rails-html-sanitizer 1.0.4 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of rails-html-sanitizer might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f1aa629ae03d828f900932e2272c2d13baf2eae94adb214896cdf2eb959e4172
4
- data.tar.gz: 970c65b32aa93c659e6483e8b798ea23fa8b8eadb1963fba813dd33ba6432ae2
3
+ metadata.gz: 72ef1b871489bb5189b4010ce24714523903baa2347ca8c49c0d8d3334439a22
4
+ data.tar.gz: 8e870f37ddb730ba3bf184cd5d9ddf2c8b8bc80d1a1ff3430553959b9478edcb
5
5
  SHA512:
6
- metadata.gz: c97587f6427b9e67e76050f21ab8f39148fd0ff47e87282a4a13802a6ae02ffa62034a187a8e5cfd0577e53d0f0cbc8e2e72abce3171d7f6139f186f1b75e1a2
7
- data.tar.gz: 411f2f9593fda42880b3ed9fcb99431e353c133d36a74e0aed52fa3959efa4bd8cc6aad5d90dddfc4565b0fabc80d68e9cfbf8cea055ae9463cba326f0735dc2
6
+ metadata.gz: 30e80f4579a449b65f0e88e1383953c17df46bd527707c37b425837980167447559a32bfe8815e6f9523727f626059f92fe55d63ac136f798bfe46f323788310
7
+ data.tar.gz: f554d91da09f669d5e4015294ec96a3431d535a60c254b5ae940227a74753eafde42d9e324009e98247c75210de3d0c6d18583550b11a63048a5adf0a4dfbd31
data/CHANGELOG.md CHANGED
@@ -1,3 +1,52 @@
1
+ ## 1.4.0 / 2021-08-18
2
+
3
+ * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
4
+
5
+ Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
6
+ are no known security issues associated with these PIs, but similar to comments it's preferred to
7
+ omit these nodes when possible from sanitized output.
8
+
9
+ Fixes #115.
10
+
11
+ *Mike Dalessio*
12
+
13
+ ## 1.3.0
14
+
15
+ * Address deprecations in Loofah 2.3.0.
16
+
17
+ *Josh Goodall*
18
+
19
+ ## 1.2.0
20
+
21
+ * Remove needless `white_list_sanitizer` deprecation.
22
+
23
+ By deprecating this, we were forcing Rails 5.2 to be updated or spew
24
+ deprecations that users could do nothing about.
25
+
26
+ That's pointless and I'm sorry for adding that!
27
+
28
+ Now there's no deprecation warning and Rails 5.2 works out of the box, while
29
+ Rails 6 can use the updated naming.
30
+
31
+ *Kasper Timm Hansen*
32
+
33
+ ## 1.1.0
34
+
35
+ * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
36
+ in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
37
+
38
+ *Juanito Fatas*
39
+
40
+ * Remove `href` from LinkScrubber's `tags` as it's not an element.
41
+ https://github.com/rails/rails-html-sanitizer/pull/92
42
+
43
+ *Juanito Fatas*
44
+
45
+ * Explain that we don't need to bump Loofah here if there's CVEs.
46
+ https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
47
+
48
+ *Kasper Timm Hansen*
49
+
1
50
  ## 1.0.1
2
51
 
3
52
  * Added support for Rails 4.2.0.beta2 and above
data/README.md CHANGED
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
41
41
  # => Only the link text will be kept.
42
42
  ```
43
43
 
44
- #### WhiteListSanitizer
44
+ #### SafeListSanitizer
45
45
 
46
46
  ```ruby
47
- white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
47
+ safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
48
48
 
49
- # sanitize via an extensive white list of allowed elements
50
- white_list_sanitizer.sanitize(@article.body)
49
+ # sanitize via an extensive safe list of allowed elements
50
+ safe_list_sanitizer.sanitize(@article.body)
51
51
 
52
- # white list only the supplied tags and attributes
53
- white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
52
+ # safe list only the supplied tags and attributes
53
+ safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
54
54
 
55
- # white list via a custom scrubber
56
- white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
55
+ # safe list via a custom scrubber
56
+ safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
57
57
 
58
- # white list sanitizer can also sanitize css
59
- white_list_sanitizer.sanitize_css('background-color: #000;')
58
+ # safe list sanitizer can also sanitize css
59
+ safe_list_sanitizer.sanitize_css('background-color: #000;')
60
60
  ```
61
61
 
62
62
  ### Scrubbers
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
81
81
  #### `Rails::Html::TargetScrubber`
82
82
 
83
83
  Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
84
- `Rails::Html::TargetScrubber` targets them for removal.
84
+ `Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
85
85
 
86
+ **Note:** by default, it will scrub anything that is not part of the permitted tags from
87
+ loofah `HTML5::Scrub.allowed_element?`.
86
88
 
87
89
  ```ruby
88
90
  scrubber = Rails::Html::TargetScrubber.new
@@ -127,7 +129,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
127
129
  - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
128
130
 
129
131
  The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
130
- - [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
132
+ - [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
131
133
  - [Nokogiri](http://nokogiri.org)
132
134
 
133
135
  ## Contributing to Rails Html Sanitizers
@@ -15,8 +15,12 @@ module Rails
15
15
  Html::LinkSanitizer
16
16
  end
17
17
 
18
+ def safe_list_sanitizer
19
+ Html::SafeListSanitizer
20
+ end
21
+
18
22
  def white_list_sanitizer
19
- Html::WhiteListSanitizer
23
+ safe_list_sanitizer
20
24
  end
21
25
  end
22
26
  end
@@ -34,7 +38,7 @@ module ActionView
34
38
  # end
35
39
  #
36
40
  def sanitized_allowed_tags=(tags)
37
- sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
41
+ sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
38
42
  end
39
43
 
40
44
  # Replaces the allowed HTML attributes for the +sanitize+ helper.
@@ -44,7 +48,7 @@ module ActionView
44
48
  # end
45
49
  #
46
50
  def sanitized_allowed_attributes=(attributes)
47
- sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
51
+ sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
48
52
  end
49
53
 
50
54
  [:protocol_separator,
@@ -40,15 +40,16 @@ module Rails
40
40
  end
41
41
 
42
42
  # === Rails::Html::LinkSanitizer
43
- # Removes a tags and href attributes leaving only the link text
43
+ # Removes +a+ tags and +href+ attributes leaving only the link text.
44
44
  #
45
- # link_sanitizer = Rails::Html::LinkSanitizer.new
46
- # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
- # # => Only the link text will be kept.
45
+ # link_sanitizer = Rails::Html::LinkSanitizer.new
46
+ # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
+ #
48
+ # => 'Only the link text will be kept.'
48
49
  class LinkSanitizer < Sanitizer
49
50
  def initialize
50
51
  @link_scrubber = TargetScrubber.new
51
- @link_scrubber.tags = %w(a href)
52
+ @link_scrubber.tags = %w(a)
52
53
  @link_scrubber.attributes = %w(href)
53
54
  end
54
55
 
@@ -57,8 +58,8 @@ module Rails
57
58
  end
58
59
  end
59
60
 
60
- # === Rails::Html::WhiteListSanitizer
61
- # Sanitizes html and css from an extensive white list (see link further down).
61
+ # === Rails::Html::SafeListSanitizer
62
+ # Sanitizes html and css from an extensive safe list (see link further down).
62
63
  #
63
64
  # === Whitespace
64
65
  # We can't make any guarantees about whitespace being kept or stripped.
@@ -72,34 +73,34 @@ module Rails
72
73
  # so automatically.
73
74
  #
74
75
  # === Options
75
- # Sanitizes both html and css via the white lists found here:
76
- # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
76
+ # Sanitizes both html and css via the safe lists found here:
77
+ # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
77
78
  #
78
- # WhiteListSanitizer also accepts options to configure
79
- # the white list used when sanitizing html.
79
+ # SafeListSanitizer also accepts options to configure
80
+ # the safe list used when sanitizing html.
80
81
  # There's a class level option:
81
- # Rails::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
82
- # Rails::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
82
+ # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
83
+ # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
83
84
  #
84
85
  # Tags and attributes can also be passed to +sanitize+.
85
86
  # Passed options take precedence over the class level options.
86
87
  #
87
88
  # === Examples
88
- # white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
89
+ # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
89
90
  #
90
91
  # Sanitize css doesn't take options
91
- # white_list_sanitizer.sanitize_css('background-color: #000;')
92
+ # safe_list_sanitizer.sanitize_css('background-color: #000;')
92
93
  #
93
- # Default: sanitize via a extensive white list of allowed elements
94
- # white_list_sanitizer.sanitize(@article.body)
94
+ # Default: sanitize via a extensive safe list of allowed elements
95
+ # safe_list_sanitizer.sanitize(@article.body)
95
96
  #
96
- # White list via the supplied tags and attributes
97
- # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
97
+ # Safe list via the supplied tags and attributes
98
+ # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
98
99
  # attributes: %w(id class style))
99
100
  #
100
- # White list via a custom scrubber
101
- # white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
102
- class WhiteListSanitizer < Sanitizer
101
+ # Safe list via a custom scrubber
102
+ # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
103
+ class SafeListSanitizer < Sanitizer
103
104
  class << self
104
105
  attr_accessor :allowed_tags
105
106
  attr_accessor :allowed_attributes
@@ -148,5 +149,7 @@ module Rails
148
149
  options[:attributes] || self.class.allowed_attributes
149
150
  end
150
151
  end
152
+
153
+ WhiteListSanitizer = SafeListSanitizer
151
154
  end
152
155
  end
@@ -1,7 +1,7 @@
1
1
  module Rails
2
2
  module Html
3
3
  class Sanitizer
4
- VERSION = "1.0.4"
4
+ VERSION = "1.4.0"
5
5
  end
6
6
  end
7
7
  end
@@ -2,9 +2,9 @@ module Rails
2
2
  module Html
3
3
  # === Rails::Html::PermitScrubber
4
4
  #
5
- # Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
5
+ # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
6
6
  #
7
- # Rails::Html::PermitScrubber can be subclassed to determine:
7
+ # +Rails::Html::PermitScrubber+ can be subclassed to determine:
8
8
  # - When a node should be skipped via +skip_node?+.
9
9
  # - When a node is allowed via +allowed_node?+.
10
10
  # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,23 +27,23 @@ module Rails
27
27
  # If set, attributes excluded will be removed.
28
28
  # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
29
29
  #
30
- # class CommentScrubber < Html::PermitScrubber
31
- # def initialize
32
- # super
33
- # self.tags = %w(form script comment blockquote)
34
- # end
30
+ # class CommentScrubber < Html::PermitScrubber
31
+ # def initialize
32
+ # super
33
+ # self.tags = %w(form script comment blockquote)
34
+ # end
35
35
  #
36
- # def skip_node?(node)
37
- # node.text?
38
- # end
36
+ # def skip_node?(node)
37
+ # node.text?
38
+ # end
39
39
  #
40
- # def scrub_attribute?(name)
41
- # name == "style"
42
- # end
43
- # end
40
+ # def scrub_attribute?(name)
41
+ # name == "style"
42
+ # end
43
+ # end
44
44
  #
45
- # See the documentation for Nokogiri::XML::Node to understand what's possible
46
- # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
45
+ # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
46
+ # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
47
47
  class PermitScrubber < Loofah::Scrubber
48
48
  attr_reader :tags, :attributes
49
49
 
@@ -68,7 +68,7 @@ module Rails
68
68
  end
69
69
  return CONTINUE if skip_node?(node)
70
70
 
71
- unless keep_node?(node)
71
+ unless node.element? && keep_node?(node)
72
72
  return STOP if scrub_node(node) == STOP
73
73
  end
74
74
 
@@ -138,17 +138,17 @@ module Rails
138
138
  attr_node.node_name
139
139
  end
140
140
 
141
- if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
141
+ if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
142
142
  # this block lifted nearly verbatim from HTML5 sanitization
143
143
  val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
144
- if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
144
+ if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
145
145
  attr_node.remove
146
146
  end
147
147
  end
148
- if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
148
+ if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
149
149
  attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
150
150
  end
151
- if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
151
+ if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
152
152
  attr_node.remove
153
153
  end
154
154
 
@@ -160,8 +160,8 @@ module Rails
160
160
 
161
161
  # === Rails::Html::TargetScrubber
162
162
  #
163
- # Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
164
- # sanitization, Rails::Html::TargetScrubber targets them for removal.
163
+ # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
164
+ # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
165
165
  #
166
166
  # +tags=+
167
167
  # If set, elements included will be stripped.
@@ -180,7 +180,7 @@ module Rails
180
180
 
181
181
  # === Rails::Html::TextOnlyScrubber
182
182
  #
183
- # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
183
+ # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
184
184
  #
185
185
  # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
186
186
  class TextOnlyScrubber < Loofah::Scrubber
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
12
12
  end
13
13
 
14
14
  def test_sanitize_nested_script
15
- sanitizer = Rails::Html::WhiteListSanitizer.new
15
+ sanitizer = Rails::Html::SafeListSanitizer.new
16
16
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
17
17
  end
18
18
 
19
19
  def test_sanitize_nested_script_in_style
20
- sanitizer = Rails::Html::WhiteListSanitizer.new
20
+ sanitizer = Rails::Html::SafeListSanitizer.new
21
21
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
22
22
  end
23
23
 
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
93
93
  end
94
94
 
95
95
  def test_strip_tags_with_plaintext
96
- assert_equal "Dont touch me", full_sanitize("Dont touch me")
96
+ assert_equal "Don't touch me", full_sanitize("Don't touch me")
97
97
  end
98
98
 
99
99
  def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
135
135
  end
136
136
 
137
137
  def test_strip_links_with_plaintext
138
- assert_equal "Dont touch me", link_sanitize("Dont touch me")
138
+ assert_equal "Don't touch me", link_sanitize("Don't touch me")
139
139
  end
140
140
 
141
141
  def test_strip_links_with_line_feed_and_uppercase_tag
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
154
154
  assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
155
155
  end
156
156
 
157
- def test_strip_links_with_a_tag_in_href
158
- assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
159
- end
160
-
161
157
  def test_sanitize_form
162
158
  assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
163
159
  end
@@ -185,7 +181,7 @@ class SanitizersTest < Minitest::Test
185
181
  assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
186
182
  end
187
183
 
188
- tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
184
+ tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
189
185
  tags.each do |tag_name|
190
186
  define_method "test_should_allow_#{tag_name}_tag" do
191
187
  scope_allowed_tags(tags) do
@@ -255,38 +251,39 @@ class SanitizersTest < Minitest::Test
255
251
 
256
252
  def test_should_allow_custom_tags
257
253
  text = "<u>foo</u>"
258
- assert_equal text, white_list_sanitize(text, tags: %w(u))
254
+ assert_equal text, safe_list_sanitize(text, tags: %w(u))
259
255
  end
260
256
 
261
257
  def test_should_allow_only_custom_tags
262
258
  text = "<u>foo</u> with <i>bar</i>"
263
- assert_equal "<u>foo</u> with bar", white_list_sanitize(text, tags: %w(u))
259
+ assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
264
260
  end
265
261
 
266
262
  def test_should_allow_custom_tags_with_attributes
267
263
  text = %(<blockquote cite="http://example.com/">foo</blockquote>)
268
- assert_equal text, white_list_sanitize(text)
264
+ assert_equal text, safe_list_sanitize(text)
269
265
  end
270
266
 
271
267
  def test_should_allow_custom_tags_with_custom_attributes
272
268
  text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
273
- assert_equal text, white_list_sanitize(text, attributes: ['foo'])
269
+ assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
274
270
  end
275
271
 
276
272
  def test_scrub_style_if_style_attribute_option_is_passed
277
273
  input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
278
- assert_equal '<p style="color: #000;"></p>', white_list_sanitize(input, attributes: %w(style))
274
+ actual = safe_list_sanitize(input, attributes: %w(style))
275
+ assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
279
276
  end
280
277
 
281
278
  def test_should_raise_argument_error_if_tags_is_not_enumerable
282
279
  assert_raises ArgumentError do
283
- white_list_sanitize('<a>some html</a>', tags: 'foo')
280
+ safe_list_sanitize('<a>some html</a>', tags: 'foo')
284
281
  end
285
282
  end
286
283
 
287
284
  def test_should_raise_argument_error_if_attributes_is_not_enumerable
288
285
  assert_raises ArgumentError do
289
- white_list_sanitize('<a>some html</a>', attributes: 'foo')
286
+ safe_list_sanitize('<a>some html</a>', attributes: 'foo')
290
287
  end
291
288
  end
292
289
 
@@ -295,7 +292,7 @@ class SanitizersTest < Minitest::Test
295
292
  def scrubber.scrub(node); node.name = 'h1'; end
296
293
 
297
294
  assert_raises Loofah::ScrubberNotFound do
298
- white_list_sanitize('<a>some html</a>', scrubber: scrubber)
295
+ safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
299
296
  end
300
297
  end
301
298
 
@@ -304,19 +301,19 @@ class SanitizersTest < Minitest::Test
304
301
  def scrubber.scrub(node); node.name = 'h1'; end
305
302
 
306
303
  html = "<script>hello!</script>"
307
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
304
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
308
305
  end
309
306
 
310
307
  def test_should_accept_loofah_scrubber_that_wraps_a_block
311
308
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
312
309
  html = "<script>hello!</script>"
313
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
310
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
314
311
  end
315
312
 
316
313
  def test_custom_scrubber_takes_precedence_over_other_options
317
314
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
318
315
  html = "<script>hello!</script>"
319
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
316
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
320
317
  end
321
318
 
322
319
  [%w(img src), %w(a href)].each do |(tag, attr)|
@@ -417,7 +414,7 @@ class SanitizersTest < Minitest::Test
417
414
  end
418
415
 
419
416
  def test_should_sanitize_div_background_image_unicode_encoded
420
- raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
417
+ raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
421
418
  assert_equal '', sanitize_css(raw)
422
419
  end
423
420
 
@@ -468,7 +465,7 @@ class SanitizersTest < Minitest::Test
468
465
  end
469
466
 
470
467
  def test_sanitize_ascii_8bit_string
471
- white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
468
+ safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
472
469
  assert_equal '<a>hello</a>', sanitized
473
470
  assert_equal Encoding::UTF_8, sanitized.encoding
474
471
  end
@@ -481,39 +478,55 @@ class SanitizersTest < Minitest::Test
481
478
 
482
479
  def test_allow_data_attribute_if_requested
483
480
  text = %(<a data-foo="foo">foo</a>)
484
- assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
481
+ assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
485
482
  end
486
483
 
487
- def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
484
+ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
485
+ skip if RUBY_VERSION < "2.3"
486
+
488
487
  html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
489
488
 
490
- text = white_list_sanitize(html)
489
+ text = safe_list_sanitize(html)
491
490
 
492
- assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
491
+ assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
493
492
  end
494
493
 
495
- def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
494
+ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
495
+ skip if RUBY_VERSION < "2.3"
496
+
496
497
  html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
497
498
 
498
- text = white_list_sanitize(html)
499
+ text = safe_list_sanitize(html)
499
500
 
500
- assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
501
+ assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
501
502
  end
502
503
 
503
- def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
504
+ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
505
+ skip if RUBY_VERSION < "2.3"
506
+
504
507
  html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
505
508
 
506
- text = white_list_sanitize(html)
509
+ text = safe_list_sanitize(html)
507
510
 
508
- assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
511
+ assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
509
512
  end
510
513
 
511
- def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
514
+ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
515
+ skip if RUBY_VERSION < "2.3"
516
+
512
517
  html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
513
518
 
514
- text = white_list_sanitize(html, attributes: ['action'])
519
+ text = safe_list_sanitize(html, attributes: ['action'])
520
+
521
+ assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
522
+ end
523
+
524
+ def test_exclude_node_type_processing_instructions
525
+ assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
526
+ end
515
527
 
516
- assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
528
+ def test_exclude_node_type_comment
529
+ assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
517
530
  end
518
531
 
519
532
  protected
@@ -530,35 +543,35 @@ protected
530
543
  Rails::Html::LinkSanitizer.new.sanitize(input, options)
531
544
  end
532
545
 
533
- def white_list_sanitize(input, options = {})
534
- Rails::Html::WhiteListSanitizer.new.sanitize(input, options)
546
+ def safe_list_sanitize(input, options = {})
547
+ Rails::Html::SafeListSanitizer.new.sanitize(input, options)
535
548
  end
536
549
 
