loofah 2.7.0 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce7e800422f2b83325a3c37aeb81c5fcb7f2c6d76d9be1f5228f3d49077643b8
-  data.tar.gz: 6f4a5303926248d42f4e375d59d8d92e60c7fb797762910dd027aa54d8875922
+  metadata.gz: 10f6e8ff06a760da3400cdf8660e6768cfc2e7bbcb34a3ae6aaadea5e29ff924
+  data.tar.gz: 7e0accdb26147612bd7da3abc8fa98a6fac850dbb7a0ee99d20375400de4b877
 SHA512:
-  metadata.gz: 98570a9ed755a285a42b31c05b8f45413b77119162d190c199f2ea8624f1038cff8ce8532e4339e3747410c9ab8ca645b02f237975643d24b4ad3b447336a35a
-  data.tar.gz: '020485b66a1cb57fe1359bfbeec912631a48b268bbeb754b2ff67fa237cbb840d8ad5e66ec8b64b36d869dcf6866bd3c30191e3596a6481fd9a9258b0f4f8d96'
+  metadata.gz: 11b0f4dcad5a9f38444e9eebd45cb09705e536468c901c03d792711133536812f8b0579533eb54a305311d5303fdd4cf510761a9a0d42d0af46bb153d3402a3c
+  data.tar.gz: d6032694eaaaddd47c02868ecb037dc2673b5ebd749a7d8846c2a55e13744f9455a66b41ec16a4cf3c4905e6019df3493972ec462cd04404365ebe202e15e211

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+### 2.9.0 / 2021-01-14
+
+* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
+
+
+### 2.8.0 / 2020-11-25
+
+* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
+
+
 ## 2.7.0 / 2020-08-26
 
 ### Features

data/README.md

@@ -6,10 +6,9 @@
 
 ## Status
 
-|System|Status|
-|--|--|
-| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
-| Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
+[![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master)
+[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
+[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
 
 
 ## Description
@@ -301,6 +300,10 @@ And the mailing list is on Google Groups:
 
 And the IRC channel is \#loofah on freenode.
 
+Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
+
+  [tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
+
 
 ## Security
 

data/lib/loofah.rb

@@ -3,21 +3,22 @@ $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__))) unless $LOAD_PATH.i
 
 require "nokogiri"
 
-require "loofah/metahelpers"
-require "loofah/elements"
+require_relative "loofah/version"
+require_relative "loofah/metahelpers"
+require_relative "loofah/elements"
 
-require "loofah/html5/safelist"
-require "loofah/html5/libxml2_workarounds"
-require "loofah/html5/scrub"
+require_relative "loofah/html5/safelist"
+require_relative "loofah/html5/libxml2_workarounds"
+require_relative "loofah/html5/scrub"
 
-require "loofah/scrubber"
-require "loofah/scrubbers"
+require_relative "loofah/scrubber"
+require_relative "loofah/scrubbers"
 
-require "loofah/instance_methods"
-require "loofah/xml/document"
-require "loofah/xml/document_fragment"
-require "loofah/html/document"
-require "loofah/html/document_fragment"
+require_relative "loofah/instance_methods"
+require_relative "loofah/xml/document"
+require_relative "loofah/xml/document_fragment"
+require_relative "loofah/html/document"
+require_relative "loofah/html/document_fragment"
 
 # == Strings and IO Objects as Input
 #
@@ -28,9 +29,6 @@ require "loofah/html/document_fragment"
 # quantities of docs.
 #
 module Loofah
-  # The version of Loofah you are using
-  VERSION = "2.7.0"
-
   class << self
     # Shortcut for Loofah::HTML::Document.parse
     # This method accepts the same parameters as Nokogiri::HTML::Document.parse

data/lib/loofah/html5/safelist.rb

@@ -549,6 +549,9 @@ module Loofah
 
       ACCEPTABLE_CSS_PROPERTIES = Set.new([
                                             "azimuth",
+                                            "align-content",
+                                            "align-items",
+                                            "align-self",
                                             "background-color",
                                             "border-bottom-color",
                                             "border-collapse",
@@ -562,6 +565,13 @@ module Loofah
                                             "direction",
                                             "display",
                                             "elevation",
+                                            "flex",
+                                            "flex-basis",
+                                            "flex-direction",
+                                            "flex-flow",
+                                            "flex-grow",
+                                            "flex-shrink",
+                                            "flex-wrap",
                                             "float",
                                             "font",
                                             "font-family",
@@ -570,11 +580,13 @@ module Loofah
                                             "font-variant",
                                             "font-weight",
                                             "height",
+                                            "justify-content",
                                             "letter-spacing",
                                             "line-height",
                                             "list-style",
                                             "list-style-type",
                                             "max-width",
+                                            "order",
                                             "overflow",
                                             "page-break-after",
                                             "page-break-before",

data/lib/loofah/html5/scrub.rb

@@ -7,22 +7,22 @@ module Loofah
     module Scrub
       CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
-      CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
+      CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
       CSS_IMPORTANT = '!important'
 
       class << self
         def allowed_element?(element_name)
-          ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name
+          ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
         end
 
