nokogiri 1.8.2 → 1.8.3

data/test/css/test_parser.rb

@@ -255,6 +255,23 @@ module Nokogiri
       def test_attribute
         assert_xpath  "//h1[@a = 'Tender Lovemaking']",
                       @parser.parse("h1[a='Tender Lovemaking']")
+        assert_xpath "//h1[@a]",
+                      @parser.parse("h1[a]")
+        assert_xpath %q{//h1[@a = 'gnewline\n']},
+                     @parser.parse("h1[a='\\gnew\\\nline\\\\n']")
+        assert_xpath "//h1[@a = 'test']",
+                     @parser.parse(%q{h1[a=\te\st]})
+        assert_xpath %q{//h1[@a = "'"]},
+                     @parser.parse(%q{h1[a="'"]})
+        assert_xpath %q{//h1[@a = concat("'", "")]},
+                     @parser.parse(%q{h1[a='\\'']})
+        assert_xpath %q{//h1[@a = concat("", '"', "'", "")]},
+                     @parser.parse(%q{h1[a='"\'']})
+      end
+
+      def test_attribute_with_number_or_string
+        assert_xpath "//img[@width = '200']", @parser.parse("img[width='200']")
+        assert_xpath "//img[@width = '200']", @parser.parse("img[width=200]")
       end
 
       def test_id

data/test/html/test_attributes.rb

@@ -0,0 +1,85 @@
+require "helper"
+
+module Nokogiri
+  module HTML
+    class TestAttr < Nokogiri::TestCase
+      unless Nokogiri::VersionInfo.instance.libxml2? && Nokogiri::VersionInfo.instance.libxml2_using_system?
+        #
+        #  libxml2 >= 2.9.2 fails to escape comments within some attributes. It
+        #  wants to ensure these comments can be treated as "server-side includes",
+        #  but as a result fails to ensure that serialization is well-formed,
+        #  resulting in an opportunity for XSS injection of code into a final
+        #  re-parsed document (presumably in a browser).
+        #
+        #  the offending commit is:
+        #
+        #    https://github.com/GNOME/libxml2/commit/960f0e2
+        #
+        #  we'll test this by parsing the HTML, serializing it, then
+        #  re-parsing it to ensure there isn't any ambiguity in the output
+        #  that might allow code injection into a browser consuming
+        #  "sanitized" output.
+        #
+        #  complaints have been made upstream about this behavior, notably at
+        #
+        #    https://bugzilla.gnome.org/show_bug.cgi?id=769760
+        #
+        #  and multiple CVEs have been declared and fixed in downstream
+        #  libraries as a result, a list is being kept up to date here:
+        #
+        #    https://github.com/flavorjones/loofah/issues/144
+        #
+        [
+          #
+          #  these tags and attributes are determined by the code at:
+          #
+          #    https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
+          #
+          {tag: "a",   attr: "href"},
+          {tag: "div", attr: "href"},
+          {tag: "a",   attr: "action"},
+          {tag: "div", attr: "action"},
+          {tag: "a",   attr: "src"},
+          {tag: "div", attr: "src"},
+          {tag: "a",   attr: "name"},
+          #
+          #  note that div+name is _not_ affected by the libxml2 issue.
+          #  but we test it anyway to ensure our logic isn't modifying
+          #  attributes that don't need modifying.
+          #
+          {tag: "div", attr: "name", unescaped: true},
+        ].each do |config|
+
+          define_method "test_uri_escaping_of_#{config[:attr]}_attr_in_#{config[:tag]}_tag" do
+            html = %{<#{config[:tag]} #{config[:attr]}='examp<!--" unsafeattr=unsafevalue()>-->le.com'>test</#{config[:tag]}>}
+
+            reparsed = HTML.fragment(HTML.fragment(html).to_html)
+            attributes = reparsed.at_css(config[:tag]).attribute_nodes
+
+            assert_equal [config[:attr]], attributes.collect(&:name)
+            if Nokogiri::VersionInfo.instance.libxml2?
+              if config[:unescaped]
+                #
+                #  this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
+                #  assert that this attribute's serialization is unaffected.
+                #
+                assert_equal %{examp<!--" unsafeattr=unsafevalue()>-->le.com}, attributes.first.value
+              else
+                #
+                #  let's match the behavior in libxml < 2.9.2.
+                #  test that this attribute's serialization is well-formed and sanitized.
+                #
+                assert_equal %{examp<!--%22%20unsafeattr=unsafevalue()>-->le.com}, attributes.first.value
+              end
+            else
+              #
+              #  yay for consistency in javaland. move along, nothing to see here.
+              #
+              assert_equal %{examp<!--%22 unsafeattr=unsafevalue()>-->le.com}, attributes.first.value
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/test/html/test_document_fragment.rb

