loofah 2.7.0 → 2.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +107 -0
  3. data/README.md +13 -12
  4. data/lib/loofah/elements.rb +5 -2
  5. data/lib/loofah/html5/safelist.rb +262 -27
  6. data/lib/loofah/html5/scrub.rb +135 -40
  7. data/lib/loofah/instance_methods.rb +9 -5
  8. data/lib/loofah/scrubber.rb +4 -0
  9. data/lib/loofah/scrubbers.rb +9 -8
  10. data/lib/loofah/version.rb +5 -0
  11. data/lib/loofah.rb +13 -15
  12. metadata +40 -137
  13. data/Gemfile +0 -24
  14. data/Manifest.txt +0 -25
  15. data/Rakefile +0 -97
  16. data/benchmark/benchmark.rb +0 -154
  17. data/benchmark/fragment.html +0 -96
  18. data/benchmark/helper.rb +0 -73
  19. data/benchmark/www.slashdot.com.html +0 -2560
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ce7e800422f2b83325a3c37aeb81c5fcb7f2c6d76d9be1f5228f3d49077643b8
4
- data.tar.gz: 6f4a5303926248d42f4e375d59d8d92e60c7fb797762910dd027aa54d8875922
3
+ metadata.gz: bd3edb0acdf2359d82564aca0bc13710d9f6c49157963d18953ff55bd7c14413
4
+ data.tar.gz: 3a6e11b7deb9cfb469aaf6ec919062687bd4215ef11980bded72ca298807610c
5
5
  SHA512:
6
- metadata.gz: 98570a9ed755a285a42b31c05b8f45413b77119162d190c199f2ea8624f1038cff8ce8532e4339e3747410c9ab8ca645b02f237975643d24b4ad3b447336a35a
7
- data.tar.gz: '020485b66a1cb57fe1359bfbeec912631a48b268bbeb754b2ff67fa237cbb840d8ad5e66ec8b64b36d869dcf6866bd3c30191e3596a6481fd9a9258b0f4f8d96'
6
+ metadata.gz: 4970a6aa72265f60556dd6fd254375c86d3f83be23f3bbcc8b04df00ce0e801e8ef9e67d0a77ca6a21915be89226131c16a7f3540f02538cc2b9a369950dfebf
7
+ data.tar.gz: 27e3a06cc391ec3d9e3c966efdb6b4ce58e98c397ec87490d418406c17757e5cb0193edabaced30a9f24320c729e6730308e346610859f9f7c6d5fcc6f72cd56
data/CHANGELOG.md CHANGED
@@ -1,5 +1,112 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.19.1 / 2022-12-13
4
+
5
+ ### Security
6
+
7
+ * Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
8
+ * Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
9
+ * Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
10
+
11
+
12
+ ## 2.19.0 / 2022-09-14
13
+
14
+ ### Features
15
+
16
+ * Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
17
+
18
+
19
+ ## 2.18.0 / 2022-05-11
20
+
21
+ ### Features
22
+
23
+ * Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
24
+
25
+
26
+ ## 2.17.0 / 2022-04-28
27
+
28
+ ### Features
29
+
30
+ * Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
31
+
32
+
33
+ ## 2.16.0 / 2022-04-01
34
+
35
+ ### Features
36
+
37
+ * Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
38
+
39
+
40
+ ## 2.15.0 / 2022-03-14
41
+
42
+ ### Features
43
+
44
+ * Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
45
+
46
+
47
+ ## 2.14.0 / 2022-02-11
48
+
49
+ ### Features
50
+
51
+ * The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
52
+
53
+
54
+ ## 2.13.0 / 2021-12-10
55
+
56
+ ### Bug fixes
57
+
58
+ * Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
59
+
60
+
61
+ ## 2.12.0 / 2021-08-11
62
+
63
+ ### Features
64
+
65
+ * Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
66
+
67
+
68
+ ## 2.11.0 / 2021-07-31
69
+
70
+ ### Features
71
+
72
+ * Allow HTML5 element `wbr`.
73
+ * Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
74
+
75
+
76
+ ### Changes
77
+
78
+ * Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
79
+ * Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
80
+
81
+
82
+ ## 2.10.0 / 2021-06-06
83
+
84
+ ### Features
85
+
86
+ * Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
87
+
88
+
89
+ ## 2.9.1 / 2021-04-07
90
+
91
+ ### Bug fixes
92
+
93
+ * Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
94
+
95
+
96
+ ## 2.9.0 / 2021-01-14
97
+
98
+ ### Features
99
+
100
+ * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
101
+
102
+
103
+ ## 2.8.0 / 2020-11-25
104
+
105
+ ### Features
106
+
107
+ * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
108
+
109
+
3
110
  ## 2.7.0 / 2020-08-26
4
111
 
5
112
  ### Features
data/README.md CHANGED
@@ -1,15 +1,13 @@
1
1
  # Loofah
2
2
 
3
3
  * https://github.com/flavorjones/loofah
4
- * Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
4
+ * Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
5
5
  * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
6
6
 
7
7
  ## Status
8
8
 
9
- |System|Status|
10
- |--|--|
11
- | Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
12
- | Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
9
+ [![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
10
+ [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
13
11
 
14
12
 
15
13
  ## Description
@@ -135,13 +133,12 @@ and `text` to return plain text:
135
133
  doc.text # => "ohai! div is safe "
136
134
  ```
137
135
 
138
- Also, `to_text` is available, which does the right thing with
139
- whitespace around block-level elements.
136
+ Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
140
137
 
141
138
  ``` ruby
142
- doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
143
- doc.text # => "TitleContent" # probably not what you want
144
- doc.to_text # => "\nTitle\n\nContent\n" # better
139
+ doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
140
+ doc.text # => "TitleContentNext line" # probably not what you want
141
+ doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
145
142
  ```
146
143
 
147
144
  ### Loofah::XML::Document and Loofah::XML::DocumentFragment
@@ -212,7 +209,7 @@ end
212
209
  Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
213
210
  ```
214
211
 
215
- === Built-In HTML Scrubbers
212
+ ### Built-In HTML Scrubbers
216
213
 
217
214
  Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
218
215
  safelist algorithm:
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
301
298
 
302
299
  And the IRC channel is \#loofah on freenode.
303
300
 
301
+ Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
302
+
303
+ [tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
304
+
304
305
 
305
306
  ## Security
306
307
 
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
347
348
 
348
349
  ## Thank You
349
350
 
350
- The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
351
+ The following people have generously funded Loofah:
351
352
 
352
353
  * Bill Harding
353
354
 
data/lib/loofah/elements.rb CHANGED
@@ -70,8 +70,6 @@ module Loofah
70
70
  video
71
71
  ]
72
72
 
73
- STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
74
-
75
73
  # The following elements may also be considered block-level
76
74
  # elements since they may contain block-level elements
77
75
  LOOSE_BLOCK_LEVEL = Set.new %w[dd
@@ -86,7 +84,12 @@ module Loofah
86
84
  tr
87
85
  ]
88
86
 
87
+ # Elements that aren't block but should generate a newline in #to_text
88
+ INLINE_LINE_BREAK = Set.new(["br"])
89
+
90
+ STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
89
91
  BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
92
+ LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
90
93
  end
91
94
 
92
95
  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
data/lib/loofah/html5/safelist.rb CHANGED
@@ -140,6 +140,7 @@ module Loofah
140
140
  "ul",
141
141
  "var",
142
142
  "video",
143
+ "wbr",
143
144
  ])
144
145
 
145
146
  MATHML_ELEMENTS = Set.new([
@@ -147,6 +148,7 @@ module Loofah
147
148
  "annotation-xml",
148
149
  "maction",
149
150
  "math",
151
+ "menclose",
150
152
  "merror",
151
153
  "mfenced",
152
154
  "mfrac",
@@ -160,6 +162,7 @@ module Loofah
160
162
  "mprescripts",
161
163
  "mroot",
162
164
  "mrow",
165
+ "ms",
163
166
  "mspace",
164
167
  "msqrt",
165
168
  "mstyle",
@@ -312,6 +315,7 @@ module Loofah
312
315
  "columnspacing",
313
316
  "columnspan",
314
317
  "depth",
318
+ "dir",
315
319
  "display",
316
320
  "displaystyle",
317
321
  "encoding",
@@ -322,19 +326,24 @@ module Loofah
322
326
  "fontweight",
323
327
  "frame",
324
328
  "height",
329
+ "href",
325
330
  "linethickness",
331
+ "lquote",
326
332
  "lspace",
327
333
  "mathbackground",
328
334
  "mathcolor",
335
+ "mathsize",
329
336
  "mathvariant",
330
337
  "maxsize",
331
338
  "minsize",
339
+ "notation",
332
340
  "open",
333
341
  "other",
334
342
  "rowalign",
335
343
  "rowlines",
336
344
  "rowspacing",
337
345
  "rowspan",
346
+ "rquote",
338
347
  "rspace",
339
348
  "scriptlevel",
340
349
  "selection",
@@ -503,6 +512,62 @@ module Loofah
503
512
  "zoomAndPan",
504
513
  ])
505
514
 
515
+ ARIA_ATTRIBUTES = Set.new([
516
+ "aria-activedescendant",
517
+ "aria-atomic",
518
+ "aria-autocomplete",
519
+ "aria-braillelabel",
520
+ "aria-brailleroledescription",
521
+ "aria-busy",
522
+ "aria-checked",
523
+ "aria-colcount",
524
+ "aria-colindex",
525
+ "aria-colindextext",
526
+ "aria-colspan",
527
+ "aria-controls",
528
+ "aria-current",
529
+ "aria-describedby",
530
+ "aria-description",
531
+ "aria-details",
532
+ "aria-disabled",
533
+ "aria-dropeffect",
534
+ "aria-errormessage",
535
+ "aria-expanded",
536
+ "aria-flowto",
537
+ "aria-grabbed",
538
+ "aria-haspopup",
539
+ "aria-hidden",
540
+ "aria-invalid",
541
+ "aria-keyshortcuts",
542
+ "aria-label",
543
+ "aria-labelledby",
544
+ "aria-level",
545
+ "aria-live",
546
+ "aria-multiline",
547
+ "aria-multiselectable",
548
+ "aria-orientation",
549
+ "aria-owns",
550
+ "aria-placeholder",
551
+ "aria-posinset",
552
+ "aria-pressed",
553
+ "aria-readonly",
554
+ "aria-relevant",
555
+ "aria-required",
556
+ "aria-roledescription",
557
+ "aria-rowcount",
558
+ "aria-rowindex",
559
+ "aria-rowindextext",
560
+ "aria-rowspan",
561
+ "aria-selected",
562
+ "aria-setsize",
563
+ "aria-sort",
564
+ "aria-valuemax",
565
+ "aria-valuemin",
566
+ "aria-valuenow",
567
+ "aria-valuetext",
568
+ "role",
569
+ ])
570
+
506
571
  ATTR_VAL_IS_URI = Set.new([
507
572
  "action",
508
573
  "cite",
@@ -549,6 +614,10 @@ module Loofah
549
614
 
550
615
  ACCEPTABLE_CSS_PROPERTIES = Set.new([
551
616
  "azimuth",
617
+ "align-content",
618
+ "align-items",
619
+ "align-self",
620
+ "aspect-ratio",
552
621
  "background-color",
553
622
  "border-bottom-color",
554
623
  "border-collapse",
@@ -562,6 +631,13 @@ module Loofah
562
631
  "direction",
563
632
  "display",
564
633
  "elevation",
634
+ "flex",
635
+ "flex-basis",
636
+ "flex-direction",
637
+ "flex-flow",
638
+ "flex-grow",
639
+ "flex-shrink",
640
+ "flex-wrap",
565
641
  "float",
566
642
  "font",
567
643
  "font-family",
@@ -570,12 +646,16 @@ module Loofah
570
646
  "font-variant",
571
647
  "font-weight",
572
648
  "height",
649
+ "justify-content",
573
650
  "letter-spacing",
574
651
  "line-height",
575
652
  "list-style",
576
653
  "list-style-type",
577
654
  "max-width",
655
+ "order",
578
656
  "overflow",
657
+ "overflow-x",
658
+ "overflow-y",
579
659
  "page-break-after",
580
660
  "page-break-before",
581
661
  "page-break-inside",
@@ -604,54 +684,213 @@ module Loofah
604
684
 
605
685
  ACCEPTABLE_CSS_KEYWORDS = Set.new([
606
686
  "!important",
607
- "aqua",
608
687
  "auto",
609
- "black",
610
688
  "block",
611
- "blue",
612
689
  "bold",
613
690
  "both",
614
691
  "bottom",
615
- "brown",
616
692
  "center",
617
693
  "collapse",
618
694
  "dashed",
619
695
  "dotted",
620
696
  "double",
621
- "fuchsia",
622
- "gray",
623
- "green",
624
697
  "groove",
625
698
  "hidden",
699
+ "inherit",
700
+ "initial",
626
701
  "inset",
627
702
  "italic",
628
703
  "left",
629
- "lime",
630
- "maroon",
631
704
  "medium",
632
- "navy",
633
705
  "none",
634
706
  "normal",
635
707
  "nowrap",
636
- "olive",
637
708
  "outset",
638
709
  "pointer",
639
- "purple",
640
- "red",
710
+ "revert",
641
711
  "ridge",
642
712
  "right",
643
- "silver",
713
+ "separate",
644
714
  "solid",
645
- "teal",
646
- "thin",
647
715
  "thick",
716
+ "thin",
648
717
  "top",
649
718
  "transparent",
650
719
  "underline",
651
- "white",
652
- "yellow",
720
+ "unset",
653
721
  ])
654
722
 
723
+ # https://www.w3.org/TR/css-color-3/#html4
724
+ ACCEPTABLE_CSS_COLORS = Set.new([
725
+ "aqua",
726
+ "black",
727
+ "blue",
728
+ "fuchsia",
729
+ "gray",
730
+ "green",
731
+ "lime",
732
+ "maroon",
733
+ "navy",
734
+ "olive",
735
+ "purple",
736
+ "red",
737
+ "silver",
738
+ "teal",
739
+ "white",
740
+ "yellow",
741
+ ])
742
+
743
+ # https://www.w3.org/TR/css-color-3/#svg-color
744
+ ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
745
+ "aliceblue",
746
+ "antiquewhite",
747
+ "aqua",
748
+ "aquamarine",
749
+ "azure",
750
+ "beige",
751
+ "bisque",
752
+ "black",
753
+ "blanchedalmond",
754
+ "blue",
755
+ "blueviolet",
756
+ "brown",
757
+ "burlywood",
758
+ "cadetblue",
759
+ "chartreuse",
760
+ "chocolate",
761
+ "coral",
762
+ "cornflowerblue",
763
+ "cornsilk",
764
+ "crimson",
765
+ "cyan",
766
+ "darkblue",
767
+ "darkcyan",
768
+ "darkgoldenrod",
769
+ "darkgray",
770
+ "darkgreen",
771
+ "darkgrey",
772
+ "darkkhaki",
773
+ "darkmagenta",
774
+ "darkolivegreen",
775
+ "darkorange",
776
+ "darkorchid",
777
+ "darkred",
778
+ "darksalmon",
779
+ "darkseagreen",
780
+ "darkslateblue",
781
+ "darkslategray",
782
+ "darkslategrey",
783
+ "darkturquoise",
784
+ "darkviolet",
785
+ "deeppink",
786
+ "deepskyblue",
787
+ "dimgray",
788
+ "dimgrey",
789
+ "dodgerblue",
790
+ "firebrick",
791
+ "floralwhite",
792
+ "forestgreen",
793
+ "fuchsia",
794
+ "gainsboro",
795
+ "ghostwhite",
796
+ "gold",
797
+ "goldenrod",
798
+ "gray",
799
+ "green",
800
+ "greenyellow",
801
+ "grey",
802
+ "honeydew",
803
+ "hotpink",
804
+ "indianred",
805
+ "indigo",
806
+ "ivory",
807
+ "khaki",
808
+ "lavender",
809
+ "lavenderblush",
810
+ "lawngreen",
811
+ "lemonchiffon",
812
+ "lightblue",
813
+ "lightcoral",
814
+ "lightcyan",
815
+ "lightgoldenrodyellow",
816
+ "lightgray",
817
+ "lightgreen",
818
+ "lightgrey",
819
+ "lightpink",
820
+ "lightsalmon",
821
+ "lightseagreen",
822
+ "lightskyblue",
823
+ "lightslategray",
824
+ "lightslategrey",
825
+ "lightsteelblue",
826
+ "lightyellow",
827
+ "lime",
828
+ "limegreen",
829
+ "linen",
830
+ "magenta",
831
+ "maroon",
832
+ "mediumaquamarine",
833
+ "mediumblue",
834
+ "mediumorchid",
835
+ "mediumpurple",
836
+ "mediumseagreen",
837
+ "mediumslateblue",
838
+ "mediumspringgreen",
839
+ "mediumturquoise",
840
+ "mediumvioletred",
841
+ "midnightblue",
842
+ "mintcream",
843
+ "mistyrose",
844
+ "moccasin",
845
+ "navajowhite",
846
+ "navy",
847
+ "oldlace",
848
+ "olive",
849
+ "olivedrab",
850
+ "orange",
851
+ "orangered",
852
+ "orchid",
853
+ "palegoldenrod",
854
+ "palegreen",
855
+ "paleturquoise",
856
+ "palevioletred",
857
+ "papayawhip",
858
+ "peachpuff",
859
+ "peru",
860
+ "pink",
861
+ "plum",
862
+ "powderblue",
863
+ "purple",
864
+ "red",
865
+ "rosybrown",
866
+ "royalblue",
867
+ "saddlebrown",
868
+ "salmon",
869
+ "sandybrown",
870
+ "seagreen",
871
+ "seashell",
872
+ "sienna",
873
+ "silver",
874
+ "skyblue",
875
+ "slateblue",
876
+ "slategray",
877
+ "slategrey",
878
+ "snow",
879
+ "springgreen",
880
+ "steelblue",
881
+ "tan",
882
+ "teal",
883
+ "thistle",
884
+ "tomato",
885
+ "turquoise",
886
+ "violet",
887
+ "wheat",
888
+ "white",
889
+ "whitesmoke",
890
+ "yellow",
891
+ "yellowgreen",
892
+ ])
893
+
655
894
  # see https://www.quackit.com/css/functions/
656
895
  # omit `url` and `image` from that list
657
896
  ACCEPTABLE_CSS_FUNCTIONS = Set.new([
@@ -746,6 +985,7 @@ module Loofah
746
985
  "rsync",
747
986
  "rtsp",
748
987
  "sftp",
988
+ "sms",
749
989
  "ssh",
750
990
  "tag",
751
991
  "tel",
@@ -759,33 +999,28 @@ module Loofah
759
999
  "image/gif",
760
1000
  "image/jpeg",
761
1001
  "image/png",
762
- "image/svg+xml",
763
1002
  "text/css",
764
1003
  "text/plain",
765
1004
  ])
766
1005
 
767
1006
  # subclasses may define their own versions of these constants
768
1007
  ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
769
- ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
1008
+ ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
770
1009
  ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
771
- ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
1010
+ ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
772
1011
  ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
773
1012
  ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
774
1013
  ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
775
1014
  ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
776
1015
 
1016
+ # TODO: remove VOID_ELEMENTS in a future major release
1017
+ # and put it in the tests (it is used only for testing, not for functional behavior)
777
1018
  VOID_ELEMENTS = Set.new([
778
1019
  "area",
779
- "base",
780
1020
  "br",
781
- "col",
782
- "embed",
783
1021
  "hr",
784
1022
  "img",
785
1023
  "input",
786
- "link",
787
- "meta",
788
- "param",
789
1024
  ])
790
1025
 
791
1026
  # additional tags we should consider safe since we have libxml2 fixing up our documents.