loofah 2.4.0 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29f0764dd4fc0eed44139b573bd3708917cab618126b094b9faa42d26a29d949
-  data.tar.gz: e1e9cc2ecbd68de48d1f2554a65b86bed0756616008cf9c9a7ed62af1197afa4
+  metadata.gz: 052a847ba3f873261fa917f028171997ba40b96a5afc4339d98dbfd252905a91
+  data.tar.gz: 1e348bd51955411df0ed0b170460b30fa150594b8c7a60a40c80de0d485f9e94
 SHA512:
-  metadata.gz: 05bc54adcab4ee55e52f69685366ba81e492a6b6c25c8e282d79d4ec85349f8ac37c3e34b74ed81089bda662ebed620c208a7a46bc64f4a504ec1bf51f7c8bf9
-  data.tar.gz: 8b0e5d75ab88d683240183b5b3e4ed3d1a1fd26bac0d89780ce64722a3d05cba95c42376208e294ad1b3b215fcb90a795e479a2d0e8a3fd643d3b136e88bb562
+  metadata.gz: 013d4c78bbaedf2b845d33b4bca6c6e483a36b8b774931dea2071e080657e34e2725ee4dffa48db6eb389898640b8b475009ac70efc5e0b319646ae5b7822a85
+  data.tar.gz: 26742f775c503fbe56255e46963887ae769182574bc6cd7070168c50e92a5ddefa83208ff8930346f6ce7bad74624913221b84f5f3abbc60254c1530595c858e

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 2.5.0 / 2020-04-05
+
+### Features
+
+* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)
+
+
+### Fixes
+
+* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [#80]
+
+
+### Other changes
+
+* Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
+* Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)
+
+
 ## 2.4.0 / 2019-11-25
 
 ### Features

data/Manifest.txt

@@ -1,4 +1,3 @@
-.gemtest
 CHANGELOG.md
 Gemfile
 MIT-LICENSE.txt
@@ -24,18 +23,3 @@ lib/loofah/scrubber.rb
 lib/loofah/scrubbers.rb
 lib/loofah/xml/document.rb
 lib/loofah/xml/document_fragment.rb
-test/assets/msword.html
-test/assets/testdata_sanitizer_tests1.dat
-test/helper.rb
-test/html5/test_sanitizer.rb
-test/html5/test_scrub.rb
-test/integration/test_ad_hoc.rb
-test/integration/test_helpers.rb
-test/integration/test_html.rb
-test/integration/test_scrubbers.rb
-test/integration/test_xml.rb
-test/unit/test_api.rb
-test/unit/test_encoding.rb
-test/unit/test_helpers.rb
-test/unit/test_scrubber.rb
-test/unit/test_scrubbers.rb

data/Rakefile

@@ -11,10 +11,16 @@ Hoe.spec "loofah" do
   developer "Mike Dalessio", "mike.dalessio@gmail.com"
   developer "Bryan Helmkamp", "bryan@brynary.com"
 
-  self.extra_rdoc_files = FileList["*.md"]
   self.history_file = "CHANGELOG.md"
   self.readme_file = "README.md"
   self.license "MIT"
+  self.urls = {
+    "home" => "https://github.com/flavorjones/loofah",
+    "bugs" => "https://github.com/flavorjones/loofah/issues",
+    "doco" => "https://www.rubydoc.info/gems/loofah/",
+    "clog" => "https://github.com/flavorjones/loofah/master/CHANGELOG.md",
+    "code" => "https://github.com/flavorjones/loofah",
+  }
 
   extra_deps << ["nokogiri", ">=1.5.9"]
   extra_deps << ["crass", "~> 1.0.2"]

data/benchmark/benchmark.rb

@@ -23,7 +23,7 @@ def compare_scrub_methods
 end
 
 module TestSet
-  def test_set options={}
+  def test_set(options = {})
     scale = options[:rehearse] ? 10 : 1
     puts self.class.name
 
@@ -49,6 +49,7 @@ end
 
 class HeadToHeadRailsSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -65,6 +66,7 @@ end
 
 class HeadToHeadRailsStripTags < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -81,6 +83,7 @@ end
 
 class HeadToHeadSanitizerSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -100,6 +103,7 @@ end
 
 class HeadToHeadHtml5LibSanitize < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 
@@ -120,6 +124,7 @@ end
 
 class HeadToHeadHTMLFilter < Measure
   include TestSet
+
   def bench(content, ntimes, fragment_p)
     clear_measure
 

data/benchmark/helper.rb

@@ -1,13 +1,13 @@
-require 'rubygems'
-require 'open-uri'
-require 'hpricot'
+require "rubygems"
+require "open-uri"
+require "hpricot"
 require File.expand_path(File.dirname(__FILE__) + "/../lib/loofah")
-require 'benchmark'
+require "benchmark"
 require "action_view"
 require "action_controller/vendor/html-scanner"
 require "sanitize"
-require 'hitimes'
-require 'htmlfilter'
+require "hitimes"
+require "htmlfilter"
 
 unless defined?(HTMLFilter)
   HTMLFilter = HtmlFilter
@@ -19,20 +19,20 @@ class RailsSanitize
 end
 
 class HTML5libSanitize
-  require 'html5/html5parser'
-  require 'html5/liberalxmlparser'
-  require 'html5/treewalkers'
-  require 'html5/treebuilders'
-  require 'html5/serializer'
-  require 'html5/sanitizer'
+  require "html5/html5parser"
+  require "html5/liberalxmlparser"
+  require "html5/treewalkers"
+  require "html5/treebuilders"
+  require "html5/serializer"
+  require "html5/sanitizer"
 
   include HTML5
 
   def sanitize(html)
     HTMLParser.parse_fragment(html, {
-      :tokenizer  => HTMLSanitizer,
-      :encoding   => 'utf-8',
-      :tree       => TreeBuilders::REXML::TreeBuilder
+      :tokenizer => HTMLSanitizer,
+      :encoding => "utf-8",
+      :tree => TreeBuilders::REXML::TreeBuilder,
     }).to_s
   end
 end

data/lib/loofah.rb

@@ -29,13 +29,13 @@ require "loofah/html/document_fragment"
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.4.0"
+  VERSION = "2.5.0"
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse
     # This method accepts the same parameters as Nokogiri::HTML::Document.parse
     def document(*args, &block)
-      Loofah::HTML::Document.parse(*args, &block)
+      remove_comments_before_html_element Loofah::HTML::Document.parse(*args, &block)
     end
 
