rails-html-sanitizer 1.0.3 → 1.3.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +37 -0
- data/MIT-LICENSE +23 -0
- data/README.md +15 -17
- data/lib/rails-html-sanitizer.rb +7 -3
- data/lib/rails/html/sanitizer.rb +26 -23
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +25 -22
- data/test/sanitizer_test.rb +82 -44
- metadata +9 -9
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 8eba1aac52c80be280f186c5d378150709b7d4cd2a5d5b2367e6d2c036648d52
|
|
4
|
+
data.tar.gz: 96408eae2efee778a704f7caf246b64868a63bfdbbb81905b294bcca731a9289
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c4209cebc841299143a466143f4b776461fc1cc8bba112dc603e86835b68ee44a800566f64224b27f5a45d164d0b004049b228dc405c3de59068800ec7a5d564
|
|
7
|
+
data.tar.gz: c899472b8dffe9f9fd4d15ae4739f07a775d74b9ed14143beb688bb546b6a82ec469add036747b81aff33510e6e241379e21458cb39d9b2a8e797824066e24e5
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,40 @@
|
|
|
1
|
+
## 1.3.0
|
|
2
|
+
|
|
3
|
+
* Address deprecations in Loofah 2.3.0.
|
|
4
|
+
|
|
5
|
+
*Josh Goodall*
|
|
6
|
+
|
|
7
|
+
## 1.2.0
|
|
8
|
+
|
|
9
|
+
* Remove needless `white_list_sanitizer` deprecation.
|
|
10
|
+
|
|
11
|
+
By deprecating this, we were forcing Rails 5.2 to be updated or spew
|
|
12
|
+
deprecations that users could do nothing about.
|
|
13
|
+
|
|
14
|
+
That's pointless and I'm sorry for adding that!
|
|
15
|
+
|
|
16
|
+
Now there's no deprecation warning and Rails 5.2 works out of the box, while
|
|
17
|
+
Rails 6 can use the updated naming.
|
|
18
|
+
|
|
19
|
+
*Kasper Timm Hansen*
|
|
20
|
+
|
|
21
|
+
## 1.1.0
|
|
22
|
+
|
|
23
|
+
* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
|
24
|
+
in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
|
|
25
|
+
|
|
26
|
+
*Juanito Fatas*
|
|
27
|
+
|
|
28
|
+
* Remove `href` from LinkScrubber's `tags` as it's not an element.
|
|
29
|
+
https://github.com/rails/rails-html-sanitizer/pull/92
|
|
30
|
+
|
|
31
|
+
*Juanito Fatas*
|
|
32
|
+
|
|
33
|
+
* Explain that we don't need to bump Loofah here if there's CVEs.
|
|
34
|
+
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
|
|
35
|
+
|
|
36
|
+
*Kasper Timm Hansen*
|
|
37
|
+
|
|
1
38
|
## 1.0.1
|
|
2
39
|
|
|
3
40
|
* Added support for Rails 4.2.0.beta2 and above
|
data/MIT-LICENSE
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
Copyright (c) 2013-2015 Rafael Mendonça França, Kasper Timm Hansen
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
23
|
+
|
data/README.md
CHANGED
|
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
|
|
|
41
41
|
# => Only the link text will be kept.
|
|
42
42
|
```
|
|
43
43
|
|
|
44
|
-
####
|
|
44
|
+
#### SafeListSanitizer
|
|
45
45
|
|
|
46
46
|
```ruby
|
|
47
|
-
|
|
47
|
+
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
48
48
|
|
|
49
|
-
# sanitize via an extensive
|
|
50
|
-
|
|
49
|
+
# sanitize via an extensive safe list of allowed elements
|
|
50
|
+
safe_list_sanitizer.sanitize(@article.body)
|
|
51
51
|
|
|
52
|
-
#
|
|
53
|
-
|
|
52
|
+
# safe list only the supplied tags and attributes
|
|
53
|
+
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
|
|
54
54
|
|
|
55
|
-
#
|
|
56
|
-
|
|
55
|
+
# safe list via a custom scrubber
|
|
56
|
+
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
57
57
|
|
|
58
|
-
#
|
|
59
|
-
|
|
58
|
+
# safe list sanitizer can also sanitize css
|
|
59
|
+
safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
60
60
|
```
|
|
61
61
|
|
|
62
62
|
### Scrubbers
|
|
@@ -99,17 +99,15 @@ You can also create custom scrubbers in your application if you want to.
|
|
|
99
99
|
|
|
100
100
|
```ruby
|
|
101
101
|
class CommentScrubber < Rails::Html::PermitScrubber
|
|
102
|
-
def
|
|
103
|
-
|
|
102
|
+
def initialize
|
|
103
|
+
super
|
|
104
|
+
self.tags = %w( form script comment blockquote )
|
|
105
|
+
self.attributes = %w( style )
|
|
104
106
|
end
|
|
105
107
|
|
|
106
108
|
def skip_node?(node)
|
|
107
109
|
node.text?
|
|
108
110
|
end
|
|
109
|
-
|
|
110
|
-
def scrub_attribute?(name)
|
|
111
|
-
name == "style"
|
|
112
|
-
end
|
|
113
111
|
end
|
|
114
112
|
```
|
|
115
113
|
|
|
@@ -129,7 +127,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
|
|
129
127
|
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
|
|
130
128
|
|
|
131
129
|
The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
|
|
132
|
-
- [`Nokogiri::XML::Node`](
|
|
130
|
+
- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
|
|
133
131
|
- [Nokogiri](http://nokogiri.org)
|
|
134
132
|
|
|
135
133
|
## Contributing to Rails Html Sanitizers
|
data/lib/rails-html-sanitizer.rb
CHANGED
|
@@ -15,8 +15,12 @@ module Rails
|
|
|
15
15
|
Html::LinkSanitizer
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
def safe_list_sanitizer
|
|
19
|
+
Html::SafeListSanitizer
|
|
20
|
+
end
|
|
21
|
+
|
|
18
22
|
def white_list_sanitizer
|
|
19
|
-
|
|
23
|
+
safe_list_sanitizer
|
|
20
24
|
end
|
|
21
25
|
end
|
|
22
26
|
end
|
|
@@ -34,7 +38,7 @@ module ActionView
|
|
|
34
38
|
# end
|
|
35
39
|
#
|
|
36
40
|
def sanitized_allowed_tags=(tags)
|
|
37
|
-
sanitizer_vendor.
|
|
41
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
|
|
38
42
|
end
|
|
39
43
|
|
|
40
44
|
# Replaces the allowed HTML attributes for the +sanitize+ helper.
|
|
@@ -44,7 +48,7 @@ module ActionView
|
|
|
44
48
|
# end
|
|
45
49
|
#
|
|
46
50
|
def sanitized_allowed_attributes=(attributes)
|
|
47
|
-
sanitizer_vendor.
|
|
51
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
|
|
48
52
|
end
|
|
49
53
|
|
|
50
54
|
[:protocol_separator,
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -40,15 +40,16 @@ module Rails
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
# === Rails::Html::LinkSanitizer
|
|
43
|
-
# Removes a tags and href attributes leaving only the link text
|
|
43
|
+
# Removes +a+ tags and +href+ attributes leaving only the link text.
|
|
44
44
|
#
|
|
45
|
-
#
|
|
46
|
-
#
|
|
47
|
-
#
|
|
45
|
+
# link_sanitizer = Rails::Html::LinkSanitizer.new
|
|
46
|
+
# link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
|
47
|
+
#
|
|
48
|
+
# => 'Only the link text will be kept.'
|
|
48
49
|
class LinkSanitizer < Sanitizer
|
|
49
50
|
def initialize
|
|
50
51
|
@link_scrubber = TargetScrubber.new
|
|
51
|
-
@link_scrubber.tags = %w(a
|
|
52
|
+
@link_scrubber.tags = %w(a)
|
|
52
53
|
@link_scrubber.attributes = %w(href)
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -57,11 +58,11 @@ module Rails
|
|
|
57
58
|
end
|
|
58
59
|
end
|
|
59
60
|
|
|
60
|
-
# === Rails::Html::
|
|
61
|
-
# Sanitizes html and css from an extensive
|
|
61
|
+
# === Rails::Html::SafeListSanitizer
|
|
62
|
+
# Sanitizes html and css from an extensive safe list (see link further down).
|
|
62
63
|
#
|
|
63
64
|
# === Whitespace
|
|
64
|
-
# We can't make any
|
|
65
|
+
# We can't make any guarantees about whitespace being kept or stripped.
|
|
65
66
|
# Loofah uses Nokogiri, which wraps either a C or Java parser for the
|
|
66
67
|
# respective Ruby implementation.
|
|
67
68
|
# Those two parsers determine how whitespace is ultimately handled.
|
|
@@ -72,34 +73,34 @@ module Rails
|
|
|
72
73
|
# so automatically.
|
|
73
74
|
#
|
|
74
75
|
# === Options
|
|
75
|
-
# Sanitizes both html and css via the
|
|
76
|
-
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/
|
|
76
|
+
# Sanitizes both html and css via the safe lists found here:
|
|
77
|
+
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
|
|
77
78
|
#
|
|
78
|
-
#
|
|
79
|
-
# the
|
|
79
|
+
# SafeListSanitizer also accepts options to configure
|
|
80
|
+
# the safe list used when sanitizing html.
|
|
80
81
|
# There's a class level option:
|
|
81
|
-
# Rails::Html::
|
|
82
|
-
# Rails::Html::
|
|
82
|
+
# Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
|
|
83
|
+
# Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
|
|
83
84
|
#
|
|
84
85
|
# Tags and attributes can also be passed to +sanitize+.
|
|
85
86
|
# Passed options take precedence over the class level options.
|
|
86
87
|
#
|
|
87
88
|
# === Examples
|
|
88
|
-
#
|
|
89
|
+
# safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
89
90
|
#
|
|
90
91
|
# Sanitize css doesn't take options
|
|
91
|
-
#
|
|
92
|
+
# safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
92
93
|
#
|
|
93
|
-
# Default: sanitize via a extensive
|
|
94
|
-
#
|
|
94
|
+
# Default: sanitize via a extensive safe list of allowed elements
|
|
95
|
+
# safe_list_sanitizer.sanitize(@article.body)
|
|
95
96
|
#
|
|
96
|
-
#
|
|
97
|
-
#
|
|
97
|
+
# Safe list via the supplied tags and attributes
|
|
98
|
+
# safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
|
|
98
99
|
# attributes: %w(id class style))
|
|
99
100
|
#
|
|
100
|
-
#
|
|
101
|
-
#
|
|
102
|
-
class
|
|
101
|
+
# Safe list via a custom scrubber
|
|
102
|
+
# safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
103
|
+
class SafeListSanitizer < Sanitizer
|
|
103
104
|
class << self
|
|
104
105
|
attr_accessor :allowed_tags
|
|
105
106
|
attr_accessor :allowed_attributes
|
|
@@ -148,5 +149,7 @@ module Rails
|
|
|
148
149
|
options[:attributes] || self.class.allowed_attributes
