loofah 2.0.2 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fe26253679940dacafe8041f66b983b3bcbf52a0
-  data.tar.gz: 1e871815f543b062b2b128a195c6e6068b18241d
+  metadata.gz: 1ede2fa4b15b118b6040d43ec57d90782e6a8234
+  data.tar.gz: e0e4ed5ebb391793549d27245834bb67189e83c3
 SHA512:
-  metadata.gz: 40893992f92d5a29c7bd40de6b6b7190d823237803d4245f8b66b1dea0b884dabf11578e061ba73fef6b89df6828e8eb8fd47618385583880b2f6953cc98b022
-  data.tar.gz: 55ca03dd4ea01c46ff6e7a932a8eb6c2a6bb106223c46f1ea74f06a99847f9780a23ae1752950249407567f9e42fee7fecc42d6c2cbe4e06baeb3f1f2d5751fd
+  metadata.gz: ca75adb9b1dad4f99f7182767518a4a935bc960ec81db86eb848f30bb918089f570ab29bfa9f2973e0bd3608876cd47c8af1fcb01a6596e5e845307b21caffd9
+  data.tar.gz: 42fea8ec3d59389976f2613d4dd763f9f7c7260069f113d7044d55daeb83850750f2d5803354b0d431f2fef25e7a65c0e5cbe2b916d1e26072c6ccd531183d6a

data/CHANGELOG.rdoc

@@ -1,5 +1,12 @@
 = Changelog
 
+== 2.0.3 / 2015-08-17
+
+Bug fixes:
+
+* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
+
+
 == 2.0.2 / 2015-05-05
 
 Bug fixes:

data/lib/loofah.rb

@@ -27,7 +27,7 @@ require 'loofah/html/document_fragment'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '2.0.2'
+  VERSION = '2.0.3'
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html5/scrub.rb

@@ -67,7 +67,7 @@ module Loofah
           style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
           # gauntlet
-          return '' unless style =~ /\A([-:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
+          return '' unless style =~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
           return '' unless style =~ /\A\s*([-\w]+\s*:[^:;]*(;\s*|$))*\z/
 
           clean = []

data/test/html5/test_sanitizer.rb

@@ -31,6 +31,12 @@ class Html5TestSanitizer < Loofah::TestCase
       %Q{given:    "#{input}"\nexpected: "#{htmloutput}"\ngot:      "#{sane}"})
   end
 
+  def assert_completes_in_reasonable_time &block
+    t0 = Time.now
+    block.call
+    assert_in_delta t0, Time.now, 0.01 # arbitrary seconds
+  end
+
   (HTML5::WhiteList::ALLOWED_ELEMENTS).each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       input       = "<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>"
@@ -223,16 +229,26 @@ class Html5TestSanitizer < Loofah::TestCase
   end
 
   def test_css_negative_value_sanitization
+    skip "pending better CSS parsing, see https://github.com/flavorjones/loofah/issues/90"
     html = "<span style=\"letter-spacing:-0.03em;\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
     assert_match %r/-0.03em/, sane.inner_html
   end
 
   def test_css_negative_value_sanitization_shorthand_css_properties
+    skip "pending better CSS parsing, see https://github.com/flavorjones/loofah/issues/90"
     html = "<span style=\"margin-left:-0.05em;\">"
     sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
     assert_match %r/-0.05em/, sane.inner_html
   end
+
+  def test_issue_90_slow_regex
+    html = %q{<span style="background: url('data:image/svg&#43;xml;charset=utf-8,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%2232%22%20height%3D%2232%22%20viewBox%3D%220%200%2032%2032%22%3E%3Cpath%20fill%3D%22%23D4C8AE%22%20d%3D%22M0%200h32v32h-32z%22%2F%3E%3Cpath%20fill%3D%22%2383604B%22%20d%3D%22M0%200h31.99v11.75h-31.99z%22%2F%3E%3Cpath%20fill%3D%22%233D2319%22%20d%3D%22M0%2011.5h32v.5h-32z%22%2F%3E%3Cpath%20fill%3D%22%23F83651%22%20d%3D%22M5%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%23FCD050%22%20d%3D%22M6%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%2371C797%22%20d%3D%22M7%200h1v10.5h-1z%22%2F%3E%3Cpath%20fill%3D%22%23509CF9%22%20d%3D%22M8%200h1v10.5h-1z%22%2F%3E%3ClinearGradient%20id%3D%22a%22%20gradientUnits%3D%22userSpaceOnUse%22%20x1%3D%2224.996%22%20y1%3D%2210.5%22%20x2%3D%2224.996%22%20y2%3D%224.5%22%3E%3Cstop%20offset%3D%220%22%20stop-color%3D%22%23796055%22%2F%3E%3Cstop%20offset%3D%22.434%22%20stop-color%3D%22%23614C43%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%233D2D28%22%2F%3E%3C%2FlinearGradient%3E%3Cpath%20fill%3D%22url(%23a)%22%20d%3D%22M28%208.5c0%201.1-.9%202-2%202h-2c-1.1%200-2-.9-2-2v-2c0-1.1.9-2%202-2h2c1.1%200%202%20.9%202%202v2z%22%2F%3E%3Cpath%20fill%3D%22%235F402E%22%20d%3D%22M28%208c0%201.1-.9%202-2%202h-2c-1.1%200-2-.9-2-2v-2c0-1.1.9-2%202-2h2c1.1%200%202%20.9%202%202v2z%22%2F%3E%3C');"></span>}
+
+    assert_completes_in_reasonable_time {
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    }
+  end
 end
 
 # <html5_license>

metadata

@@ -1,170 +1,170 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.0.3
 platform: ruby
 authors:
 - Mike Dalessio
 - Bryan Helmkamp
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-05 00:00:00.000000000 Z
+date: 2015-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: 1.5.9
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.9
-  prerelease: false
   type: :runtime
-- !ruby/object:Gem::Dependency
-  name: rdoc
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 1.5.9
+- !ruby/object:Gem::Dependency
+  name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '4.0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: rake
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: minitest
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: rr
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: rr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 1.1.0
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: json
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: hoe-gemspec
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe-gemspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: hoe-debugging
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe-debugging
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: hoe-bundler
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe-bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: hoe-git
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe-git
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  prerelease: false
   type: :development
-- !ruby/object:Gem::Dependency
-  name: hoe
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.13'
-  prerelease: false
   type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML
   documents and fragments. It's built on top of Nokogiri and libxml2, so
@@ -189,7 +189,7 @@ extra_rdoc_files:
 - Manifest.txt
 - README.rdoc
 files:
-- .gemtest
+- ".gemtest"
 - CHANGELOG.rdoc
 - Gemfile
 - MIT-LICENSE.txt
@@ -230,26 +230,27 @@ homepage: https://github.com/flavorjones/loofah
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options:
-- --main
+- "--main"
 - README.rdoc
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.4.5
-signing_key:
+rubyforge_project: 
+rubygems_version: 2.4.6
+signing_key: 
 specification_version: 4
-summary: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments
+summary: Loofah is a general library for manipulating and transforming HTML/XML documents
+  and fragments
 test_files: []