         #  alternative implementation of the html5lib attribute scrubbing algorithm
         def scrub_attributes(node)
           node.attribute_nodes.each do |attr_node|
             attr_name = if attr_node.namespace
-                          "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
-                        else
-                          attr_node.node_name
-                        end
+              "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+            else
+              attr_node.node_name
+            end
 
             if attr_name =~ /\Adata-[\w-]+\z/
               next
@@ -58,13 +58,13 @@ module Loofah
             end
           end
 
-          scrub_css_attribute node
+          scrub_css_attribute(node)
 
           node.attribute_nodes.each do |attr_node|
             node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
           end
 
-          force_correct_attribute_escaping! node
+          force_correct_attribute_escaping!(node)
         end
 
         def scrub_css_attribute(node)
@@ -73,33 +73,50 @@ module Loofah
         end
 
         def scrub_css(style)
-          style_tree = Crass.parse_properties style
+          style_tree = Crass.parse_properties(style)
           sanitized_tree = []
 
           style_tree.each do |node|
             next unless node[:node] == :property
             next if node[:children].any? do |child|
-              [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && !SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase))
+              [:url, :bad_url].include?(child[:node])
             end
+
             name = node[:name].downcase
-            if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name)
-              sanitized_tree << node << CRASS_SEMICOLON
-            elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
-              value = node[:value].split.map do |keyword|
-                if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
+            next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) ||
+                SafeList::ALLOWED_SVG_PROPERTIES.include?(name) ||
+                SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
+
+            value = node[:children].map do |child|
+              case child[:node]
+              when :whitespace
+                nil
+              when :string
+                nil
+              when :function
+                if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
+                  Crass::Parser.stringify(child)
+                end
+              when :ident
+                keyword = child[:value]
+                if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) ||
+                   SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) ||
+                   (keyword =~ CSS_KEYWORDISH)
                   keyword
                 end
-              end.compact
-              unless value.empty?
-                value << CSS_IMPORTANT if node[:important]
-                propstring = sprintf "%s:%s", name, value.join(" ")
-                sanitized_node = Crass.parse_properties(propstring).first
-                sanitized_tree << sanitized_node << CRASS_SEMICOLON
+              else
+                child[:raw]
               end
-            end
+            end.compact
+
+            next if value.empty?
+            value << CSS_IMPORTANT if node[:important]
+            propstring = format("%s:%s", name, value.join(" "))
+            sanitized_node = Crass.parse_properties(propstring).first
+            sanitized_tree << sanitized_node << CRASS_SEMICOLON
           end
 
-          Crass::Parser.stringify sanitized_tree
+          Crass::Parser.stringify(sanitized_tree)
         end
 
         #

data/lib/loofah/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Loofah
+  # The version of Loofah you are using
+  VERSION = "2.9.0"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-26 00:00:00.000000000 Z
+date: 2021-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -45,28 +45,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '5.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '5.14'
 - !ruby/object:Gem::Dependency
   name: rr
   requirement: !ruby/object:Gem::Requirement
@@ -87,112 +87,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.3.0
-- !ruby/object:Gem::Dependency
-  name: hoe-gemspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: hoe-debugging
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: hoe-bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
-  name: hoe-git
+  name: concourse
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0.33'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0.33'
 - !ruby/object:Gem::Dependency
-  name: hoe-markdown
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-- !ruby/object:Gem::Dependency
-  name: concourse
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.26.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.26.0
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.76.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.76.0
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -214,19 +144,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '7'
 - !ruby/object:Gem::Dependency
-  name: hoe
+  name: hoe-markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.22'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.22'
+        version: '1.3'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
@@ -238,24 +168,12 @@ email:
 - bryan@brynary.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- CHANGELOG.md
-- MIT-LICENSE.txt
-- Manifest.txt
-- README.md
-- SECURITY.md
+extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- Gemfile
 - MIT-LICENSE.txt
-- Manifest.txt
 - README.md
-- Rakefile
 - SECURITY.md
-- benchmark/benchmark.rb
-- benchmark/fragment.html
-- benchmark/helper.rb
-- benchmark/www.slashdot.com.html
 - lib/loofah.rb
 - lib/loofah/elements.rb
 - lib/loofah/helpers.rb
@@ -268,6 +186,7 @@ files:
 - lib/loofah/metahelpers.rb
 - lib/loofah/scrubber.rb
 - lib/loofah/scrubbers.rb
+- lib/loofah/version.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
 homepage: https://github.com/flavorjones/loofah
@@ -275,14 +194,12 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/flavorjones/loofah
+  source_code_uri: https://github.com/flavorjones/loofah
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
-  documentation_uri: https://www.rubydoc.info/gems/loofah/
   changelog_uri: https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md
-  source_code_uri: https://github.com/flavorjones/loofah
+  documentation_uri: https://www.rubydoc.info/gems/loofah/
 post_install_message: 
-rdoc_options:
-- "--main"
-- README.md
+rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
@@ -296,7 +213,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents