rails-html-sanitizer 1.0.4 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/README.md +11 -11
- data/lib/rails-html-sanitizer.rb +9 -3
- data/lib/rails/html/sanitizer.rb +27 -21
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +19 -19
- data/test/sanitizer_test.rb +48 -44
- metadata +5 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 78b391f62382bca60620a37a2b7a1fe6cd8e81545210d308bc56991d11b39b6e
|
|
4
|
+
data.tar.gz: a8065b0d76a88caadeb594ac9e70857aaf061cdceab106781af41285c2e7302f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b2a15acaf0bf620db43645b28d44d4e75d9bb9111bf77d4c7d90f812f697cbd8e33b704694af590e2af3c5e083d600c1cf82f7234ef737a05954582d1785bebb
|
|
7
|
+
data.tar.gz: af8b02f7811544234b263bfa6dd7062f117e549a6b58271be609c827a1468131caa56afd14b4f2b34e069e5f5d088ef3ba05f11c62b7d84ed69da6794c2c7de0
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,20 @@
|
|
|
1
|
+
## 1.1.0
|
|
2
|
+
|
|
3
|
+
* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
|
4
|
+
in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
|
|
5
|
+
|
|
6
|
+
*Juanito Fatas*
|
|
7
|
+
|
|
8
|
+
* Remove `href` from LinkScrubber's `tags` as it's not an element.
|
|
9
|
+
https://github.com/rails/rails-html-sanitizer/pull/92
|
|
10
|
+
|
|
11
|
+
*Juanito Fatas*
|
|
12
|
+
|
|
13
|
+
* Explain that we don't need to bump Loofah here if there's CVEs.
|
|
14
|
+
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
|
|
15
|
+
|
|
16
|
+
*Kasper Timm Hansen*
|
|
17
|
+
|
|
1
18
|
## 1.0.1
|
|
2
19
|
|
|
3
20
|
* Added support for Rails 4.2.0.beta2 and above
|
data/README.md
CHANGED
|
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
|
|
|
41
41
|
# => Only the link text will be kept.
|
|
42
42
|
```
|
|
43
43
|
|
|
44
|
-
####
|
|
44
|
+
#### SafeListSanitizer
|
|
45
45
|
|
|
46
46
|
```ruby
|
|
47
|
-
|
|
47
|
+
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
48
48
|
|
|
49
|
-
# sanitize via an extensive
|
|
50
|
-
|
|
49
|
+
# sanitize via an extensive safe list of allowed elements
|
|
50
|
+
safe_list_sanitizer.sanitize(@article.body)
|
|
51
51
|
|
|
52
|
-
#
|
|
53
|
-
|
|
52
|
+
# safe list only the supplied tags and attributes
|
|
53
|
+
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
|
|
54
54
|
|
|
55
|
-
#
|
|
56
|
-
|
|
55
|
+
# safe list via a custom scrubber
|
|
56
|
+
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
57
57
|
|
|
58
|
-
#
|
|
59
|
-
|
|
58
|
+
# safe list sanitizer can also sanitize css
|
|
59
|
+
safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
60
60
|
```
|
|
61
61
|
|
|
62
62
|
### Scrubbers
|
|
@@ -127,7 +127,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
|
|
127
127
|
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
|
|
128
128
|
|
|
129
129
|
The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
|
|
130
|
-
- [`Nokogiri::XML::Node`](
|
|
130
|
+
- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
|
|
131
131
|
- [Nokogiri](http://nokogiri.org)
|
|
132
132
|
|
|
133
133
|
## Contributing to Rails Html Sanitizers
|
data/lib/rails-html-sanitizer.rb
CHANGED
|
@@ -15,8 +15,14 @@ module Rails
|
|
|
15
15
|
Html::LinkSanitizer
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
def safe_list_sanitizer
|
|
19
|
+
Html::SafeListSanitizer
|
|
20
|
+
end
|
|
21
|
+
|
|
18
22
|
def white_list_sanitizer
|
|
19
|
-
|
|
23
|
+
ActiveSupport::Deprecation.warn "warning: white_list_sanitizer is" \
|
|
24
|
+
"deprecated, please use safe_list_sanitizer instead."
|
|
25
|
+
safe_list_sanitizer
|
|
20
26
|
end
|
|
21
27
|
end
|
|
22
28
|
end
|
|
@@ -34,7 +40,7 @@ module ActionView
|
|
|
34
40
|
# end
|
|
35
41
|
#
|
|
36
42
|
def sanitized_allowed_tags=(tags)
|
|
37
|
-
sanitizer_vendor.
|
|
43
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
|
|
38
44
|
end
|
|
39
45
|
|
|
40
46
|
# Replaces the allowed HTML attributes for the +sanitize+ helper.
|
|
@@ -44,7 +50,7 @@ module ActionView
|
|
|
44
50
|
# end
|
|
45
51
|
#
|
|
46
52
|
def sanitized_allowed_attributes=(attributes)
|
|
47
|
-
sanitizer_vendor.
|
|
53
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
|
|
48
54
|
end
|
|
49
55
|
|
|
50
56
|
[:protocol_separator,
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -40,15 +40,16 @@ module Rails
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
# === Rails::Html::LinkSanitizer
|
|
43
|
-
# Removes a tags and href attributes leaving only the link text
|
|
43
|
+
# Removes +a+ tags and +href+ attributes leaving only the link text.
|
|
44
44
|
#
|
|
45
|
-
#
|
|
46
|
-
#
|
|
47
|
-
#
|
|
45
|
+
# link_sanitizer = Rails::Html::LinkSanitizer.new
|
|
46
|
+
# link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
|
47
|
+
#
|
|
48
|
+
# => 'Only the link text will be kept.'
|
|
48
49
|
class LinkSanitizer < Sanitizer
|
|
49
50
|
def initialize
|
|
50
51
|
@link_scrubber = TargetScrubber.new
|
|
51
|
-
@link_scrubber.tags = %w(a
|
|
52
|
+
@link_scrubber.tags = %w(a)
|
|
52
53
|
@link_scrubber.attributes = %w(href)
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -57,8 +58,8 @@ module Rails
|
|
|
57
58
|
end
|
|
58
59
|
end
|
|
59
60
|
|
|
60
|
-
# === Rails::Html::
|
|
61
|
-
# Sanitizes html and css from an extensive
|
|
61
|
+
# === Rails::Html::SafeListSanitizer
|
|
62
|
+
# Sanitizes html and css from an extensive safe list (see link further down).
|
|
62
63
|
#
|
|
63
64
|
# === Whitespace
|
|
64
65
|
# We can't make any guarantees about whitespace being kept or stripped.
|
|
@@ -72,34 +73,34 @@ module Rails
|
|
|
72
73
|
# so automatically.
|
|
73
74
|
#
|
|
74
75
|
# === Options
|
|
75
|
-
# Sanitizes both html and css via the
|
|
76
|
+
# Sanitizes both html and css via the safe lists found here:
|
|
76
77
|
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
|
|
77
78
|
#
|
|
78
|
-
#
|
|
79
|
-
# the
|
|
79
|
+
# SafeListSanitizer also accepts options to configure
|
|
80
|
+
# the safe list used when sanitizing html.
|
|
80
81
|
# There's a class level option:
|
|
81
|
-
# Rails::Html::
|
|
82
|
-
# Rails::Html::
|
|
82
|
+
# Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
|
|
83
|
+
# Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
|
|
83
84
|
#
|
|
84
85
|
# Tags and attributes can also be passed to +sanitize+.
|
|
85
86
|
# Passed options take precedence over the class level options.
|
|
86
87
|
#
|
|
87
88
|
# === Examples
|
|
88
|
-
#
|
|
89
|
+
# safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
89
90
|
#
|
|
90
91
|
# Sanitize css doesn't take options
|
|
91
|
-
#
|
|
92
|
+
# safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
92
93
|
#
|
|
93
|
-
# Default: sanitize via a extensive
|
|
94
|
-
#
|
|
94
|
+
# Default: sanitize via a extensive safe list of allowed elements
|
|
95
|
+
# safe_list_sanitizer.sanitize(@article.body)
|
|
95
96
|
#
|
|
96
|
-
#
|
|
97
|
-
#
|
|
97
|
+
# Safe list via the supplied tags and attributes
|
|
98
|
+
# safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
|
|
98
99
|
# attributes: %w(id class style))
|
|
99
100
|
#
|
|
100
|
-
#
|
|
101
|
-
#
|
|
102
|
-
class
|
|
101
|
+
# Safe list via a custom scrubber
|
|
102
|
+
# safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
103
|
+
class SafeListSanitizer < Sanitizer
|
|
103
104
|
class << self
|
|
104
105
|
attr_accessor :allowed_tags
|
|
105
106
|
attr_accessor :allowed_attributes
|
|
@@ -148,5 +149,10 @@ module Rails
|
|
|
148
149
|
options[:attributes] || self.class.allowed_attributes
|
|
149
150
|
end
|
|
150
151
|
end
|
|
152
|
+
|
|
153
|
+
WhiteListSanitizer = SafeListSanitizer
|
|
154
|
+
if Object.respond_to?(:deprecate_constant)
|
|
155
|
+
deprecate_constant :WhiteListSanitizer
|
|
156
|
+
end
|
|
151
157
|
end
|
|
152
158
|
end
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -2,9 +2,9 @@ module Rails
|
|
|
2
2
|
module Html
|
|
3
3
|
# === Rails::Html::PermitScrubber
|
|
4
4
|
#
|
|
5
|
-
# Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
|
|
5
|
+
# +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
|
|
6
6
|
#
|
|
7
|
-
# Rails::Html::PermitScrubber can be subclassed to determine:
|
|
7
|
+
# +Rails::Html::PermitScrubber+ can be subclassed to determine:
|
|
8
8
|
# - When a node should be skipped via +skip_node?+.
|
|
9
9
|
# - When a node is allowed via +allowed_node?+.
|
|
10
10
|
# - When an attribute should be scrubbed via +scrub_attribute?+.
|
|
@@ -27,23 +27,23 @@ module Rails
|
|
|
27
27
|
# If set, attributes excluded will be removed.
|
|
28
28
|
# If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
|
|
29
29
|
#
|
|
30
|
-
#
|
|
31
|
-
#
|
|
32
|
-
#
|
|
33
|
-
#
|
|
34
|
-
#
|
|
30
|
+
# class CommentScrubber < Html::PermitScrubber
|
|
31
|
+
# def initialize
|
|
32
|
+
# super
|
|
33
|
+
# self.tags = %w(form script comment blockquote)
|
|
34
|
+
# end
|
|
35
35
|
#
|
|
36
|
-
#
|
|
37
|
-
#
|
|
38
|
-
#
|
|
36
|
+
# def skip_node?(node)
|
|
37
|
+
# node.text?
|
|
38
|
+
# end
|
|
39
39
|
#
|
|
40
|
-
#
|
|
41
|
-
#
|
|
42
|
-
#
|
|
43
|
-
#
|
|
40
|
+
# def scrub_attribute?(name)
|
|
41
|
+
# name == "style"
|
|
42
|
+
# end
|
|
43
|
+
# end
|
|
44
44
|
#
|
|
45
|
-
# See the documentation for Nokogiri::XML::Node to understand what's possible
|
|
46
|
-
# with nodes:
|
|
45
|
+
# See the documentation for +Nokogiri::XML::Node+ to understand what's possible
|
|
46
|
+
# with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
|
|
47
47
|
class PermitScrubber < Loofah::Scrubber
|
|
48
48
|
attr_reader :tags, :attributes
|
|
49
49
|
|
|
@@ -160,8 +160,8 @@ module Rails
|
|
|
160
160
|
|
|
161
161
|
# === Rails::Html::TargetScrubber
|
|
162
162
|
#
|
|
163
|
-
# Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
|
|
164
|
-
# sanitization, Rails::Html::TargetScrubber targets them for removal.
|
|
163
|
+
# Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
|
|
164
|
+
# sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
|
|
165
165
|
#
|
|
166
166
|
# +tags=+
|
|
167
167
|
# If set, elements included will be stripped.
|
|
@@ -180,7 +180,7 @@ module Rails
|
|
|
180
180
|
|
|
181
181
|
# === Rails::Html::TextOnlyScrubber
|
|
182
182
|
#
|
|
183
|
-
# Rails::Html::TextOnlyScrubber allows you to permit text nodes.
|
|
183
|
+
# +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
|
|
184
184
|
#
|
|
185
185
|
# Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
|
|
186
186
|
class TextOnlyScrubber < Loofah::Scrubber
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def test_sanitize_nested_script
|
|
15
|
-
sanitizer = Rails::Html::
|
|
15
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
16
16
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def test_sanitize_nested_script_in_style
|
|
20
|
-
sanitizer = Rails::Html::
|
|
20
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
21
21
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
|
|
22
22
|
end
|
|
23
23
|
|
|
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
|
|
|
154
154
|
assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
|
|
155
155
|
end
|
|
156
156
|
|
|
157
|
-
def test_strip_links_with_a_tag_in_href
|
|
158
|
-
assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
|
|
159
|
-
end
|
|
160
|
-
|
|
161
157
|
def test_sanitize_form
|
|
162
158
|
assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
|
|
163
159
|
end
|
|
@@ -255,38 +251,38 @@ class SanitizersTest < Minitest::Test
|
|
|
255
251
|
|
|
256
252
|
def test_should_allow_custom_tags
|
|
257
253
|
text = "<u>foo</u>"
|
|
258
|
-
assert_equal text,
|
|
254
|
+
assert_equal text, safe_list_sanitize(text, tags: %w(u))
|
|
259
255
|
end
|
|
260
256
|
|
|
261
257
|
def test_should_allow_only_custom_tags
|
|
262
258
|
text = "<u>foo</u> with <i>bar</i>"
|
|
263
|
-
assert_equal "<u>foo</u> with bar",
|
|
259
|
+
assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
|
|
264
260
|
end
|
|
265
261
|
|
|
266
262
|
def test_should_allow_custom_tags_with_attributes
|
|
267
263
|
text = %(<blockquote cite="http://example.com/">foo</blockquote>)
|
|
268
|
-
assert_equal text,
|
|
264
|
+
assert_equal text, safe_list_sanitize(text)
|
|
269
265
|
end
|
|
270
266
|
|
|
271
267
|
def test_should_allow_custom_tags_with_custom_attributes
|
|
272
268
|
text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
|
|
273
|
-
assert_equal text,
|
|
269
|
+
assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
|
|
274
270
|
end
|
|
275
271
|
|
|
276
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
277
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
278
|
-
assert_equal '<p style="color: #000;"></p>',
|
|
274
|
+
assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
|
|
279
275
|
end
|
|
280
276
|
|
|
281
277
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
282
278
|
assert_raises ArgumentError do
|
|
283
|
-
|
|
279
|
+
safe_list_sanitize('<a>some html</a>', tags: 'foo')
|
|
284
280
|
end
|
|
285
281
|
end
|
|
286
282
|
|
|
287
283
|
def test_should_raise_argument_error_if_attributes_is_not_enumerable
|
|
288
284
|
assert_raises ArgumentError do
|
|
289
|
-
|
|
285
|
+
safe_list_sanitize('<a>some html</a>', attributes: 'foo')
|
|
290
286
|
end
|
|
291
287
|
end
|
|
292
288
|
|
|
@@ -295,7 +291,7 @@ class SanitizersTest < Minitest::Test
|
|
|
295
291
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
296
292
|
|
|
297
293
|
assert_raises Loofah::ScrubberNotFound do
|
|
298
|
-
|
|
294
|
+
safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
|
|
299
295
|
end
|
|
300
296
|
end
|
|
301
297
|
|
|
@@ -304,19 +300,19 @@ class SanitizersTest < Minitest::Test
|
|
|
304
300
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
305
301
|
|
|
306
302
|
html = "<script>hello!</script>"
|
|
307
|
-
assert_equal "<h1>hello!</h1>",
|
|
303
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
308
304
|
end
|
|
309
305
|
|
|
310
306
|
def test_should_accept_loofah_scrubber_that_wraps_a_block
|
|
311
307
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
312
308
|
html = "<script>hello!</script>"
|
|
313
|
-
assert_equal "<h1>hello!</h1>",
|
|
309
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
314
310
|
end
|
|
315
311
|
|
|
316
312
|
def test_custom_scrubber_takes_precedence_over_other_options
|
|
317
313
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
318
314
|
html = "<script>hello!</script>"
|
|
319
|
-
assert_equal "<h1>hello!</h1>",
|
|
315
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
|
|
320
316
|
end
|
|
321
317
|
|
|
322
318
|
[%w(img src), %w(a href)].each do |(tag, attr)|
|
|
@@ -468,7 +464,7 @@ class SanitizersTest < Minitest::Test
|
|
|
468
464
|
end
|
|
469
465
|
|
|
470
466
|
def test_sanitize_ascii_8bit_string
|
|
471
|
-
|
|
467
|
+
safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
|
|
472
468
|
assert_equal '<a>hello</a>', sanitized
|
|
473
469
|
assert_equal Encoding::UTF_8, sanitized.encoding
|
|
474
470
|
end
|
|
@@ -481,39 +477,47 @@ class SanitizersTest < Minitest::Test
|
|
|
481
477
|
|
|
482
478
|
def test_allow_data_attribute_if_requested
|
|
483
479
|
text = %(<a data-foo="foo">foo</a>)
|
|
484
|
-
assert_equal %(<a data-foo="foo">foo</a>),
|
|
480
|
+
assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
|
|
485
481
|
end
|
|
486
482
|
|
|
487
|
-
def
|
|
483
|
+
def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
|
|
484
|
+
skip if RUBY_VERSION < "2.3"
|
|
485
|
+
|
|
488
486
|
html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
489
487
|
|
|
490
|
-
text =
|
|
488
|
+
text = safe_list_sanitize(html)
|
|
491
489
|
|
|
492
|
-
assert_equal %{<a href
|
|
490
|
+
assert_equal %{<a href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
493
491
|
end
|
|
494
492
|
|
|
495
|
-
def
|
|
493
|
+
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
|
|
494
|
+
skip if RUBY_VERSION < "2.3"
|
|
495
|
+
|
|
496
496
|
html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
497
497
|
|
|
498
|
-
text =
|
|
498
|
+
text = safe_list_sanitize(html)
|
|
499
499
|
|
|
500
|
-
assert_equal %{<a src
|
|
500
|
+
assert_equal %{<a src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
501
501
|
end
|
|
502
502
|
|
|
503
|
-
def
|
|
503
|
+
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
|
|
504
|
+
skip if RUBY_VERSION < "2.3"
|
|
505
|
+
|
|
504
506
|
html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
505
507
|
|
|
506
|
-
text =
|
|
508
|
+
text = safe_list_sanitize(html)
|
|
507
509
|
|
|
508
|
-
assert_equal %{<a name
|
|
510
|
+
assert_equal %{<a name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
509
511
|
end
|
|
510
512
|
|
|
511
|
-
def
|
|
513
|
+
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
|
|
514
|
+
skip if RUBY_VERSION < "2.3"
|
|
515
|
+
|
|
512
516
|
html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
513
517
|
|
|
514
|
-
text =
|
|
518
|
+
text = safe_list_sanitize(html, attributes: ['action'])
|
|
515
519
|
|
|
516
|
-
assert_equal %{<a action
|
|
520
|
+
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
517
521
|
end
|
|
518
522
|
|
|
519
523
|
protected
|
|
@@ -530,35 +534,35 @@ protected
|
|
|
530
534
|
Rails::Html::LinkSanitizer.new.sanitize(input, options)
|
|
531
535
|
end
|
|
532
536
|
|
|
533
|
-
def
|
|
534
|
-
Rails::Html::
|
|
537
|
+
def safe_list_sanitize(input, options = {})
|
|
538
|
+
Rails::Html::SafeListSanitizer.new.sanitize(input, options)
|
|
535
539
|
end
|
|
536
540
|
|
|
537
541
|
def assert_sanitized(input, expected = nil)
|
|
538
542
|
if input
|
|
539
|
-
assert_dom_equal expected || input,
|
|
543
|
+
assert_dom_equal expected || input, safe_list_sanitize(input)
|
|
540
544
|
else
|
|
541
|
-
assert_nil
|
|
545
|
+
assert_nil safe_list_sanitize(input)
|
|
542
546
|
end
|
|
543
547
|
end
|
|
544
548
|
|
|
545
549
|
def sanitize_css(input)
|
|
546
|
-
Rails::Html::
|
|
550
|
+
Rails::Html::SafeListSanitizer.new.sanitize_css(input)
|
|
547
551
|
end
|
|
548
552
|
|
|
549
553
|
def scope_allowed_tags(tags)
|
|
550
|
-
old_tags = Rails::Html::
|
|
551
|
-
Rails::Html::
|
|
552
|
-
yield Rails::Html::
|
|
554
|
+
old_tags = Rails::Html::SafeListSanitizer.allowed_tags
|
|
555
|
+
Rails::Html::SafeListSanitizer.allowed_tags = tags
|
|
556
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
553
557
|
ensure
|
|
554
|
-
Rails::Html::
|
|
558
|
+
Rails::Html::SafeListSanitizer.allowed_tags = old_tags
|
|
555
559
|
end
|
|
556
560
|
|
|
557
561
|
def scope_allowed_attributes(attributes)
|
|
558
|
-
old_attributes = Rails::Html::
|
|
559
|
-
Rails::Html::
|
|
560
|
-
yield Rails::Html::
|
|
562
|
+
old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
|
563
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = attributes
|
|
564
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
561
565
|
ensure
|
|
562
|
-
Rails::Html::
|
|
566
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
|
|
563
567
|
end
|
|
564
568
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2019-08-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -35,14 +35,14 @@ dependencies:
|
|
|
35
35
|
name: bundler
|
|
36
36
|
requirement: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- - "
|
|
38
|
+
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '1.3'
|
|
41
41
|
type: :development
|
|
42
42
|
prerelease: false
|
|
43
43
|
version_requirements: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- - "
|
|
45
|
+
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
47
|
version: '1.3'
|
|
48
48
|
- !ruby/object:Gem::Dependency
|
|
@@ -123,8 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
|
-
|
|
127
|
-
rubygems_version: 2.7.6
|
|
126
|
+
rubygems_version: 3.0.4
|
|
128
127
|
signing_key:
|
|
129
128
|
specification_version: 4
|
|
130
129
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|