loofah 2.7.0 → 2.19.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +107 -0
  3. data/README.md +13 -12
  4. data/lib/loofah/elements.rb +5 -2
  5. data/lib/loofah/html5/safelist.rb +262 -27
  6. data/lib/loofah/html5/scrub.rb +135 -40
  7. data/lib/loofah/instance_methods.rb +9 -5
  8. data/lib/loofah/scrubber.rb +4 -0
  9. data/lib/loofah/scrubbers.rb +9 -8
  10. data/lib/loofah/version.rb +5 -0
  11. data/lib/loofah.rb +13 -15
  12. metadata +40 -137
  13. data/Gemfile +0 -24
  14. data/Manifest.txt +0 -25
  15. data/Rakefile +0 -97
  16. data/benchmark/benchmark.rb +0 -154
  17. data/benchmark/fragment.html +0 -96
  18. data/benchmark/helper.rb +0 -73
  19. data/benchmark/www.slashdot.com.html +0 -2560
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ce7e800422f2b83325a3c37aeb81c5fcb7f2c6d76d9be1f5228f3d49077643b8
4
- data.tar.gz: 6f4a5303926248d42f4e375d59d8d92e60c7fb797762910dd027aa54d8875922
3
+ metadata.gz: bd3edb0acdf2359d82564aca0bc13710d9f6c49157963d18953ff55bd7c14413
4
+ data.tar.gz: 3a6e11b7deb9cfb469aaf6ec919062687bd4215ef11980bded72ca298807610c
5
5
  SHA512:
6
- metadata.gz: 98570a9ed755a285a42b31c05b8f45413b77119162d190c199f2ea8624f1038cff8ce8532e4339e3747410c9ab8ca645b02f237975643d24b4ad3b447336a35a
7
- data.tar.gz: '020485b66a1cb57fe1359bfbeec912631a48b268bbeb754b2ff67fa237cbb840d8ad5e66ec8b64b36d869dcf6866bd3c30191e3596a6481fd9a9258b0f4f8d96'
6
+ metadata.gz: 4970a6aa72265f60556dd6fd254375c86d3f83be23f3bbcc8b04df00ce0e801e8ef9e67d0a77ca6a21915be89226131c16a7f3540f02538cc2b9a369950dfebf
7
+ data.tar.gz: 27e3a06cc391ec3d9e3c966efdb6b4ce58e98c397ec87490d418406c17757e5cb0193edabaced30a9f24320c729e6730308e346610859f9f7c6d5fcc6f72cd56
data/CHANGELOG.md CHANGED
@@ -1,5 +1,112 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.19.1 / 2022-12-13
4
+
5
+ ### Security
6
+
7
+ * Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
8
+ * Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
9
+ * Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
10
+
11
+
12
+ ## 2.19.0 / 2022-09-14
13
+
14
+ ### Features
15
+
16
+ * Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
17
+
18
+
19
+ ## 2.18.0 / 2022-05-11
20
+
21
+ ### Features
22
+
23
+ * Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
24
+
25
+
26
+ ## 2.17.0 / 2022-04-28
27
+
28
+ ### Features
29
+
30
+ * Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
31
+
32
+
33
+ ## 2.16.0 / 2022-04-01
34
+
35
+ ### Features
36
+
37
+ * Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
38
+
39
+
40
+ ## 2.15.0 / 2022-03-14
41
+
42
+ ### Features
43
+
44
+ * Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
45
+
46
+
47
+ ## 2.14.0 / 2022-02-11
48
+
49
+ ### Features
50
+
51
+ * The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
52
+
53
+
54
+ ## 2.13.0 / 2021-12-10
55
+
56
+ ### Bug fixes
57
+
58
+ * Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
59
+
60
+
61
+ ## 2.12.0 / 2021-08-11
62
+
63
+ ### Features
64
+
65
+ * Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
66
+
67
+
68
+ ## 2.11.0 / 2021-07-31
69
+
70
+ ### Features
71
+
72
+ * Allow HTML5 element `wbr`.
73
+ * Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
74
+
75
+
76
+ ### Changes
77
+
78
+ * Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
79
+ * Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
80
+
81
+
82
+ ## 2.10.0 / 2021-06-06
83
+
84
+ ### Features
85
+
86
+ * Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
87
+
88
+
89
+ ## 2.9.1 / 2021-04-07
90
+
91
+ ### Bug fixes
92
+
93
+ * Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
94
+
95
+
96
+ ## 2.9.0 / 2021-01-14
97
+
98
+ ### Features
99
+
100
+ * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
101
+
102
+
103
+ ## 2.8.0 / 2020-11-25
104
+
105
+ ### Features
106
+
107
+ * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
108
+
109
+
3
110
  ## 2.7.0 / 2020-08-26
4
111
 
