rails-html-sanitizer 1.0.4 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic.
- checksums.yaml +4 -4
- data/CHANGELOG.md +49 -0
- data/README.md +14 -12
- data/lib/rails-html-sanitizer.rb +7 -3
- data/lib/rails/html/sanitizer.rb +25 -22
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +24 -24
- data/test/sanitizer_test.rb +61 -48
- metadata +13 -16
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 72ef1b871489bb5189b4010ce24714523903baa2347ca8c49c0d8d3334439a22
|
4
|
+
data.tar.gz: 8e870f37ddb730ba3bf184cd5d9ddf2c8b8bc80d1a1ff3430553959b9478edcb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 30e80f4579a449b65f0e88e1383953c17df46bd527707c37b425837980167447559a32bfe8815e6f9523727f626059f92fe55d63ac136f798bfe46f323788310
|
7
|
+
data.tar.gz: f554d91da09f669d5e4015294ec96a3431d535a60c254b5ae940227a74753eafde42d9e324009e98247c75210de3d0c6d18583550b11a63048a5adf0a4dfbd31
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,52 @@
|
|
1
|
+
## 1.4.0 / 2021-08-18
|
2
|
+
|
3
|
+
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
4
|
+
|
5
|
+
Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
|
6
|
+
are no known security issues associated with these PIs, but similar to comments it's preferred to
|
7
|
+
omit these nodes when possible from sanitized output.
|
8
|
+
|
9
|
+
Fixes #115.
|
10
|
+
|
11
|
+
*Mike Dalessio*
|
12
|
+
|
13
|
+
## 1.3.0
|
14
|
+
|
15
|
+
* Address deprecations in Loofah 2.3.0.
|
16
|
+
|
17
|
+
*Josh Goodall*
|
18
|
+
|
19
|
+
## 1.2.0
|
20
|
+
|
21
|
+
* Remove needless `white_list_sanitizer` deprecation.
|
22
|
+
|
23
|
+
By deprecating this, we were forcing Rails 5.2 to be updated or spew
|
24
|
+
deprecations that users could do nothing about.
|
25
|
+
|
26
|
+
That's pointless and I'm sorry for adding that!
|
27
|
+
|
28
|
+
Now there's no deprecation warning and Rails 5.2 works out of the box, while
|
29
|
+
Rails 6 can use the updated naming.
|
30
|
+
|
31
|
+
*Kasper Timm Hansen*
|
32
|
+
|
33
|
+
## 1.1.0
|
34
|
+
|
35
|
+
* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
36
|
+
in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
|
37
|
+
|
38
|
+
*Juanito Fatas*
|
39
|
+
|
40
|
+
* Remove `href` from LinkScrubber's `tags` as it's not an element.
|
41
|
+
https://github.com/rails/rails-html-sanitizer/pull/92
|
42
|
+
|
43
|
+
*Juanito Fatas*
|
44
|
+
|
45
|
+
* Explain that we don't need to bump Loofah here if there's CVEs.
|
46
|
+
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
|
47
|
+
|
48
|
+
*Kasper Timm Hansen*
|
49
|
+
|
1
50
|
## 1.0.1
|
2
51
|
|
3
52
|
* Added support for Rails 4.2.0.beta2 and above
|
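Review bot: the new entries jump from `## 1.1.0` straight to the pre-existing `## 1.0.1`, so 1.0.2 through 1.0.4 (the version this diff starts from) have no changelog entries at all, and `## 1.3.0`, `## 1.2.0` and `## 1.1.0` carry no release date while `## 1.4.0 / 2021-08-18` does. Add the missing entries and dates so the `changelog_uri` advertised in the metadata actually tells consumers what changed across the releases they are upgrading over.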
data/README.md
CHANGED
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
|
|
41
41
|
# => Only the link text will be kept.
|
42
42
|
```
|
43
43
|
|
44
|
-
####
|
44
|
+
#### SafeListSanitizer
|
45
45
|
|
46
46
|
```ruby
|
47
|
-
|
47
|
+
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
48
48
|
|
49
|
-
# sanitize via an extensive
|
50
|
-
|
49
|
+
# sanitize via an extensive safe list of allowed elements
|
50
|
+
safe_list_sanitizer.sanitize(@article.body)
|
51
51
|
|
52
|
-
#
|
53
|
-
|
52
|
+
# safe list only the supplied tags and attributes
|
53
|
+
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
|
54
54
|
|
55
|
-
#
|
56
|
-
|
55
|
+
# safe list via a custom scrubber
|
56
|
+
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
57
57
|
|
58
|
-
#
|
59
|
-
|
58
|
+
# safe list sanitizer can also sanitize css
|
59
|
+
safe_list_sanitizer.sanitize_css('background-color: #000;')
|
60
60
|
```
|
61
61
|
|
62
62
|
### Scrubbers
|
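Review bot: this README section renames everything to `SafeListSanitizer` but says nothing about the old name; since `Rails::Html::WhiteListSanitizer` is kept as a constant alias in `sanitizer.rb` in this same release, a one-line note here ("`WhiteListSanitizer` remains available as an alias") would spare users a grep through the source. The code sample itself is fine.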
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
|
|
81
81
|
#### `Rails::Html::TargetScrubber`
|
82
82
|
|
83
83
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
84
|
-
`Rails::Html::TargetScrubber` targets them for removal.
|
84
|
+
`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
85
85
|
|
86
|
+
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
87
|
+
loofah `HTML5::Scrub.allowed_element?`.
|
86
88
|
|
87
89
|
```ruby
|
88
90
|
scrubber = Rails::Html::TargetScrubber.new
|
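Review bot: the added note under `TargetScrubber` is hard to parse: "it will scrub anything that is not part of the permitted tags from loofah `HTML5::Scrub.allowed_element?`" reads as if `allowed_element?` were a list. Suggest: "By default it also scrubs any element that Loofah's `HTML5::Scrub.allowed_element?` does not permit, in addition to the tags you target." Also, the safelist link added here points at the `main` branch while the rdoc in `sanitizer.rb` points at `master`; use one URL in both places.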
@@ -127,7 +129,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
|
127
129
|
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
|
128
130
|
|
129
131
|
The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
|
130
|
-
- [`Nokogiri::XML::Node`](
|
132
|
+
- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
|
131
133
|
- [Nokogiri](http://nokogiri.org)
|
132
134
|
|
133
135
|
## Contributing to Rails Html Sanitizers
|
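Review bot: the new `Nokogiri::XML::Node` link uses https while the unchanged `- [Nokogiri](http://nokogiri.org)` line directly below it still uses http; update that line in the same change so both documentation links are served over TLS.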
data/lib/rails-html-sanitizer.rb
CHANGED
@@ -15,8 +15,12 @@ module Rails
|
|
15
15
|
Html::LinkSanitizer
|
16
16
|
end
|
17
17
|
|
18
|
+
def safe_list_sanitizer
|
19
|
+
Html::SafeListSanitizer
|
20
|
+
end
|
21
|
+
|
18
22
|
def white_list_sanitizer
|
19
|
-
|
23
|
+
safe_list_sanitizer
|
20
24
|
end
|
21
25
|
end
|
22
26
|
end
|
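Review bot: `white_list_sanitizer` now silently delegates to `safe_list_sanitizer` with no comment explaining that it is a compatibility shim kept on purpose (the CHANGELOG 1.2.0 entry records the decision not to deprecate it). Add a one-line comment above it so the next maintainer does not re-add the deprecation warning that was just removed.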
@@ -34,7 +38,7 @@ module ActionView
|
|
34
38
|
# end
|
35
39
|
#
|
36
40
|
def sanitized_allowed_tags=(tags)
|
37
|
-
sanitizer_vendor.
|
41
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
|
38
42
|
end
|
39
43
|
|
40
44
|
# Replaces the allowed HTML attributes for the +sanitize+ helper.
|
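Review bot: `sanitized_allowed_tags=` writes to the class-level `allowed_tags` of `SafeListSanitizer`, i.e. process-wide mutable state shared by every instance, as the rdoc in `sanitizer.rb` ("There's a class level option") confirms; the same applies to `sanitized_allowed_attributes=` in the next hunk. The docstring above this setter should say that it affects all sanitizer instances, not just the current view, and the test suite's `scope_allowed_tags` helper shows the restore-in-`ensure` pattern a caller needs if the value is meant to be set transiently.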
@@ -44,7 +48,7 @@ module ActionView
|
|
44
48
|
# end
|
45
49
|
#
|
46
50
|
def sanitized_allowed_attributes=(attributes)
|
47
|
-
sanitizer_vendor.
|
51
|
+
sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
|
48
52
|
end
|
49
53
|
|
50
54
|
[:protocol_separator,
|
data/lib/rails/html/sanitizer.rb
CHANGED
@@ -40,15 +40,16 @@ module Rails
|
|
40
40
|
end
|
41
41
|
|
42
42
|
# === Rails::Html::LinkSanitizer
|
43
|
-
# Removes a tags and href attributes leaving only the link text
|
43
|
+
# Removes +a+ tags and +href+ attributes leaving only the link text.
|
44
44
|
#
|
45
|
-
#
|
46
|
-
#
|
47
|
-
#
|
45
|
+
# link_sanitizer = Rails::Html::LinkSanitizer.new
|
46
|
+
# link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
47
|
+
#
|
48
|
+
# => 'Only the link text will be kept.'
|
48
49
|
class LinkSanitizer < Sanitizer
|
49
50
|
def initialize
|
50
51
|
@link_scrubber = TargetScrubber.new
|
51
|
-
@link_scrubber.tags = %w(a
|
52
|
+
@link_scrubber.tags = %w(a)
|
52
53
|
@link_scrubber.attributes = %w(href)
|
53
54
|
end
|
54
55
|
|
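Review bot: the rdoc example separates the `sanitize` call from its `# => 'Only the link text will be kept.'` result with a blank `#` line, so the result reads as a detached fragment; put it directly below the call, as the README does. Separately, `@link_scrubber.tags = %w(a)` matches the CHANGELOG 1.1.0 note that `href` is not an element: `TargetScrubber#tags` takes element names and `attributes` takes attribute names, so `href` belongs only in the `attributes` line that follows.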
@@ -57,8 +58,8 @@ module Rails
|
|
57
58
|
end
|
58
59
|
end
|
59
60
|
|
60
|
-
# === Rails::Html::
|
61
|
-
# Sanitizes html and css from an extensive
|
61
|
+
# === Rails::Html::SafeListSanitizer
|
62
|
+
# Sanitizes html and css from an extensive safe list (see link further down).
|
62
63
|
#
|
63
64
|
# === Whitespace
|
64
65
|
# We can't make any guarantees about whitespace being kept or stripped.
|
@@ -72,34 +73,34 @@ module Rails
|
|
72
73
|
# so automatically.
|
73
74
|
#
|
74
75
|
# === Options
|
75
|
-
# Sanitizes both html and css via the
|
76
|
-
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/
|
76
|
+
# Sanitizes both html and css via the safe lists found here:
|
77
|
+
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
|
77
78
|
#
|
78
|
-
#
|
79
|
-
# the
|
79
|
+
# SafeListSanitizer also accepts options to configure
|
80
|
+
# the safe list used when sanitizing html.
|
80
81
|
# There's a class level option:
|
81
|
-
# Rails::Html::
|
82
|
-
# Rails::Html::
|
82
|
+
# Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
|
83
|
+
# Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
|
83
84
|
#
|
84
85
|
# Tags and attributes can also be passed to +sanitize+.
|
85
86
|
# Passed options take precedence over the class level options.
|
86
87
|
#
|
87
88
|
# === Examples
|
88
|
-
#
|
89
|
+
# safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
|
89
90
|
#
|
90
91
|
# Sanitize css doesn't take options
|
91
|
-
#
|
92
|
+
# safe_list_sanitizer.sanitize_css('background-color: #000;')
|
92
93
|
#
|
93
|
-
# Default: sanitize via a extensive
|
94
|
-
#
|
94
|
+
# Default: sanitize via a extensive safe list of allowed elements
|
95
|
+
# safe_list_sanitizer.sanitize(@article.body)
|
95
96
|
#
|
96
|
-
#
|
97
|
-
#
|
97
|
+
# Safe list via the supplied tags and attributes
|
98
|
+
# safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
|
98
99
|
# attributes: %w(id class style))
|
99
100
|
#
|
100
|
-
#
|
101
|
-
#
|
102
|
-
class
|
101
|
+
# Safe list via a custom scrubber
|
102
|
+
# safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
103
|
+
class SafeListSanitizer < Sanitizer
|
103
104
|
class << self
|
104
105
|
attr_accessor :allowed_tags
|
105
106
|
attr_accessor :allowed_attributes
|
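Review bot: typo in the rdoc, "sanitize via a extensive safe list" should read "an extensive safe list". More substantively, the doc says "Passed options take precedence over the class level options" but never says that a `scrubber:` option overrides `tags:` and `attributes:` entirely, which `test_custom_scrubber_takes_precedence_over_other_options` in the test file asserts; state that explicitly, because a caller passing both a scrubber and a tag list may expect them to combine.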
@@ -148,5 +149,7 @@ module Rails
|
|
148
149
|
options[:attributes] || self.class.allowed_attributes
|
149
150
|
end
|
150
151
|
end
|
152
|
+
|
153
|
+
WhiteListSanitizer = SafeListSanitizer
|
151
154
|
end
|
152
155
|
end
|
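Review bot: `WhiteListSanitizer = SafeListSanitizer` is added without a comment; mark it as a backward-compatibility alias (e.g. `# Backward-compatibility alias, see CHANGELOG 1.2.0`) so it is not removed or re-deprecated by accident. Because it is a plain constant alias, `WhiteListSanitizer.allowed_tags = ...` and `SafeListSanitizer.allowed_tags = ...` set the same class-level state, which is the intended behaviour but worth stating in that comment.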
data/lib/rails/html/scrubbers.rb
CHANGED
@@ -2,9 +2,9 @@ module Rails
|
|
2
2
|
module Html
|
3
3
|
# === Rails::Html::PermitScrubber
|
4
4
|
#
|
5
|
-
# Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
|
5
|
+
# +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
|
6
6
|
#
|
7
|
-
# Rails::Html::PermitScrubber can be subclassed to determine:
|
7
|
+
# +Rails::Html::PermitScrubber+ can be subclassed to determine:
|
8
8
|
# - When a node should be skipped via +skip_node?+.
|
9
9
|
# - When a node is allowed via +allowed_node?+.
|
10
10
|
# - When an attribute should be scrubbed via +scrub_attribute?+.
|
@@ -27,23 +27,23 @@ module Rails
|
|
27
27
|
# If set, attributes excluded will be removed.
|
28
28
|
# If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
|
29
29
|
#
|
30
|
-
#
|
31
|
-
#
|
32
|
-
#
|
33
|
-
#
|
34
|
-
#
|
30
|
+
# class CommentScrubber < Html::PermitScrubber
|
31
|
+
# def initialize
|
32
|
+
# super
|
33
|
+
# self.tags = %w(form script comment blockquote)
|
34
|
+
# end
|
35
35
|
#
|
36
|
-
#
|
37
|
-
#
|
38
|
-
#
|
36
|
+
# def skip_node?(node)
|
37
|
+
# node.text?
|
38
|
+
# end
|
39
39
|
#
|
40
|
-
#
|
41
|
-
#
|
42
|
-
#
|
43
|
-
#
|
40
|
+
# def scrub_attribute?(name)
|
41
|
+
# name == "style"
|
42
|
+
# end
|
43
|
+
# end
|
44
44
|
#
|
45
|
-
# See the documentation for Nokogiri::XML::Node to understand what's possible
|
46
|
-
# with nodes:
|
45
|
+
# See the documentation for +Nokogiri::XML::Node+ to understand what's possible
|
46
|
+
# with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
|
47
47
|
class PermitScrubber < Loofah::Scrubber
|
48
48
|
attr_reader :tags, :attributes
|
49
49
|
|
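Review bot: the rdoc example class permits `%w(form script comment blockquote)`; `script` and `form` are exactly the two elements the test suite removes from `ALLOWED_ELEMENTS` as unsafe, and `comment` is not an HTML element. Documentation examples get copied into production scrubbers, so use a clearly benign tag set (e.g. `%w(blockquote p em)`) and keep the `skip_node?` and `scrub_attribute?` overrides as they are.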
@@ -68,7 +68,7 @@ module Rails
|
|
68
68
|
end
|
69
69
|
return CONTINUE if skip_node?(node)
|
70
70
|
|
71
|
-
unless keep_node?(node)
|
71
|
+
unless node.element? && keep_node?(node)
|
72
72
|
return STOP if scrub_node(node) == STOP
|
73
73
|
end
|
74
74
|
|
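Review bot: `unless node.element? && keep_node?(node)` now scrubs every non-element node that `skip_node?` did not already pass through, which is what closes the processing-instruction case from #115, but it also makes the fate of text, CDATA and comment nodes depend entirely on `skip_node?` (see `return CONTINUE if skip_node?(node)` two lines above). The accompanying tests exercise a PI and a comment only through `SafeListSanitizer`; add a direct `PermitScrubber` test that a plain text node survives, so a later change to `skip_node?` cannot silently strip text content.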
@@ -138,17 +138,17 @@ module Rails
|
|
138
138
|
attr_node.node_name
|
139
139
|
end
|
140
140
|
|
141
|
-
if Loofah::HTML5::
|
141
|
+
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
|
142
142
|
# this block lifted nearly verbatim from HTML5 sanitization
|
143
143
|
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
|
144
|
-
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::
|
144
|
+
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
|
145
145
|
attr_node.remove
|
146
146
|
end
|
147
147
|
end
|
148
|
-
if Loofah::HTML5::
|
148
|
+
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
|
149
149
|
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
|
150
150
|
end
|
151
|
-
if Loofah::HTML5::
|
151
|
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
|
152
152
|
attr_node.remove
|
153
153
|
end
|
154
154
|
|
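Review bot: the anchors in `/^[a-z0-9][-+.a-z0-9]*:/` and `/^\s*[^#\s].*/m` use `^`, which in Ruby matches at the start of any line inside the value rather than only at the start of the string; `\A` expresses the intended "start of the attribute value" check. As far as I can trace it the multi-line case fails closed (a value whose first line has no scheme still yields a non-allowed first segment after `split`, so the attribute is removed), so this is a clarity and future-proofing point, not a bypass. Also, the comment "lifted nearly verbatim from HTML5 sanitization" marks this block as a copy of Loofah code; with the gem now requiring Loofah `~> 2.3` (metadata hunk), consider delegating to Loofah so upstream fixes to protocol handling are picked up without a gem release.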
@@ -160,8 +160,8 @@ module Rails
|
|
160
160
|
|
161
161
|
# === Rails::Html::TargetScrubber
|
162
162
|
#
|
163
|
-
# Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
|
164
|
-
# sanitization, Rails::Html::TargetScrubber targets them for removal.
|
163
|
+
# Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
|
164
|
+
# sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
|
165
165
|
#
|
166
166
|
# +tags=+
|
167
167
|
# If set, elements included will be stripped.
|
@@ -180,7 +180,7 @@ module Rails
|
|
180
180
|
|
181
181
|
# === Rails::Html::TextOnlyScrubber
|
182
182
|
#
|
183
|
-
# Rails::Html::TextOnlyScrubber allows you to permit text nodes.
|
183
|
+
# +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
|
184
184
|
#
|
185
185
|
# Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
|
186
186
|
class TextOnlyScrubber < Loofah::Scrubber
|
data/test/sanitizer_test.rb
CHANGED
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
|
|
12
12
|
end
|
13
13
|
|
14
14
|
def test_sanitize_nested_script
|
15
|
-
sanitizer = Rails::Html::
|
15
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
16
16
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
|
17
17
|
end
|
18
18
|
|
19
19
|
def test_sanitize_nested_script_in_style
|
20
|
-
sanitizer = Rails::Html::
|
20
|
+
sanitizer = Rails::Html::SafeListSanitizer.new
|
21
21
|
assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
|
22
22
|
end
|
23
23
|
|
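Review bot: as rendered here the expected value in both assertions is a literal `<script>alert("XSS");</script>`, which would mean the sanitizer, given `tags: %w(em)`, emits an executable script element. If the source assertion actually compares against the entity-escaped text (`&lt;script&gt;...&lt;/script&gt;`) then the diff viewer has unescaped it for display; please confirm the expected string in the file is the escaped form, because a test that passes with a raw `<script>` in the output would be asserting the wrong thing.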
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
|
|
93
93
|
end
|
94
94
|
|
95
95
|
def test_strip_tags_with_plaintext
|
96
|
-
assert_equal "
|
96
|
+
assert_equal "Don't touch me", full_sanitize("Don't touch me")
|
97
97
|
end
|
98
98
|
|
99
99
|
def test_strip_tags_with_tags
|
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
|
|
135
135
|
end
|
136
136
|
|
137
137
|
def test_strip_links_with_plaintext
|
138
|
-
assert_equal "
|
138
|
+
assert_equal "Don't touch me", link_sanitize("Don't touch me")
|
139
139
|
end
|
140
140
|
|
141
141
|
def test_strip_links_with_line_feed_and_uppercase_tag
|
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
|
|
154
154
|
assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
|
155
155
|
end
|
156
156
|
|
157
|
-
def test_strip_links_with_a_tag_in_href
|
158
|
-
assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
|
159
|
-
end
|
160
|
-
|
161
157
|
def test_sanitize_form
|
162
158
|
assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
|
163
159
|
end
|
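Review bot: `test_strip_links_with_a_tag_in_href` is deleted without a replacement. The CHANGELOG 1.1.0 entry explains why (`href` is not an element, so it was dropped from the scrubber's `tags`), but the behaviour it exercised, an unknown `<href>` element carrying an event-handler attribute being reduced to its text, still deserves a regression test under the new semantics. Incidentally the removed input used `onlclick`, a typo for `onclick`, so the old test never exercised a real handler attribute name.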
@@ -185,7 +181,7 @@ class SanitizersTest < Minitest::Test
|
|
185
181
|
assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
|
186
182
|
end
|
187
183
|
|
188
|
-
tags = Loofah::HTML5::
|
184
|
+
tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
|
189
185
|
tags.each do |tag_name|
|
190
186
|
define_method "test_should_allow_#{tag_name}_tag" do
|
191
187
|
scope_allowed_tags(tags) do
|
@@ -255,38 +251,39 @@ class SanitizersTest < Minitest::Test
|
|
255
251
|
|
256
252
|
def test_should_allow_custom_tags
|
257
253
|
text = "<u>foo</u>"
|
258
|
-
assert_equal text,
|
254
|
+
assert_equal text, safe_list_sanitize(text, tags: %w(u))
|
259
255
|
end
|
260
256
|
|
261
257
|
def test_should_allow_only_custom_tags
|
262
258
|
text = "<u>foo</u> with <i>bar</i>"
|
263
|
-
assert_equal "<u>foo</u> with bar",
|
259
|
+
assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
|
264
260
|
end
|
265
261
|
|
266
262
|
def test_should_allow_custom_tags_with_attributes
|
267
263
|
text = %(<blockquote cite="http://example.com/">foo</blockquote>)
|
268
|
-
assert_equal text,
|
264
|
+
assert_equal text, safe_list_sanitize(text)
|
269
265
|
end
|
270
266
|
|
271
267
|
def test_should_allow_custom_tags_with_custom_attributes
|
272
268
|
text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
|
273
|
-
assert_equal text,
|
269
|
+
assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
|
274
270
|
end
|
275
271
|
|
276
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
277
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
278
|
-
|
274
|
+
actual = safe_list_sanitize(input, attributes: %w(style))
|
275
|
+
assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
|
279
276
|
end
|
280
277
|
|
281
278
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
282
279
|
assert_raises ArgumentError do
|
283
|
-
|
280
|
+
safe_list_sanitize('<a>some html</a>', tags: 'foo')
|
284
281
|
end
|
285
282
|
end
|
286
283
|
|
287
284
|
def test_should_raise_argument_error_if_attributes_is_not_enumerable
|
288
285
|
assert_raises ArgumentError do
|
289
|
-
|
286
|
+
safe_list_sanitize('<a>some html</a>', attributes: 'foo')
|
290
287
|
end
|
291
288
|
end
|
292
289
|
|
@@ -295,7 +292,7 @@ class SanitizersTest < Minitest::Test
|
|
295
292
|
def scrubber.scrub(node); node.name = 'h1'; end
|
296
293
|
|
297
294
|
assert_raises Loofah::ScrubberNotFound do
|
298
|
-
|
295
|
+
safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
|
299
296
|
end
|
300
297
|
end
|
301
298
|
|
@@ -304,19 +301,19 @@ class SanitizersTest < Minitest::Test
|
|
304
301
|
def scrubber.scrub(node); node.name = 'h1'; end
|
305
302
|
|
306
303
|
html = "<script>hello!</script>"
|
307
|
-
assert_equal "<h1>hello!</h1>",
|
304
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
308
305
|
end
|
309
306
|
|
310
307
|
def test_should_accept_loofah_scrubber_that_wraps_a_block
|
311
308
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
312
309
|
html = "<script>hello!</script>"
|
313
|
-
assert_equal "<h1>hello!</h1>",
|
310
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
|
314
311
|
end
|
315
312
|
|
316
313
|
def test_custom_scrubber_takes_precedence_over_other_options
|
317
314
|
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
|
318
315
|
html = "<script>hello!</script>"
|
319
|
-
assert_equal "<h1>hello!</h1>",
|
316
|
+
assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
|
320
317
|
end
|
321
318
|
|
322
319
|
[%w(img src), %w(a href)].each do |(tag, attr)|
|
@@ -417,7 +414,7 @@ class SanitizersTest < Minitest::Test
|
|
417
414
|
end
|
418
415
|
|
419
416
|
def test_should_sanitize_div_background_image_unicode_encoded
|
420
|
-
raw = %(background-image:\
|
417
|
+
raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
|
421
418
|
assert_equal '', sanitize_css(raw)
|
422
419
|
end
|
423
420
|
|
@@ -468,7 +465,7 @@ class SanitizersTest < Minitest::Test
|
|
468
465
|
end
|
469
466
|
|
470
467
|
def test_sanitize_ascii_8bit_string
|
471
|
-
|
468
|
+
safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
|
472
469
|
assert_equal '<a>hello</a>', sanitized
|
473
470
|
assert_equal Encoding::UTF_8, sanitized.encoding
|
474
471
|
end
|
@@ -481,39 +478,55 @@ class SanitizersTest < Minitest::Test
|
|
481
478
|
|
482
479
|
def test_allow_data_attribute_if_requested
|
483
480
|
text = %(<a data-foo="foo">foo</a>)
|
484
|
-
assert_equal %(<a data-foo="foo">foo</a>),
|
481
|
+
assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
|
485
482
|
end
|
486
483
|
|
487
|
-
def
|
484
|
+
def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
|
485
|
+
skip if RUBY_VERSION < "2.3"
|
486
|
+
|
488
487
|
html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
489
488
|
|
490
|
-
text =
|
489
|
+
text = safe_list_sanitize(html)
|
491
490
|
|
492
|
-
assert_equal %{<a href
|
491
|
+
assert_equal %{<a href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
493
492
|
end
|
494
493
|
|
495
|
-
def
|
494
|
+
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
|
495
|
+
skip if RUBY_VERSION < "2.3"
|
496
|
+
|
496
497
|
html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
497
498
|
|
498
|
-
text =
|
499
|
+
text = safe_list_sanitize(html)
|
499
500
|
|
500
|
-
assert_equal %{<a src
|
501
|
+
assert_equal %{<a src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
501
502
|
end
|
502
503
|
|
503
|
-
def
|
504
|
+
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
|
505
|
+
skip if RUBY_VERSION < "2.3"
|
506
|
+
|
504
507
|
html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
505
508
|
|
506
|
-
text =
|
509
|
+
text = safe_list_sanitize(html)
|
507
510
|
|
508
|
-
assert_equal %{<a name
|
511
|
+
assert_equal %{<a name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
509
512
|
end
|
510
513
|
|
511
|
-
def
|
514
|
+
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
|
515
|
+
skip if RUBY_VERSION < "2.3"
|
516
|
+
|
512
517
|
html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
|
513
518
|
|
514
|
-
text =
|
519
|
+
text = safe_list_sanitize(html, attributes: ['action'])
|
520
|
+
|
521
|
+
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
522
|
+
end
|
523
|
+
|
524
|
+
def test_exclude_node_type_processing_instructions
|
525
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
|
526
|
+
end
|
515
527
|
|
516
|
-
|
528
|
+
def test_exclude_node_type_comment
|
529
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
|
517
530
|
end
|
518
531
|
|
519
532
|
protected
|
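Review bot: `test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer` tests the `action` attribute, not `name`, so rename it (`..._of_action_attr_in_a_tag_...`) to match its three siblings. The four escaping tests are identical apart from the attribute, so fold them into the `[%w(img src), %w(a href)].each do |(tag, attr)|` pattern this file already uses further up. `skip if RUBY_VERSION < "2.3"` compares version strings lexicographically; `Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.3")` is the robust form. The new `test_exclude_node_type_processing_instructions` covers exactly the #115 case (a PI whose target `div` equals an allowed tag name); consider also asserting a PI nested inside an allowed element, since the `PermitScrubber` change is applied per node.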
@@ -530,35 +543,35 @@ protected
|
|
530
543
|
Rails::Html::LinkSanitizer.new.sanitize(input, options)
|
531
544
|
end
|
532
545
|
|
533
|
-
def
|
534
|
-
Rails::Html::
|
546
|
+
def safe_list_sanitize(input, options = {})
|
547
|
+
Rails::Html::SafeListSanitizer.new.sanitize(input, options)
|
535
548
|
end
|
536
549
|
|
537
550
|
def assert_sanitized(input, expected = nil)
|
538
551
|
if input
|
539
|
-
assert_dom_equal expected || input,
|
552
|
+
assert_dom_equal expected || input, safe_list_sanitize(input)
|
540
553
|
else
|
541
|
-
assert_nil
|
554
|
+
assert_nil safe_list_sanitize(input)
|
542
555
|
end
|
543
556
|
end
|
544
557
|
|
545
558
|
def sanitize_css(input)
|
546
|
-
Rails::Html::
|
559
|
+
Rails::Html::SafeListSanitizer.new.sanitize_css(input)
|
547
560
|
end
|
548
561
|
|
549
562
|
def scope_allowed_tags(tags)
|
550
|
-
old_tags = Rails::Html::
|
551
|
-
Rails::Html::
|
552
|
-
yield Rails::Html::
|
563
|
+
old_tags = Rails::Html::SafeListSanitizer.allowed_tags
|
564
|
+
Rails::Html::SafeListSanitizer.allowed_tags = tags
|
565
|
+
yield Rails::Html::SafeListSanitizer.new
|
553
566
|
ensure
|
554
|
-
Rails::Html::
|
567
|
+
Rails::Html::SafeListSanitizer.allowed_tags = old_tags
|
555
568
|
end
|
556
569
|
|
557
570
|
def scope_allowed_attributes(attributes)
|
558
|
-
old_attributes = Rails::Html::
|
559
|
-
Rails::Html::
|
560
|
-
yield Rails::Html::
|
571
|
+
old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
572
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = attributes
|
573
|
+
yield Rails::Html::SafeListSanitizer.new
|
561
574
|
ensure
|
562
|
-
Rails::Html::
|
575
|
+
Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
|
563
576
|
end
|
564
577
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails-html-sanitizer
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0
|
4
|
+
version: 1.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Rafael Mendonça França
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2021-08-18 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: loofah
|
@@ -17,32 +17,26 @@ dependencies:
|
|
17
17
|
requirements:
|
18
18
|
- - "~>"
|
19
19
|
- !ruby/object:Gem::Version
|
20
|
-
version: '2.
|
21
|
-
- - ">="
|
22
|
-
- !ruby/object:Gem::Version
|
23
|
-
version: 2.2.2
|
20
|
+
version: '2.3'
|
24
21
|
type: :runtime
|
25
22
|
prerelease: false
|
26
23
|
version_requirements: !ruby/object:Gem::Requirement
|
27
24
|
requirements:
|
28
25
|
- - "~>"
|
29
26
|
- !ruby/object:Gem::Version
|
30
|
-
version: '2.
|
31
|
-
- - ">="
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: 2.2.2
|
27
|
+
version: '2.3'
|
34
28
|
- !ruby/object:Gem::Dependency
|
35
29
|
name: bundler
|
36
30
|
requirement: !ruby/object:Gem::Requirement
|
37
31
|
requirements:
|
38
|
-
- - "
|
32
|
+
- - ">="
|
39
33
|
- !ruby/object:Gem::Version
|
40
34
|
version: '1.3'
|
41
35
|
type: :development
|
42
36
|
prerelease: false
|
43
37
|
version_requirements: !ruby/object:Gem::Requirement
|
44
38
|
requirements:
|
45
|
-
- - "
|
39
|
+
- - ">="
|
46
40
|
- !ruby/object:Gem::Version
|
47
41
|
version: '1.3'
|
48
42
|
- !ruby/object:Gem::Dependency
|
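Review bot: the loofah requirement collapses from two constraints (`~> 2.x` plus `>= 2.2.2`, as far as the truncated old lines show) to a single `~> 2.3`, consistent with the 1.3.0 changelog entry about Loofah 2.3.0 deprecations. Since `~> 2.3` admits any 2.x release at or above 2.3, consumers can take Loofah security fixes through their own lockfile without waiting for a rails-html-sanitizer release, which is the policy the 1.1.0 changelog entry ("we don't need to bump Loofah here if there's CVEs") describes; state that in the README so users know to watch Loofah advisories directly rather than this gem's version number.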
@@ -107,7 +101,11 @@ files:
|
|
107
101
|
homepage: https://github.com/rails/rails-html-sanitizer
|
108
102
|
licenses:
|
109
103
|
- MIT
|
110
|
-
metadata:
|
104
|
+
metadata:
|
105
|
+
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.0/CHANGELOG.md
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.0
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.0
|
111
109
|
post_install_message:
|
112
110
|
rdoc_options: []
|
113
111
|
require_paths:
|
@@ -123,11 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
123
121
|
- !ruby/object:Gem::Version
|
124
122
|
version: '0'
|
125
123
|
requirements: []
|
126
|
-
|
127
|
-
rubygems_version: 2.7.6
|
124
|
+
rubygems_version: 3.2.15
|
128
125
|
signing_key:
|
129
126
|
specification_version: 4
|
130
127
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
131
128
|
test_files:
|
132
|
-
- test/scrubbers_test.rb
|
133
129
|
- test/sanitizer_test.rb
|
130
|
+
- test/scrubbers_test.rb
|