537
550
  def assert_sanitized(input, expected = nil)
538
551
  if input
539
- assert_dom_equal expected || input, white_list_sanitize(input)
552
+ assert_dom_equal expected || input, safe_list_sanitize(input)
540
553
  else
541
- assert_nil white_list_sanitize(input)
554
+ assert_nil safe_list_sanitize(input)
542
555
  end
543
556
  end
544
557
 
545
558
  def sanitize_css(input)
546
- Rails::Html::WhiteListSanitizer.new.sanitize_css(input)
559
+ Rails::Html::SafeListSanitizer.new.sanitize_css(input)
547
560
  end
548
561
 
549
562
  def scope_allowed_tags(tags)
550
- old_tags = Rails::Html::WhiteListSanitizer.allowed_tags
551
- Rails::Html::WhiteListSanitizer.allowed_tags = tags
552
- yield Rails::Html::WhiteListSanitizer.new
563
+ old_tags = Rails::Html::SafeListSanitizer.allowed_tags
564
+ Rails::Html::SafeListSanitizer.allowed_tags = tags
565
+ yield Rails::Html::SafeListSanitizer.new
553
566
  ensure
554
- Rails::Html::WhiteListSanitizer.allowed_tags = old_tags
567
+ Rails::Html::SafeListSanitizer.allowed_tags = old_tags
555
568
  end
556
569
 
557
570
  def scope_allowed_attributes(attributes)
558
- old_attributes = Rails::Html::WhiteListSanitizer.allowed_attributes
559
- Rails::Html::WhiteListSanitizer.allowed_attributes = attributes
560
- yield Rails::Html::WhiteListSanitizer.new
571
+ old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
572
+ Rails::Html::SafeListSanitizer.allowed_attributes = attributes
573
+ yield Rails::Html::SafeListSanitizer.new
561
574
  ensure
562
- Rails::Html::WhiteListSanitizer.allowed_attributes = old_attributes
575
+ Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
563
576
  end
564
577
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.4
4
+ version: 1.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-03-22 00:00:00.000000000 Z
12
+ date: 2021-08-18 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: loofah
@@ -17,32 +17,26 @@ dependencies:
17
17
  requirements:
18
18
  - - "~>"
19
19
  - !ruby/object:Gem::Version
20
- version: '2.2'
21
- - - ">="
22
- - !ruby/object:Gem::Version
23
- version: 2.2.2
20
+ version: '2.3'
24
21
  type: :runtime
25
22
  prerelease: false
26
23
  version_requirements: !ruby/object:Gem::Requirement
27
24
  requirements:
28
25
  - - "~>"
29
26
  - !ruby/object:Gem::Version
30
- version: '2.2'
31
- - - ">="
32
- - !ruby/object:Gem::Version
33
- version: 2.2.2
27
+ version: '2.3'
34
28
  - !ruby/object:Gem::Dependency
35
29
  name: bundler
36
30
  requirement: !ruby/object:Gem::Requirement
37
31
  requirements:
38
- - - "~>"
32
+ - - ">="
39
33
  - !ruby/object:Gem::Version
40
34
  version: '1.3'
41
35
  type: :development
42
36
  prerelease: false
43
37
  version_requirements: !ruby/object:Gem::Requirement
44
38
  requirements:
45
- - - "~>"
39
+ - - ">="
46
40
  - !ruby/object:Gem::Version
47
41
  version: '1.3'
48
42
  - !ruby/object:Gem::Dependency
@@ -107,7 +101,11 @@ files:
107
101
  homepage: https://github.com/rails/rails-html-sanitizer
108
102
  licenses:
109
103
  - MIT
110
- metadata: {}
104
+ metadata:
105
+ bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
106
+ changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.0/CHANGELOG.md
107
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.0
108
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.0
111
109
  post_install_message:
112
110
  rdoc_options: []
113
111
  require_paths:
@@ -123,11 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
123
121
  - !ruby/object:Gem::Version
124
122
  version: '0'
125
123
  requirements: []
126
- rubyforge_project:
127
- rubygems_version: 2.7.6
124
+ rubygems_version: 3.2.15
128
125
  signing_key:
129
126
  specification_version: 4
130
127
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.
131
128
  test_files:
132
- - test/scrubbers_test.rb
133
129
  - test/sanitizer_test.rb
130
+ - test/scrubbers_test.rb