     # Shortcut for Loofah::HTML::DocumentFragment.parse
@@ -80,5 +80,23 @@ module Loofah
     def remove_extraneous_whitespace(string)
       string.gsub(/\n\s*\n\s*\n/, "\n\n")
     end
+
+    private
+
+    # remove comments that exist outside of the HTML element.
+    #
+    # these comments are allowed by the HTML spec:
+    #
+    #    https://www.w3.org/TR/html401/struct/global.html#h-7.1
+    #
+    # but are not scrubbed by Loofah because these nodes don't meet
+    # the contract that scrubbers expect of a node (e.g., it can be
+    # replaced, sibling and children nodes can be created).
+    def remove_comments_before_html_element(doc)
+      doc.children.each do |child|
+        child.unlink if child.comment?
+      end
+      doc
+    end
   end
 end

data/lib/loofah/elements.rb

@@ -1,90 +1,90 @@
 # frozen_string_literal: true
-require 'set'
+require "set"
 
 module Loofah
   module Elements
     STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-      address
-      blockquote
-      center
-      dir
-      div
-      dl
-      fieldset
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      hr
-      isindex
-      menu
-      noframes
-      noscript
-      ol
-      p
-      pre
-      table
-      ul
-    ]
+                                         address
+                                         blockquote
+                                         center
+                                         dir
+                                         div
+                                         dl
+                                         fieldset
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         hr
+                                         isindex
+                                         menu
+                                         noframes
+                                         noscript
+                                         ol
+                                         p
+                                         pre
+                                         table
+                                         ul
+                                       ]
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
     STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-      address
-      article
-      aside
-      blockquote
-      canvas
-      dd
-      div
-      dl
-      dt
-      fieldset
-      figcaption
-      figure
-      footer
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      header
-      hgroup
-      hr
-      li
-      main
-      nav
-      noscript
-      ol
-      output
-      p
-      pre
-      section
-      table
-      tfoot
-      ul
-      video
-    ]
+                                         address
+                                         article
+                                         aside
+                                         blockquote
+                                         canvas
+                                         dd
+                                         div
+                                         dl
+                                         dt
+                                         fieldset
+                                         figcaption
+                                         figure
+                                         footer
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         header
+                                         hgroup
+                                         hr
+                                         li
+                                         main
+                                         nav
+                                         noscript
+                                         ol
+                                         output
+                                         p
+                                         pre
+                                         section
+                                         table
+                                         tfoot
+                                         ul
+                                         video
+                                       ]
 
     STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
     LOOSE_BLOCK_LEVEL = Set.new %w[dd
-      dt
-      frameset
-      li
-      tbody
-      td
-      tfoot
-      th
-      thead
-      tr
-    ]
+                                   dt
+                                   frameset
+                                   li
+                                   tbody
+                                   td
+                                   tfoot
+                                   th
+                                   thead
+                                   tr
+                                ]
 
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
   end

data/lib/loofah/helpers.rb

@@ -28,7 +28,7 @@ module Loofah
       #
       #    Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
       #
-      def sanitize_css style_string
+      def sanitize_css(style_string)
         ::Loofah::HTML5::Scrub.scrub_css style_string
       end
 
@@ -69,7 +69,7 @@ module Loofah
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
       class FullSanitizer
-        def sanitize html, *args
+        def sanitize(html, *args)
           Loofah::Helpers.strip_tags html
         end
       end
@@ -86,11 +86,11 @@ module Loofah
       #    Loofah::Helpers::ActionView.set_as_default_sanitizer
       #
       class SafeListSanitizer
-        def sanitize html, *args
+        def sanitize(html, *args)
           Loofah::Helpers.sanitize html
         end
 
-        def sanitize_css style_string, *args
+        def sanitize_css(style_string, *args)
           Loofah::Helpers.sanitize_css style_string
         end
       end

data/lib/loofah/html/document_fragment.rb

@@ -15,10 +15,10 @@ module Loofah
         #  constructor. Applications should use Loofah.fragment to
         #  parse a fragment.
         #
-        def parse tags, encoding = nil
+        def parse(tags, encoding = nil)
           doc = Loofah::HTML::Document.new
 
-          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
+          encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
           doc.encoding = encoding
 
           new(doc, tags)
@@ -31,6 +31,7 @@ module Loofah
       def to_s
         serialize_root.children.to_s
       end
+
       alias :serialize :to_s
 
       def serialize_root

data/lib/loofah/html5/libxml2_workarounds.rb

@@ -1,6 +1,6 @@
 # coding: utf-8
 # frozen_string_literal: true
-require 'set'
+require "set"
 
 module Loofah
   #
@@ -17,11 +17,11 @@ module Loofah
     #  see comments about CVE-2018-8048 within the tests for more information
     #
     BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
-        href
-        action
-        src
-        name
-      ]
-    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
+                                           href
+                                           action
+                                           src
+                                           name
+                                         ]
+    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
   end
 end