|
|
149
150
|
end
|
|
150
151
|
end
|
|
152
|
+
|
|
153
|
+
WhiteListSanitizer = SafeListSanitizer
|
|
151
154
|
end
|
|
152
155
|
end
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -2,9 +2,9 @@ module Rails
|
|
|
2
2
|
module Html
|
|
3
3
|
# === Rails::Html::PermitScrubber
|
|
4
4
|
#
|
|
5
|
-
# Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
|
|
5
|
+
# +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
|
|
6
6
|
#
|
|
7
|
-
# Rails::Html::PermitScrubber can be subclassed to determine:
|
|
7
|
+
# +Rails::Html::PermitScrubber+ can be subclassed to determine:
|
|
8
8
|
# - When a node should be skipped via +skip_node?+.
|
|
9
9
|
# - When a node is allowed via +allowed_node?+.
|
|
10
10
|
# - When an attribute should be scrubbed via +scrub_attribute?+.
|
|
@@ -27,22 +27,23 @@ module Rails
|
|
|
27
27
|
# If set, attributes excluded will be removed.
|
|
28
28
|
# If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
|
|
29
29
|
#
|
|
30
|
-
#
|
|
31
|
-
#
|
|
32
|
-
#
|
|
33
|
-
#
|
|
30
|
+
# class CommentScrubber < Html::PermitScrubber
|
|
31
|
+
# def initialize
|
|
32
|
+
# super
|
|
33
|
+
# self.tags = %w(form script comment blockquote)
|
|
34
|
+
# end
|
|
34
35
|
#
|
|
35
|
-
#
|
|
36
|
-
#
|
|
37
|
-
#
|
|
36
|
+
# def skip_node?(node)
|
|
37
|
+
# node.text?
|
|
38
|
+
# end
|
|
38
39
|
#
|
|
39
|
-
#
|
|
40
|
-
#
|
|
41
|
-
#
|
|
42
|
-
#
|
|
40
|
+
# def scrub_attribute?(name)
|
|
41
|
+
# name == "style"
|
|
42
|
+
# end
|
|
43
|
+
# end
|
|
43
44
|
#
|
|
44
|
-
# See the documentation for Nokogiri::XML::Node to understand what's possible
|
|
45
|
-
# with nodes:
|
|
45
|
+
# See the documentation for +Nokogiri::XML::Node+ to understand what's possible
|
|
46
|
+
# with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
|
|
46
47
|
class PermitScrubber < Loofah::Scrubber
|
|
47
48
|
attr_reader :tags, :attributes
|
|
48
49
|
|
|
@@ -137,28 +138,30 @@ module Rails
|
|
|
137
138
|
attr_node.node_name
|
|
138
139
|
end
|
|
139
140
|
|
|
140
|
-
if Loofah::HTML5::
|
|
141
|
+
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
|
|
141
142
|
# this block lifted nearly verbatim from HTML5 sanitization
|
|
142
143
|
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
|
|
143
|
-
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::
|
|
144
|
+
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
|
|
144
145
|
attr_node.remove
|
|
145
146
|
end
|
|
146
147
|
end
|
|
147
|
-
if Loofah::HTML5::
|
|
148
|
+
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
|
|
148
149
|
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
|
|
149
150
|
end
|
|
150
|
-
if Loofah::HTML5::
|
|
151
|
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
|
|
151
152
|
attr_node.remove
|
|
152
153
|
end
|
|
153
154
|
|
|
154
155
|
node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
|
|
156
|
+
|
|
157
|
+
Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
|
|
155
158
|
end
|
|
156
159
|
end
|
|
157
160
|
|
|
158
161
|
# === Rails::Html::TargetScrubber
|
|
159
162
|
#
|
|
160
|
-
# Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
|
|
161
|
-
# sanitization, Rails::Html::TargetScrubber targets them for removal.
|
|
163
|
+
# Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
|
|
164
|
+
# sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
|
|
162
165
|
#
|
|
163
166
|
# +tags=+
|
|
164
167
|
# If set, elements included will be stripped.
|
|
@@ -177,7 +180,7 @@ module Rails
|
|
|
177
180
|
|
|
178
181
|
# === Rails::Html::TextOnlyScrubber
|
|
179
182
|
#
|
|
180
|
-
# Rails::Html::TextOnlyScrubber allows you to permit text nodes.
|
|
183
|
+
# +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
|
|
181
184
|
#
|
|
182
185
|
# Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
|
|
183
186
|
class TextOnlyScrubber < Loofah::Scrubber
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def test_sanitize_nested_script
|
|
15
|
-
sanitizer = Rails::Html::
|
|
15
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
16
16
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def test_sanitize_nested_script_in_style
|
|
20
|
-
sanitizer = Rails::Html::
|
|
20
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
21
21
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
|
|
22
22
|
end
|
|
23
23
|
|
|
@@ -33,7 +33,7 @@ class SanitizersTest < Minitest::Test
|
|
|
33
33
|
assert_equal %(<h1>hello </h1>), xpath_sanitize(html, xpaths: %w(.//script))
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
-
def
|
|
36
|
+
def test_remove_xpaths_removes_all_occurrences_of_xpath
|
|
37
37
|
html = %(<section><header><script>code!</script></header><p>hello <script>code!</script></p></section>)
|
|
38
38
|
assert_equal %(<section><header></header><p>hello </p></section>), xpath_sanitize(html, xpaths: %w(.//script))
|
|
39
39
|
end
|
|
@@ -58,11 +58,11 @@ class SanitizersTest < Minitest::Test
|
|
|
58
58
|
end
|
|
59
59
|
|
|
60
60
|
def test_strip_invalid_html
|
|
61
|
-
assert_equal "", full_sanitize("<<<bad html")
|
|
61
|
+
assert_equal "<<", full_sanitize("<<<bad html")
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
def test_strip_nested_tags
|
|
65
|
-
expected = "
|
|
65
|
+
expected = "Wei<a onclick='alert(document.cookie);'/>rdos"
|
|
66
66
|
input = "Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"
|
|
67
67
|
assert_equal expected, full_sanitize(input)
|
|
68
68
|
end
|
|
@@ -74,7 +74,7 @@ class SanitizersTest < Minitest::Test
|
|
|
74
74
|
assert_equal expected, full_sanitize(input)
|
|
75
75
|
end
|
|
76
76
|
|
|
77
|
-
def
|
|
77
|
+
def test_remove_unclosed_tags
|
|
78
78
|
assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
|
|
79
79
|
end
|
|
80
80
|
|
|
@@ -87,7 +87,9 @@ class SanitizersTest < Minitest::Test
|
|
|
87
87
|
end
|
|
88
88
|
|
|
89
89
|
def test_strip_blank_string
|
|
90
|
-
|
|
90
|
+
assert_nil full_sanitize(nil)
|
|
91
|
+
assert_equal "", full_sanitize("")
|
|
92
|
+
assert_equal " ", full_sanitize(" ")
|
|
91
93
|
end
|
|
92
94
|
|
|
93
95
|
def test_strip_tags_with_plaintext
|
|
@@ -98,8 +100,8 @@ class SanitizersTest < Minitest::Test
|
|
|
98
100
|
assert_equal "This is a test.", full_sanitize("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>")
|
|
99
101
|
end
|
|
100
102
|
|
|
101
|
-
def
|
|
102
|
-
assert_equal "", full_sanitize("<<<bad html>")
|
|
103
|
+
def test_escape_tags_with_many_open_quotes
|
|
104
|
+
assert_equal "<<", full_sanitize("<<<bad html>")
|
|
103
105
|
end
|
|
104
106
|
|
|
105
107
|
def test_strip_tags_with_sentence
|
|
@@ -123,7 +125,7 @@ class SanitizersTest < Minitest::Test
|
|
|
123
125
|
end
|
|
124
126
|
|
|
125
127
|
def test_strip_links_with_tags_in_tags
|
|
126
|
-
expected = "a href='hello'>all <b>day</b> long
|
|
128
|
+
expected = "<a href='hello'>all <b>day</b> long</a>"
|
|
127
129
|
input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
|
|
128
130
|
assert_equal expected, link_sanitize(input)
|
|
129
131
|
end
|
|
@@ -152,10 +154,6 @@ class SanitizersTest < Minitest::Test
|
|
|
152
154
|
assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
|
|
153
155
|
end
|
|
154
156
|
|
|
155
|
-
def test_strip_links_with_a_tag_in_href
|
|
156
|
-
assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
|
|
157
|
-
end
|
|
158
|
-
|
|
159
157
|
def test_sanitize_form
|
|
160
158
|
assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
|
|
161
159
|
end
|
|
@@ -183,7 +181,7 @@ class SanitizersTest < Minitest::Test
|
|
|
183
181
|
assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
|
|
184
182
|
end
|
|
185
183
|
|
|
186
|
-
tags = Loofah::HTML5::
|
|
184
|
+
tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
|
|
187
185
|
tags.each do |tag_name|
|
|
188
186
|
define_method "test_should_allow_#{tag_name}_tag" do
|
|
189
187
|
scope_allowed_tags(tags) do
|
|
@@ -253,38 +251,38 @@ class SanitizersTest < Minitest::Test
|
|
|
253
251
|
|
|
254
252
|
def test_should_allow_custom_tags
|
|
255
253
|
text = "<u>foo</u>"
|
|
256
|
-
assert_equal text,
|
|
254
|
+
assert_equal text, safe_list_sanitize(text, tags: %w(u))
|
|
257
255
|
end
|
|
258
256
|
|
|
259
257
|
def test_should_allow_only_custom_tags
|
|
260
258
|
text = "<u>foo</u> with <i>bar</i>"
|
|
261
|
-
assert_equal "<u>foo</u> with bar",
|
|
259
|
+
assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
|
|
262
260
|
end
|
|
263
261
|
|
|
264
262
|
def test_should_allow_custom_tags_with_attributes
|
|
265
263
|
text = %(<blockquote cite="http://example.com/">foo</blockquote>)
|
|
266
|
-
assert_equal text,
|
|
264
|
+
assert_equal text, safe_list_sanitize(text)
|
|
267
265
|
end
|
|
268
266
|
|
|
269
267
|
def test_should_allow_custom_tags_with_custom_attributes
|
|
270
268
|
text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
|
|
271
|
-
assert_equal text,
|
|
269
|
+
assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
|
|
272
270
|
end
|
|
273
271
|
|
|
274
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
275
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
276
|
-
assert_equal '<p style="color: #000;"></p>',
|
|
274
|
+
assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
|
|
277
275
|
end
|
|
278
276
|
|
|
279
277
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
280
278
|
assert_raises ArgumentError do
|
|
281
|
-
|
|
279
|
+
safe_list_sanitize('<a>some html</a>', tags: 'foo')
|
|
282
280
|
end
|
|
283
281
|
end
|
|
284
282
|
|
|
285
283
|
def test_should_raise_argument_error_if_attributes_is_not_enumerable
|
|
286
284
|
assert_raises ArgumentError do
|
|
287
|
-
|
|
285
|
+
safe_list_sanitize('<a>some html</a>', attributes: 'foo')
|
|
288
286
|
end
|
|
289
287
|
end
|
|
290
288
|
|
|
@@ -293,7 +291,7 @@ class SanitizersTest < Minitest::Test
|
|
|
293
291
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
294
292
|
|
|
295
293
|
assert_raises Loofah::ScrubberNotFound do
|
|
296
|
-
|
|
294
|
+
safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
|
|
297
295
|
end
|
|
298
296
|
end
|
|
299
297
|
|
|
@@ -302,19 +300,19 @@ class SanitizersTest < Minitest::Test
|
|
|
302
300
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
303
301
|
|
|
304
302
|
html = "<script>hello!</script>"
|
|
305
|
-
assert_equal "<h1>hello!</h1>",
|
|
303
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
306
304
|
end
|
|
307
305
|
|
|
308
306
|
def test_should_accept_loofah_scrubber_that_wraps_a_block
|
|
309
307
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
310
308
|
html = "<script>hello!</script>"
|
|
311
|
-
assert_equal "<h1>hello!</h1>",
|
|
309
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
312
310
|
end
|
|
313
311
|
|
|
314
312
|
def test_custom_scrubber_takes_precedence_over_other_options
|
|
315
313
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
316
314
|
html = "<script>hello!</script>"
|
|
317
|
-
assert_equal "<h1>hello!</h1>",
|
|
315
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
|
|
318
316
|
end
|
|
319
317
|
|
|
320
318
|
[%w(img src), %w(a href)].each do |(tag, attr)|
|
|
@@ -360,7 +358,7 @@ class SanitizersTest < Minitest::Test
|
|
|
360
358
|
end
|
|
361
359
|
|
|
362
360
|
def test_should_sanitize_script_tag_with_multiple_open_brackets
|
|
363
|
-
assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "alert(\"XSS\")
|
|
361
|
+
assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "<alert(\"XSS\");//<"
|
|
364
362
|
assert_sanitized %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a), ""
|
|
365
363
|
end
|
|
366
364
|
|
|
@@ -383,13 +381,13 @@ class SanitizersTest < Minitest::Test
|
|
|
383
381
|
|
|
384
382
|
def test_should_sanitize_illegal_style_properties
|
|
385
383
|
raw = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
|
|
386
|
-
expected = %(display:
|
|
384
|
+
expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
|
|
387
385
|
assert_equal expected, sanitize_css(raw)
|
|
388
386
|
end
|
|
389
387
|
|
|
390
388
|
def test_should_sanitize_with_trailing_space
|
|
391
389
|
raw = "display:block; "
|
|
392
|
-
expected = "display:
|
|
390
|
+
expected = "display:block;"
|
|
393
391
|
assert_equal expected, sanitize_css(raw)
|
|
394
392
|
end
|
|
395
393
|
|
|
@@ -466,7 +464,7 @@ class SanitizersTest < Minitest::Test
|
|
|
466
464
|
end
|
|
467
465
|
|
|
468
466
|
def test_sanitize_ascii_8bit_string
|
|
469
|
-
|
|
467
|
+
safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
|
|
470
468
|
assert_equal '<a>hello</a>', sanitized
|
|
471
469
|
assert_equal Encoding::UTF_8, sanitized.encoding
|
|
472
470
|
end
|
|
@@ -479,7 +477,47 @@ class SanitizersTest < Minitest::Test
|
|
|
479
477
|
|
|
480
478
|
def test_allow_data_attribute_if_requested
|
|
481
479
|
text = %(<a data-foo="foo">foo</a>)
|
|
482
|
-
assert_equal %(<a data-foo="foo">foo</a>),
|
|
480
|
+
assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
|
|
481
|
+
end
|
|
482
|
+
|
|
483
|
+
def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
|
|
484
|
+
skip if RUBY_VERSION < "2.3"
|
|
485
|
+
|
|
486
|
+
html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
487
|
+
|
|
488
|
+
text = safe_list_sanitize(html)
|
|
489
|
+
|
|
490
|
+
assert_equal %{<a href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
491
|
+
end
|
|
492
|
+
|
|
493
|
+
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
|
|
494
|
+
skip if RUBY_VERSION < "2.3"
|
|
495
|
+
|
|
496
|
+
html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
497
|
+
|
|
498
|
+
text = safe_list_sanitize(html)
|
|
499
|
+
|
|
500
|
+
assert_equal %{<a src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
501
|
+
end
|
|
502
|
+
|
|
503
|
+
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
|
|
504
|
+
skip if RUBY_VERSION < "2.3"
|
|
505
|
+
|
|
506
|
+
html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
507
|
+
|
|
508
|
+
text = safe_list_sanitize(html)
|
|
509
|
+
|
|
510
|
+
assert_equal %{<a name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
511
|
+
end
|
|
512
|
+
|
|
513
|
+
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
|
|
514
|
+
skip if RUBY_VERSION < "2.3"
|
|
515
|
+
|
|
516
|
+
html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
517
|
+
|
|
518
|
+
text = safe_list_sanitize(html, attributes: ['action'])
|
|
519
|
+
|
|
520
|
+
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
483
521
|
end
|
|
484
522
|
|
|
485
523
|
protected
|
|
@@ -496,35 +534,35 @@ protected
|
|
|
496
534
|
Rails::Html::LinkSanitizer.new.sanitize(input, options)
|
|
497
535
|
end
|
|
498
536
|
|
|
499
|
-
def
|
|
500
|
-
Rails::Html::
|
|
537
|
+
def safe_list_sanitize(input, options = {})
|
|
538
|
+
Rails::Html::SafeListSanitizer.new.sanitize(input, options)
|
|
501
539
|
end
|
|
502
540
|
|
|
503
541
|
def assert_sanitized(input, expected = nil)
|
|
504
542
|
if input
|
|
505
|
-
assert_dom_equal expected || input,
|
|
543
|
+
assert_dom_equal expected || input, safe_list_sanitize(input)
|
|
506
544
|
else
|
|
507
|
-
assert_nil
|
|
545
|
+
assert_nil safe_list_sanitize(input)
|
|
508
546
|
end
|
|
509
547
|
end
|
|
510
548
|
|
|
511
549
|
def sanitize_css(input)
|
|
512
|
-
Rails::Html::
|
|
550
|
+
Rails::Html::SafeListSanitizer.new.sanitize_css(input)
|
|
513
551
|
end
|
|
514
552
|
|
|
515
553
|
def scope_allowed_tags(tags)
|
|
516
|
-
old_tags = Rails::Html::
|
|
517
|
-
Rails::Html::
|
|
518
|
-
yield Rails::Html::
|
|
554
|
+
old_tags = Rails::Html::SafeListSanitizer.allowed_tags
|
|
555
|
+
Rails::Html::SafeListSanitizer.allowed_tags = tags
|
|
556
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
519
557
|
ensure
|
|
520
|
-
Rails::Html::
|
|
558
|
+
Rails::Html::SafeListSanitizer.allowed_tags = old_tags
|
|
521
559
|
end
|
|
522
560
|
|
|
523
561
|
def scope_allowed_attributes(attributes)
|
|
524
|
-
old_attributes = Rails::Html::
|
|
525
|
-
Rails::Html::
|
|
526
|
-
yield Rails::Html::
|
|
562
|
+
old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
|
563
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = attributes
|
|
564
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
527
565
|
ensure
|
|
528
|
-
Rails::Html::
|
|
566
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
|
|
529
567
|
end
|
|
530
568
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2019-10-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -17,26 +17,26 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - "~>"
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: '2.
|
|
20
|
+
version: '2.3'
|
|
21
21
|
type: :runtime
|
|
22
22
|
prerelease: false
|
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
24
|
requirements:
|
|
25
25
|
- - "~>"
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: '2.
|
|
27
|
+
version: '2.3'
|
|
28
28
|
- !ruby/object:Gem::Dependency
|
|
29
29
|
name: bundler
|
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|
|
31
31
|
requirements:
|
|
32
|
-
- - "
|
|
32
|
+
- - ">="
|
|
33
33
|
- !ruby/object:Gem::Version
|
|
34
34
|
version: '1.3'
|
|
35
35
|
type: :development
|
|
36
36
|
prerelease: false
|
|
37
37
|
version_requirements: !ruby/object:Gem::Requirement
|
|
38
38
|
requirements:
|
|
39
|
-
- - "
|
|
39
|
+
- - ">="
|
|
40
40
|
- !ruby/object:Gem::Version
|
|
41
41
|
version: '1.3'
|
|
42
42
|
- !ruby/object:Gem::Dependency
|
|
@@ -90,6 +90,7 @@ extensions: []
|
|
|
90
90
|
extra_rdoc_files: []
|
|
91
91
|
files:
|
|
92
92
|
- CHANGELOG.md
|
|
93
|
+
- MIT-LICENSE
|
|
93
94
|
- README.md
|
|
94
95
|
- lib/rails-html-sanitizer.rb
|
|
95
96
|
- lib/rails/html/sanitizer.rb
|
|
@@ -116,11 +117,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
116
117
|
- !ruby/object:Gem::Version
|
|
117
118
|
version: '0'
|
|
118
119
|
requirements: []
|
|
119
|
-
|
|
120
|
-
rubygems_version: 2.5.1
|
|
120
|
+
rubygems_version: 3.0.3
|
|
121
121
|
signing_key:
|
|
122
122
|
specification_version: 4
|
|
123
123
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
124
124
|
test_files:
|
|
125
|
-
- test/sanitizer_test.rb
|
|
126
125
|
- test/scrubbers_test.rb
|
|
126
|
+
- test/sanitizer_test.rb
|