loofah 2.9.1 → 2.14.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +42 -0
- data/README.md +5 -7
- data/lib/loofah/elements.rb +5 -2
- data/lib/loofah/html5/safelist.rb +11 -7
- data/lib/loofah/html5/scrub.rb +5 -2
- data/lib/loofah/instance_methods.rb +9 -5
- data/lib/loofah/scrubbers.rb +7 -2
- data/lib/loofah/version.rb +1 -1
- metadata +35 -49
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 95836cdfac672774704d62557836c319edf8c1ffd17323b61c749aabbb71f6b6
|
4
|
+
data.tar.gz: ddc0bc8f3dc588cc4a69651debacb404cedc02e047f585bde0758ec4186d6018
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 05b043ea1e8de851488dc084cae3f596816b54549cfc4f9a1d5fd675093d8dc06956e6880286adcdcffe5aca6d29e46a97052cc526cc7b3667277ff8a9575ba7
|
7
|
+
data.tar.gz: fd0fbee37a8150709ba178889d96532a4b2efdd402ccc2d922c2022a88f04188ebc221037d522cf7af67eaf3f1c4d74acba1de37ca2f70e1d0214afff69f6f85
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,47 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.14.0 / 2022-02-11
|
4
|
+
|
5
|
+
### Features
|
6
|
+
|
7
|
+
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
|
8
|
+
|
9
|
+
|
10
|
+
## 2.13.0 / 2021-12-10
|
11
|
+
|
12
|
+
### Bug fixes
|
13
|
+
|
14
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
15
|
+
|
16
|
+
|
17
|
+
## 2.12.0 / 2021-08-11
|
18
|
+
|
19
|
+
### Features
|
20
|
+
|
21
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
22
|
+
|
23
|
+
|
24
|
+
## 2.11.0 / 2021-07-31
|
25
|
+
|
26
|
+
### Features
|
27
|
+
|
28
|
+
* Allow HTML5 element `wbr`.
|
29
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
30
|
+
|
31
|
+
|
32
|
+
### Changes
|
33
|
+
|
34
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
35
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
36
|
+
|
37
|
+
|
38
|
+
## 2.10.0 / 2021-06-06
|
39
|
+
|
40
|
+
### Features
|
41
|
+
|
42
|
+
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
|
43
|
+
|
44
|
+
|
3
45
|
## 2.9.1 / 2021-04-07
|
4
46
|
|
5
47
|
### Bug fixes
|
data/README.md
CHANGED
@@ -6,8 +6,7 @@
|
|
6
6
|
|
7
7
|
## Status
|
8
8
|
|
9
|
-
[![
|
10
|
-
[![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
|
9
|
+
[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
|
11
10
|
[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
|
12
11
|
|
13
12
|
|
@@ -134,13 +133,12 @@ and `text` to return plain text:
|
|
134
133
|
doc.text # => "ohai! div is safe "
|
135
134
|
```
|
136
135
|
|
137
|
-
Also, `to_text` is available, which does the right thing with
|
138
|
-
whitespace around block-level elements.
|
136
|
+
Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
|
139
137
|
|
140
138
|
``` ruby
|
141
|
-
doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
|
142
|
-
doc.text # => "
|
143
|
-
doc.to_text # => "\nTitle\n\nContent\n"
|
139
|
+
doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
|
140
|
+
doc.text # => "TitleContentNext line" # probably not what you want
|
141
|
+
doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
|
144
142
|
```
|
145
143
|
|
146
144
|
### Loofah::XML::Document and Loofah::XML::DocumentFragment
|
data/lib/loofah/elements.rb
CHANGED
@@ -70,8 +70,6 @@ module Loofah
|
|
70
70
|
video
|
71
71
|
]
|
72
72
|
|
73
|
-
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
74
|
-
|
75
73
|
# The following elements may also be considered block-level
|
76
74
|
# elements since they may contain block-level elements
|
77
75
|
LOOSE_BLOCK_LEVEL = Set.new %w[dd
|
@@ -86,7 +84,12 @@ module Loofah
|
|
86
84
|
tr
|
87
85
|
]
|
88
86
|
|
87
|
+
# Elements that aren't block but should generate a newline in #to_text
|
88
|
+
INLINE_LINE_BREAK = Set.new(["br"])
|
89
|
+
|
90
|
+
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
89
91
|
BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
|
92
|
+
LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
|
90
93
|
end
|
91
94
|
|
92
95
|
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
|
@@ -140,6 +140,7 @@ module Loofah
|
|
140
140
|
"ul",
|
141
141
|
"var",
|
142
142
|
"video",
|
143
|
+
"wbr",
|
143
144
|
])
|
144
145
|
|
145
146
|
MATHML_ELEMENTS = Set.new([
|
@@ -588,6 +589,8 @@ module Loofah
|
|
588
589
|
"max-width",
|
589
590
|
"order",
|
590
591
|
"overflow",
|
592
|
+
"overflow-x",
|
593
|
+
"overflow-y",
|
591
594
|
"page-break-after",
|
592
595
|
"page-break-before",
|
593
596
|
"page-break-inside",
|
@@ -635,6 +638,8 @@ module Loofah
|
|
635
638
|
"green",
|
636
639
|
"groove",
|
637
640
|
"hidden",
|
641
|
+
"inherit",
|
642
|
+
"initial",
|
638
643
|
"inset",
|
639
644
|
"italic",
|
640
645
|
"left",
|
@@ -650,16 +655,19 @@ module Loofah
|
|
650
655
|
"pointer",
|
651
656
|
"purple",
|
652
657
|
"red",
|
658
|
+
"revert",
|
653
659
|
"ridge",
|
654
660
|
"right",
|
661
|
+
"separate",
|
655
662
|
"silver",
|
656
663
|
"solid",
|
657
664
|
"teal",
|
658
|
-
"thin",
|
659
665
|
"thick",
|
666
|
+
"thin",
|
660
667
|
"top",
|
661
668
|
"transparent",
|
662
669
|
"underline",
|
670
|
+
"unset",
|
663
671
|
"white",
|
664
672
|
"yellow",
|
665
673
|
])
|
@@ -786,18 +794,14 @@ module Loofah
|
|
786
794
|
ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
|
787
795
|
ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
|
788
796
|
|
797
|
+
# TODO: remove VOID_ELEMENTS in a future major release
|
798
|
+
# and put it in the tests (it is used only for testing, not for functional behavior)
|
789
799
|
VOID_ELEMENTS = Set.new([
|
790
800
|
"area",
|
791
|
-
"base",
|
792
801
|
"br",
|
793
|
-
"col",
|
794
|
-
"embed",
|
795
802
|
"hr",
|
796
803
|
"img",
|
797
804
|
"input",
|
798
|
-
"link",
|
799
|
-
"meta",
|
800
|
-
"param",
|
801
805
|
])
|
802
806
|
|
803
807
|
# additional tags we should consider safe since we have libxml2 fixing up our documents.
|
data/lib/loofah/html5/scrub.rb
CHANGED
@@ -10,6 +10,7 @@ module Loofah
|
|
10
10
|
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
|
11
11
|
CSS_IMPORTANT = '!important'
|
12
12
|
CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
|
13
|
+
DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
|
13
14
|
|
14
15
|
class << self
|
15
16
|
def allowed_element?(element_name)
|
@@ -25,7 +26,7 @@ module Loofah
|
|
25
26
|
attr_node.node_name
|
26
27
|
end
|
27
28
|
|
28
|
-
if attr_name =~
|
29
|
+
if attr_name =~ DATA_ATTRIBUTE_NAME
|
29
30
|
next
|
30
31
|
end
|
31
32
|
|
@@ -62,7 +63,9 @@ module Loofah
|
|
62
63
|
scrub_css_attribute(node)
|
63
64
|
|
64
65
|
node.attribute_nodes.each do |attr_node|
|
65
|
-
|
66
|
+
if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
|
67
|
+
node.remove_attribute(attr_node.name)
|
68
|
+
end
|
66
69
|
end
|
67
70
|
|
68
71
|
force_correct_attribute_escaping!(node)
|
@@ -93,7 +93,11 @@ module Loofah
|
|
93
93
|
# frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
|
94
94
|
#
|
95
95
|
def text(options = {})
|
96
|
-
result = serialize_root
|
96
|
+
result = if serialize_root
|
97
|
+
serialize_root.children.reject(&:comment?).map(&:inner_text).join("")
|
98
|
+
else
|
99
|
+
""
|
100
|
+
end
|
97
101
|
if options[:encode_special_chars] == false
|
98
102
|
result # possibly dangerous if rendered in a browser
|
99
103
|
else
|
@@ -108,11 +112,11 @@ module Loofah
|
|
108
112
|
# Returns a plain-text version of the markup contained by the
|
109
113
|
# fragment, with HTML entities encoded.
|
110
114
|
#
|
111
|
-
# This method is slower than #
|
112
|
-
# whitespace around block elements.
|
115
|
+
# This method is slower than #text, but is clever about
|
116
|
+
# whitespace around block elements and line break elements.
|
113
117
|
#
|
114
|
-
# Loofah.document("<h1>Title</h1><div>Content</div>").to_text
|
115
|
-
# # => "\nTitle\n\nContent\n"
|
118
|
+
# Loofah.document("<h1>Title</h1><div>Content<br>Next line</div>").to_text
|
119
|
+
# # => "\nTitle\n\nContent\nNext line\n"
|
116
120
|
#
|
117
121
|
def to_text(options = {})
|
118
122
|
Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
|
data/lib/loofah/scrubbers.rb
CHANGED
@@ -240,8 +240,13 @@ module Loofah
|
|
240
240
|
end
|
241
241
|
|
242
242
|
def scrub(node)
|
243
|
-
return CONTINUE unless Loofah::Elements::
|
244
|
-
|
243
|
+
return CONTINUE unless Loofah::Elements::LINEBREAKERS.include?(node.name)
|
244
|
+
replacement = if Loofah::Elements::INLINE_LINE_BREAK.include?(node.name)
|
245
|
+
"\n"
|
246
|
+
else
|
247
|
+
"\n#{node.content}\n"
|
248
|
+
end
|
249
|
+
node.add_next_sibling Nokogiri::XML::Text.new(replacement, node.document)
|
245
250
|
node.remove
|
246
251
|
end
|
247
252
|
end
|
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: loofah
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.14.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike Dalessio
|
@@ -9,22 +9,8 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
|
-
- !ruby/object:Gem::Dependency
|
15
|
-
name: nokogiri
|
16
|
-
requirement: !ruby/object:Gem::Requirement
|
17
|
-
requirements:
|
18
|
-
- - ">="
|
19
|
-
- !ruby/object:Gem::Version
|
20
|
-
version: 1.5.9
|
21
|
-
type: :runtime
|
22
|
-
prerelease: false
|
23
|
-
version_requirements: !ruby/object:Gem::Requirement
|
24
|
-
requirements:
|
25
|
-
- - ">="
|
26
|
-
- !ruby/object:Gem::Version
|
27
|
-
version: 1.5.9
|
28
14
|
- !ruby/object:Gem::Dependency
|
29
15
|
name: crass
|
30
16
|
requirement: !ruby/object:Gem::Requirement
|
@@ -40,47 +26,33 @@ dependencies:
|
|
40
26
|
- !ruby/object:Gem::Version
|
41
27
|
version: 1.0.2
|
42
28
|
- !ruby/object:Gem::Dependency
|
43
|
-
name:
|
44
|
-
requirement: !ruby/object:Gem::Requirement
|
45
|
-
requirements:
|
46
|
-
- - "~>"
|
47
|
-
- !ruby/object:Gem::Version
|
48
|
-
version: '13.0'
|
49
|
-
type: :development
|
50
|
-
prerelease: false
|
51
|
-
version_requirements: !ruby/object:Gem::Requirement
|
52
|
-
requirements:
|
53
|
-
- - "~>"
|
54
|
-
- !ruby/object:Gem::Version
|
55
|
-
version: '13.0'
|
56
|
-
- !ruby/object:Gem::Dependency
|
57
|
-
name: minitest
|
29
|
+
name: nokogiri
|
58
30
|
requirement: !ruby/object:Gem::Requirement
|
59
31
|
requirements:
|
60
|
-
- - "
|
32
|
+
- - ">="
|
61
33
|
- !ruby/object:Gem::Version
|
62
|
-
version:
|
63
|
-
type: :
|
34
|
+
version: 1.5.9
|
35
|
+
type: :runtime
|
64
36
|
prerelease: false
|
65
37
|
version_requirements: !ruby/object:Gem::Requirement
|
66
38
|
requirements:
|
67
|
-
- - "
|
39
|
+
- - ">="
|
68
40
|
- !ruby/object:Gem::Version
|
69
|
-
version:
|
41
|
+
version: 1.5.9
|
70
42
|
- !ruby/object:Gem::Dependency
|
71
|
-
name:
|
43
|
+
name: hoe-markdown
|
72
44
|
requirement: !ruby/object:Gem::Requirement
|
73
45
|
requirements:
|
74
46
|
- - "~>"
|
75
47
|
- !ruby/object:Gem::Version
|
76
|
-
version: 1.
|
48
|
+
version: '1.3'
|
77
49
|
type: :development
|
78
50
|
prerelease: false
|
79
51
|
version_requirements: !ruby/object:Gem::Requirement
|
80
52
|
requirements:
|
81
53
|
- - "~>"
|
82
54
|
- !ruby/object:Gem::Version
|
83
|
-
version: 1.
|
55
|
+
version: '1.3'
|
84
56
|
- !ruby/object:Gem::Dependency
|
85
57
|
name: json
|
86
58
|
requirement: !ruby/object:Gem::Requirement
|
@@ -96,33 +68,33 @@ dependencies:
|
|
96
68
|
- !ruby/object:Gem::Version
|
97
69
|
version: '2.2'
|
98
70
|
- !ruby/object:Gem::Dependency
|
99
|
-
name:
|
71
|
+
name: minitest
|
100
72
|
requirement: !ruby/object:Gem::Requirement
|
101
73
|
requirements:
|
102
74
|
- - "~>"
|
103
75
|
- !ruby/object:Gem::Version
|
104
|
-
version: '
|
76
|
+
version: '5.14'
|
105
77
|
type: :development
|
106
78
|
prerelease: false
|
107
79
|
version_requirements: !ruby/object:Gem::Requirement
|
108
80
|
requirements:
|
109
81
|
- - "~>"
|
110
82
|
- !ruby/object:Gem::Version
|
111
|
-
version: '
|
83
|
+
version: '5.14'
|
112
84
|
- !ruby/object:Gem::Dependency
|
113
|
-
name:
|
85
|
+
name: rake
|
114
86
|
requirement: !ruby/object:Gem::Requirement
|
115
87
|
requirements:
|
116
88
|
- - "~>"
|
117
89
|
- !ruby/object:Gem::Version
|
118
|
-
version: '
|
90
|
+
version: '13.0'
|
119
91
|
type: :development
|
120
92
|
prerelease: false
|
121
93
|
version_requirements: !ruby/object:Gem::Requirement
|
122
94
|
requirements:
|
123
95
|
- - "~>"
|
124
96
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
97
|
+
version: '13.0'
|
126
98
|
- !ruby/object:Gem::Dependency
|
127
99
|
name: rdoc
|
128
100
|
requirement: !ruby/object:Gem::Requirement
|
@@ -144,19 +116,33 @@ dependencies:
|
|
144
116
|
- !ruby/object:Gem::Version
|
145
117
|
version: '7'
|
146
118
|
- !ruby/object:Gem::Dependency
|
147
|
-
name:
|
119
|
+
name: rr
|
148
120
|
requirement: !ruby/object:Gem::Requirement
|
149
121
|
requirements:
|
150
122
|
- - "~>"
|
151
123
|
- !ruby/object:Gem::Version
|
152
|
-
version:
|
124
|
+
version: 1.2.0
|
153
125
|
type: :development
|
154
126
|
prerelease: false
|
155
127
|
version_requirements: !ruby/object:Gem::Requirement
|
156
128
|
requirements:
|
157
129
|
- - "~>"
|
158
130
|
- !ruby/object:Gem::Version
|
159
|
-
version:
|
131
|
+
version: 1.2.0
|
132
|
+
- !ruby/object:Gem::Dependency
|
133
|
+
name: rubocop
|
134
|
+
requirement: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - "~>"
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '1.1'
|
139
|
+
type: :development
|
140
|
+
prerelease: false
|
141
|
+
version_requirements: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - "~>"
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '1.1'
|
160
146
|
description: |-
|
161
147
|
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
|
162
148
|
|
@@ -213,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
213
199
|
- !ruby/object:Gem::Version
|
214
200
|
version: '0'
|
215
201
|
requirements: []
|
216
|
-
rubygems_version: 3.
|
202
|
+
rubygems_version: 3.3.5
|
217
203
|
signing_key:
|
218
204
|
specification_version: 4
|
219
205
|
summary: Loofah is a general library for manipulating and transforming HTML/XML documents
|