loofah 2.8.0 → 2.11.0


Potentially problematic release.



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: af120a1d5829e0f0a9676dddd8b9b112a432c6f05c65b2522d8d1aafe8bde311
4
- data.tar.gz: a19cfbdb4c3751332d471478718ae384dde5ef970ac482f5f0fb2a027561c0d6
3
+ metadata.gz: 522ebc47f9d42ec64069bb77099c6eb6e96de6d70f73ba62f126227a38f1cdb4
4
+ data.tar.gz: d558598dfe8cf3af9fa6b7075faf463dcffa68611404869334d3c66a81587074
5
5
  SHA512:
6
- metadata.gz: 93bbb41db6d1edd130d6c83fba87e70c145ec01f57120b406096ae56e7993f56803e04d40ee50faaf2f48fb3a2f6d704e5659923d8e5c04f62f6989591e37fa4
7
- data.tar.gz: 8d7fd16c9ba849ae552c22bc37795efc1b1382d8ef83816ad2f66a868d7e9628562e7581af67a5ab7c5ab50ff7da26ebbb13b7b38099da72859583cd5ef1aa3b
6
+ metadata.gz: 13254497bb7b9b04b72aaabdf7c1297a0f732612e85c241b820c8e21861acfa9716d51b205aa972281602ce5582e85913ed682761f4ca228b1bd5919c23e10e4
7
+ data.tar.gz: d7d9e41f40f65b93aeeed8561d058df6fb0757cdb80f0380d1db19b2c705cfae032f7f254c1a58142b8c8e32cda27d9e3c1b501859ff1714ed30f2c5c0e107d2
data/CHANGELOG.md CHANGED
@@ -1,6 +1,43 @@
1
1
  # Changelog
2
2
 
3
- ### 2.8.0 / 2020-11-25
3
+ ## 2.11.0 / 2021-07-31
4
+
5
+ ### Features
6
+
7
+ * Allow HTML5 element `wbr`.
8
+ * Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
9
+
10
+
11
+ ### Changes
12
+
13
+ * Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
14
+ * Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
15
+
16
+
17
+ ## 2.10.0 / 2021-06-06
18
+
19
+ ### Features
20
+
21
+ * Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
22
+
23
+
24
+ ## 2.9.1 / 2021-04-07
25
+
26
+ ### Bug fixes
27
+
28
+ * Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
29
+
30
+
31
+ ## 2.9.0 / 2021-01-14
32
+
33
+ ### Features
34
+
35
+ * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
36
+
37
+
38
+ ## 2.8.0 / 2020-11-25
39
+
40
+ ### Features
4
41
 
5
42
  * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
6
43
 
data/README.md CHANGED
@@ -1,13 +1,12 @@
1
1
  # Loofah
2
2
 
3
3
  * https://github.com/flavorjones/loofah
4
- * Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
4
+ * Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
5
5
  * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
6
6
 
7
7
  ## Status
8
8
 
9
- [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master)
10
- [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
9
+ [![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
11
10
  [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
12
11
 
13
12
 
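Review bot: the `+ * Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames` line is rewritten for the branch rename but keeps the plain `http://` scheme; since the line is touched anyway, change it to `https://rubydoc.info/github/flavorjones/loofah/main/frames` so the README's documentation link matches the `https://` used by the CI badge and the Tidelift link on the neighbouring lines.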
@@ -211,7 +210,7 @@ end
211
210
  Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
212
211
  ```
213
212
 
214
- === Built-In HTML Scrubbers
213
+ ### Built-In HTML Scrubbers
215
214
 
216
215
  Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
217
216
  safelist algorithm:
@@ -140,6 +140,7 @@ module Loofah
140
140
  "ul",
141
141
  "var",
142
142
  "video",
143
+ "wbr",
143
144
  ])
144
145
 
145
146
  MATHML_ELEMENTS = Set.new([
@@ -588,6 +589,8 @@ module Loofah
588
589
  "max-width",
589
590
  "order",
590
591
  "overflow",
592
+ "overflow-x",
593
+ "overflow-y",
591
594
  "page-break-after",
592
595
  "page-break-before",
593
596
  "page-break-inside",
@@ -635,6 +638,8 @@ module Loofah
635
638
  "green",
636
639
  "groove",
637
640
  "hidden",
641
+ "inherit",
642
+ "initial",
638
643
  "inset",
639
644
  "italic",
640
645
  "left",
@@ -650,16 +655,19 @@ module Loofah
650
655
  "pointer",
651
656
  "purple",
652
657
  "red",
658
+ "revert",
653
659
  "ridge",
654
660
  "right",
661
+ "separate",
655
662
  "silver",
656
663
  "solid",
657
664
  "teal",
658
- "thin",
659
665
  "thick",
666
+ "thin",
660
667
  "top",
661
668
  "transparent",
662
669
  "underline",
670
+ "unset",
663
671
  "white",
664
672
  "yellow",
665
673
  ])
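Review bot: the keywords added in this hunk (`inherit`, `initial`, `revert`, `unset`, `separate`) go into the shared keyword list, so they become acceptable `:ident` values for every shorthand property that consults it, not only for `border-collapse` as the 2.11.0 changelog line "Allow all CSS property values for `border-collapse`" suggests; reword that changelog entry to say the CSS-wide keywords are now allowed generally. The `- "thin"` / `+ "thin"` move only restores alphabetical order after `thick` and is behaviour-neutral, so it needs no entry.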
@@ -786,18 +794,14 @@ module Loofah
786
794
  ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
787
795
  ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
788
796
 
797
+ # TODO: remove VOID_ELEMENTS in a future major release
798
+ # and put it in the tests (it is used only for testing, not for functional behavior)
789
799
  VOID_ELEMENTS = Set.new([
790
800
  "area",
791
- "base",
792
801
  "br",
793
- "col",
794
- "embed",
795
802
  "hr",
796
803
  "img",
797
804
  "input",
798
- "link",
799
- "meta",
800
- "param",
801
805
  ])
802
806
 
803
807
  # additional tags we should consider safe since we have libxml2 fixing up our documents.
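Review bot: the `+ # TODO: remove VOID_ELEMENTS in a future major release` comment records the deprecation, but `VOID_ELEMENTS` remains a public constant under `Loofah::HTML5::SafeList` and this hunk silently drops `base`, `col`, `embed`, `link`, `meta` and `param` from it, so any downstream code that tests membership in it gets a different answer with no signal. Since the changelog announces it as deprecated, pair the comment with `deprecate_constant :VOID_ELEMENTS` (standard `Module#deprecate_constant`) so callers see a warning, and mention in the comment that the list is not a canonical HTML5 void-element list (for example, the `wbr` element added to the allowed elements in this same release is void in HTML5 but is not listed here).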
@@ -7,22 +7,23 @@ module Loofah
7
7
  module Scrub
8
8
  CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
9
9
  CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
10
- CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }
10
+ CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
11
11
  CSS_IMPORTANT = '!important'
12
+ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
12
13
 
13
14
  class << self
14
15
  def allowed_element?(element_name)
15
- ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name
16
+ ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
16
17
  end
17
18
 
18
19
  # alternative implementation of the html5lib attribute scrubbing algorithm
19
20
  def scrub_attributes(node)
20
21
  node.attribute_nodes.each do |attr_node|
21
22
  attr_name = if attr_node.namespace
22
- "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
23
- else
24
- attr_node.node_name
25
- end
23
+ "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
24
+ else
25
+ attr_node.node_name
26
+ end
26
27
 
27
28
  if attr_name =~ /\Adata-[\w-]+\z/
28
29
  next
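Review bot: the new `+ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/` constant needs a comment stating what it rejects, because its consequences are not obvious from the name: `[^"']+` requires at least one non-quote character, so an empty string token (`""` or `''`) does not match and is dropped from the property value, and any string whose body contains a backslash-escaped quote (such as `"a\"b"`) is rejected outright rather than re-escaped. Both are the conservative outcome for a sanitizer, but they should be documented and covered by a test so that the 2.9.1 regression ("inappropriately removed CSS properties with quoted string values") does not come back in a different shape. The leading `(["'])?` is optional, so an unquoted raw value also matches with `\1` empty; if that case can never reach this regex, a comment saying so would help the next reader.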
@@ -58,13 +59,13 @@ module Loofah
58
59
  end
59
60
  end
60
61
 
61
- scrub_css_attribute node
62
+ scrub_css_attribute(node)
62
63
 
63
64
  node.attribute_nodes.each do |attr_node|
64
65
  node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
65
66
  end
66
67
 
67
- force_correct_attribute_escaping! node
68
+ force_correct_attribute_escaping!(node)
68
69
  end
69
70
 
70
71
  def scrub_css_attribute(node)
@@ -73,33 +74,54 @@ module Loofah
73
74
  end
74
75
 
75
76
  def scrub_css(style)
76
- style_tree = Crass.parse_properties style
77
+ style_tree = Crass.parse_properties(style)
77
78
  sanitized_tree = []
78
79
 
79
80
  style_tree.each do |node|
80
81
  next unless node[:node] == :property
81
82
  next if node[:children].any? do |child|
82
- [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && !SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase))
83
+ [:url, :bad_url].include?(child[:node])
83
84
  end
85
+
84
86
  name = node[:name].downcase
85
- if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name)
86
- sanitized_tree << node << CRASS_SEMICOLON
87
- elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
88
- value = node[:value].split.map do |keyword|
89
- if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
87
+ next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) ||
88
+ SafeList::ALLOWED_SVG_PROPERTIES.include?(name) ||
89
+ SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
90
+
91
+ value = node[:children].map do |child|
92
+ case child[:node]
93
+ when :whitespace
94
+ nil
95
+ when :string
96
+ if child[:raw] =~ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES
97
+ Crass::Parser.stringify(child)
98
+ else
99
+ nil
100
+ end
101
+ when :function
102
+ if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
103
+ Crass::Parser.stringify(child)
104
+ end
105
+ when :ident
106
+ keyword = child[:value]
107
+ if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) ||
108
+ SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) ||
109
+ (keyword =~ CSS_KEYWORDISH)
90
110
  keyword
91
111
  end
92
- end.compact
93
- unless value.empty?
94
- value << CSS_IMPORTANT if node[:important]
95
- propstring = sprintf "%s:%s", name, value.join(" ")
96
- sanitized_node = Crass.parse_properties(propstring).first
97
- sanitized_tree << sanitized_node << CRASS_SEMICOLON
112
+ else
113
+ child[:raw]
98
114
  end
99
- end
115
+ end.compact
116
+
117
+ next if value.empty?
118
+ value << CSS_IMPORTANT if node[:important]
119
+ propstring = format("%s:%s", name, value.join(" "))
120
+ sanitized_node = Crass.parse_properties(propstring).first
121
+ sanitized_tree << sanitized_node << CRASS_SEMICOLON
100
122
  end
101
123
 
102
- Crass::Parser.stringify sanitized_tree
124
+ Crass::Parser.stringify(sanitized_tree)
103
125
  end
104
126
 
105
127
  #
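Review bot: the `+ else` / `+ child[:raw]` arm at the end of the new `case child[:node]` passes every token type other than `:whitespace`, `:string`, `:function` and `:ident` through by its raw text with no check. For shorthand properties that is wider than the code it replaces: the removed `- value = node[:value].split.map do |keyword|` loop kept a whitespace-separated token only if it was in `SafeList::ALLOWED_CSS_KEYWORDS` or matched `CSS_KEYWORDISH`, whereas now a `:dimension`, `:number`, `:percentage`, `:hash` or `:delim` child of a shorthand declaration reaches `propstring` unfiltered. Either apply `CSS_KEYWORDISH` to the `else` arm when `SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)` is true, or add tests that pin down the intended acceptance for shorthand values. Two further behaviour changes in this hunk deserve a changelog line and a test: a disallowed function now yields `nil` in the `when :function` branch and only that child is dropped, while the removed `- [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && ...)` check discarded the whole declaration; and the `next if node[:children].any?` guard still looks only at direct children, so an allowed function is emitted wholesale by `Crass::Parser.stringify(child)` together with whatever is nested inside it. The later `Crass.parse_properties(propstring)` round-trip normalises the text but does not re-run the safelist, so it cannot be relied on to catch either case.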
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
  module Loofah
3
3
  # The version of Loofah you are using
4
- VERSION = "2.8.0"
4
+ VERSION = "2.11.0"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: loofah
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.8.0
4
+ version: 2.11.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Dalessio
@@ -9,22 +9,8 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2020-11-25 00:00:00.000000000 Z
12
+ date: 2021-07-31 00:00:00.000000000 Z
13
13
  dependencies:
14
- - !ruby/object:Gem::Dependency
15
- name: nokogiri
16
- requirement: !ruby/object:Gem::Requirement
17
- requirements:
18
- - - ">="
19
- - !ruby/object:Gem::Version
20
- version: 1.5.9
21
- type: :runtime
22
- prerelease: false
23
- version_requirements: !ruby/object:Gem::Requirement
24
- requirements:
25
- - - ">="
26
- - !ruby/object:Gem::Version
27
- version: 1.5.9
28
14
  - !ruby/object:Gem::Dependency
29
15
  name: crass
30
16
  requirement: !ruby/object:Gem::Requirement
@@ -40,47 +26,33 @@ dependencies:
40
26
  - !ruby/object:Gem::Version
41
27
  version: 1.0.2
42
28
  - !ruby/object:Gem::Dependency
43
- name: rake
44
- requirement: !ruby/object:Gem::Requirement
45
- requirements:
46
- - - "~>"
47
- - !ruby/object:Gem::Version
48
- version: '13.0'
49
- type: :development
50
- prerelease: false
51
- version_requirements: !ruby/object:Gem::Requirement
52
- requirements:
53
- - - "~>"
54
- - !ruby/object:Gem::Version
55
- version: '13.0'
56
- - !ruby/object:Gem::Dependency
57
- name: minitest
29
+ name: nokogiri
58
30
  requirement: !ruby/object:Gem::Requirement
59
31
  requirements:
60
- - - "~>"
32
+ - - ">="
61
33
  - !ruby/object:Gem::Version
62
- version: '5.14'
63
- type: :development
34
+ version: 1.5.9
35
+ type: :runtime
64
36
  prerelease: false
65
37
  version_requirements: !ruby/object:Gem::Requirement
66
38
  requirements:
67
- - - "~>"
39
+ - - ">="
68
40
  - !ruby/object:Gem::Version
69
- version: '5.14'
41
+ version: 1.5.9
70
42
  - !ruby/object:Gem::Dependency
71
- name: rr
43
+ name: hoe-markdown
72
44
  requirement: !ruby/object:Gem::Requirement
73
45
  requirements:
74
46
  - - "~>"
75
47
  - !ruby/object:Gem::Version
76
- version: 1.2.0
48
+ version: '1.3'
77
49
  type: :development
78
50
  prerelease: false
79
51
  version_requirements: !ruby/object:Gem::Requirement
80
52
  requirements:
81
53
  - - "~>"
82
54
  - !ruby/object:Gem::Version
83
- version: 1.2.0
55
+ version: '1.3'
84
56
  - !ruby/object:Gem::Dependency
85
57
  name: json
86
58
  requirement: !ruby/object:Gem::Requirement
@@ -96,33 +68,33 @@ dependencies:
96
68
  - !ruby/object:Gem::Version
97
69
  version: '2.2'
98
70
  - !ruby/object:Gem::Dependency
99
- name: concourse
71
+ name: minitest
100
72
  requirement: !ruby/object:Gem::Requirement
101
73
  requirements:
102
74
  - - "~>"
103
75
  - !ruby/object:Gem::Version
104
- version: '0.33'
76
+ version: '5.14'
105
77
  type: :development
106
78
  prerelease: false
107
79
  version_requirements: !ruby/object:Gem::Requirement
108
80
  requirements:
109
81
  - - "~>"
110
82
  - !ruby/object:Gem::Version
111
- version: '0.33'
83
+ version: '5.14'
112
84
  - !ruby/object:Gem::Dependency
113
- name: rubocop
85
+ name: rake
114
86
  requirement: !ruby/object:Gem::Requirement
115
87
  requirements:
116
88
  - - "~>"
117
89
  - !ruby/object:Gem::Version
118
- version: '1.1'
90
+ version: '13.0'
119
91
  type: :development
120
92
  prerelease: false
121
93
  version_requirements: !ruby/object:Gem::Requirement
122
94
  requirements:
123
95
  - - "~>"
124
96
  - !ruby/object:Gem::Version
125
- version: '1.1'
97
+ version: '13.0'
126
98
  - !ruby/object:Gem::Dependency
127
99
  name: rdoc
128
100
  requirement: !ruby/object:Gem::Requirement
@@ -144,19 +116,33 @@ dependencies:
144
116
  - !ruby/object:Gem::Version
145
117
  version: '7'
146
118
  - !ruby/object:Gem::Dependency
147
- name: hoe-markdown
119
+ name: rr
148
120
  requirement: !ruby/object:Gem::Requirement
149
121
  requirements:
150
122
  - - "~>"
151
123
  - !ruby/object:Gem::Version
152
- version: '1.3'
124
+ version: 1.2.0
153
125
  type: :development
154
126
  prerelease: false
155
127
  version_requirements: !ruby/object:Gem::Requirement
156
128
  requirements:
157
129
  - - "~>"
158
130
  - !ruby/object:Gem::Version
159
- version: '1.3'
131
+ version: 1.2.0
132
+ - !ruby/object:Gem::Dependency
133
+ name: rubocop
134
+ requirement: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - "~>"
137
+ - !ruby/object:Gem::Version
138
+ version: '1.1'
139
+ type: :development
140
+ prerelease: false
141
+ version_requirements: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - "~>"
144
+ - !ruby/object:Gem::Version
145
+ version: '1.1'
160
146
  description: |-
161
147
  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
162
148
 
@@ -196,7 +182,7 @@ metadata:
196
182
  homepage_uri: https://github.com/flavorjones/loofah
197
183
  source_code_uri: https://github.com/flavorjones/loofah
198
184
  bug_tracker_uri: https://github.com/flavorjones/loofah/issues
199
- changelog_uri: https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md
185
+ changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
200
186
  documentation_uri: https://www.rubydoc.info/gems/loofah/
201
187
  post_install_message:
202
188
  rdoc_options: []
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
213
199
  - !ruby/object:Gem::Version
214
200
  version: '0'
215
201
  requirements: []
216
- rubygems_version: 3.1.4
202
+ rubygems_version: 3.2.15
217
203
  signing_key:
218
204
  specification_version: 4
219
205
  summary: Loofah is a general library for manipulating and transforming HTML/XML documents