rails-deprecated_sanitizer 1.0.2 → 1.0.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +7 -6
- data/lib/rails/deprecated_sanitizer.rb +118 -129
- data/lib/rails/deprecated_sanitizer/version.rb +1 -1
- data/test/deprecated_sanitizer_test.rb +3 -3
- data/test/test_helper.rb +3 -0
- metadata +3 -4
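--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b097d32525518131104c3ec6e0de67a37278429a
+data.tar.gz: 0bb4d49a13c78b74411bc9cd4c3ba09bc7cc34c2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 38a89e6806634dd8e5a1b42ffbb81c19c6825ab1bef6f7bcb11c223032a997d1b5ab539ee7280e53700243dd9633477e93a93e59de976a5d6b50cbbed9e5a447
+data.tar.gz: c60bf16b418b3411f263ad8f942a11460eea8b259371c32650e3987b26c850d51bd3eb19a7c194729ff837d923303ce4d57119e299dbd7f6900440d095cfc2d5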
data/CHANGELOG.md
CHANGED
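--- a/data/README.md
+++ b/data/README.md
@@ -1,14 +1,15 @@
 # Rails::Deprecated::Sanitizer
 
-In Rails 4.2
-Previously html-scanner was used for this.
-This gem includes that old behavior for easier migration and it will be supported until Rails 5.
+In Rails 4.2 HTML sanitization has been rewritten using a more secure library.
 
-
+This gem includes the old behavior shipping with Rails 4.2 and before. It is
+strictly provided to ease migration. It will be supported until Rails 5.
 
-
+To downgrade add `gem 'rails-deprecated_sanitizer'` to your Gemfile.
 
-
+See the Rails 4.2 upgrade guide for more information.
+
+You can read more about the new sanitization implementation here: [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer).
 
 # Reporting XSS Security Issues
 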
@@ -1,6 +1,7 @@
|
|
1
1
|
require "rails/deprecated_sanitizer/version"
|
2
2
|
require "rails/deprecated_sanitizer/html-scanner"
|
3
|
-
require "rails/deprecated_sanitizer/railtie"
|
3
|
+
require "rails/deprecated_sanitizer/railtie" if defined?(Rails::Railtie)
|
4
|
+
require "active_support/core_ext/module/remove_method"
|
4
5
|
|
5
6
|
module Rails
|
6
7
|
module DeprecatedSanitizer
|
@@ -23,134 +24,122 @@ end
|
|
23
24
|
module ActionView
|
24
25
|
module Helpers
|
25
26
|
module SanitizeHelper
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
HTML
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
def sanitized_shorthand_css_properties=(attributes)
|
143
|
-
HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
|
144
|
-
end
|
145
|
-
|
146
|
-
# Adds to the Set of allowed protocols for the +sanitize+ helper.
|
147
|
-
#
|
148
|
-
# class Application < Rails::Application
|
149
|
-
# config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
|
150
|
-
# end
|
151
|
-
#
|
152
|
-
def sanitized_allowed_protocols=(attributes)
|
153
|
-
HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
|
27
|
+
module ClassMethods
|
28
|
+
redefine_method :sanitizer_vendor do
|
29
|
+
Rails::DeprecatedSanitizer
|
30
|
+
end
|
31
|
+
|
32
|
+
redefine_method :sanitized_protocol_separator do
|
33
|
+
white_list_sanitizer.protocol_separator
|
34
|
+
end
|
35
|
+
|
36
|
+
redefine_method :sanitized_uri_attributes do
|
37
|
+
white_list_sanitizer.uri_attributes
|
38
|
+
end
|
39
|
+
|
40
|
+
redefine_method :sanitized_bad_tags do
|
41
|
+
white_list_sanitizer.bad_tags
|
42
|
+
end
|
43
|
+
|
44
|
+
redefine_method :sanitized_allowed_css_properties do
|
45
|
+
white_list_sanitizer.allowed_css_properties
|
46
|
+
end
|
47
|
+
|
48
|
+
redefine_method :sanitized_allowed_css_keywords do
|
49
|
+
white_list_sanitizer.allowed_css_keywords
|
50
|
+
end
|
51
|
+
|
52
|
+
redefine_method :sanitized_shorthand_css_properties do
|
53
|
+
white_list_sanitizer.shorthand_css_properties
|
54
|
+
end
|
55
|
+
|
56
|
+
redefine_method :sanitized_allowed_protocols do
|
57
|
+
white_list_sanitizer.allowed_protocols
|
58
|
+
end
|
59
|
+
|
60
|
+
redefine_method :sanitized_protocol_separator= do |value|
|
61
|
+
white_list_sanitizer.protocol_separator = value
|
62
|
+
end
|
63
|
+
|
64
|
+
# Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
|
65
|
+
#
|
66
|
+
# class Application < Rails::Application
|
67
|
+
# config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
|
68
|
+
# end
|
69
|
+
#
|
70
|
+
redefine_method :sanitized_uri_attributes= do |attributes|
|
71
|
+
HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
|
72
|
+
end
|
73
|
+
|
74
|
+
# Adds to the Set of 'bad' tags for the +sanitize+ helper.
|
75
|
+
#
|
76
|
+
# class Application < Rails::Application
|
77
|
+
# config.action_view.sanitized_bad_tags = 'embed', 'object'
|
78
|
+
# end
|
79
|
+
#
|
80
|
+
redefine_method :sanitized_bad_tags= do |attributes|
|
81
|
+
HTML::WhiteListSanitizer.bad_tags.merge(attributes)
|
82
|
+
end
|
83
|
+
|
84
|
+
# Adds to the Set of allowed tags for the +sanitize+ helper.
|
85
|
+
#
|
86
|
+
# class Application < Rails::Application
|
87
|
+
# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
|
88
|
+
# end
|
89
|
+
#
|
90
|
+
redefine_method :sanitized_allowed_tags= do |attributes|
|
91
|
+
HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
|
92
|
+
end
|
93
|
+
|
94
|
+
# Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
|
95
|
+
#
|
96
|
+
# class Application < Rails::Application
|
97
|
+
# config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
|
98
|
+
# end
|
99
|
+
#
|
100
|
+
redefine_method :sanitized_allowed_attributes= do |attributes|
|
101
|
+
HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
|
102
|
+
end
|
103
|
+
|
104
|
+
# Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
|
105
|
+
#
|
106
|
+
# class Application < Rails::Application
|
107
|
+
# config.action_view.sanitized_allowed_css_properties = 'expression'
|
108
|
+
# end
|
109
|
+
#
|
110
|
+
redefine_method :sanitized_allowed_css_properties= do |attributes|
|
111
|
+
HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
|
112
|
+
end
|
113
|
+
|
114
|
+
# Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
|
115
|
+
#
|
116
|
+
# class Application < Rails::Application
|
117
|
+
# config.action_view.sanitized_allowed_css_keywords = 'expression'
|
118
|
+
# end
|
119
|
+
#
|
120
|
+
redefine_method :sanitized_allowed_css_keywords= do |attributes|
|
121
|
+
HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
|
122
|
+
end
|
123
|
+
|
124
|
+
# Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
|
125
|
+
#
|
126
|
+
# class Application < Rails::Application
|
127
|
+
# config.action_view.sanitized_shorthand_css_properties = 'expression'
|
128
|
+
# end
|
129
|
+
#
|
130
|
+
redefine_method :sanitized_shorthand_css_properties= do |attributes|
|
131
|
+
HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
|
132
|
+
end
|
133
|
+
|
134
|
+
# Adds to the Set of allowed protocols for the +sanitize+ helper.
|
135
|
+
#
|
136
|
+
# class Application < Rails::Application
|
137
|
+
# config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
|
138
|
+
# end
|
139
|
+
#
|
140
|
+
redefine_method :sanitized_allowed_protocols= do |attributes|
|
141
|
+
HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
|
142
|
+
end
|
154
143
|
end
|
155
144
|
end
|
156
145
|
end
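Review bot: The doc examples on the new setters show allowlisting exactly the values this sanitizer exists to strip: `config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']` (new line 97) admits an inline event handler, and the `= 'expression'` examples for `sanitized_allowed_css_properties`, `sanitized_allowed_css_keywords` and `sanitized_shorthand_css_properties` (new lines 107, 117, 127) admit the legacy IE CSS `expression()` vector, so anyone copying them reopens the XSS hole the helper guards against. Swap them for harmless values, e.g. `# config.action_view.sanitized_allowed_attributes = ['longdesc', 'title']` and `# config.action_view.sanitized_allowed_css_properties = ['text-shadow']`, and put one line above the first setter: `# NOTE: these setters merge into the shared HTML::WhiteListSanitizer sets — they only ever add entries and cannot remove a default.` That additive behavior also means the `=` spelling is misleading: an assignment looks like a replacement but can never tighten the allowlist. Separately, a bare string such as `'expression'` is not enumerable, so `Set#merge` would presumably raise ArgumentError on it rather than add it; wrapping with `Array(attributes)` in each setter, or showing only array/multi-value examples, would avoid that trap.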
|
@@ -1,10 +1,10 @@
|
|
1
1
|
require 'test_helper'
|
2
|
-
require 'action_view'
|
3
|
-
require 'action_view/helpers/sanitize_helper'
|
4
2
|
|
5
3
|
class DeprecatedSanitizerTest < ActiveSupport::TestCase
|
6
4
|
def sanitize_helper
|
7
|
-
|
5
|
+
Class.new do
|
6
|
+
include ActionView::Helpers::SanitizeHelper
|
7
|
+
end
|
8
8
|
end
|
9
9
|
|
10
10
|
test 'Action View sanitizer vendor is set to deprecated sanitizer' do
|
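--- a/data/test/test_helper.rb
+++ b/data/test/test_helper.rb
@@ -4,7 +4,10 @@ require 'active_support'
 require 'active_support/test_case'
 require 'active_support/testing/autorun'
 
+require 'action_view/helpers/sanitize_helper'
+
 require 'rails/deprecated_sanitizer'
 
 # Show backtraces for deprecated behavior for quicker cleanup.
 ActiveSupport::Deprecation.debug = true
+ActiveSupport::TestCase.test_order = :random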
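--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-deprecated_sanitizer
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.3
 platform: ruby
 authors:
 - Kasper Timm Hansen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -100,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.2.1
 signing_key:
 specification_version: 4
 summary: Deprecated sanitizer API extracted from Action View.
@@ -113,4 +113,3 @@ test_files:
 - test/test_helper.rb
 - test/text_node_test.rb
 - test/tokenizer_test.rb
-has_rdoc: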