "lightpink",
820
+ "lightsalmon",
821
+ "lightseagreen",
822
+ "lightskyblue",
823
+ "lightslategray",
824
+ "lightslategrey",
825
+ "lightsteelblue",
826
+ "lightyellow",
827
+ "lime",
828
+ "limegreen",
829
+ "linen",
830
+ "magenta",
831
+ "maroon",
832
+ "mediumaquamarine",
833
+ "mediumblue",
834
+ "mediumorchid",
835
+ "mediumpurple",
836
+ "mediumseagreen",
837
+ "mediumslateblue",
838
+ "mediumspringgreen",
839
+ "mediumturquoise",
840
+ "mediumvioletred",
841
+ "midnightblue",
842
+ "mintcream",
843
+ "mistyrose",
844
+ "moccasin",
845
+ "navajowhite",
846
+ "navy",
847
+ "oldlace",
848
+ "olive",
849
+ "olivedrab",
850
+ "orange",
851
+ "orangered",
852
+ "orchid",
853
+ "palegoldenrod",
854
+ "palegreen",
855
+ "paleturquoise",
856
+ "palevioletred",
857
+ "papayawhip",
858
+ "peachpuff",
859
+ "peru",
860
+ "pink",
861
+ "plum",
862
+ "powderblue",
863
+ "purple",
864
+ "red",
865
+ "rosybrown",
866
+ "royalblue",
867
+ "saddlebrown",
868
+ "salmon",
869
+ "sandybrown",
870
+ "seagreen",
871
+ "seashell",
872
+ "sienna",
873
+ "silver",
874
+ "skyblue",
875
+ "slateblue",
876
+ "slategray",
877
+ "slategrey",
878
+ "snow",
879
+ "springgreen",
880
+ "steelblue",
881
+ "tan",
882
+ "teal",
883
+ "thistle",
884
+ "tomato",
885
+ "turquoise",
886
+ "violet",
887
+ "wheat",
888
+ "white",
889
+ "whitesmoke",
890
+ "yellow",
891
+ "yellowgreen",
892
+ ])
893
+
652
894
  # see https://www.quackit.com/css/functions/
653
895
  # omit `url` and `image` from that list
654
896
  ACCEPTABLE_CSS_FUNCTIONS = Set.new([
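Review bot: Moving the colour names out of `ACCEPTABLE_CSS_KEYWORDS` is a behaviour change for any code that reads that constant directly, or for a subclass that sets `ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS`: `red`, `blue`, `brown` and the rest are no longer in it. The default `ALLOWED_CSS_KEYWORDS` is rebuilt as the union of the three sets in a later hunk, so the stock scrubber is unaffected, but the split deserves a changelog line and a comment above `ACCEPTABLE_CSS_KEYWORDS` pointing at the new colour sets. All sixteen entries of `ACCEPTABLE_CSS_COLORS` also appear in `ACCEPTABLE_CSS_EXTENDED_COLORS`; say in a comment that the overlap is intentional.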
@@ -743,6 +985,7 @@ module Loofah
743
985
  "rsync",
744
986
  "rtsp",
745
987
  "sftp",
988
+ "sms",
746
989
  "ssh",
747
990
  "tag",
748
991
  "tel",
@@ -756,33 +999,28 @@ module Loofah
756
999
  "image/gif",
757
1000
  "image/jpeg",
758
1001
  "image/png",
759
- "image/svg+xml",
760
1002
  "text/css",
761
1003
  "text/plain",
762
1004
  ])
763
1005
 
764
1006
  # subclasses may define their own versions of these constants
765
1007
  ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
766
- ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
1008
+ ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
767
1009
  ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
768
- ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
1010
+ ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
769
1011
  ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
770
1012
  ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
771
1013
  ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
772
1014
  ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
773
1015
 
1016
+ # TODO: remove VOID_ELEMENTS in a future major release
1017
+ # and put it in the tests (it is used only for testing, not for functional behavior)
774
1018
  VOID_ELEMENTS = Set.new([
775
1019
  "area",
776
- "base",
777
1020
  "br",
778
- "col",
779
- "embed",
780
1021
  "hr",
781
1022
  "img",
782
1023
  "input",
783
- "link",
784
- "meta",
785
- "param",
786
1024
  ])
787
1025
 
788
1026
  # additional tags we should consider safe since we have libxml2 fixing up our documents.
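Review bot: The `- "image/svg+xml",` removal at the top of this hunk has no comment or test visible in the diff, and it is the only line that narrows the data URI media-type allowlist. If this is the change behind the CVE-2022-23515 changelog entry ("improper neutralization of data URIs"), add a comment above the list saying why SVG is excluded so a later feature request does not re-add it, and state in the changelog that `data:image/svg+xml` URIs are no longer allowed, since content that embedded inline SVG images will be sanitized differently after the upgrade.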