rails-html-sanitizer 1.0.4 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/README.md +11 -11
- data/lib/rails-html-sanitizer.rb +9 -3
- data/lib/rails/html/sanitizer.rb +27 -21
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +19 -19
- data/test/sanitizer_test.rb +48 -44
- metadata +5 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 78b391f62382bca60620a37a2b7a1fe6cd8e81545210d308bc56991d11b39b6e
|
|
4
|
+
data.tar.gz: a8065b0d76a88caadeb594ac9e70857aaf061cdceab106781af41285c2e7302f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b2a15acaf0bf620db43645b28d44d4e75d9bb9111bf77d4c7d90f812f697cbd8e33b704694af590e2af3c5e083d600c1cf82f7234ef737a05954582d1785bebb
|
|
7
|
+
data.tar.gz: af8b02f7811544234b263bfa6dd7062f117e549a6b58271be609c827a1468131caa56afd14b4f2b34e069e5f5d088ef3ba05f11c62b7d84ed69da6794c2c7de0
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,20 @@
|
|
|
1
|
+
## 1.1.0
|
|
2
|
+
|
|
3
|
+
* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
|
4
|
+
in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
|
|
5
|
+
|
|
6
|
+
*Juanito Fatas*
|
|
7
|
+
|
|
8
|
+
* Remove `href` from LinkScrubber's `tags` as it's not an element.
|
|
9
|
+
https://github.com/rails/rails-html-sanitizer/pull/92
|
|
10
|
+
|
|
11
|
+
*Juanito Fatas*
|
|
12
|
+
|
|
13
|
+
* Explain that we don't need to bump Loofah here if there's CVEs.
|
|
14
|
+
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
|
|
15
|
+
|
|
16
|
+
*Kasper Timm Hansen*
|
|
17
|
+
|
|
1
18
|
## 1.0.1
|
|
2
19
|
|
|
3
20
|
* Added support for Rails 4.2.0.beta2 and above
|
data/README.md
CHANGED
|
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
|
|
|
41
41
|
# => Only the link text will be kept.
|
|
42
42
|
```
|
|
43
43
|
|
|
44
|
-
####
|
|
44
|
+
#### SafeListSanitizer
|
|
45
45
|
|
|
46
46
|
```ruby
|
|
47
|
-
|
|
47
|
+
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
48
48
|
|
|
49
|
-
# sanitize via an extensive
|
|
50
|
-
|
|
49
|
+
# sanitize via an extensive safe list of allowed elements
|
|
50
|
+
safe_list_sanitizer.sanitize(@article.body)
|
|
51
51
|
|
|
52
|
-
#
|
|
53
|
-
|
|
52
|
+
# safe list only the supplied tags and attributes
|
|
53
|
+
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
|
|
54
54
|
|
|
55
|
-
#
|
|
56
|
-
|
|
55
|
+
# safe list via a custom scrubber
|
|
56
|
+
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
57
57
|
|
|
58
|
-
#
|
|
59
|
-
|
|
58
|
+
# safe list sanitizer can also sanitize css
|
|
59
|
+
safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
60
60
|
```
|
|
61
61
|
|
|
62
62
|
### Scrubbers
|
|
@@ -127,7 +127,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
|
|
127
127
|
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
|
|
128
128
|
|
|
129
129
|
The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
|
|
130
|
-
- [`Nokogiri::XML::Node`](
|
|
130
|
+
- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
|
|
131
131
|
- [Nokogiri](http://nokogiri.org)
|
|
132
132
|
|
|
133
133
|
## Contributing to Rails Html Sanitizers
|
data/lib/rails-html-sanitizer.rb
CHANGED
|
@@ -15,8 +15,14 @@ module Rails
|
|
|
15
15
|
Html::LinkSanitizer
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
def safe_list_sanitizer
|
|
19
|
+
Html::SafeListSanitizer
|
|
20
|
+
end
|
|
21
|
+
|
|
18
22
|
def white_list_sanitizer
|
|
19
|
-
|
|
23
|
+
ActiveSupport::Deprecation.warn "warning: white_list_sanitizer is" \
|
|
24
|
+
"deprecated, please use safe_list_sanitizer instead."
