loofah 2.7.0 → 2.19.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +107 -0
- data/README.md +13 -12
- data/lib/loofah/elements.rb +5 -2
- data/lib/loofah/html5/safelist.rb +262 -27
- data/lib/loofah/html5/scrub.rb +135 -40
- data/lib/loofah/instance_methods.rb +9 -5
- data/lib/loofah/scrubber.rb +4 -0
- data/lib/loofah/scrubbers.rb +9 -8
- data/lib/loofah/version.rb +5 -0
- data/lib/loofah.rb +13 -15
- metadata +40 -137
- data/Gemfile +0 -24
- data/Manifest.txt +0 -25
- data/Rakefile +0 -97
- data/benchmark/benchmark.rb +0 -154
- data/benchmark/fragment.html +0 -96
- data/benchmark/helper.rb +0 -73
- data/benchmark/www.slashdot.com.html +0 -2560
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bd3edb0acdf2359d82564aca0bc13710d9f6c49157963d18953ff55bd7c14413
|
4
|
+
data.tar.gz: 3a6e11b7deb9cfb469aaf6ec919062687bd4215ef11980bded72ca298807610c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4970a6aa72265f60556dd6fd254375c86d3f83be23f3bbcc8b04df00ce0e801e8ef9e67d0a77ca6a21915be89226131c16a7f3540f02538cc2b9a369950dfebf
|
7
|
+
data.tar.gz: 27e3a06cc391ec3d9e3c966efdb6b4ce58e98c397ec87490d418406c17757e5cb0193edabaced30a9f24320c729e6730308e346610859f9f7c6d5fcc6f72cd56
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,112 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.19.1 / 2022-12-13
|
4
|
+
|
5
|
+
### Security
|
6
|
+
|
7
|
+
* Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
|
8
|
+
* Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
|
9
|
+
* Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
|
10
|
+
|
11
|
+
|
12
|
+
## 2.19.0 / 2022-09-14
|
13
|
+
|
14
|
+
### Features
|
15
|
+
|
16
|
+
* Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
|
17
|
+
|
18
|
+
|
19
|
+
## 2.18.0 / 2022-05-11
|
20
|
+
|
21
|
+
### Features
|
22
|
+
|
23
|
+
* Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
|
24
|
+
|
25
|
+
|
26
|
+
## 2.17.0 / 2022-04-28
|
27
|
+
|
28
|
+
### Features
|
29
|
+
|
30
|
+
* Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
31
|
+
|
32
|
+
|
33
|
+
## 2.16.0 / 2022-04-01
|
34
|
+
|
35
|
+
### Features
|
36
|
+
|
37
|
+
* Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
38
|
+
|
39
|
+
|
40
|
+
## 2.15.0 / 2022-03-14
|
41
|
+
|
42
|
+
### Features
|
43
|
+
|
44
|
+
* Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
|
45
|
+
|
46
|
+
|
47
|
+
## 2.14.0 / 2022-02-11
|
48
|
+
|
49
|
+
### Features
|
50
|
+
|
51
|
+
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
|
52
|
+
|
53
|
+
|
54
|
+
## 2.13.0 / 2021-12-10
|
55
|
+
|
56
|
+
### Bug fixes
|
57
|
+
|
58
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
59
|
+
|
60
|
+
|
61
|
+
## 2.12.0 / 2021-08-11
|
62
|
+
|
63
|
+
### Features
|
64
|
+
|
65
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
66
|
+
|
67
|
+
|
68
|
+
## 2.11.0 / 2021-07-31
|
69
|
+
|
70
|
+
### Features
|
71
|
+
|
72
|
+
* Allow HTML5 element `wbr`.