5
112
  ### Features
data/README.md CHANGED
@@ -1,15 +1,13 @@
1
1
  # Loofah
2
2
 
3
3
  * https://github.com/flavorjones/loofah
4
- * Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
4
+ * Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
5
5
  * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
6
6
 
7
7
  ## Status
8
8
 
9
- |System|Status|
10
- |--|--|
11
- | Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
12
- | Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
9
+ [![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
10
+ [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
13
11
 
14
12
 
15
13
  ## Description
@@ -135,13 +133,12 @@ and `text` to return plain text:
135
133
  doc.text # => "ohai! div is safe "
136
134
  ```
137
135
 
138
- Also, `to_text` is available, which does the right thing with
139
- whitespace around block-level elements.
136
+ Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
140
137
 
141
138
  ``` ruby
142
- doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
143
- doc.text # => "TitleContent" # probably not what you want
144
- doc.to_text # => "\nTitle\n\nContent\n" # better
139
+ doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
140
+ doc.text # => "TitleContentNext line" # probably not what you want
141
+ doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
145
142
  ```
146
143
 
147
144
  ### Loofah::XML::Document and Loofah::XML::DocumentFragment
@@ -212,7 +209,7 @@ end
212
209
  Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
213
210
  ```
214
211
 
215
- === Built-In HTML Scrubbers
212
+ ### Built-In HTML Scrubbers
216
213
 
217
214
  Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
218
215
  safelist algorithm:
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
301
298
 
302
299
  And the IRC channel is \#loofah on freenode.
303
300
 
301
+ Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
302
+
303
+ [tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
304
+
304
305
 
305
306
  ## Security
306
307
 
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
347
348
 
348
349
  ## Thank You
349
350
 
350
- The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
351
+ The following people have generously funded Loofah:
351
352
 
352
353
  * Bill Harding
353
354
 
data/lib/loofah/elements.rb CHANGED
@@ -70,8 +70,6 @@ module Loofah
70
70
  video
71
71
  ]
72
72
 
73
- STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
74
-
75
73
  # The following elements may also be considered block-level
76
74
  # elements since they may contain block-level elements
77
75
  LOOSE_BLOCK_LEVEL = Set.new %w[dd
@@ -86,7 +84,12 @@ module Loofah
86
84
  tr
87
85
  ]
88
86
 
87
+ # Elements that aren't block but should generate a newline in #to_text
88
+ INLINE_LINE_BREAK = Set.new(["br"])
89
+
90
+ STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
89
91
  BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
92
+ LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
90
93
  end
91
94
 
92
95
  ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
data/lib/loofah/html5/safelist.rb CHANGED
@@ -140,6 +140,7 @@ module Loofah
140
140
  "ul",
141
141
  "var",
142
142
  "video",
143
+ "wbr",
143
144
  ])
144
145
 
145
146
  MATHML_ELEMENTS = Set.new([
@@ -147,6 +148,7 @@ module Loofah
147
148
  "annotation-xml",
148
149
  "maction",
149
150
  "math",
151
+ "menclose",
150
152
  "merror",
151
153
  "mfenced",
152
154
  "mfrac",
@@ -160,6 +162,7 @@ module Loofah
160
162
  "mprescripts",
161
163
  "mroot",
162
164
  "mrow",
165
+ "ms",
163
166
  "mspace",
164
167
  "msqrt",
165
168
  "mstyle",
@@ -312,6 +315,7 @@ module Loofah
312
315
  "columnspacing",
313
316
  "columnspan",
314
317
  "depth",
318
+ "dir",
315
319
  "display",
316
320
  "displaystyle",
317
321
  "encoding",
@@ -322,19 +326,24 @@ module Loofah
322
326
  "fontweight",
323
327
  "frame",
324
328
  "height",
329
+ "href",
325
330
  "linethickness",
331
+ "lquote",
326
332
  "lspace",
327
333
  "mathbackground",
328
334
  "mathcolor",
335
+ "mathsize",
329
336
  "mathvariant",
330
337
  "maxsize",
331
338
  "minsize",
339
+ "notation",
332
340
  "open",
333
341
  "other",
334
342
  "rowalign",
335
343
  "rowlines",
336
344
  "rowspacing",
337
345
  "rowspan",
346
+ "rquote",
338
347
  "rspace",
339
348
  "scriptlevel",
340
349
  "selection",
@@ -503,6 +512,62 @@ module Loofah
503
512
  "zoomAndPan",
504
513
  ])
505
514
 
515
+ ARIA_ATTRIBUTES = Set.new([
516
+ "aria-activedescendant",
517
+ "aria-atomic",
518
+ "aria-autocomplete",
519
+ "aria-braillelabel",
520
+ "aria-brailleroledescription",
521
+ "aria-busy",
522
+ "aria-checked",
523
+ "aria-colcount",
524
+ "aria-colindex",
525
+ "aria-colindextext",
526
+ "aria-colspan",
527
+ "aria-controls",
528
+ "aria-current",
529
+ "aria-describedby",
530
+ "aria-description",
531
+ "aria-details",
532
+ "aria-disabled",
533
+ "aria-dropeffect",
534
+ "aria-errormessage",
535
+ "aria-expanded",
536
+ "aria-flowto",
537
+ "aria-grabbed",
538
+ "aria-haspopup",
539
+ "aria-hidden",
540
+ "aria-invalid",
541
+ "aria-keyshortcuts",
542
+ "aria-label",
543
+ "aria-labelledby",
544
+ "aria-level",
545
+ "aria-live",
546
+ "aria-multiline",
547
+ "aria-multiselectable",
548
+ "aria-orientation",
549
+ "aria-owns",
550
+ "aria-placeholder",
551
+ "aria-posinset",
552
+ "aria-pressed",
553
+ "aria-readonly",
554
+ "aria-relevant",
555
+ "aria-required",
556
+ "aria-roledescription",
557
+ "aria-rowcount",
558
+ "aria-rowindex",
559
+ "aria-rowindextext",
560
+ "aria-rowspan",
561
+ "aria-selected",
562
+ "aria-setsize",
563
+ "aria-sort",
564
+ "aria-valuemax",
565
+ "aria-valuemin",
566
+ "aria-valuenow",
567
+ "aria-valuetext",
568
+ "role",
569
+ ])
570
+
506
571
  ATTR_VAL_IS_URI = Set.new([
507
572
  "action",
508
573
  "cite",
@@ -549,6 +614,10 @@ module Loofah
549
614
 
550
615
  ACCEPTABLE_CSS_PROPERTIES = Set.new([
551
616
  "azimuth",
617
+ "align-content",
618
+ "align-items",
619
+ "align-self",
620
+ "aspect-ratio",
552
621
  "background-color",
553
622
  "border-bottom-color",
554
623
  "border-collapse",
@@ -562,6 +631,13 @@ module Loofah
562
631
  "direction",
563
632
  "display",
564
633
  "elevation",
634
+ "flex",
635
+ "flex-basis",
636
+ "flex-direction",
637
+ "flex-flow",
638
+ "flex-grow",
639
+ "flex-shrink",
640
+ "flex-wrap",
565
641
  "float",
566
642
  "font",
567
643
  "font-family",
@@ -570,12 +646,16 @@ module Loofah
570
646
  "font-variant",
571
647
  "font-weight",
572
648
  "height",
649
+ "justify-content",
573
650
  "letter-spacing",
574
651
  "line-height",
575
652
  "list-style",
576
653
  "list-style-type",
577
654
  "max-width",
655
+ "order",
578
656
  "overflow",
657
+ "overflow-x",
658
+ "overflow-y",
579
659
  "page-break-after",
580
660
  "page-break-before",
581
661
  "page-break-inside",
@@ -604,54 +684,213 @@ module Loofah
604
684
 
605
685
  ACCEPTABLE_CSS_KEYWORDS = Set.new([
606
686
  "!important",
607
- "aqua",
608
687
  "auto",
609
- "black",
610
688
  "block",
611
- "blue",
612
689
  "bold",
613
690
  "both",
614
691
  "bottom",
615
- "brown",
616
692
  "center",
617
693
  "collapse",
618
694
  "dashed",
619
695
  "dotted",
620
696
  "double",
621
- "fuchsia",
622
- "gray",
623
- "green",
624
697
  "groove",
625
698
  "hidden",
699
+ "inherit",
700
+ "initial",
626
701
  "inset",
627
702
  "italic",
628
703
  "left",
629
- "lime",
630
- "maroon",
631
704
  "medium",
632
- "navy",
633
705
  "none",
634
706
  "normal",
635
707
  "nowrap",
636
- "olive",
637
708
  "outset",
638
709
  "pointer",
639
- "purple",
640
- "red",
710
+ "revert",
641
711
  "ridge",
642
712
  "right",
643
- "silver",
713
+ "separate",
644
714
  "solid",
645
- "teal",
646
- "thin",
647
715
  "thick",
716
+ "thin",
648
717
  "top",
649
718
  "transparent",
650
719
  "underline",
651
- "white",
652
- "yellow",
720
+ "unset",
653
721
  ])
654
722
 
723
+ # https://www.w3.org/TR/css-color-3/#html4
724
+ ACCEPTABLE_CSS_COLORS = Set.new([
725
+ "aqua",
726
+ "black",
727
+ "blue",
728
+ "fuchsia",
729
+ "gray",
730
+ "green",
731
+ "lime",
732
+ "maroon",
733
+ "navy",
734
+ "olive",
735
+ "purple",
736
+ "red",
737
+ "silver",
738
+ "teal",
739
+ "white",
740
+ "yellow",
741
+ ])
742
+
743
+ # https://www.w3.org/TR/css-color-3/#svg-color
744
+ ACCEPTABLE_CSS_EXTENDED_COLORS = Set.new([
745
+ "aliceblue",
746
+ "antiquewhite",
747
+ "aqua",
748
+ "aquamarine",
749
+ "azure",
750
+ "beige",
751
+ "bisque",
752
+ "black",
753
+ "blanchedalmond",
754
+ "blue",
755
+ "blueviolet",
756
+ "brown",
757
+ "burlywood",
758
+ "cadetblue",
759
+ "chartreuse",
760
+ "chocolate",
761
+ "coral",
762
+ "cornflowerblue",
763
+ "cornsilk",
764
+ "crimson",
765
+ "cyan",
766
+ "darkblue",
767
+ "darkcyan",
768
+ "darkgoldenrod",
769
+ "darkgray",
770
+ "darkgreen",
771
+ "darkgrey",
772
+ "darkkhaki",
773
+ "darkmagenta",
774
+ "darkolivegreen",
775
+ "darkorange",
776
+ "darkorchid",
777
+ "darkred",
778
+ "darksalmon",
779
+ "darkseagreen",
780
+ "darkslateblue",
781
+ "darkslategray",
782
+ "darkslategrey",
783
+ "darkturquoise",
784
+ "darkviolet",
785
+ "deeppink",
786
+ "deepskyblue",
787
+ "dimgray",
788
+ "dimgrey",
789
+ "dodgerblue",
790
+ "firebrick",
791
+ "floralwhite",
792
+ "forestgreen",
793
+ "fuchsia",
794
+ "gainsboro",
795
+ "ghostwhite",
796
+ "gold",
797
+ "goldenrod",
798
+ "gray",
799
+ "green",
800
+ "greenyellow",
801
+ "grey",
802
+ "honeydew",
803
+ "hotpink",
804
+ "indianred",
805
+ "indigo",
806
+ "ivory",
807
+ "khaki",
808
+ "lavender",
809
+ "lavenderblush",
810
+ "lawngreen",
811
+ "lemonchiffon",
812
+ "lightblue",
813
+ "lightcoral",
814
+ "lightcyan",
815
+ "lightgoldenrodyellow",
816
+ "lightgray",
817
+ "lightgreen",
818
+ "lightgrey",
819
+ "lightpink",
820
+ "lightsalmon",
821
+ "lightseagreen",
822
+ "lightskyblue",
823
+ "lightslategray",
824
+ "lightslategrey",
825
+ "lightsteelblue",
826
+ "lightyellow",
827
+ "lime",
828
+ "limegreen",
829
+ "linen",
830
+ "magenta",
831
+ "maroon",
832
+ "mediumaquamarine",
833
+ "mediumblue",
834
+ "mediumorchid",
835
+ "mediumpurple",
836
+ "mediumseagreen",
837
+ "mediumslateblue",
838
+ "mediumspringgreen",
839
+ "mediumturquoise",
840
+ "mediumvioletred",
841
+ "midnightblue",
842
+ "mintcream",
843
+ "mistyrose",
844
+ "moccasin",
845
+ "navajowhite",
846
+ "navy",
847
+ "oldlace",
848
+ "olive",
849
+ "olivedrab",
850
+ "orange",
851
+ "orangered",
852
+ "orchid",
853
+ "palegoldenrod",
854
+ "palegreen",
855
+ "paleturquoise",
856
+ "palevioletred",
857
+ "papayawhip",
858
+ "peachpuff",
859
+ "peru",
860
+ "pink",
861
+ "plum",
862
+ "powderblue",
863
+ "purple",
864
+ "red",
865
+ "rosybrown",
866
+ "royalblue",
867
+ "saddlebrown",
868
+ "salmon",
869
+ "sandybrown",
870
+ "seagreen",
871
+ "seashell",
872
+ "sienna",
873
+ "silver",
874
+ "skyblue",
875
+ "slateblue",
876
+ "slategray",
877
+ "slategrey",
878
+ "snow",
879
+ "springgreen",
880
+ "steelblue",
881
+ "tan",
882
+ "teal",
883
+ "thistle",
884
+ "tomato",
885
+ "turquoise",
886
+ "violet",
887
+ "wheat",
888
+ "white",
889
+ "whitesmoke",
890
+ "yellow",
891
+ "yellowgreen",
892
+ ])
893
+
655
894
  # see https://www.quackit.com/css/functions/
656
895
  # omit `url` and `image` from that list
657
896
  ACCEPTABLE_CSS_FUNCTIONS = Set.new([
@@ -746,6 +985,7 @@ module Loofah
746
985
  "rsync",
747
986
  "rtsp",
748
987
  "sftp",
988
+ "sms",
749
989
  "ssh",
750
990
  "tag",
751
991
  "tel",
@@ -759,33 +999,28 @@ module Loofah
759
999
  "image/gif",
760
1000
  "image/jpeg",
761
1001
  "image/png",
762
- "image/svg+xml",
763
1002
  "text/css",
764
1003
  "text/plain",
765
1004
  ])
766
1005
 
767
1006
  # subclasses may define their own versions of these constants
768
1007
  ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
769
- ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
1008
+ ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
770
1009
  ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
771
- ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
1010
+ ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS + ACCEPTABLE_CSS_COLORS + ACCEPTABLE_CSS_EXTENDED_COLORS
772
1011
  ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
773
1012
  ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
774
1013
  ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
775
1014
  ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
776
1015
 
1016
+ # TODO: remove VOID_ELEMENTS in a future major release
1017
+ # and put it in the tests (it is used only for testing, not for functional behavior)
777
1018
  VOID_ELEMENTS = Set.new([
778
1019
  "area",
779
- "base",
780
1020
  "br",
781
- "col",
782
- "embed",
783
1021
  "hr",
784
1022
  "img",
785
1023
  "input",
786
- "link",
787
- "meta",
788
- "param",
789
1024
  ])
790
1025
 
791
1026
  # additional tags we should consider safe since we have libxml2 fixing up our documents.