rails-html-sanitizer 1.0.4 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f1aa629ae03d828f900932e2272c2d13baf2eae94adb214896cdf2eb959e4172
-  data.tar.gz: 970c65b32aa93c659e6483e8b798ea23fa8b8eadb1963fba813dd33ba6432ae2
+  metadata.gz: 72ef1b871489bb5189b4010ce24714523903baa2347ca8c49c0d8d3334439a22
+  data.tar.gz: 8e870f37ddb730ba3bf184cd5d9ddf2c8b8bc80d1a1ff3430553959b9478edcb
 SHA512:
-  metadata.gz: c97587f6427b9e67e76050f21ab8f39148fd0ff47e87282a4a13802a6ae02ffa62034a187a8e5cfd0577e53d0f0cbc8e2e72abce3171d7f6139f186f1b75e1a2
-  data.tar.gz: 411f2f9593fda42880b3ed9fcb99431e353c133d36a74e0aed52fa3959efa4bd8cc6aad5d90dddfc4565b0fabc80d68e9cfbf8cea055ae9463cba326f0735dc2
+  metadata.gz: 30e80f4579a449b65f0e88e1383953c17df46bd527707c37b425837980167447559a32bfe8815e6f9523727f626059f92fe55d63ac136f798bfe46f323788310
+  data.tar.gz: f554d91da09f669d5e4015294ec96a3431d535a60c254b5ae940227a74753eafde42d9e324009e98247c75210de3d0c6d18583550b11a63048a5adf0a4dfbd31

data/CHANGELOG.md

@@ -1,3 +1,52 @@
+## 1.4.0 / 2021-08-18
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+  are no known security issues associated with these PIs, but similar to comments it's preferred to
+  omit these nodes when possible from sanitized output.
+
+  Fixes #115.
+
+  *Mike Dalessio*
+
+## 1.3.0
+
+* Address deprecations in Loofah 2.3.0.
+
+  *Josh Goodall*
+
+## 1.2.0
+
+* Remove needless `white_list_sanitizer` deprecation.
+
+  By deprecating this, we were forcing Rails 5.2 to be updated or spew
+  deprecations that users could do nothing about.
+
+  That's pointless and I'm sorry for adding that!
+
+  Now there's no deprecation warning and Rails 5.2 works out of the box, while
+  Rails 6 can use the updated naming.
+
+  *Kasper Timm Hansen*
+
+## 1.1.0
+
+* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
+  in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
+
+  *Juanito Fatas*
+
+* Remove `href` from LinkScrubber's `tags` as it's not an element.
+  https://github.com/rails/rails-html-sanitizer/pull/92
+
+  *Juanito Fatas*
+
+* Explain that we don't need to bump Loofah here if there's CVEs.
+  https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
+
+  *Kasper Timm Hansen*
+
 ## 1.0.1
 
 * Added support for Rails 4.2.0.beta2 and above

data/README.md

@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
 # => Only the link text will be kept.
 ```
 
-#### WhiteListSanitizer
+#### SafeListSanitizer
 
 ```ruby
-white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
+safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
 
-# sanitize via an extensive white list of allowed elements
-white_list_sanitizer.sanitize(@article.body)
+# sanitize via an extensive safe list of allowed elements
+safe_list_sanitizer.sanitize(@article.body)
 
-# white list only the supplied tags and attributes
-white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
+# safe list only the supplied tags and attributes
+safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
 
-# white list via a custom scrubber
-white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+# safe list via a custom scrubber
+safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
 
-# white list sanitizer can also sanitize css
-white_list_sanitizer.sanitize_css('background-color: #000;')
+# safe list sanitizer can also sanitize css
+safe_list_sanitizer.sanitize_css('background-color: #000;')
 ```
 
 ### Scrubbers
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
 #### `Rails::Html::TargetScrubber`
 
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
 
+**Note:** by default, it will scrub anything that is not part of the permitted tags from
+loofah `HTML5::Scrub.allowed_element?`.
 