|
73
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
74
|
+
|
75
|
+
|
76
|
+
### Changes
|
77
|
+
|
78
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
79
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
80
|
+
|
81
|
+
|
82
|
+
## 2.10.0 / 2021-06-06
|
83
|
+
|
84
|
+
### Features
|
85
|
+
|
86
|
+
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
|
87
|
+
|
88
|
+
|
89
|
+
## 2.9.1 / 2021-04-07
|
90
|
+
|
91
|
+
### Bug fixes
|
92
|
+
|
93
|
+
* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
|
94
|
+
|
95
|
+
|
96
|
+
## 2.9.0 / 2021-01-14
|
97
|
+
|
98
|
+
### Features
|
99
|
+
|
100
|
+
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
|
101
|
+
|
102
|
+
|
103
|
+
## 2.8.0 / 2020-11-25
|
104
|
+
|
105
|
+
### Features
|
106
|
+
|
107
|
+
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
|
108
|
+
|
109
|
+
|
3
110
|
## 2.7.0 / 2020-08-26
|
4
111
|
|
5
112
|
### Features
|
data/README.md
CHANGED
@@ -1,15 +1,13 @@
|
|
1
1
|
# Loofah
|
2
2
|
|
3
3
|
* https://github.com/flavorjones/loofah
|
4
|
-
* Docs: http://rubydoc.info/github/flavorjones/loofah/
|
4
|
+
* Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
|
5
5
|
* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
|
6
6
|
|
7
7
|
## Status
|
8
8
|
|
9
|
-
|
10
|
-
|
11
|
-
| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
|
12
|
-
| Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
|
9
|
+
[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
|
10
|
+
[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
|
13
11
|
|
14
12
|
|
15
13
|
## Description
|
@@ -135,13 +133,12 @@ and `text` to return plain text:
|
|
135
133
|
doc.text # => "ohai! div is safe "
|
136
134
|
```
|
137
135
|
|
138
|
-
Also, `to_text` is available, which does the right thing with
|
139
|
-
whitespace around block-level elements.
|
136
|
+
Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
|
140
137
|
|
141
138
|
``` ruby
|
142
|
-
doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
|
143
|
-
doc.text # => "
|
144
|
-
doc.to_text # => "\nTitle\n\nContent\n"
|
139
|
+
doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
|
140
|
+
doc.text # => "TitleContentNext line" # probably not what you want
|
141
|
+
doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
|
145
142
|
```
|
146
143
|
|
147
144
|
### Loofah::XML::Document and Loofah::XML::DocumentFragment
|
@@ -212,7 +209,7 @@ end
|
|
212
209
|
Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
|
213
210
|
```
|
214
211
|
|
215
|
-
|
212
|
+
### Built-In HTML Scrubbers
|
216
213
|
|
217
214
|
Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
|
218
215
|
safelist algorithm:
|
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
|
|
301
298
|
|
302
299
|
And the IRC channel is \#loofah on freenode.
|
303
300
|
|
301
|
+
Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
|
302
|
+
|
303
|
+
[tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
|
304
|
+
|
304
305
|
|
305
306
|
## Security
|
306
307
|
|
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
|
|
347
348
|
|
348
349
|
## Thank You
|
349
350
|
|
350
|
-
The following people have generously
|
351
|
+
The following people have generously funded Loofah:
|
351
352
|
|
352
353
|
* Bill Harding
|
353
354
|
|
data/lib/loofah/elements.rb
CHANGED
@@ -70,8 +70,6 @@ module Loofah
|
|
70
70
|
video
|
71
71
|
]
|
72
72
|
|
73
|
-
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
74
|
-
|
75
73
|
# The following elements may also be considered block-level
|
76
74
|
# elements since they may contain block-level elements
|
77
75
|
LOOSE_BLOCK_LEVEL = Set.new %w[dd
|
@@ -86,7 +84,12 @@ module Loofah
|
|
86
84
|
tr
|
87
85
|
]
|
88
86
|
|
87
|
+
# Elements that aren't block but should generate a newline in #to_text
|
88
|
+
INLINE_LINE_BREAK = Set.new(["br"])
|
89
|
+
|
90
|
+
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
89
91
|
BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
|
92
|
+
LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
|
90
93
|
end
|
91
94
|
|
92
95
|
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
|
@@ -140,6 +140,7 @@ module Loofah
|
|
140
140
|
"ul",
|
141
141
|
"var",
|
142
142
|
"video",
|
143
|
+
"wbr",
|
143
144
|
])
|
144
145
|
|
145
146
|
MATHML_ELEMENTS = Set.new([
|
@@ -147,6 +148,7 @@ module Loofah
|
|
147
148
|
"annotation-xml",
|
148
149
|
"maction",
|
149
150
|
"math",
|
151
|
+
"menclose",
|
150
152
|
"merror",
|
151
153
|
"mfenced",
|
152
154
|
"mfrac",
|
@@ -160,6 +162,7 @@ module Loofah
|
|
160
162
|
"mprescripts",
|
161
163
|
"mroot",
|
162
164
|
"mrow",
|
165
|
+
"ms",
|
163
166
|
"mspace",
|
164
167
|
"msqrt",
|
165
168
|
"mstyle",
|
@@ -312,6 +315,7 @@ module Loofah
|
|
312
315
|
"columnspacing",
|
313
316
|
"columnspan",
|
314
317
|
"depth",
|
318
|
+
"dir",
|
315
319
|
"display",
|
316
320
|
"displaystyle",
|
317
321
|
"encoding",
|
@@ -322,19 +326,24 @@ module Loofah
|
|
322
326
|
"fontweight",
|
323
327
|
"frame",
|
324
328
|
"height",
|
329
|
+
"href",
|
325
330
|
"linethickness",
|
331
|
+
"lquote",
|
326
332
|
"lspace",
|
327
333
|
"mathbackground",
|
328
334
|
"mathcolor",
|
335
|
+
"mathsize",
|
329
336
|
"mathvariant",
|
330
337
|
"maxsize",
|
331
338
|
"minsize",
|
339
|
+
"notation",
|
332
340
|
"open",
|
333
341
|
"other",
|
334
342
|
"rowalign",
|
335
343
|
"rowlines",
|
336
344
|
"rowspacing",
|
337
345
|
"rowspan",
|
346
|
+
"rquote",
|
338
347
|
"rspace",
|
339
348
|
"scriptlevel",
|
340
349
|
"selection",
|
@@ -503,6 +512,62 @@ module Loofah
|
|
503
512
|
"zoomAndPan",
|
504
513
|
])
|
505
514
|
|
515
|
+
ARIA_ATTRIBUTES = Set.new([
|
516
|
+
"aria-activedescendant",
|
517
|
+
"aria-atomic",
|
518
|
+
"aria-autocomplete",
|
519
|
+
"aria-braillelabel",
|
520
|
+
"aria-brailleroledescription",
|
521
|
+
"aria-busy",
|
522
|
+
"aria-checked",
|
523
|
+
"aria-colcount",
|
524
|
+
"aria-colindex",
|
525
|
+
"aria-colindextext",
|
526
|
+
"aria-colspan",
|
527
|
+
"aria-controls",
|
528
|
+
"aria-current",
|
529
|
+
"aria-describedby",
|
530
|
+
"aria-description",
|
531
|
+
"aria-details",
|
532
|
+
"aria-disabled",
|
533
|
+
