rails-html-sanitizer 1.0.4 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of rails-html-sanitizer might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f1aa629ae03d828f900932e2272c2d13baf2eae94adb214896cdf2eb959e4172
4
- data.tar.gz: 970c65b32aa93c659e6483e8b798ea23fa8b8eadb1963fba813dd33ba6432ae2
3
+ metadata.gz: 78b391f62382bca60620a37a2b7a1fe6cd8e81545210d308bc56991d11b39b6e
4
+ data.tar.gz: a8065b0d76a88caadeb594ac9e70857aaf061cdceab106781af41285c2e7302f
5
5
  SHA512:
6
- metadata.gz: c97587f6427b9e67e76050f21ab8f39148fd0ff47e87282a4a13802a6ae02ffa62034a187a8e5cfd0577e53d0f0cbc8e2e72abce3171d7f6139f186f1b75e1a2
7
- data.tar.gz: 411f2f9593fda42880b3ed9fcb99431e353c133d36a74e0aed52fa3959efa4bd8cc6aad5d90dddfc4565b0fabc80d68e9cfbf8cea055ae9463cba326f0735dc2
6
+ metadata.gz: b2a15acaf0bf620db43645b28d44d4e75d9bb9111bf77d4c7d90f812f697cbd8e33b704694af590e2af3c5e083d600c1cf82f7234ef737a05954582d1785bebb
7
+ data.tar.gz: af8b02f7811544234b263bfa6dd7062f117e549a6b58271be609c827a1468131caa56afd14b4f2b34e069e5f5d088ef3ba05f11c62b7d84ed69da6794c2c7de0
@@ -1,3 +1,20 @@
1
+ ## 1.1.0
2
+
3
+ * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
4
+ in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
5
+
6
+ *Juanito Fatas*
7
+
8
+ * Remove `href` from LinkScrubber's `tags` as it's not an element.
9
+ https://github.com/rails/rails-html-sanitizer/pull/92
10
+
11
+ *Juanito Fatas*
12
+
13
+ * Explain that we don't need to bump Loofah here if there's CVEs.
14
+ https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
15
+
16
+ *Kasper Timm Hansen*
17
+
1
18
  ## 1.0.1
2
19
 
3
20
  * Added support for Rails 4.2.0.beta2 and above
data/README.md CHANGED
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
41
41
  # => Only the link text will be kept.
42
42
  ```
43
43
 
44
- #### WhiteListSanitizer
44
+ #### SafeListSanitizer
45
45
 
46
46
  ```ruby
47
- white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
47
+ safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
48
48
 
49
- # sanitize via an extensive white list of allowed elements
50
- white_list_sanitizer.sanitize(@article.body)
49
+ # sanitize via an extensive safe list of allowed elements
50
+ safe_list_sanitizer.sanitize(@article.body)
51
51
 
52
- # white list only the supplied tags and attributes
53
- white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
52
+ # safe list only the supplied tags and attributes
53
+ safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
54
54
 
55
- # white list via a custom scrubber
56
- white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
55
+ # safe list via a custom scrubber
56
+ safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
57
57
 
58
- # white list sanitizer can also sanitize css
59
- white_list_sanitizer.sanitize_css('background-color: #000;')
58
+ # safe list sanitizer can also sanitize css
59
+ safe_list_sanitizer.sanitize_css('background-color: #000;')
60
60
  ```
61
61
 
62
62
  ### Scrubbers
@@ -127,7 +127,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
127
127
  - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
128
128
 
129
129
  The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
130
- - [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
130
+ - [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
131
131
  - [Nokogiri](http://nokogiri.org)
132
132
 
133
133
  ## Contributing to Rails Html Sanitizers
@@ -15,8 +15,14 @@ module Rails
15
15
  Html::LinkSanitizer
16
16
  end
17
17
 
18
+ def safe_list_sanitizer
19
+ Html::SafeListSanitizer
20
+ end
21
+
18
22
  def white_list_sanitizer
19
- Html::WhiteListSanitizer
23
+ ActiveSupport::Deprecation.warn "warning: white_list_sanitizer is" \
24
+ "deprecated, please use safe_list_sanitizer instead."
25
+ safe_list_sanitizer
20
26
  end
21
27
  end
22
28
  end
@@ -34,7 +40,7 @@ module ActionView
34
40
  # end
35
41
  #
36
42
  def sanitized_allowed_tags=(tags)
37
- sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
43
+ sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
38
44
  end
39
45
 
40
46
  # Replaces the allowed HTML attributes for the +sanitize+ helper.
@@ -44,7 +50,7 @@ module ActionView
44
50
  # end
45
51
  #
46
52
  def sanitized_allowed_attributes=(attributes)
47
- sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
53
+ sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
48
54
  end
49
55
 
50
56
  [:protocol_separator,
@@ -40,15 +40,16 @@ module Rails
40
40
  end
41
41
 
42
42
  # === Rails::Html::LinkSanitizer
43
- # Removes a tags and href attributes leaving only the link text
43
+ # Removes +a+ tags and +href+ attributes leaving only the link text.
44
44
  #
45
- # link_sanitizer = Rails::Html::LinkSanitizer.new
46
- # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
- # # => Only the link text will be kept.
45
+ # link_sanitizer = Rails::Html::LinkSanitizer.new
46
+ # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
+ #
48
+ # => 'Only the link text will be kept.'
48
49
  class LinkSanitizer < Sanitizer
49
50
  def initialize
50
51
  @link_scrubber = TargetScrubber.new
51
- @link_scrubber.tags = %w(a href)
52
+ @link_scrubber.tags = %w(a)
52
53
  @link_scrubber.attributes = %w(href)
53
54
  end
54
55
 
@@ -57,8 +58,8 @@ module Rails
57
58
  end
58
59
  end
59
60
 
60
- # === Rails::Html::WhiteListSanitizer
61
- # Sanitizes html and css from an extensive white list (see link further down).
61
+ # === Rails::Html::SafeListSanitizer
62
+ # Sanitizes html and css from an extensive safe list (see link further down).
62
63
  #
63
64
  # === Whitespace
64
65
  # We can't make any guarantees about whitespace being kept or stripped.
@@ -72,34 +73,34 @@ module Rails
72
73
  # so automatically.
73
74
  #
74
75
  # === Options
75
- # Sanitizes both html and css via the white lists found here:
76
+ # Sanitizes both html and css via the safe lists found here:
76
77
  # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
77
78
  #
78
- # WhiteListSanitizer also accepts options to configure
79
- # the white list used when sanitizing html.
79
+ # SafeListSanitizer also accepts options to configure
80
+ # the safe list used when sanitizing html.
80
81
  # There's a class level option:
81
- # Rails::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
82
- # Rails::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
82
+ # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
83
+ # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
83
84
  #
84
85
  # Tags and attributes can also be passed to +sanitize+.
85
86
  # Passed options take precedence over the class level options.
86
87
  #
87
88
  # === Examples
88
- # white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
89
+ # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
89
90
  #
90
91
  # Sanitize css doesn't take options
91
- # white_list_sanitizer.sanitize_css('background-color: #000;')
92
+ # safe_list_sanitizer.sanitize_css('background-color: #000;')
92
93
  #
93
- # Default: sanitize via a extensive white list of allowed elements
94
- # white_list_sanitizer.sanitize(@article.body)
94
+ # Default: sanitize via a extensive safe list of allowed elements
95
+ # safe_list_sanitizer.sanitize(@article.body)
95
96
  #
96
- # White list via the supplied tags and attributes
97
- # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
97
+ # Safe list via the supplied tags and attributes
98
+ # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
98
99
  # attributes: %w(id class style))
99
100
  #
100
- # White list via a custom scrubber
101
- # white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
102
- class WhiteListSanitizer < Sanitizer
101
+ # Safe list via a custom scrubber
102
+ # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
103
+ class SafeListSanitizer < Sanitizer
103
104
  class << self
104
105
  attr_accessor :allowed_tags
105
106
  attr_accessor :allowed_attributes
@@ -148,5 +149,10 @@ module Rails
148
149
  options[:attributes] || self.class.allowed_attributes
149
150
  end
150
151
  end
152
+
153
+ WhiteListSanitizer = SafeListSanitizer
154
+ if Object.respond_to?(:deprecate_constant)
155
+ deprecate_constant :WhiteListSanitizer
156
+ end
151
157
  end
152
158
  end
@@ -1,7 +1,7 @@
1
1
  module Rails
2
2
  module Html
3
3
  class Sanitizer
4
- VERSION = "1.0.4"
4
+ VERSION = "1.1.0"
5
5
  end
6
6
  end
7
7
  end
@@ -2,9 +2,9 @@ module Rails
2
2
  module Html
3
3
  # === Rails::Html::PermitScrubber
4
4
  #
5
- # Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
5
+ # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
6
6
  #
7
- # Rails::Html::PermitScrubber can be subclassed to determine:
7
+ # +Rails::Html::PermitScrubber+ can be subclassed to determine:
8
8
  # - When a node should be skipped via +skip_node?+.
9
9
  # - When a node is allowed via +allowed_node?+.
10
10
  # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,23 +27,23 @@ module Rails
27
27
  # If set, attributes excluded will be removed.
28
28
  # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
29
29
  #
30
- # class CommentScrubber < Html::PermitScrubber
31
- # def initialize
32
- # super
33
- # self.tags = %w(form script comment blockquote)
34
- # end
30
+ # class CommentScrubber < Html::PermitScrubber
31
+ # def initialize
32
+ # super
33
+ # self.tags = %w(form script comment blockquote)
34
+ # end
35
35
  #
36
- # def skip_node?(node)
37
- # node.text?
38
- # end
36
+ # def skip_node?(node)
37
+ # node.text?
38
+ # end
39
39
  #
40
- # def scrub_attribute?(name)
41
- # name == "style"
42
- # end
43
- # end
40
+ # def scrub_attribute?(name)
41
+ # name == "style"
42
+ # end
43
+ # end
44
44
  #
45
- # See the documentation for Nokogiri::XML::Node to understand what's possible
46
- # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
45
+ # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
46
+ # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
47
47
  class PermitScrubber < Loofah::Scrubber
48
48
  attr_reader :tags, :attributes
49
49
 
@@ -160,8 +160,8 @@ module Rails
160
160
 
161
161
  # === Rails::Html::TargetScrubber
162
162
  #
163
- # Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
164
- # sanitization, Rails::Html::TargetScrubber targets them for removal.
163
+ # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
164
+ # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
165
165
  #
166
166
  # +tags=+
167
167
  # If set, elements included will be stripped.
@@ -180,7 +180,7 @@ module Rails
180
180
 
181
181
  # === Rails::Html::TextOnlyScrubber
182
182
  #
183
- # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
183
+ # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
184
184
  #
185
185
  # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
186
186
  class TextOnlyScrubber < Loofah::Scrubber
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
12
12
  end
13
13
 
14
14
  def test_sanitize_nested_script
15
- sanitizer = Rails::Html::WhiteListSanitizer.new
15
+ sanitizer = Rails::Html::SafeListSanitizer.new
16
16
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
17
17
  end
18
18
 
19
19
  def test_sanitize_nested_script_in_style
20
- sanitizer = Rails::Html::WhiteListSanitizer.new
20
+ sanitizer = Rails::Html::SafeListSanitizer.new
21
21
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
22
22
  end
23
23
 
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
154
154
  assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
155
155
  end
156
156
 
157
- def test_strip_links_with_a_tag_in_href
158
- assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
159
- end
160
-
161
157
  def test_sanitize_form
162
158
  assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
163
159
  end
@@ -255,38 +251,38 @@ class SanitizersTest < Minitest::Test
255
251
 
256
252
  def test_should_allow_custom_tags
257
253
  text = "<u>foo</u>"
258
- assert_equal text, white_list_sanitize(text, tags: %w(u))
254
+ assert_equal text, safe_list_sanitize(text, tags: %w(u))
259
255
  end
260
256
 
261
257
  def test_should_allow_only_custom_tags
262
258
  text = "<u>foo</u> with <i>bar</i>"
263
- assert_equal "<u>foo</u> with bar", white_list_sanitize(text, tags: %w(u))
259
+ assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
264
260
  end
265
261
 
266
262
  def test_should_allow_custom_tags_with_attributes
267
263
  text = %(<blockquote cite="http://example.com/">foo</blockquote>)
268
- assert_equal text, white_list_sanitize(text)
264
+ assert_equal text, safe_list_sanitize(text)
269
265
  end
270
266
 
271
267
  def test_should_allow_custom_tags_with_custom_attributes
272
268
  text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
273
- assert_equal text, white_list_sanitize(text, attributes: ['foo'])
269
+ assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
274
270
  end
275
271
 
276
272
  def test_scrub_style_if_style_attribute_option_is_passed
277
273
  input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
278
- assert_equal '<p style="color: #000;"></p>', white_list_sanitize(input, attributes: %w(style))
274
+ assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
279
275
  end
280
276
 
281
277
  def test_should_raise_argument_error_if_tags_is_not_enumerable
282
278
  assert_raises ArgumentError do
283
- white_list_sanitize('<a>some html</a>', tags: 'foo')
279
+ safe_list_sanitize('<a>some html</a>', tags: 'foo')
284
280
  end
285
281
  end
286
282
 
287
283
  def test_should_raise_argument_error_if_attributes_is_not_enumerable
288
284
  assert_raises ArgumentError do
289
- white_list_sanitize('<a>some html</a>', attributes: 'foo')
285
+ safe_list_sanitize('<a>some html</a>', attributes: 'foo')
290
286
  end
291
287
  end
292
288
 
@@ -295,7 +291,7 @@ class SanitizersTest < Minitest::Test
295
291
  def scrubber.scrub(node); node.name = 'h1'; end
296
292
 
297
293
  assert_raises Loofah::ScrubberNotFound do
298
- white_list_sanitize('<a>some html</a>', scrubber: scrubber)
294
+ safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
299
295
  end
300
296
  end
301
297
 
@@ -304,19 +300,19 @@ class SanitizersTest < Minitest::Test
304
300
  def scrubber.scrub(node); node.name = 'h1'; end
305
301
 
306
302
  html = "<script>hello!</script>"
307
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
303
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
308
304
  end
309
305
 
310
306
  def test_should_accept_loofah_scrubber_that_wraps_a_block
311
307
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
312
308
  html = "<script>hello!</script>"
313
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
309
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
314
310
  end
315
311
 
316
312
  def test_custom_scrubber_takes_precedence_over_other_options
317
313
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
318
314
  html = "<script>hello!</script>"
319
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
315
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
320
316
  end
321
317
 
322
318
  [%w(img src), %w(a href)].each do |(tag, attr)|
@@ -468,7 +464,7 @@ class SanitizersTest < Minitest::Test
468
464
  end
469
465
 
470
466
  def test_sanitize_ascii_8bit_string
471
- white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
467
+ safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
472
468
  assert_equal '<a>hello</a>', sanitized
473
469
  assert_equal Encoding::UTF_8, sanitized.encoding
474
470
  end
@@ -481,39 +477,47 @@ class SanitizersTest < Minitest::Test
481
477
 
482
478
  def test_allow_data_attribute_if_requested
483
479
  text = %(<a data-foo="foo">foo</a>)
484
- assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
480
+ assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
485
481
  end
486
482
 
487
- def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
483
+ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
484
+ skip if RUBY_VERSION < "2.3"
485
+
488
486
  html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
489
487
 
490
- text = white_list_sanitize(html)
488
+ text = safe_list_sanitize(html)
491
489
 
492
- assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
490
+ assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
493
491
  end
494
492
 
495
- def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
493
+ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
494
+ skip if RUBY_VERSION < "2.3"
495
+
496
496
  html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
497
497
 
498
- text = white_list_sanitize(html)
498
+ text = safe_list_sanitize(html)
499
499
 
500
- assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
500
+ assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
501
501
  end
502
502
 
503
- def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
