loofah 2.8.0 → 2.9.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/loofah/html5/scrub.rb +40 -23
- data/lib/loofah/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10f6e8ff06a760da3400cdf8660e6768cfc2e7bbcb34a3ae6aaadea5e29ff924
|
|
4
|
+
data.tar.gz: 7e0accdb26147612bd7da3abc8fa98a6fac850dbb7a0ee99d20375400de4b877
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 11b0f4dcad5a9f38444e9eebd45cb09705e536468c901c03d792711133536812f8b0579533eb54a305311d5303fdd4cf510761a9a0d42d0af46bb153d3402a3c
|
|
7
|
+
data.tar.gz: d6032694eaaaddd47c02868ecb037dc2673b5ebd749a7d8846c2a55e13744f9455a66b41ec16a4cf3c4905e6019df3493972ec462cd04404365ebe202e15e211
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,10 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
### 2.9.0 / 2021-01-14
|
|
4
|
+
|
|
5
|
+
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
|
|
6
|
+
|
|
7
|
+
|
|
3
8
|
### 2.8.0 / 2020-11-25
|
|
4
9
|
|
|
5
10
|
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
|
data/lib/loofah/html5/scrub.rb
CHANGED
|
@@ -7,22 +7,22 @@ module Loofah
|
|
|
7
7
|
module Scrub
|
|
8
8
|
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
|
|
9
9
|
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
|
|
10
|
-
CRASS_SEMICOLON = { :
|
|
10
|
+
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
|
|
11
11
|
CSS_IMPORTANT = '!important'
|
|
12
12
|
|
|
13
13
|
class << self
|
|
14
14
|
def allowed_element?(element_name)
|
|
15
|
-
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?
|
|
15
|
+
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
# alternative implementation of the html5lib attribute scrubbing algorithm
|
|
19
19
|
def scrub_attributes(node)
|
|
20
20
|
node.attribute_nodes.each do |attr_node|
|
|
21
21
|
attr_name = if attr_node.namespace
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
22
|
+
"#{attr_node.namespace.prefix}:#{attr_node.node_name}"
|
|
23
|
+
else
|
|
24
|
+
attr_node.node_name
|
|
25
|
+
end
|
|
26
26
|
|
|
27
27
|
if attr_name =~ /\Adata-[\w-]+\z/
|
|
28
28
|
next
|
|
@@ -58,13 +58,13 @@ module Loofah
|
|
|
58
58
|
end
|
|
59
59
|
end
|
|
60
60
|
|
|
61
|
-
scrub_css_attribute
|
|
61
|
+
scrub_css_attribute(node)
|
|
62
62
|
|
|
63
63
|
node.attribute_nodes.each do |attr_node|
|
|
64
64
|
node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
|
|
65
65
|
end
|
|
66
66
|
|
|
67
|
-
force_correct_attribute_escaping!
|
|
67
|
+
force_correct_attribute_escaping!(node)
|
|
68
68
|
end
|
|
69
69
|
|
|
70
70
|
def scrub_css_attribute(node)
|
|
@@ -73,33 +73,50 @@ module Loofah
|
|
|
73
73
|
end
|
|
74
74
|
|
|
75
75
|
def scrub_css(style)
|
|
76
|
-
style_tree = Crass.parse_properties
|
|
76
|
+
style_tree = Crass.parse_properties(style)
|
|
77
77
|
sanitized_tree = []
|
|
78
78
|
|
|
79
79
|
style_tree.each do |node|
|
|
80
80
|
next unless node[:node] == :property
|
|
81
81
|
next if node[:children].any? do |child|
|
|
82
|
-
[:url, :bad_url].include?(child[:node])
|
|
82
|
+
[:url, :bad_url].include?(child[:node])
|
|
83
83
|
end
|
|
84
|
+
|
|
84
85
|
name = node[:name].downcase
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
86
|
+
next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) ||
|
|
87
|
+
SafeList::ALLOWED_SVG_PROPERTIES.include?(name) ||
|
|
88
|
+
SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
|
|
89
|
+
|
|
90
|
+
value = node[:children].map do |child|
|
|
91
|
+
case child[:node]
|
|
92
|
+
when :whitespace
|
|
93
|
+
nil
|
|
94
|
+
when :string
|
|
95
|
+
nil
|
|
96
|
+
when :function
|
|
97
|
+
if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)
|
|
98
|
+
Crass::Parser.stringify(child)
|
|
99
|
+
end
|
|
100
|
+
when :ident
|
|
101
|
+
keyword = child[:value]
|
|
102
|
+
if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) ||
|
|
103
|
+
SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) ||
|
|
104
|
+
(keyword =~ CSS_KEYWORDISH)
|
|
90
105
|
keyword
|
|
91
106
|
end
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
value << CSS_IMPORTANT if node[:important]
|
|
95
|
-
propstring = sprintf "%s:%s", name, value.join(" ")
|
|
96
|
-
sanitized_node = Crass.parse_properties(propstring).first
|
|
97
|
-
sanitized_tree << sanitized_node << CRASS_SEMICOLON
|
|
107
|
+
else
|
|
108
|
+
child[:raw]
|
|
98
109
|
end
|
|
99
|
-
end
|
|
110
|
+
end.compact
|
|
111
|
+
|
|
112
|
+
next if value.empty?
|
|
113
|
+
value << CSS_IMPORTANT if node[:important]
|
|
114
|
+
propstring = format("%s:%s", name, value.join(" "))
|
|
115
|
+
sanitized_node = Crass.parse_properties(propstring).first
|
|
116
|
+
sanitized_tree << sanitized_node << CRASS_SEMICOLON
|
|
100
117
|
end
|
|
101
118
|
|
|
102
|
-
Crass::Parser.stringify
|
|
119
|
+
Crass::Parser.stringify(sanitized_tree)
|
|
103
120
|
end
|
|
104
121
|
|
|
105
122
|
#
|
data/lib/loofah/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: loofah
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Dalessio
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2021-01-14 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: nokogiri
|