loofah 2.9.0 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10f6e8ff06a760da3400cdf8660e6768cfc2e7bbcb34a3ae6aaadea5e29ff924
-  data.tar.gz: 7e0accdb26147612bd7da3abc8fa98a6fac850dbb7a0ee99d20375400de4b877
+  metadata.gz: c868e8e66e94839a6486619672b3aa05b3f1b2d59987290eded52829fbe5ee9e
+  data.tar.gz: 7610aa28be173f2ad1e917fa01ef783a96189cc5ee98ce8878983f67ad46661d
 SHA512:
-  metadata.gz: 11b0f4dcad5a9f38444e9eebd45cb09705e536468c901c03d792711133536812f8b0579533eb54a305311d5303fdd4cf510761a9a0d42d0af46bb153d3402a3c
-  data.tar.gz: d6032694eaaaddd47c02868ecb037dc2673b5ebd749a7d8846c2a55e13744f9455a66b41ec16a4cf3c4905e6019df3493972ec462cd04404365ebe202e15e211
+  metadata.gz: 6676ba0100a6348670618e03015be589c207290880a91cd86c8502767cf7f6a9a91aa2d19d8cc9131a18537f74eb5440f273430f3cc27ebf4c6691259ddf3c7b
+  data.tar.gz: 4a9f90a2bf23dcb52a3b4a1ee7d8ace37ee310c14495fb749e7d4defc8b4a6dc4542b53b8cf6ea7579c70f753478ed523b29fbb13b6f1509fa47d422f0074b75

data/CHANGELOG.md

@@ -1,11 +1,50 @@
 # Changelog
 
-### 2.9.0 / 2021-01-14
+## 2.12.0 / 2021-08-11
+
+### Features
+
+* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
+
+
+## 2.11.0 / 2021-07-31
+
+### Features
+
+* Allow HTML5 element `wbr`.
+* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
+
+
+### Changes
+
+* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
+* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
+
+
+## 2.10.0 / 2021-06-06
+
+### Features
+
+* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
+
+
+## 2.9.1 / 2021-04-07
+
+### Bug fixes
+
+* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
+
+
+## 2.9.0 / 2021-01-14
+
+### Features
 
 * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
 
 
-### 2.8.0 / 2020-11-25
+## 2.8.0 / 2020-11-25
+
+### Features
 
 * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
 

data/README.md

@@ -1,13 +1,12 @@
 # Loofah
 
 * https://github.com/flavorjones/loofah
-* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
+* Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
 * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
 
 ## Status
 
-[![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master)
-[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
+[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
 [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
 
 
@@ -211,7 +210,7 @@ end
 Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
 ```
 
-=== Built-In HTML Scrubbers
+### Built-In HTML Scrubbers
 
 Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
 safelist algorithm:

data/lib/loofah/html5/safelist.rb

@@ -140,6 +140,7 @@ module Loofah
                                       "ul",
                                       "var",
                                       "video",
+                                      "wbr",
                                     ])
 
       MATHML_ELEMENTS = Set.new([
@@ -588,6 +589,8 @@ module Loofah
                                             "max-width",
                                             "order",
                                             "overflow",
+                                            "overflow-x",
+                                            "overflow-y",
                                             "page-break-after",
                                             "page-break-before",
                                             "page-break-inside",
@@ -635,6 +638,8 @@ module Loofah
                                           "green",
                                           "groove",
                                           "hidden",
+                                          "inherit",
+                                          "initial",
                                           "inset",
                                           "italic",
                                           "left",
@@ -650,16 +655,19 @@ module Loofah
                                           "pointer",
                                           "purple",
                                           "red",
+                                          "revert",
                                           "ridge",
                                           "right",
+                                          "separate",
                                           "silver",
                                           "solid",
                                           "teal",
-                                          "thin",
                                           "thick",
+                                          "thin",
                                           "top",
                                           "transparent",
                                           "underline",
+                                          "unset",
                                           "white",
                                           "yellow",
                                         ])
@@ -786,18 +794,14 @@ module Loofah
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
 
+      # TODO: remove VOID_ELEMENTS in a future major release
+      # and put it in the tests (it is used only for testing, not for functional behavior)
       VOID_ELEMENTS = Set.new([
                                 "area",
-                                "base",
                                 "br",
-                                "col",
-                                "embed",
                                 "hr",
                                 "img",
                                 "input",
-                                "link",
-                                "meta",
-                                "param",
                               ])
 
       # additional tags we should consider safe since we have libxml2 fixing up our documents.

data/lib/loofah/html5/scrub.rb

@@ -9,6 +9,8 @@ module Loofah
       CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
       CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
       CSS_IMPORTANT = '!important'
+      CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
+      DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
 
       class << self
         def allowed_element?(element_name)
@@ -24,7 +26,7 @@ module Loofah
               attr_node.node_name
             end
 
-            if attr_name =~ /\Adata-[\w-]+\z/
+            if attr_name =~ DATA_ATTRIBUTE_NAME
               next
             end
 
@@ -61,7 +63,9 @@ module Loofah
           scrub_css_attribute(node)
 
           node.attribute_nodes.each do |attr_node|
-            node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+            if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
+              node.remove_attribute(attr_node.name)
+            end
           end
 
           force_correct_attribute_escaping!(node)
@@ -92,7 +96,11 @@ module Loofah
               when :whitespace
                 nil
               when :string
-                nil
+                if child[:raw] =~ CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES
+                  Crass::Parser.stringify(child)
+                else
+                  nil
+                end
               when :function
                 if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
                   Crass::Parser.stringify(child)

data/lib/loofah/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.9.0"
+  VERSION = "2.12.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.9.0
+  version: 2.12.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,22 +9,8 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-14 00:00:00.000000000 Z
+date: 2021-08-11 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: nokogiri
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.9
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.9
 - !ruby/object:Gem::Dependency
   name: crass
   requirement: !ruby/object:Gem::Requirement
@@ -40,47 +26,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.0.2
 - !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.14'
-  type: :development
+        version: 1.5.9
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.14'
+        version: 1.5.9
 - !ruby/object:Gem::Dependency
-  name: rr
+  name: hoe-markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -96,33 +68,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.2'
 - !ruby/object:Gem::Dependency
-  name: concourse
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.33'
+        version: '5.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.33'
+        version: '5.14'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -144,19 +116,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '7'
 - !ruby/object:Gem::Dependency
-  name: hoe-markdown
+  name: rr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
@@ -196,7 +182,7 @@ metadata:
   homepage_uri: https://github.com/flavorjones/loofah
   source_code_uri: https://github.com/flavorjones/loofah
   bug_tracker_uri: https://github.com/flavorjones/loofah/issues
-  changelog_uri: https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md
   documentation_uri: https://www.rubydoc.info/gems/loofah/
 post_install_message: 
 rdoc_options: []
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents