loofah 2.9.1 → 2.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 492fed0592f752787d888878678d74836accb7d07f2f778d9fdd714a9d311f5e
-  data.tar.gz: 94c3bfdf1bbf5d04f062119461bfeafa751131c780c2297bf892af6aab64607b
+  metadata.gz: 1d9193264008cab1a3f6b35a5b0c6862e781f99385a35d3f6c6714930bd18d3c
+  data.tar.gz: 0b8651064006fb2b5ac201b11e24e0bebc8ec4ab523a3b3d830514247d498e28
 SHA512:
-  metadata.gz: 58ce037d69172bb6d85acdf4faa0281e82e84ee7ef38212f6897971f7a0aeec2e4d151a6c93d8ec0bcb5e6f7522cc1d1d231c5810ce8b4875651777da3ceb3b7
-  data.tar.gz: ab4f6f053fb29ea9415683c3fa81f8ddcde147381314bc5bc87ccf105a97858846028ae7bb21987b3fc56cfa5c9beed769149b3a8cdc282db5c2bca827c5a57b
+  metadata.gz: a7929ae8c091cbf9930e9b8f0f5a16dbf3b02e9f3ab9606370dd205c1153a72b921e9d7878c96be2ad7b968273f6ebb1d297eb984fefa0ac8367140835f0a50d
+  data.tar.gz: d946f74bc710c3018f790a670290d94cc1d75d494a899d9116336a76a52e3f30ab1ba1122e18b45d22766c0e2c86a3b17c2ca0ab8dcdacf03323a80cfc493b46

data/CHANGELOG.md

@@ -1,5 +1,40 @@
 # Changelog
 
+## 2.13.0 / 2021-12-10
+
+### Bug fixes
+
+* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
+
+
+## 2.12.0 / 2021-08-11
+
+### Features
+
+* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
+
+
+## 2.11.0 / 2021-07-31
+
+### Features
+
+* Allow HTML5 element `wbr`.
+* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
+
+
+### Changes
+
+* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
+* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
+
+
+## 2.10.0 / 2021-06-06
+
+### Features
+
+* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
+
+
 ## 2.9.1 / 2021-04-07
 
 ### Bug fixes

data/README.md

@@ -6,8 +6,7 @@
 
 ## Status
 
-[![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-3.0/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah)
-[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
+[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
 [![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
 
 

data/lib/loofah/html5/safelist.rb

@@ -140,6 +140,7 @@ module Loofah
                                       "ul",
                                       "var",
                                       "video",
+                                      "wbr",
                                     ])
 
       MATHML_ELEMENTS = Set.new([
@@ -588,6 +589,8 @@ module Loofah
                                             "max-width",
                                             "order",
                                             "overflow",
+                                            "overflow-x",
+                                            "overflow-y",
                                             "page-break-after",
                                             "page-break-before",
                                             "page-break-inside",
@@ -635,6 +638,8 @@ module Loofah
                                           "green",
                                           "groove",
                                           "hidden",
+                                          "inherit",
+                                          "initial",
                                           "inset",
                                           "italic",
                                           "left",
@@ -650,16 +655,19 @@ module Loofah
                                           "pointer",
                                           "purple",
                                           "red",
+                                          "revert",
                                           "ridge",
                                           "right",
+                                          "separate",
                                           "silver",
                                           "solid",
                                           "teal",
-                                          "thin",
                                           "thick",
+                                          "thin",
                                           "top",
                                           "transparent",
                                           "underline",
+                                          "unset",
                                           "white",
                                           "yellow",
                                         ])
@@ -786,18 +794,14 @@ module Loofah
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
 
+      # TODO: remove VOID_ELEMENTS in a future major release
+      # and put it in the tests (it is used only for testing, not for functional behavior)
       VOID_ELEMENTS = Set.new([
                                 "area",
-                                "base",
                                 "br",
-                                "col",
-                                "embed",
                                 "hr",
                                 "img",
                                 "input",
-                                "link",
-                                "meta",
-                                "param",
                               ])
 
       # additional tags we should consider safe since we have libxml2 fixing up our documents.

data/lib/loofah/html5/scrub.rb

@@ -10,6 +10,7 @@ module Loofah
       CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
       CSS_IMPORTANT = '!important'
       CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
+      DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
 
       class << self
         def allowed_element?(element_name)
@@ -25,7 +26,7 @@ module Loofah
               attr_node.node_name
             end
 
-            if attr_name =~ /\Adata-[\w-]+\z/
+            if attr_name =~ DATA_ATTRIBUTE_NAME
               next
             end
 
@@ -62,7 +63,9 @@ module Loofah
           scrub_css_attribute(node)
 
           node.attribute_nodes.each do |attr_node|
-            node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+            if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
+              node.remove_attribute(attr_node.name)
+            end
           end
 
           force_correct_attribute_escaping!(node)

data/lib/loofah/instance_methods.rb

@@ -93,7 +93,11 @@ module Loofah
     #    frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
     #
     def text(options = {})
-      result = serialize_root.children.inner_text rescue ""
+      result = if serialize_root
+        serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
+      else
+        ""
+      end
       if options[:encode_special_chars] == false
         result # possibly dangerous if rendered in a browser
       else

data/lib/loofah/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.9.1"
+  VERSION = "2.13.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.9.1
+  version: 2.13.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,22 +9,8 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-07 00:00:00.000000000 Z
+date: 2021-12-10 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: nokogiri
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.9
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.9
 - !ruby/object:Gem::Dependency
   name: crass
   requirement: !ruby/object:Gem::Requirement
@@ -40,47 +26,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.0.2
 - !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.14'
-  type: :development
+        version: 1.5.9
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.14'
+        version: 1.5.9
 - !ruby/object:Gem::Dependency
-  name: rr
+  name: hoe-markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -96,33 +68,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.2'
 - !ruby/object:Gem::Dependency
-  name: concourse
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.33'
+        version: '5.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.33'
+        version: '5.14'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -144,19 +116,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '7'
 - !ruby/object:Gem::Dependency
-  name: hoe-markdown
+  name: rr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents