loofah 2.8.0 → 2.11.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +38 -1
- data/README.md +3 -4
- data/lib/loofah/html5/safelist.rb +11 -7
- data/lib/loofah/html5/scrub.rb +45 -23
- data/lib/loofah/version.rb +1 -1
- metadata +36 -50
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 522ebc47f9d42ec64069bb77099c6eb6e96de6d70f73ba62f126227a38f1cdb4
|
4
|
+
data.tar.gz: d558598dfe8cf3af9fa6b7075faf463dcffa68611404869334d3c66a81587074
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 13254497bb7b9b04b72aaabdf7c1297a0f732612e85c241b820c8e21861acfa9716d51b205aa972281602ce5582e85913ed682761f4ca228b1bd5919c23e10e4
|
7
|
+
data.tar.gz: d7d9e41f40f65b93aeeed8561d058df6fb0757cdb80f0380d1db19b2c705cfae032f7f254c1a58142b8c8e32cda27d9e3c1b501859ff1714ed30f2c5c0e107d2
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,43 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
-
|
3
|
+
## 2.11.0 / 2021-07-31
|
4
|
+
|
5
|
+
### Features
|
6
|
+
|
7
|
+
* Allow HTML5 element `wbr`.
|
8
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
9
|
+
|
10
|
+
|
11
|
+
### Changes
|
12
|
+
|
13
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
14
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
15
|
+
|
16
|
+
|
17
|
+
## 2.10.0 / 2021-06-06
|
18
|
+
|
19
|
+
### Features
|
20
|
+
|
21
|
+
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
|
22
|
+
|
23
|
+
|
24
|
+
## 2.9.1 / 2021-04-07
|
25
|
+
|
26
|
+
### Bug fixes
|
27
|
+
|
28
|
+
* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
|
29
|
+
|
30
|
+
|
31
|
+
## 2.9.0 / 2021-01-14
|
32
|
+
|
33
|
+
### Features
|
34
|
+
|
35
|
+
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
|
36
|
+
|
37
|
+
|
38
|
+
## 2.8.0 / 2020-11-25
|
39
|
+
|
40
|
+
### Features
|
4
41
|
|
5
42
|
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
|
6
43
|
|
data/README.md
CHANGED
@@ -1,13 +1,12 @@
|
|
1
1
|
# Loofah
|
2
2
|
|
3
3
|
* https://github.com/flavorjones/loofah
|
4
|
-
* Docs: http://rubydoc.info/github/flavorjones/loofah/
|
4
|
+
* Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
|
5
5
|
* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
|
6
6
|
|
7
7
|
## Status
|
8
8
|
|
9
|
-
[![
|
10
|
-
[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
|
9
|
+
[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
|
11
10
|
[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
|
12
11
|
|
13
12
|
|
@@ -211,7 +210,7 @@ end
|
|
211
210
|
Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
|
212
211
|
```
|
213
212
|
|
214
|
-
|
213
|
+
### Built-In HTML Scrubbers
|
215
214
|
|
216
215
|
Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
|
217
216
|
safelist algorithm:
|
@@ -140,6 +140,7 @@ module Loofah
|
|
140
140
|
"ul",
|
141
141
|
"var",
|
142
142
|
"video",
|
143
|
+
"wbr",
|
143
144
|
])
|
144
145
|
|
145
146
|
MATHML_ELEMENTS = Set.new([
|
@@ -588,6 +589,8 @@ module Loofah
|
|
588
589
|
"max-width",
|
589
590
|
"order",
|
590
591
|
"overflow",
|
592
|
+
"overflow-x",
|
593
|
+
"overflow-y",
|
591
594
|
"page-break-after",
|
592
595
|
"page-break-before",
|
593
596
|
"page-break-inside",
|
@@ -635,6 +638,8 @@ module Loofah
|
|
635
638
|
"green",
|
636
639
|
"groove",
|
637
640
|
"hidden",
|
641
|
+
"inherit",
|
642
|
+
"initial",
|
638
643
|
"inset",
|
639
644
|
"italic",
|
640
645
|
"left",
|
@@ -650,16 +655,19 @@ module Loofah
|
|
650
655
|
"pointer",
|
651
656
|
"purple",
|
652
657
|
"red",
|
658
|
+
"revert",
|
653
659
|
"ridge",
|
654
660
|
"right",
|
661
|
+
"separate",
|
655
662
|
"silver",
|
656
663
|
"solid",
|
657
664
|
"teal",
|
658
|
-
"thin",
|
659
665
|
"thick",
|
666
|
+
"thin",
|
660
667
|
"top",
|
661
668
|
"transparent",
|
662
669
|
"underline",
|
670
|
+
"unset",
|
663
671
|
"white",
|
664
672
|
"yellow",
|
665
673
|
])
|
@@ -786,18 +794,14 @@ module Loofah
|
|
786
794
|
ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
|
787
795
|
ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
|
788
796
|
|
797
|
+
# TODO: remove VOID_ELEMENTS in a future major release
|
798
|
+
# and put it in the tests (it is used only for testing, not for functional behavior)
|
789
799
|
VOID_ELEMENTS = Set.new([
|
790
800
|
"area",
|
791
|
-
"base",
|
792
801
|
"br",
|
793
|
-
"col",
|
794
|
-
"embed",
|
795
802
|
"hr",
|
796
803
|
"img",
|
797
804
|
"input",
|
798
|
-
"link",
|
799
|
-
"meta",
|
800
|
-
"param",
|
801
805
|
])
|
802
806
|
|
803
807
|
# additional tags we should consider safe since we have libxml2 fixing up our documents.
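Review bot: `VOID_ELEMENTS` is marked in the new comment as slated for removal (and the changelog calls it deprecated), yet nothing in the hunk emits a deprecation signal, so downstream code that references `Loofah::HTML5::SafeList::VOID_ELEMENTS` keeps working silently until the removal breaks it; adding `deprecate_constant :VOID_ELEMENTS` directly after the `])` that closes the set would make Ruby warn on each access. The `module` enclosing these hunks opens outside them, and the hunks carry no file header on this page — by the diffstat they presumably belong to data/lib/loofah/html5/safelist.rb rather than README.md. Separately, the additions of `"wbr"` and of the CSS keywords `inherit`, `initial`, `revert`, `separate` and `unset` each widen the safelist, and a short comment on each citing the changelog entry that motivated it (for example #201 for `border-collapse`) would let later reviewers see why the token is considered safe without digging through history.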
|
data/lib/loofah/html5/scrub.rb
CHANGED
@@ -7,22 +7,23 @@ module Loofah
|
|
7
7
|
module Scrub
|
8
8
|
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
|
9
9
|
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
|
10
|
-
CRASS_SEMICOLON = { :
|
10
|
+
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
|
11
11
|
CSS_IMPORTANT = '!important'
|
12
|
+
CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
|
12
13
|
|
13
14
|
class << self
|
14
15
|
def allowed_element?(element_name)
|
15
|
-
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?
|
16
|
+
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
|
16
17
|
end
|
17
18
|
|
18
19
|
# alternative implementation of the html5lib attribute scrubbing algorithm
|
19
20
|
def scrub_attributes(node)
|
20
21
|
node.attribute_nodes.each do |attr_node|
|
21
22
|
attr_name = if attr_node.namespace
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
23
|
+
"#{attr_node.namespace.prefix}:#{attr_node.node_name}"
|
24
|
+
else
|
25
|
+
attr_node.node_name
|
26
|
+
end
|
26
27
|
|
27
28
|
if attr_name =~ /\Adata-[\w-]+\z/
|
28
29
|
next
|
@@ -58,13 +59,13 @@ module Loofah
|
|
58
59
|
end
|
59
60
|
end
|
60
61
|
|
61
|
-
scrub_css_attribute
|
62
|
+
scrub_css_attribute(node)
|
62
63
|
|
63
64
|
node.attribute_nodes.each do |attr_node|
|
64
65
|
node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
|
65
66
|
end
|
66
67
|
|
67
|
-
force_correct_attribute_escaping!
|
68
|
+
force_correct_attribute_escaping!(node)
|
68
69
|
end
|
69
70
|
|
70
71
|
def scrub_css_attribute(node)
|
@@ -73,33 +74,54 @@ module Loofah
|
|
73
74
|
end
|
74
75
|
|
75
76
|
def scrub_css(style)
|
76
|
-
style_tree = Crass.parse_properties
|
77
|
+
style_tree = Crass.parse_properties(style)
|
77
78
|
sanitized_tree = []
|
78
79
|
|
79
80
|
style_tree.each do |node|
|
80
81
|
next unless node[:node] == :property
|
81
82
|
next if node[:children].any? do |child|
|
82
|
-
[:url, :bad_url].include?(child[:node])
|
83
|
+
[:url, :bad_url].include?(child[:node])
|
83
84
|
end
|
85
|
+
|
84
86
|
name = node[:name].downcase
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
87
|
+
next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) ||
|
88
|
+
SafeList::ALLOWED_SVG_PROPERTIES.include?(name) ||
|
89
|
+
SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
|
90
|
+
|
91
|
+
value = node[:children].map do |child|
|
92
|
+
case child[:node]
|
93
|
+
when :whitespace
|
94
|
+
nil
|
95
|
+
when :string
|
96
|
+
if child[:raw] =~ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES
|
97
|
+
Crass::Parser.stringify(child)
|
98
|
+
else
|
99
|
+
nil
|
100
|
+
end
|
101
|
+
when :function
|
102
|
+
if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
|
103
|
+
Crass::Parser.stringify(child)
|
104
|
+
end
|
105
|
+
when :ident
|
106
|
+
keyword = child[:value]
|
107
|
+
if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) ||
|
108
|
+
SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) ||
|
109
|
+
(keyword =~ CSS_KEYWORDISH)
|
90
110
|
keyword
|
91
111
|
end
|
92
|
-
|
93
|
-
|
94
|
-
value << CSS_IMPORTANT if node[:important]
|
95
|
-
propstring = sprintf "%s:%s", name, value.join(" ")
|
96
|
-
sanitized_node = Crass.parse_properties(propstring).first
|
97
|
-
sanitized_tree << sanitized_node << CRASS_SEMICOLON
|
112
|
+
else
|
113
|
+
child[:raw]
|
98
114
|
end
|
99
|
-
end
|
115
|
+
end.compact
|
116
|
+
|
117
|
+
next if value.empty?
|
118
|
+
value << CSS_IMPORTANT if node[:important]
|
119
|
+
propstring = format("%s:%s", name, value.join(" "))
|
120
|
+
sanitized_node = Crass.parse_properties(propstring).first
|
121
|
+
sanitized_tree << sanitized_node << CRASS_SEMICOLON
|
100
122
|
end
|
101
123
|
|
102
|
-
Crass::Parser.stringify
|
124
|
+
Crass::Parser.stringify(sanitized_tree)
|
103
125
|
end
|
104
126
|
|
105
127
|
#
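Review bot: `SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)` is evaluated twice in scrub_css — once in the `next unless` guard and again inside the `:ident` branch for every identifier child — so the two sites can drift apart and the split is repeated per token; hoisting it once after `name = node[:name].downcase` as `shorthand = SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)` and using `shorthand` in both places keeps a single source of truth. The trailing `else child[:raw]` is a default-allow for every token type not handled above (presumably numbers, dimensions, percentages, hashes, commas and delims) and deserves a comment saying so, e.g. `# any other token type is passed through verbatim; the re-parse of propstring below is the only later check`, since anything Crass emits with a `:raw` key reaches the output through this branch. The `:function` arm relies on an implicit nil for a disallowed function name, which `.compact` then drops; an explicit `else nil` mirroring the `:string` arm would make that intent visible to the next reader.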
|
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.11.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
@@ -9,22 +9,8 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2021-07-31 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
|
-
- !ruby/object:Gem::Dependency
|
15
|
-
name: nokogiri
|
16
|
-
requirement: !ruby/object:Gem::Requirement
|
17
|
-
requirements:
|
18
|
-
- - ">="
|
19
|
-
- !ruby/object:Gem::Version
|
20
|
-
version: 1.5.9
|
21
|
-
type: :runtime
|
22
|
-
prerelease: false
|
23
|
-
version_requirements: !ruby/object:Gem::Requirement
|
24
|
-
requirements:
|
25
|
-
- - ">="
|
26
|
-
- !ruby/object:Gem::Version
|
27
|
-
version: 1.5.9
|
28
14
|
- !ruby/object:Gem::Dependency
|
29
15
|
name: crass
|
30
16
|
requirement: !ruby/object:Gem::Requirement
|
@@ -40,47 +26,33 @@ dependencies:
|
|
40
26
|
- !ruby/object:Gem::Version
|
41
27
|
version: 1.0.2
|
42
28
|
- !ruby/object:Gem::Dependency
|
43
|
-
name:
|
44
|
-
requirement: !ruby/object:Gem::Requirement
|
45
|
-
requirements:
|
46
|
-
- - "~>"
|
47
|
-
- !ruby/object:Gem::Version
|
48
|
-
version: '13.0'
|
49
|
-
type: :development
|
50
|
-
prerelease: false
|
51
|
-
version_requirements: !ruby/object:Gem::Requirement
|
52
|
-
requirements:
|
53
|
-
- - "~>"
|
54
|
-
- !ruby/object:Gem::Version
|
55
|
-
version: '13.0'
|
56
|
-
- !ruby/object:Gem::Dependency
|
57
|
-
name: minitest
|
29
|
+
name: nokogiri
|
58
30
|
requirement: !ruby/object:Gem::Requirement
|
59
31
|
requirements:
|
60
|
-
- - "
|
32
|
+
- - ">="
|
61
33
|
- !ruby/object:Gem::Version
|
62
|
-
version:
|
63
|
-
type: :
|
34
|
+
version: 1.5.9
|
35
|
+
type: :runtime
|
64
36
|
prerelease: false
|
65
37
|
version_requirements: !ruby/object:Gem::Requirement
|
66
38
|
requirements:
|
67
|
-
- - "
|
39
|
+
- - ">="
|
68
40
|
- !ruby/object:Gem::Version
|
69
|
-
version:
|
41
|
+
version: 1.5.9
|
70
42
|
- !ruby/object:Gem::Dependency
|
71
|
-
name:
|
43
|
+
name: hoe-markdown
|
72
44
|
requirement: !ruby/object:Gem::Requirement
|
73
45
|
requirements:
|
74
46
|
- - "~>"
|
75
47
|
- !ruby/object:Gem::Version
|
76
|
-
version: 1.
|
48
|
+
version: '1.3'
|
77
49
|
type: :development
|
78
50
|
prerelease: false
|
79
51
|
version_requirements: !ruby/object:Gem::Requirement
|
80
52
|
requirements:
|
81
53
|
- - "~>"
|
82
54
|
- !ruby/object:Gem::Version
|
83
|
-
version: 1.
|
55
|
+
version: '1.3'
|
84
56
|
- !ruby/object:Gem::Dependency
|
85
57
|
name: json
|
86
58
|
requirement: !ruby/object:Gem::Requirement
|
@@ -96,33 +68,33 @@ dependencies:
|
|
96
68
|
- !ruby/object:Gem::Version
|
97
69
|
version: '2.2'
|
98
70
|
- !ruby/object:Gem::Dependency
|
99
|
-
name:
|
71
|
+
name: minitest
|
100
72
|
requirement: !ruby/object:Gem::Requirement
|
101
73
|
requirements:
|
102
74
|
- - "~>"
|
103
75
|
- !ruby/object:Gem::Version
|
104
|
-
version: '
|
76
|
+
version: '5.14'
|
105
77
|
type: :development
|
106
78
|
prerelease: false
|
107
79
|
version_requirements: !ruby/object:Gem::Requirement
|
108
80
|
requirements:
|
109
81
|
- - "~>"
|
110
82
|
- !ruby/object:Gem::Version
|
111
|
-
version: '
|
83
|
+
version: '5.14'
|
112
84
|
- !ruby/object:Gem::Dependency
|
113
|
-
name:
|
85
|
+
name: rake
|
114
86
|
requirement: !ruby/object:Gem::Requirement
|
115
87
|
requirements:
|
116
88
|
- - "~>"
|
117
89
|
- !ruby/object:Gem::Version
|
118
|
-
version: '
|
90
|
+
version: '13.0'
|
119
91
|
type: :development
|
120
92
|
prerelease: false
|
121
93
|
version_requirements: !ruby/object:Gem::Requirement
|
122
94
|
requirements:
|
123
95
|
- - "~>"
|
124
96
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
97
|
+
version: '13.0'
|
126
98
|
- !ruby/object:Gem::Dependency
|
127
99
|
name: rdoc
|
128
100
|
requirement: !ruby/object:Gem::Requirement
|
@@ -144,19 +116,33 @@ dependencies:
|
|
144
116
|
- !ruby/object:Gem::Version
|
145
117
|
version: '7'
|
146
118
|
- !ruby/object:Gem::Dependency
|
147
|
-
name:
|
119
|
+
name: rr
|
148
120
|
requirement: !ruby/object:Gem::Requirement
|
149
121
|
requirements:
|
150
122
|
- - "~>"
|
151
123
|
- !ruby/object:Gem::Version
|
152
|
-
version:
|
124
|
+
version: 1.2.0
|
153
125
|
type: :development
|
154
126
|
prerelease: false
|
155
127
|
version_requirements: !ruby/object:Gem::Requirement
|
156
128
|
requirements:
|
157
129
|
- - "~>"
|
158
130
|
- !ruby/object:Gem::Version
|
159
|
-
version:
|
131
|
+
version: 1.2.0
|
132
|
+
- !ruby/object:Gem::Dependency
|
133
|
+
name: rubocop
|
134
|
+
requirement: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - "~>"
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '1.1'
|
139
|
+
type: :development
|
140
|
+
prerelease: false
|
141
|
+
version_requirements: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - "~>"
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '1.1'
|
160
146
|
description: |-
|
161
147
|
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
|
162
148
|
|
@@ -196,7 +182,7 @@ metadata:
|
|
196
182
|
homepage_uri: https://github.com/flavorjones/loofah
|
197
183
|
source_code_uri: https://github.com/flavorjones/loofah
|
198
184
|
bug_tracker_uri: https://github.com/flavorjones/loofah/issues
|
199
|
-
changelog_uri: https://github.com/flavorjones/loofah/blob/
|
185
|
+
changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
|
200
186
|
documentation_uri: https://www.rubydoc.info/gems/loofah/
|
201
187
|
post_install_message:
|
202
188
|
rdoc_options: []
|
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
213
199
|
- !ruby/object:Gem::Version
|
214
200
|
version: '0'
|
215
201
|
requirements: []
|
216
|
-
rubygems_version: 3.
|
202
|
+
rubygems_version: 3.2.15
|
217
203
|
signing_key:
|
218
204
|
specification_version: 4
|
219
205
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|