|
|
25
|
+
safe_list_sanitizer
|
|
20
26
|
end
|
|
21
27
|
end
|
|
22
28
|
end
|
|
@@ -34,7 +40,7 @@ module ActionView
|
|
|
34
40
|
# end
|
|
35
41
|
#
|
|
36
42
|
def sanitized_allowed_tags=(tags)
|
|
37
|
-
sanitizer_vendor.
|
|
43
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
|
|
38
44
|
end
|
|
39
45
|
|
|
40
46
|
# Replaces the allowed HTML attributes for the +sanitize+ helper.
|
|
@@ -44,7 +50,7 @@ module ActionView
|
|
|
44
50
|
# end
|
|
45
51
|
#
|
|
46
52
|
def sanitized_allowed_attributes=(attributes)
|
|
47
|
-
sanitizer_vendor.
|
|
53
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
|
|
48
54
|
end
|
|
49
55
|
|
|
50
56
|
[:protocol_separator,
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -40,15 +40,16 @@ module Rails
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
# === Rails::Html::LinkSanitizer
|
|
43
|
-
# Removes a tags and href attributes leaving only the link text
|
|
43
|
+
# Removes +a+ tags and +href+ attributes leaving only the link text.
|
|
44
44
|
#
|
|
45
|
-
#
|
|
46
|
-
#
|
|
47
|
-
#
|
|
45
|
+
# link_sanitizer = Rails::Html::LinkSanitizer.new
|
|
46
|
+
# link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
|
47
|
+
#
|
|
48
|
+
# => 'Only the link text will be kept.'
|
|
48
49
|
class LinkSanitizer < Sanitizer
|
|
49
50
|
def initialize
|
|
50
51
|
@link_scrubber = TargetScrubber.new
|
|
51
|
-
@link_scrubber.tags = %w(a
|
|
52
|
+
@link_scrubber.tags = %w(a)
|
|
52
53
|
@link_scrubber.attributes = %w(href)
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -57,8 +58,8 @@ module Rails
|
|
|
57
58
|
end
|
|
58
59
|
end
|
|
59
60
|
|
|
60
|
-
# === Rails::Html::
|
|
61
|
-
# Sanitizes html and css from an extensive
|
|
61
|
+
# === Rails::Html::SafeListSanitizer
|
|
62
|
+
# Sanitizes html and css from an extensive safe list (see link further down).
|
|
62
63
|
#
|
|
63
64
|
# === Whitespace
|
|
64
65
|
# We can't make any guarantees about whitespace being kept or stripped.
|
|
@@ -72,34 +73,34 @@ module Rails
|
|
|
72
73
|
# so automatically.
|
|
73
74
|
#
|
|
74
75
|
# === Options
|
|
75
|
-
# Sanitizes both html and css via the
|
|
76
|
+
# Sanitizes both html and css via the safe lists found here:
|
|
76
77
|
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
|
|
77
78
|
#
|
|
78
|
-
#
|
|
79
|
-
# the
|
|
79
|
+
# SafeListSanitizer also accepts options to configure
|
|
80
|
+
# the safe list used when sanitizing html.
|
|
80
81
|
# There's a class level option:
|
|
81
|
-
# Rails::Html::
|
|
82
|
-
# Rails::Html::
|
|
82
|
+
# Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
|
|
83
|
+
# Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
|
|
83
84
|
#
|
|
84
85
|
# Tags and attributes can also be passed to +sanitize+.
|
|
85
86
|
# Passed options take precedence over the class level options.
|
|
86
87
|
#
|
|
87
88
|
# === Examples
|
|
88
|
-
#
|
|
89
|
+
# safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
|
89
90
|
#
|
|
90
91
|
# Sanitize css doesn't take options
|
|
91
|
-
#
|
|
92
|
+
# safe_list_sanitizer.sanitize_css('background-color: #000;')
|
|
92
93
|
#
|
|
93
|
-
# Default: sanitize via a extensive
|
|
94
|
-
#
|
|
94
|
+
# Default: sanitize via a extensive safe list of allowed elements
|
|
95
|
+
# safe_list_sanitizer.sanitize(@article.body)
|
|
95
96
|
#
|
|
96
|
-
#
|
|
97
|
-
#
|
|
97
|
+
# Safe list via the supplied tags and attributes
|
|
98
|
+
# safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
|
|
98
99
|
# attributes: %w(id class style))
|
|
99
100
|
#
|
|
100
|
-
#
|
|
101
|
-
#
|
|
102
|
-
class
|
|
101
|
+
# Safe list via a custom scrubber
|
|
102
|
+
# safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
|
103
|
+
class SafeListSanitizer < Sanitizer
|
|
103
104
|
class << self
|
|
104
105
|
attr_accessor :allowed_tags
|
|
105
106
|
attr_accessor :allowed_attributes
|
|
@@ -148,5 +149,10 @@ module Rails
|
|
|
148
149
|
options[:attributes] || self.class.allowed_attributes
|
|
149
150
|
end
|
|
150
151
|
end
|
|
152
|
+
|
|
153
|
+
WhiteListSanitizer = SafeListSanitizer
|
|
154
|
+
if Object.respond_to?(:deprecate_constant)
|
|
155
|
+
deprecate_constant :WhiteListSanitizer
|
|
156
|
+
end
|
|
151
157
|
end
|
|
152
158
|
end
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -2,9 +2,9 @@ module Rails
|
|
|
2
2
|
module Html
|
|
3
3
|
# === Rails::Html::PermitScrubber
|
|
4
4
|
#
|
|
5
|
-
# Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
|
|
5
|
+
# +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
|
|
6
6
|
#
|
|
7
|
-
# Rails::Html::PermitScrubber can be subclassed to determine:
|
|
7
|
+
# +Rails::Html::PermitScrubber+ can be subclassed to determine:
|
|
8
8
|
# - When a node should be skipped via +skip_node?+.
|
|
9
9
|
# - When a node is allowed via +allowed_node?+.
|
|
10
10
|
# - When an attribute should be scrubbed via +scrub_attribute?+.
|
|
@@ -27,23 +27,23 @@ module Rails
|
|
|
27
27
|
# If set, attributes excluded will be removed.
|
|
28
28
|
# If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
|
|
29
29
|
#
|
|
30
|
-
#
|
|
31
|
-
#
|
|
32
|
-
#
|
|
33
|
-
#
|
|
34
|
-
#
|
|
30
|
+
# class CommentScrubber < Html::PermitScrubber
|
|
31
|
+
# def initialize
|
|
32
|
+
# super
|
|
33
|
+
# self.tags = %w(form script comment blockquote)
|
|
34
|
+
# end
|
|
35
35
|
#
|
|
36
|
-
#
|
|
37
|
-
#
|
|
38
|
-
#
|
|
36
|
+
# def skip_node?(node)
|
|
37
|
+
# node.text?
|
|
38
|
+
# end
|
|
39
39
|
#
|
|
40
|
-
#
|
|
41
|
-
#
|
|
42
|
-
#
|
|
43
|
-
#
|
|
40
|
+
# def scrub_attribute?(name)
|
|
41
|
+
# name == "style"
|
|
42
|
+
# end
|
|
43
|
+
# end
|
|
44
44
|
#
|
|
45
|
-
# See the documentation for Nokogiri::XML::Node to understand what's possible
|
|
46
|
-
# with nodes:
|
|
45
|
+
# See the documentation for +Nokogiri::XML::Node+ to understand what's possible
|
|
46
|
+
# with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
|
|
47
47
|
class PermitScrubber < Loofah::Scrubber
|
|
48
48
|
attr_reader :tags, :attributes
|
|
49
49
|
|
|
@@ -160,8 +160,8 @@ module Rails
|
|
|
160
160
|
|
|
161
161
|
# === Rails::Html::TargetScrubber
|
|
162
162
|
#
|
|
163
|
-
# Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
|
|
164
|
-
# sanitization, Rails::Html::TargetScrubber targets them for removal.
|
|
163
|
+
# Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
|
|
164
|
+
# sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
|
|
165
165
|
#
|
|
166
166
|
# +tags=+
|
|
167
167
|
# If set, elements included will be stripped.
|
|
@@ -180,7 +180,7 @@ module Rails
|
|
|
180
180
|
|
|
181
181
|
# === Rails::Html::TextOnlyScrubber
|
|
182
182
|
#
|
|
183
|
-
# Rails::Html::TextOnlyScrubber allows you to permit text nodes.
|
|
183
|
+
# +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
|
|
184
184
|
#
|
|
185
185
|
# Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
|
|
186
186
|
class TextOnlyScrubber < Loofah::Scrubber
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def test_sanitize_nested_script
|
|
15
|
-
sanitizer = Rails::Html::
|
|
15
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
16
16
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def test_sanitize_nested_script_in_style
|
|
20
|
-
sanitizer = Rails::Html::
|
|
20
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
21
21
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
|
|
22
22
|
end
|
|
23
23
|
|
|
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
|
|
|
154
154
|
assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
|
|
155
155
|
end
|
|
156
156
|
|
|
157
|
-
def test_strip_links_with_a_tag_in_href
|
|
158
|
-
assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
|
|
159
|
-
end
|
|
160
|
-
|
|
161
157
|
def test_sanitize_form
|
|
162
158
|
assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
|
|
163
159
|
end
|
|
@@ -255,38 +251,38 @@ class SanitizersTest < Minitest::Test
|
|
|
255
251
|
|
|
256
252
|
def test_should_allow_custom_tags
|
|
257
253
|
text = "<u>foo</u>"
|
|
258
|
-
assert_equal text,
|
|
254
|
+
assert_equal text, safe_list_sanitize(text, tags: %w(u))
|
|
259
255
|
end
|
|
260
256
|
|
|
261
257
|
def test_should_allow_only_custom_tags
|
|
262
258
|
text = "<u>foo</u> with <i>bar</i>"
|
|
263
|
-
assert_equal "<u>foo</u> with bar",
|
|
259
|
+
assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
|
|
264
260
|
end
|
|
265
261
|
|
|
266
262
|
def test_should_allow_custom_tags_with_attributes
|
|
267
263
|
text = %(<blockquote cite="http://example.com/">foo</blockquote>)
|
|
268
|
-
assert_equal text,
|
|
264
|
+
assert_equal text, safe_list_sanitize(text)
|
|
269
265
|
end
|
|
270
266
|
|
|
271
267
|
def test_should_allow_custom_tags_with_custom_attributes
|
|
272
268
|
text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
|
|
273
|
-
assert_equal text,
|
|
269
|
+
assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
|
|
274
270
|
end
|
|
275
271
|
|
|
276
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
277
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
278
|
-
assert_equal '<p style="color: #000;"></p>',
|
|
274
|
+
assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
|
|
279
275
|
end
|
|
280
276
|
|
|
281
277
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
282
278
|
assert_raises ArgumentError do
|
|
283
|
-
|
|
279
|
+
safe_list_sanitize('<a>some html</a>', tags: 'foo')
|
|
284
280
|
end
|
|
285
281
|
end
|
|
286
282
|
|
|
287
283
|
def test_should_raise_argument_error_if_attributes_is_not_enumerable
|
|
288
284
|
assert_raises ArgumentError do
|
|
289
|
-
|
|
285
|
+
safe_list_sanitize('<a>some html</a>', attributes: 'foo')
|
|
290
286
|
end
|
|
291
287
|
end
|
|
292
288
|
|
|
@@ -295,7 +291,7 @@ class SanitizersTest < Minitest::Test
|
|
|
295
291
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
296
292
|
|
|
297
293
|
assert_raises Loofah::ScrubberNotFound do
|
|
298
|
-
|
|
294
|
+
safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
|
|
299
295
|
end
|
|
300
296
|
end
|
|
301
297
|
|
|
@@ -304,19 +300,19 @@ class SanitizersTest < Minitest::Test
|
|
|
304
300
|
def scrubber.scrub(node); node.name = 'h1'; end
|
|
305
301
|
|
|
306
302
|
html = "<script>hello!</script>"
|
|
307
|
-
assert_equal "<h1>hello!</h1>",
|
|
303
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
308
304
|
end
|
|
309
305
|
|
|
310
306
|
def test_should_accept_loofah_scrubber_that_wraps_a_block
|
|
311
307
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
312
308
|
html = "<script>hello!</script>"
|
|
313
|
-
assert_equal "<h1>hello!</h1>",
|
|
309
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
|
314
310
|
end
|
|
315
311
|
|
|
316
312
|
def test_custom_scrubber_takes_precedence_over_other_options
|
|
317
313
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
|
318
314
|
html = "<script>hello!</script>"
|
|
319
|
-
assert_equal "<h1>hello!</h1>",
|
|
315
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
|
|
320
316
|
end
|
|
321
317
|
|
|
322
318
|
[%w(img src), %w(a href)].each do |(tag, attr)|
|
|
@@ -468,7 +464,7 @@ class SanitizersTest < Minitest::Test
|
|
|
468
464
|
end
|
|
469
465
|
|
|
470
466
|
def test_sanitize_ascii_8bit_string
|
|
471
|
-
|
|
467
|
+
safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
|
|
472
468
|
assert_equal '<a>hello</a>', sanitized
|
|
473
469
|
assert_equal Encoding::UTF_8, sanitized.encoding
|
|
474
470
|
end
|
|
@@ -481,39 +477,47 @@ class SanitizersTest < Minitest::Test
|
|
|
481
477
|
|
|
482
478
|
def test_allow_data_attribute_if_requested
|
|
483
479
|
text = %(<a data-foo="foo">foo</a>)
|
|
484
|
-
assert_equal %(<a data-foo="foo">foo</a>),
|
|
480
|
+
assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
|
|
485
481
|
end
|
|
486
482
|
|
|
487
|
-
def
|
|
483
|
+
def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
|
|
484
|
+
skip if RUBY_VERSION < "2.3"
|
|
485
|
+
|
|
488
486
|
html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
489
487
|
|
|
490
|
-
text =
|
|
488
|
+
text = safe_list_sanitize(html)
|
|
491
489
|
|
|
492
|
-
assert_equal %{<a href
|
|
490
|
+
assert_equal %{<a href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
493
491
|
end
|
|
494
492
|
|
|
495
|
-
def
|
|
493
|
+
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
|
|
494
|
+
skip if RUBY_VERSION < "2.3"
|
|
495
|
+
|
|
496
496
|
html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
497
497
|
|
|
498
|
-
text =
|
|
498
|
+
text = safe_list_sanitize(html)
|
|
499
499
|
|
|
500
|
-
assert_equal %{<a src
|
|
500
|
+
assert_equal %{<a src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
501
501
|
end
|
|
502
502
|
|
|
503
|
-
def
|
|
503
|
+
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
|
|
504
|
+
skip if RUBY_VERSION < "2.3"
|
|
505
|
+
|
|
504
506
|
html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
505
507
|
|
|
506
|
-
text =
|
|
508
|
+
text = safe_list_sanitize(html)
|
|
507
509
|
|
|
508
|
-
assert_equal %{<a name
|
|
510
|
+
assert_equal %{<a name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
509
511
|
end
|
|
510
512
|
|
|
511
|
-
def
|
|
513
|
+
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
|
|
514
|
+
skip if RUBY_VERSION < "2.3"
|
|
515
|
+
|
|
512
516
|
html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
|
513
517
|
|
|
514
|
-
text =
|
|
518
|
+
text = safe_list_sanitize(html, attributes: ['action'])
|
|
515
519
|
|
|
516
|
-
assert_equal %{<a action
|
|
520
|
+
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
517
521
|
end
|
|
518
522
|
|
|
519
523
|
protected
|
|
@@ -530,35 +534,35 @@ protected
|
|
|
530
534
|
Rails::Html::LinkSanitizer.new.sanitize(input, options)
|
|
531
535
|
end
|
|
532
536
|
|
|
533
|
-
def
|
|
534
|
-
Rails::Html::
|
|
537
|
+
def safe_list_sanitize(input, options = {})
|
|
538
|
+
Rails::Html::SafeListSanitizer.new.sanitize(input, options)
|
|
535
539
|
end
|
|
536
540
|
|
|
537
541
|
def assert_sanitized(input, expected = nil)
|
|
538
542
|
if input
|
|
539
|
-
assert_dom_equal expected || input,
|
|
543
|
+
assert_dom_equal expected || input, safe_list_sanitize(input)
|
|
540
544
|
else
|
|
541
|
-
assert_nil
|
|
545
|
+
assert_nil safe_list_sanitize(input)
|
|
542
546
|
end
|
|
543
547
|
end
|
|
544
548
|
|
|
545
549
|
def sanitize_css(input)
|
|
546
|
-
Rails::Html::
|
|
550
|
+
Rails::Html::SafeListSanitizer.new.sanitize_css(input)
|
|
547
551
|
end
|
|
548
552
|
|
|
549
553
|
def scope_allowed_tags(tags)
|
|
550
|
-
old_tags = Rails::Html::
|
|
551
|
-
Rails::Html::
|
|
552
|
-
yield Rails::Html::
|
|
554
|
+
old_tags = Rails::Html::SafeListSanitizer.allowed_tags
|
|
555
|
+
Rails::Html::SafeListSanitizer.allowed_tags = tags
|
|
556
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
553
557
|
ensure
|
|
554
|
-
Rails::Html::
|
|
558
|
+
Rails::Html::SafeListSanitizer.allowed_tags = old_tags
|
|
555
559
|
end
|
|
556
560
|
|
|
557
561
|
def scope_allowed_attributes(attributes)
|
|
558
|
-
old_attributes = Rails::Html::
|
|
559
|
-
Rails::Html::
|
|
560
|
-
yield Rails::Html::
|
|
562
|
+
old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
|
563
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = attributes
|
|
564
|
+
yield Rails::Html::SafeListSanitizer.new
|
|
561
565
|
ensure
|
|
562
|
-
Rails::Html::
|
|
566
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
|
|
563
567
|
end
|
|
564
568
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2019-08-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -35,14 +35,14 @@ dependencies:
|
|
|
35
35
|
name: bundler
|
|
36
36
|
requirement: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- - "
|
|
38
|
+
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '1.3'
|
|
41
41
|
type: :development
|
|
42
42
|
prerelease: false
|
|
43
43
|
version_requirements: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- - "
|
|
45
|
+
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
47
|
version: '1.3'
|
|
48
48
|
- !ruby/object:Gem::Dependency
|
|
@@ -123,8 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
|
-
|
|
127
|
-
rubygems_version: 2.7.6
|
|
126
|
+
rubygems_version: 3.0.4
|
|
128
127
|
signing_key:
|
|
129
128
|
specification_version: 4
|
|
130
129
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|