"aria-dropeffect",
|
534
|
+
"aria-errormessage",
|
535
|
+
"aria-expanded",
|
536
|
+
"aria-flowto",
|
537
|
+
"aria-grabbed",
|
538
|
+
"aria-haspopup",
|
539
|
+
"aria-hidden",
|
540
|
+
"aria-invalid",
|
541
|
+
"aria-keyshortcuts",
|
542
|
+
"aria-label",
|
543
|
+
"aria-labelledby",
|
544
|
+
"aria-level",
|
545
|
+
"aria-live",
|
546
|
+
"aria-multiline",
|
547
|
+
"aria-multiselectable",
|
548
|
+
"aria-orientation",
|
549
|
+
"aria-owns",
|
550
|
+
"aria-placeholder",
|
551
|
+
"aria-posinset",
|
552
|
+
"aria-pressed",
|
553
|
+
"aria-readonly",
|
554
|
+
"aria-relevant",
|
555
|
+
"aria-required",
|
556
|
+
"aria-roledescription",
|
557
|
+
"aria-rowcount",
|
558
|
+
"aria-rowindex",
|
559
|
+
"aria-rowindextext",
|
560
|
+
"aria-rowspan",
|
561
|
+
"aria-selected",
|
562
|
+
"aria-setsize",
|
563
|
+
"aria-sort",
|
564
|
+
"aria-valuemax",
|
565
|
+
"aria-valuemin",
|
566
|
+
"aria-valuenow",
|
567
|
+
"aria-valuetext",
|
568
|
+
"role",
|
569
|
+
])
|
570
|
+
|
506
571
|
ATTR_VAL_IS_URI = Set.new([
|
507
572
|
"action",
|
508
573
|
"cite",
|
@@ -549,6 +614,10 @@ module Loofah
|
|
549
614
|
|
550
615
|
ACCEPTABLE_CSS_PROPERTIES = Set.new([
|
551
616
|
"azimuth",
|
617
|
+
"align-content",
|
618
|
+
"align-items",
|
619
|
+
"align-self",
|
620
|
+
"aspect-ratio",
|
552
621
|
"background-color",
|
553
622
|
"border-bottom-color",
|
554
623
|
"border-collapse",
|
@@ -562,6 +631,13 @@ module Loofah
|
|
562
631
|
"direction",
|
563
632
|
"display",
|
564
633
|
"elevation",
|
634
|
+
"flex",
|
635
|
+
"flex-basis",
|
636
|
+
"flex-direction",
|
637
|
+
"flex-flow",
|
638
|
+
"flex-grow",
|
639
|
+
"flex-shrink",
|
640
|
+
"flex-wrap",
|
565
641
|
"float",
|
566
642
|
"font",
|
567
643
|
"font-family",
|
@@ -570,12 +646,16 @@ module Loofah
|
|
570
646
|
"font-variant",
|
571
647
|
"font-weight",
|
572
648
|
"height",
|
649
|
+
"justify-content",
|
573
650
|
"letter-spacing",
|
574
651
|
"line-height",
|
575
652
|
"list-style",
|
576
653
|
"list-style-type",
|
577
654
|
"max-width",
|
655
|
+
"order",
|
578
656
|
"overflow",
|
657
|
+
"overflow-x",
|
658
|
+
"overflow-y",
|
579
659
|
"page-break-after",
|
580
660
|
"page-break-before",
|
581
661
|
"page-break-inside",
|
@@ -604,54 +684,213 @@ module Loofah
|
|
604
684
|
|
605
685
|
ACCEPTABLE_CSS_KEYWORDS = Set.new([
|
606
686
|
"!important",
|
607
|
-
"aqua",
|
608
687
|
"auto",
|
609
|
-
"black",
|
610
688
|
"block",
|
611
|
-
"blue",
|
612
689
|
"bold",
|
613
690
|
"both",
|
614
691
|
"bottom",
|
615
|
-
"brown",
|
616
692
|
"center",
|
617
693
|
"collapse",
|
618
694
|
"dashed",
|
619
695
|
"dotted",
|
620
696
|
"double",
|
621
|
-
"fuchsia",
|
622
|
-
"gray",
|
623
|
-
"green",
|
624
697
|
"groove",
|
625
698
|
"hidden",
|
699
|
+
"inherit",
|
700
|
+
"initial",
|
626
701
|
"inset",
|
627
702
|
"italic",
|
628
703
|
"left",
|
629
|
-
"lime",
|
630
|
-
"maroon",
|
631
704
|
"medium",
|
632
|
-
"navy",
|
633
705
|
"none",
|
634
706
|
"normal",
|
635
707
|
"nowrap",
|
636
|
-
"olive",
|
637
708
|
"outset",
|
638
709
|
"pointer",
|
639
|
-
"
|
640
|
-
"red",
