rails-deprecated_sanitizer 1.0.2 → 1.0.3

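--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 5c439b4be22e89d93d310cb93f685b9894d42dce
- data.tar.gz: 8331657c4eab3c81681f04f51653ed2bf8356027
+ metadata.gz: b097d32525518131104c3ec6e0de67a37278429a
+ data.tar.gz: 0bb4d49a13c78b74411bc9cd4c3ba09bc7cc34c2
  SHA512:
- metadata.gz: c22abd432331f9203c7612bb68f678c2447a9b89f9a98e8dfcb346470cf78ab9725f4c3dcbc5a2293dd07fd931dea3f164216a8fd81921d50beab16ce5bd660f
- data.tar.gz: f5bc4b05491a581aabe99dd5c1413aa759a1d203ebd51f30c75ef51805ccbfa4d2702c24136924706032d20c96a11b5f93cd5c9ee6e990fc01a1ac0449dcf546
+ metadata.gz: 38a89e6806634dd8e5a1b42ffbb81c19c6825ab1bef6f7bcb11c223032a997d1b5ab539ee7280e53700243dd9633477e93a93e59de976a5d6b50cbbed9e5a447
+ data.tar.gz: c60bf16b418b3411f263ad8f942a11460eea8b259371c32650e3987b26c850d51bd3eb19a7c194729ff837d923303ce4d57119e299dbd7f6900440d095cfc2d5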
@@ -1,3 +1,7 @@
1
+ ## 1.0.3
2
+
3
+ * Improved support for Rails 4.2.0.beta2 and above.
4
+
1
5
  ## 1.0.2
2
6
 
3
7
  * Remove warning of method redefined.
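--- a/data/README.md
+++ b/data/README.md
@@ -1,14 +1,15 @@
  # Rails::Deprecated::Sanitizer
 
- In Rails 4.2 the sanitization implementation uses Loofah by default.
- Previously html-scanner was used for this.
- This gem includes that old behavior for easier migration and it will be supported until Rails 5.
+ In Rails 4.2 HTML sanitization has been rewritten using a more secure library.
 
- If you need this behavior, add the gem to an applications gemfile, run `bundle` and the deprecated behavior is installed.
+ This gem includes the old behavior shipping with Rails 4.2 and before. It is
+ strictly provided to ease migration. It will be supported until Rails 5.
 
- gem 'rails-deprecated_sanitizer'
+ To downgrade add `gem 'rails-deprecated_sanitizer'` to your Gemfile.
 
- You can read more about the new behavior here: [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer).
+ See the Rails 4.2 upgrade guide for more information.
+
+ You can read more about the new sanitization implementation here: [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer).
 
  # Reporting XSS Security Issues
 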
@@ -1,6 +1,7 @@
1
1
  require "rails/deprecated_sanitizer/version"
2
2
  require "rails/deprecated_sanitizer/html-scanner"
3
- require "rails/deprecated_sanitizer/railtie"
3
+ require "rails/deprecated_sanitizer/railtie" if defined?(Rails::Railtie)
4
+ require "active_support/core_ext/module/remove_method"
4
5
 
5
6
  module Rails
6
7
  module DeprecatedSanitizer
@@ -23,134 +24,122 @@ end
23
24
  module ActionView
24
25
  module Helpers
25
26
  module SanitizeHelper
26
- extend self
27
-
28
- if method_defined?(:sanitizer_vendor) || private_method_defined?(:sanitizer_vendor)
29
- undef_method(:sanitizer_vendor)
30
- end
31
-
32
- def sanitizer_vendor
33
- Rails::DeprecatedSanitizer
34
- end
35
-
36
- def sanitized_protocol_separator
37
- white_list_sanitizer.protocol_separator
38
- end
39
-
40
- def sanitized_uri_attributes
41
- white_list_sanitizer.uri_attributes
42
- end
43
-
44
- def sanitized_bad_tags
45
- white_list_sanitizer.bad_tags
46
- end
47
-
48
- def sanitized_allowed_tags
49
- white_list_sanitizer.allowed_tags
50
- end
51
-
52
- def sanitized_allowed_attributes
53
- white_list_sanitizer.allowed_attributes
54
- end
55
-
56
- def sanitized_allowed_css_properties
57
- white_list_sanitizer.allowed_css_properties
58
- end
59
-
60
- def sanitized_allowed_css_keywords
61
- white_list_sanitizer.allowed_css_keywords
62
- end
63
-
64
- def sanitized_shorthand_css_properties
65
- white_list_sanitizer.shorthand_css_properties
66
- end
67
-
68
- def sanitized_allowed_protocols
69
- white_list_sanitizer.allowed_protocols
70
- end
71
-
72
- def sanitized_protocol_separator=(value)
73
- white_list_sanitizer.protocol_separator = value
74
- end
75
-
76
- # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
77
- #
78
- # class Application < Rails::Application
79
- # config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
80
- # end
81
- #
82
- def sanitized_uri_attributes=(attributes)
83
- HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
84
- end
85
-
86
- # Adds to the Set of 'bad' tags for the +sanitize+ helper.
87
- #
88
- # class Application < Rails::Application
89
- # config.action_view.sanitized_bad_tags = 'embed', 'object'
90
- # end
91
- #
92
- def sanitized_bad_tags=(attributes)
93
- HTML::WhiteListSanitizer.bad_tags.merge(attributes)
94
- end
95
-
96
- # Adds to the Set of allowed tags for the +sanitize+ helper.
97
- #
98
- # class Application < Rails::Application
99
- # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
100
- # end
101
- #
102
- def sanitized_allowed_tags=(attributes)
103
- HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
104
- end
105
-
106
- # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
107
- #
108
- # class Application < Rails::Application
109
- # config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
110
- # end
111
- #
112
- def sanitized_allowed_attributes=(attributes)
113
- HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
114
- end
115
-
116
- # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
117
- #
118
- # class Application < Rails::Application
119
- # config.action_view.sanitized_allowed_css_properties = 'expression'
120
- # end
121
- #
122
- def sanitized_allowed_css_properties=(attributes)
123
- HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
124
- end
125
-
126
- # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
127
- #
128
- # class Application < Rails::Application
129
- # config.action_view.sanitized_allowed_css_keywords = 'expression'
130
- # end
131
- #
132
- def sanitized_allowed_css_keywords=(attributes)
133
- HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
134
- end
135
-
136
- # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
137
- #
138
- # class Application < Rails::Application
139
- # config.action_view.sanitized_shorthand_css_properties = 'expression'
140
- # end
141
- #
142
- def sanitized_shorthand_css_properties=(attributes)
143
- HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
144
- end
145
-
146
- # Adds to the Set of allowed protocols for the +sanitize+ helper.
147
- #
148
- # class Application < Rails::Application
149
- # config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
150
- # end
151
- #
152
- def sanitized_allowed_protocols=(attributes)
153
- HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
27
+ module ClassMethods
28
+ redefine_method :sanitizer_vendor do
29
+ Rails::DeprecatedSanitizer
30
+ end
31
+
32
+ redefine_method :sanitized_protocol_separator do
33
+ white_list_sanitizer.protocol_separator
34
+ end
35
+
36
+ redefine_method :sanitized_uri_attributes do
37
+ white_list_sanitizer.uri_attributes
38
+ end
39
+
40
+ redefine_method :sanitized_bad_tags do
41
+ white_list_sanitizer.bad_tags
42
+ end
43
+
44
+ redefine_method :sanitized_allowed_css_properties do
45
+ white_list_sanitizer.allowed_css_properties
46
+ end
47
+
48
+ redefine_method :sanitized_allowed_css_keywords do
49
+ white_list_sanitizer.allowed_css_keywords
50
+ end
51
+
52
+ redefine_method :sanitized_shorthand_css_properties do
53
+ white_list_sanitizer.shorthand_css_properties
54
+ end
55
+
56
+ redefine_method :sanitized_allowed_protocols do
57
+ white_list_sanitizer.allowed_protocols
58
+ end
59
+
60
+ redefine_method :sanitized_protocol_separator= do |value|
61
+ white_list_sanitizer.protocol_separator = value
62
+ end
63
+
64
+ # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
65
+ #
66
+ # class Application < Rails::Application
67
+ # config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
68
+ # end
69
+ #
70
+ redefine_method :sanitized_uri_attributes= do |attributes|
71
+ HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
72
+ end
73
+
74
+ # Adds to the Set of 'bad' tags for the +sanitize+ helper.
75
+ #
76
+ # class Application < Rails::Application
77
+ # config.action_view.sanitized_bad_tags = 'embed', 'object'
78
+ # end
79
+ #
80
+ redefine_method :sanitized_bad_tags= do |attributes|
81
+ HTML::WhiteListSanitizer.bad_tags.merge(attributes)
82
+ end
83
+
84
+ # Adds to the Set of allowed tags for the +sanitize+ helper.
85
+ #
86
+ # class Application < Rails::Application
87
+ # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
88
+ # end
89
+ #
90
+ redefine_method :sanitized_allowed_tags= do |attributes|
91
+ HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
92
+ end
93
+
94
+ # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
95
+ #
96
+ # class Application < Rails::Application
97
+ # config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
98
+ # end
99
+ #
100
+ redefine_method :sanitized_allowed_attributes= do |attributes|
101
+ HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
102
+ end
103
+
104
+ # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
105
+ #
106
+ # class Application < Rails::Application
107
+ # config.action_view.sanitized_allowed_css_properties = 'expression'
108
+ # end
109
+ #
110
+ redefine_method :sanitized_allowed_css_properties= do |attributes|
111
+ HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
112
+ end
113
+
114
+ # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
115
+ #
116
+ # class Application < Rails::Application
117
+ # config.action_view.sanitized_allowed_css_keywords = 'expression'
118
+ # end
119
+ #
120
+ redefine_method :sanitized_allowed_css_keywords= do |attributes|
121
+ HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
122
+ end
123
+
124
+ # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
125
+ #
126
+ # class Application < Rails::Application
127
+ # config.action_view.sanitized_shorthand_css_properties = 'expression'
128
+ # end
129
+ #
130
+ redefine_method :sanitized_shorthand_css_properties= do |attributes|
131
+ HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
132
+ end
133
+
134
+ # Adds to the Set of allowed protocols for the +sanitize+ helper.
135
+ #
136
+ # class Application < Rails::Application
137
+ # config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
138
+ # end
139
+ #
140
+ redefine_method :sanitized_allowed_protocols= do |attributes|
141
+ HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
142
+ end
154
143
  end
155
144
  end
156
145
  end
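Review bot: The new `ClassMethods` module defines writers `sanitized_allowed_tags=` and `sanitized_allowed_attributes=` but no matching readers, whereas the replaced code defined `sanitized_allowed_tags` and `sanitized_allowed_attributes` readers alongside them; if the intent is that Rails 4.2's own `SanitizeHelper::ClassMethods` already supplies those two readers (presumably through the redefined `sanitizer_vendor`), a comment stating that would stop the next reader from treating the asymmetry as an omission, and on a Rails that lacks them a caller would get `NoMethodError`. Separately, the carried-over doc example above `sanitized_allowed_attributes=` shows `config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']`; `onclick` is an inline event-handler attribute, so an application that copies the example allowlists script execution through "sanitized" markup — the example should use harmless attributes, e.g. `# config.action_view.sanitized_allowed_attributes = ['longdesc', 'cite']`. Every `redefine_method` here depends on `active_support/core_ext/module/remove_method` being loaded first, which the earlier hunk adds at the top of the file; a one-line comment above `module ClassMethods` naming that dependency would make the reopening of Rails' module self-explanatory.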
@@ -1,5 +1,5 @@
1
1
  module Rails
2
2
  module DeprecatedSanitizer
3
- VERSION = "1.0.2"
3
+ VERSION = "1.0.3"
4
4
  end
5
5
  end
@@ -1,10 +1,10 @@
1
1
  require 'test_helper'
2
- require 'action_view'
3
- require 'action_view/helpers/sanitize_helper'
4
2
 
5
3
  class DeprecatedSanitizerTest < ActiveSupport::TestCase
6
4
  def sanitize_helper
7
- ActionView::Helpers::SanitizeHelper
5
+ Class.new do
6
+ include ActionView::Helpers::SanitizeHelper
7
+ end
8
8
  end
9
9
 
10
10
  test 'Action View sanitizer vendor is set to deprecated sanitizer' do
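Review bot: `sanitize_helper` now builds a fresh anonymous class on every call, so two calls inside one test observe two different classes; since Rails appears to memoize the sanitizer per including class, a test that writes through one call and reads through another may not see the same `white_list_sanitizer` instance (inferred, not visible here). Memoizing, `@sanitize_helper ||= Class.new { include ActionView::Helpers::SanitizeHelper }`, keeps a single helper class per test instance while preserving the per-test isolation this change is after. The test bodies that use the helper continue outside the hunk.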
@@ -4,7 +4,10 @@ require 'active_support'
4
4
  require 'active_support/test_case'
5
5
  require 'active_support/testing/autorun'
6
6
 
7
+ require 'action_view/helpers/sanitize_helper'
8
+
7
9
  require 'rails/deprecated_sanitizer'
8
10
 
9
11
  # Show backtraces for deprecated behavior for quicker cleanup.
10
12
  ActiveSupport::Deprecation.debug = true
13
+ ActiveSupport::TestCase.test_order = :random
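--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: rails-deprecated_sanitizer
  version: !ruby/object:Gem::Version
- version: 1.0.2
+ version: 1.0.3
  platform: ruby
  authors:
  - Kasper Timm Hansen
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2014-08-19 00:00:00.000000000 Z
+ date: 2014-09-25 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -100,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.3.0
+ rubygems_version: 2.2.1
  signing_key:
  specification_version: 4
  summary: Deprecated sanitizer API extracted from Action View.
@@ -113,4 +113,3 @@ test_files:
  - test/test_helper.rb
  - test/text_node_test.rb
  - test/tokenizer_test.rb
- has_rdoc: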