@@ -9,6 +9,12 @@ module Nokogiri
         @html = Nokogiri::HTML.parse(File.read(HTML_FILE), HTML_FILE)
       end
 
+      def test_ascii_8bit_encoding
+        s = String.new 'hello'
+        s.force_encoding ::Encoding::ASCII_8BIT
+        assert_equal "hello", Nokogiri::HTML::DocumentFragment.parse(s).to_html
+      end
+
       def test_inspect_encoding
         fragment = "<div>こんにちは！</div>".encode('EUC-JP')
         f = Nokogiri::HTML::DocumentFragment.parse fragment
@@ -21,7 +27,7 @@ module Nokogiri
         assert_equal 'EUC-JP', f.document.encoding
         assert_equal "こんにちは！", f.content
       end
-      
+
       def test_unlink_empty_document
         frag = Nokogiri::HTML::DocumentFragment.parse('').unlink # must_not_raise
         assert_nil frag.parent

data/test/test_css_cache.rb

@@ -28,8 +28,6 @@ class TestCssCache < Nokogiri::TestCase
 
   [ false, true ].each do |cache_setting|
     define_method "test_css_cache_#{cache_setting ? "true" : "false"}" do
-      times = cache_setting ? 4 : nil
-
       Nokogiri::CSS::Parser.set_cache cache_setting
 
       Nokogiri::CSS.xpath_for(@css)
@@ -37,7 +35,11 @@ class TestCssCache < Nokogiri::TestCase
       Nokogiri::CSS::Parser.new.xpath_for(@css)
       Nokogiri::CSS::Parser.new.xpath_for(@css)
 
-      assert_equal(times, Nokogiri::CSS::Parser.class_eval { @cache.count })
+      if cache_setting
+        assert_equal(4, Nokogiri::CSS::Parser.class_eval { @cache.count })
+      else
+        assert_nil(Nokogiri::CSS::Parser.class_eval { @cache.count })
+      end
     end
   end
 

data/test/xml/sax/test_parser.rb

@@ -43,9 +43,17 @@ module Nokogiri
           assert_equal [['foo', [['a', '&b']]]], doc.start_elements
         end
 
+        def test_empty_decl
+          parser = XML::SAX::Parser.new(Doc.new)
+
+          xml = "<root />"
+          parser.parse xml
+          assert parser.document.start_document_called, xml
+          assert_nil parser.document.xmldecls, xml
+        end
+
         def test_xml_decl
           [
-            ['', nil],
             ['<?xml version="1.0" ?>',
               ['1.0']],
             ['<?xml version="1.0" encoding="UTF-8" ?>',

data/test/xml/sax/test_push_parser.rb

@@ -21,6 +21,66 @@ module Nokogiri
           end
         end
 
+        def test_early_finish
+          @parser << "<foo>"
+          assert_raises(SyntaxError) do
+            @parser.finish
+          end
+        end
+
+        def test_write_last_chunk
+          @parser << "<foo>"
+          @parser.write "</foo>", true
+          assert_equal [["foo", []]], @parser.document.start_elements
+          assert_equal [["foo"]], @parser.document.end_elements
+        end
+
+        def test_empty_doc
+          @parser.options |= XML::ParseOptions::RECOVER
+          @parser.write "", true
+          assert_nil @parser.document.start_elements
+          assert_nil @parser.document.end_elements
+        end
+
+
+        def test_finish_should_rethrow_last_error
+          begin
+            @parser << "</foo>"
+          rescue => e
+            expected = e
+          end
+
+          begin
+            @parser.finish
+          rescue => e
+            actual = e
+          end
+
+          assert_equal actual.message, expected.message
+        end
+
+        def test_should_throw_error_returned_by_document
+          doc = Doc.new
+          class << doc
+            def error msg
+              raise "parse error"
+            end
+          end
+
+          @parser = XML::SAX::PushParser.new(doc)
+          begin
+            @parser << "</foo>"
+          rescue => e
+            actual = e
+          end
+
+          assert_equal actual.message, "parse error"
+        end
+
+        def test_writing_nil
+          assert_equal @parser.write(nil), @parser
+        end
+
         def test_end_document_called
           @parser.<<(<<-eoxml)
             <p id="asdfasdf">

data/test/xml/test_cdata.rb

@@ -25,7 +25,7 @@ module Nokogiri
 
       def test_new_with_nil
         node = CDATA.new(@xml, nil)
-        assert_equal nil, node.content
+        assert_nil node.content
       end
 
       def test_new_with_non_string

data/test/xml/test_document.rb

@@ -69,7 +69,7 @@ module Nokogiri
 
       def test_root_set_to_nil
         @xml.root = nil
-        assert_equal nil, @xml.root
+        assert_nil @xml.root
       end
 
       def test_million_laugh_attach
@@ -869,9 +869,9 @@ module Nokogiri
         assert_equal 1, doc.xpath("//x:foo", "x" => "http://c.flavorjon.es/").length
         assert_match %r{foo c:attr}, doc.to_xml
         doc.at_xpath("//x:foo", "x" => "http://c.flavorjon.es/").tap do |node|
-          assert_equal nil,          node["attr"]
+          assert_nil          node["attr"]
           assert_equal "attr-value", node["c:attr"]
-          assert_equal nil,          node.attribute_with_ns("attr", nil)
+          assert_nil          node.attribute_with_ns("attr", nil)
           assert_equal "attr-value", node.attribute_with_ns("attr", "http://c.flavorjon.es/").value
           assert_equal "attr-value", node.attributes["attr"].value
         end
@@ -887,9 +887,9 @@ module Nokogiri
         assert_match %r{foo attr}, doc.to_xml
         doc.at_xpath("//container/foo").tap do |node|
           assert_equal "attr-value", node["attr"]
-          assert_equal nil,          node["c:attr"]
+          assert_nil          node["c:attr"]
           assert_equal "attr-value", node.attribute_with_ns("attr", nil).value
-          assert_equal nil,          node.attribute_with_ns("attr", "http://c.flavorjon.es/")
+          assert_nil          node.attribute_with_ns("attr", "http://c.flavorjon.es/")
           assert_equal "attr-value", node.attributes["attr"].value # doesn't change!
         end
       end

data/test/xml/test_dtd.rb

@@ -91,14 +91,14 @@ module Nokogiri
           dtd = doc.internal_subset
           assert_instance_of Nokogiri::XML::DTD, dtd, name
           if html_p
-            assert_send [dtd, :html_dtd?], name
+            assert dtd.html_dtd?, name
           else
-            assert_not_send [dtd, :html_dtd?], name
+            refute dtd.html_dtd?, name
           end
           if html5_p
-            assert_send [dtd, :html5_dtd?], name
+            assert dtd.html5_dtd?, name
           else
-            assert_not_send [dtd, :html5_dtd?], name
+            refute dtd.html5_dtd?, name
           end
         }
       end

data/test/xml/test_node.rb

@@ -680,6 +680,89 @@ module Nokogiri
         assert_nil address['domestic']
       end
 
+      def test_classes
+        xml = Nokogiri::XML(<<-eoxml)
+        <div>
+          <p class=" foo  bar foo ">test</p>
+          <p class="">test</p>
+        </div>
+        eoxml
+        div = xml.at_xpath('//div')
+        p1, p2 = xml.xpath('//p')
+
+        assert_equal [], div.classes
+        assert_equal %w[foo bar foo], p1.classes
+        assert_equal [], p2.classes
+      end
+
+      def test_add_class
+        xml = Nokogiri::XML(<<-eoxml)
+        <div>
+          <p class=" foo  bar foo ">test</p>
+          <p class="">test</p>
+        </div>
+        eoxml
+        div = xml.at_xpath('//div')
+        p1, p2 = xml.xpath('//p')
+
+        assert_same div, div.add_class('main')
+        assert_equal 'main', div['class']
+
+        assert_same p1, p1.add_class('baz foo')
+        assert_equal 'foo bar foo baz', p1['class']
+
+        assert_same p2, p2.add_class('foo baz foo')
+        assert_equal 'foo baz foo', p2['class']
+      end
+
+      def test_append_class
+        xml = Nokogiri::XML(<<-eoxml)
+        <div>
+          <p class=" foo  bar foo ">test</p>
+          <p class="">test</p>
+        </div>
+        eoxml
+        div = xml.at_xpath('//div')
+        p1, p2 = xml.xpath('//p')
+
+        assert_same div, div.append_class('main')
+        assert_equal 'main', div['class']
+
+        assert_same p1, p1.append_class('baz foo')
+        assert_equal 'foo bar foo baz foo', p1['class']
+
+        assert_same p2, p2.append_class('foo baz foo')
+        assert_equal 'foo baz foo', p2['class']
+      end
+
+      def test_remove_class
+        xml = Nokogiri::XML(<<-eoxml)
+        <div>
+          <p class=" foo  bar baz foo ">test</p>
+          <p class=" foo  bar baz foo ">test</p>
+          <p class="foo foo">test</p>
+          <p class="">test</p>
+        </div>
+        eoxml
+        div = xml.at_xpath('//div')
+        p1, p2, p3, p4 = xml.xpath('//p')
+
+        assert_same div, div.remove_class('main')
+        assert_nil div['class']
+
+        assert_same p1, p1.remove_class('bar baz')
+        assert_equal 'foo foo', p1['class']
+
+        assert_same p2, p2.remove_class()
+        assert_nil p2['class']
+
+        assert_same p3, p3.remove_class('foo')
+        assert_nil p3['class']
+
+        assert_same p4, p4.remove_class('foo')
+        assert_nil p4['class']
+      end
+
       def test_set_content_with_symbol
         node = @xml.at('//name')
         node.content = :foo
@@ -1054,15 +1137,15 @@ EOXML
         assert_equal 'http://bar.com/', set[1].namespace.href
         assert_equal "c", set[2].namespace.prefix
         assert_equal 'http://bazz.com/', set[2].namespace.href
-        assert_equal nil, set[3].namespace.prefix # default namespace
+        assert_nil set[3].namespace.prefix # default namespace
         assert_equal 'http://ns.example.com/d', set[3].namespace.href
-        assert_equal nil, set[4].namespace # no namespace
+        assert_nil set[4].namespace # no namespace
 
         assert_equal 'b', set[2].attributes['y'].namespace.prefix
         assert_equal 'http://bar.com/', set[2].attributes['y'].namespace.href
-        assert_equal nil, set[2].attributes['x'].namespace
-        assert_equal nil, set[3].attributes['x'].namespace
-        assert_equal nil, set[4].attributes['x'].namespace
+        assert_nil set[2].attributes['x'].namespace
+        assert_nil set[3].attributes['x'].namespace
+        assert_nil set[4].attributes['x'].namespace
       end
 
       if Nokogiri.uses_libxml?
@@ -1076,7 +1159,7 @@ EOXML
 
           assert_equal 1, node.namespaces.keys.size
           assert       node.namespaces.has_key?('xmlns:o')
-          assert_equal nil, node.namespaces['xmlns:o']
+          assert_nil node.namespaces['xmlns:o']
         end
       end
 

data/test/xml/test_node_attributes.rb

@@ -23,7 +23,7 @@ module Nokogiri
 
         assert_equal 'en-GB', node['xml:lang']
         assert_equal 'en-GB', node.attributes['lang'].value
-        assert_equal nil, node['lang']
+        assert_nil node['lang']
       end
 
       def test_unknown_namespace_prefix_should_not_be_removed
@@ -42,12 +42,12 @@ module Nokogiri
 
         assert_equal 'en-GB', node['xml:lang']
         assert_equal 'en-GB', node.attributes['lang'].value
-        assert_equal nil, node['lang']
+        assert_nil node['lang']
         assert_equal 'http://www.w3.org/XML/1998/namespace', node.attributes['lang'].namespace.href
 
         assert_equal 'bazz', node['foo:bar']
         assert_equal 'bazz', node.attributes['bar'].value
-        assert_equal nil, node['bar']
+        assert_nil node['bar']
         assert_equal 'x', node.attributes['bar'].namespace.href
       end
 

data/test/xml/test_node_reparenting.rb

@@ -459,6 +459,24 @@ module Nokogiri
             end
           end
 
+          it "can replace with a comment node" do
+            doc = Nokogiri::XML %Q{<parent><child>text}
+            replacee = doc.at_css("child")
+            replacer = doc.create_comment("<b>text</b>")
+            replacee.replace replacer
+            assert_equal 1, doc.root.children.length
+            assert_equal replacer, doc.root.children.first
+          end
+
+          it "can replace with a CDATA node" do
+            doc = Nokogiri::XML %Q{<parent><child>text}
+            replacee = doc.at_css("child")
+            replacer = doc.create_cdata("<b>text</b>")
+            replacee.replace replacer
+            assert_equal 1, doc.root.children.length
+            assert_equal replacer, doc.root.children.first
+          end
+
           describe "when a document has a default namespace" do
             before do
               @fruits = Nokogiri::XML(<<-eoxml)