|
710
|
+
"revert",
|
641
711
|
"ridge",
|
642
712
|
"right",
|
643
|
-
"
|
713
|
+
"separate",
|
644
714
|
"solid",
|
645
|
-
"teal",
|
646
|
-
"thin",
|
647
715
|
"thick",
|
716
|
+
"thin",
|
648
717
|
"top",
|
649
718
|
"transparent",
|
650
719
|
"underline",
|
651
|
-
"
|
652
|
-
"yellow",
|
720
|
+
"unset",
|
653
721
|
])
|
654
722
|
|
723
|
+
# https://www.w3.org/TR/css-color-3/#html4
|
724
|
+
ACCEPTABLE_CSS_COLORS = Set.new([
|
725
|
+
"aqua",
|
726
|
+
"black",
|
727
|
+
"blue",
|
728
|
+
"fuchsia",
|
729
|
+
"gray",
|
730
|
+
"green",
|
731
|
+
"lime",
|
732
|
+
"maroon",
|
733
|
+
"navy",
|
734
|
+
"olive",
|
735
|
+
"purple",
|
736
|
+
"red",
|
737
|
+
"silver",
|
738
|
+
"teal",
|
739
|
+
"white",
|
740
|
+
"yellow",
|
741
|
+
])
|
742
|
+
|
743
|
+
# https://www.w3.org/TR/css-color-3/#svg-color
|
744
|
+
ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
|
745
|
+
"aliceblue",
|
746
|
+
"antiquewhite",
|
747
|
+
"aqua",
|
748
|
+
"aquamarine",
|
749
|
+
"azure",
|
750
|
+
"beige",
|
751
|
+
"bisque",
|
752
|
+
"black",
|
753
|
+
"blanchedalmond",
|
754
|
+
"blue",
|
755
|
+
"blueviolet",
|
756
|
+
"brown",
|
757
|
+
"burlywood",
|
758
|
+
"cadetblue",
|
759
|
+
"chartreuse",
|
760
|
+
"chocolate",
|
761
|
+
"coral",
|
762
|
+
"cornflowerblue",
|
763
|
+
"cornsilk",
|
764
|
+
"crimson",
|
765
|
+
"cyan",
|
766
|
+
"darkblue",
|
767
|
+
"darkcyan",
|
768
|
+
"darkgoldenrod",
|
769
|
+
"darkgray",
|
770
|
+
"darkgreen",
|
771
|
+
"darkgrey",
|
772
|
+
"darkkhaki",
|
773
|
+
"darkmagenta",
|
774
|
+
"darkolivegreen",
|
775
|
+
"darkorange",
|
776
|
+
"darkorchid",
|
777
|
+
"darkred",
|
778
|
+
"darksalmon",
|
779
|
+
"darkseagreen",
|
780
|
+
"darkslateblue",
|
781
|
+
"darkslategray",
|
782
|
+
"darkslategrey",
|
783
|
+
"darkturquoise",
|
784
|
+
"darkviolet",
|
785
|
+
"deeppink",
|
786
|
+
"deepskyblue",
|
787
|
+
"dimgray",
|
788
|
+
"dimgrey",
|
789
|
+
"dodgerblue",
|
790
|
+
"firebrick",
|
791
|
+
"floralwhite",
|
792
|
+
"forestgreen",
|
793
|
+
"fuchsia",
|
794
|
+
"gainsboro",
|
795
|
+
"ghostwhite",
|
796
|
+
"gold",
|
797
|
+
"goldenrod",
|
798
|
+
"gray",
|
799
|
+
"green",
|
800
|
+
"greenyellow",
|
801
|
+
"grey",
|
802
|
+
"honeydew",
|
803
|
+
"hotpink",
|
804
|
+
"indianred",
|
805
|
+
"indigo",
|
806
|
+
"ivory",
|
807
|
+
"khaki",
|
808
|
+
"lavender",
|
809
|
+
"lavenderblush",
|
810
|
+
"lawngreen",
|
811
|
+
"lemonchiffon",
|
812
|
+
"lightblue",
|
813
|
+
"lightcoral",
|
814
|
+
"lightcyan",
|
815
|
+
"lightgoldenrodyellow",
|
816
|
+
"lightgray",
|
817
|
+
"lightgreen",
|
818
|
+
"lightgrey",
|
819
|
+
"lightpink",
|
820
|
+
"lightsalmon",
|
821
|
+
"lightseagreen",
|
822
|
+
"lightskyblue",
|
823
|
+
"lightslategray",
|
824
|
+
"lightslategrey",
|
825
|
+
"lightsteelblue",
|
826
|
+
"lightyellow",
|
827
|
+
"lime",
|
828
|
+
"limegreen",
|
829
|
+
"linen",
|
830
|
+
"magenta",
|
831
|
+
"maroon",
|
832
|
+
"mediumaquamarine",
|
833
|
+
"mediumblue",
|
834
|
+
"mediumorchid",
|
835
|
+
"mediumpurple",
|
836
|
+
"mediumseagreen",
|
837
|
+
"mediumslateblue",
|
838
|