503
+ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
504
+ skip if RUBY_VERSION < "2.3"
505
+
504
506
  html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
505
507
 
506
- text = white_list_sanitize(html)
508
+ text = safe_list_sanitize(html)
507
509
 
508
- assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
510
+ assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
509
511
  end
510
512
 
511
- def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
513
+ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
514
+ skip if RUBY_VERSION < "2.3"
515
+
512
516
  html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
513
517
 
514
- text = white_list_sanitize(html, attributes: ['action'])
518
+ text = safe_list_sanitize(html, attributes: ['action'])
515
519
 
516
- assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
520
+ assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
517
521
  end
518
522
 
519
523
  protected
@@ -530,35 +534,35 @@ protected
530
534
  Rails::Html::LinkSanitizer.new.sanitize(input, options)
531
535
  end
532
536
 
533
- def white_list_sanitize(input, options = {})
534
- Rails::Html::WhiteListSanitizer.new.sanitize(input, options)
537
+ def safe_list_sanitize(input, options = {})
538
+ Rails::Html::SafeListSanitizer.new.sanitize(input, options)
535
539
  end
536
540
 
537
541
  def assert_sanitized(input, expected = nil)
538
542
  if input
539
- assert_dom_equal expected || input, white_list_sanitize(input)
543
+ assert_dom_equal expected || input, safe_list_sanitize(input)
540
544
  else
541
- assert_nil white_list_sanitize(input)
545
+ assert_nil safe_list_sanitize(input)
542
546
  end
543
547
  end
544
548
 
545
549
  def sanitize_css(input)
546
- Rails::Html::WhiteListSanitizer.new.sanitize_css(input)
550
+ Rails::Html::SafeListSanitizer.new.sanitize_css(input)
547
551
  end
548
552
 
549
553
  def scope_allowed_tags(tags)
550
- old_tags = Rails::Html::WhiteListSanitizer.allowed_tags
551
- Rails::Html::WhiteListSanitizer.allowed_tags = tags
552
- yield Rails::Html::WhiteListSanitizer.new
554
+ old_tags = Rails::Html::SafeListSanitizer.allowed_tags
555
+ Rails::Html::SafeListSanitizer.allowed_tags = tags
556
+ yield Rails::Html::SafeListSanitizer.new
553
557
  ensure
554
- Rails::Html::WhiteListSanitizer.allowed_tags = old_tags
558
+ Rails::Html::SafeListSanitizer.allowed_tags = old_tags
555
559
  end
556
560
 
557
561
  def scope_allowed_attributes(attributes)
558
- old_attributes = Rails::Html::WhiteListSanitizer.allowed_attributes
559
- Rails::Html::WhiteListSanitizer.allowed_attributes = attributes
560
- yield Rails::Html::WhiteListSanitizer.new
562
+ old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
563
+ Rails::Html::SafeListSanitizer.allowed_attributes = attributes
564
+ yield Rails::Html::SafeListSanitizer.new
561
565
  ensure
562
- Rails::Html::WhiteListSanitizer.allowed_attributes = old_attributes
566
+ Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
563
567
  end
564
568
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.4
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-03-22 00:00:00.000000000 Z
12
+ date: 2019-08-05 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: loofah
@@ -35,14 +35,14 @@ dependencies:
35
35
  name: bundler
36
36
  requirement: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - "~>"
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '1.3'
41
41
  type: :development
42
42
  prerelease: false
43
43
  version_requirements: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - "~>"
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
47
  version: '1.3'
48
48
  - !ruby/object:Gem::Dependency
@@ -123,8 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
123
123
  - !ruby/object:Gem::Version
124
124
  version: '0'
125
125
  requirements: []
126
- rubyforge_project:
127
- rubygems_version: 2.7.6
126
+ rubygems_version: 3.0.4
128
127
  signing_key:
129
128
  specification_version: 4
130
129
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.