+
"mediumspringgreen",
|
839
|
+
"mediumturquoise",
|
840
|
+
"mediumvioletred",
|
841
|
+
"midnightblue",
|
842
|
+
"mintcream",
|
843
|
+
"mistyrose",
|
844
|
+
"moccasin",
|
845
|
+
"navajowhite",
|
846
|
+
"navy",
|
847
|
+
"oldlace",
|
848
|
+
"olive",
|
849
|
+
"olivedrab",
|
850
|
+
"orange",
|
851
|
+
"orangered",
|
852
|
+
"orchid",
|
853
|
+
"palegoldenrod",
|
854
|
+
"palegreen",
|
855
|
+
"paleturquoise",
|
856
|
+
"palevioletred",
|
857
|
+
"papayawhip",
|
858
|
+
"peachpuff",
|
859
|
+
"peru",
|
860
|
+
"pink",
|
861
|
+
"plum",
|
862
|
+
"powderblue",
|
863
|
+
"purple",
|
864
|
+
"red",
|
865
|
+
"rosybrown",
|
866
|
+
"royalblue",
|
867
|
+
"saddlebrown",
|
868
|
+
"salmon",
|
869
|
+
"sandybrown",
|
870
|
+
"seagreen",
|
871
|
+
"seashell",
|
872
|
+
"sienna",
|
873
|
+
"silver",
|
874
|
+
"skyblue",
|
875
|
+
"slateblue",
|
876
|
+
"slategray",
|
877
|
+
"slategrey",
|
878
|
+
"snow",
|
879
|
+
"springgreen",
|
880
|
+
"steelblue",
|
881
|
+
"tan",
|
882
|
+
"teal",
|
883
|
+
"thistle",
|
884
|
+
"tomato",
|
885
|
+
"turquoise",
|
886
|
+
"violet",
|
887
|
+
"wheat",
|
888
|
+
"white",
|
889
|
+
"whitesmoke",
|
890
|
+
"yellow",
|
891
|
+
"yellowgreen",
|
892
|
+
])
|
893
|
+
|
655
894
|
# see https://www.quackit.com/css/functions/
|
656
895
|
# omit `url` and `image` from that list
|
657
896
|
ACCEPTABLE_CSS_FUNCTIONS = Set.new([
|
@@ -746,6 +985,7 @@ module Loofah
|
|
746
985
|
"rsync",
|
747
986
|
"rtsp",
|
748
987
|
"sftp",
|
988
|
+
"sms",
|
749
989
|
"ssh",
|
750
990
|
"tag",
|
751
991
|
"tel",
|
@@ -759,33 +999,28 @@ module Loofah
|
|
759
999
|
"image/gif",
|
760
1000
|
"image/jpeg",
|
761
1001
|
"image/png",
|
762
|
-
"image/svg+xml",
|
763
1002
|
"text/css",
|
764
1003
|
"text/plain",
|
765
1004
|
])
|
766
1005
|
|
767
1006
|
# subclasses may define their own versions of these constants
|
768
1007
|
ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
|
769
|
-
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
|
1008
|
+
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
|
770
1009
|
ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
|
771
|
-
ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
|
1010
|
+
ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
|
772
1011
|
ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
|
773
1012
|
ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
|
774
1013
|
ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
|
775
1014
|
ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
|
776
1015
|
|
1016
|
+
# TODO: remove VOID_ELEMENTS in a future major release
|
1017
|
+
# and put it in the tests (it is used only for testing, not for functional behavior)
|
777
1018
|
VOID_ELEMENTS = Set.new([
|
778
1019
|
"area",
|
779
|
-
"base",
|
780
1020
|
"br",
|
781
|
-
"col",
|
782
|
-
"embed",
|
783
1021
|
"hr",
|
784
1022
|
"img",
|
785
1023
|
"input",
|
786
|
-
"link",
|
787
|
-
"meta",
|
788
|
-
"param",
|
789
1024
|
])
|
790
1025
|
|
791
1026
|
# additional tags we should consider safe since we have libxml2 fixing up our documents.
|