 ```ruby
 scrubber = Rails::Html::TargetScrubber.new
@@ -127,7 +129,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
 - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
 
 The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
-- [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
+- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
 - [Nokogiri](http://nokogiri.org)
 
 ## Contributing to Rails Html Sanitizers

data/lib/rails-html-sanitizer.rb

@@ -15,8 +15,12 @@ module Rails
           Html::LinkSanitizer
         end
 
+        def safe_list_sanitizer
+          Html::SafeListSanitizer
+        end
+
         def white_list_sanitizer
-          Html::WhiteListSanitizer
+          safe_list_sanitizer
         end
       end
     end
@@ -34,7 +38,7 @@ module ActionView
         #   end
         #
         def sanitized_allowed_tags=(tags)
-          sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
+          sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
         end
 
         # Replaces the allowed HTML attributes for the +sanitize+ helper.
@@ -44,7 +48,7 @@ module ActionView
         #   end
         #
         def sanitized_allowed_attributes=(attributes)
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
+          sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
         end
 
         [:protocol_separator,

data/lib/rails/html/sanitizer.rb

@@ -40,15 +40,16 @@ module Rails
     end
 
     # === Rails::Html::LinkSanitizer
-    # Removes a tags and href attributes leaving only the link text
+    # Removes +a+ tags and +href+ attributes leaving only the link text.
     #
-    # link_sanitizer = Rails::Html::LinkSanitizer.new
-    # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
-    # # => Only the link text will be kept.
+    #  link_sanitizer = Rails::Html::LinkSanitizer.new
+    #  link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    #
+    #  => 'Only the link text will be kept.'
     class LinkSanitizer < Sanitizer
       def initialize
         @link_scrubber = TargetScrubber.new
-        @link_scrubber.tags = %w(a href)
+        @link_scrubber.tags = %w(a)
         @link_scrubber.attributes = %w(href)
       end
 
@@ -57,8 +58,8 @@ module Rails
       end
     end
 
-    # === Rails::Html::WhiteListSanitizer
-    # Sanitizes html and css from an extensive white list (see link further down).
+    # === Rails::Html::SafeListSanitizer
+    # Sanitizes html and css from an extensive safe list (see link further down).
     #
     # === Whitespace
     # We can't make any guarantees about whitespace being kept or stripped.
@@ -72,34 +73,34 @@ module Rails
     # so automatically.
     #
     # === Options
-    # Sanitizes both html and css via the white lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    # Sanitizes both html and css via the safe lists found here:
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
-    # WhiteListSanitizer also accepts options to configure
-    # the white list used when sanitizing html.
+    # SafeListSanitizer also accepts options to configure
+    # the safe list used when sanitizing html.
     # There's a class level option:
-    # Rails::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
-    # Rails::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
+    # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
+    # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
     #
     # Tags and attributes can also be passed to +sanitize+.
     # Passed options take precedence over the class level options.
     #
     # === Examples
-    # white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
+    # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
     #
     # Sanitize css doesn't take options
-    # white_list_sanitizer.sanitize_css('background-color: #000;')
+    # safe_list_sanitizer.sanitize_css('background-color: #000;')
     #
-    # Default: sanitize via a extensive white list of allowed elements
-    # white_list_sanitizer.sanitize(@article.body)
+    # Default: sanitize via a extensive safe list of allowed elements
+    # safe_list_sanitizer.sanitize(@article.body)
     #
-    # White list via the supplied tags and attributes
-    # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
+    # Safe list via the supplied tags and attributes
+    # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
     # attributes: %w(id class style))
     #
-    # White list via a custom scrubber
-    # white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
-    class WhiteListSanitizer < Sanitizer
+    # Safe list via a custom scrubber
+    # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+    class SafeListSanitizer < Sanitizer
       class << self
         attr_accessor :allowed_tags
         attr_accessor :allowed_attributes
@@ -148,5 +149,7 @@ module Rails
         options[:attributes] || self.class.allowed_attributes
       end
     end
+
+    WhiteListSanitizer = SafeListSanitizer
   end
 end

data/lib/rails/html/sanitizer/version.rb

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.0.4"
+      VERSION = "1.4.0"
     end
   end
 end

data/lib/rails/html/scrubbers.rb

@@ -2,9 +2,9 @@ module Rails
   module Html
     # === Rails::Html::PermitScrubber
     #
-    # Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
+    # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
     #
-    # Rails::Html::PermitScrubber can be subclassed to determine:
+    # +Rails::Html::PermitScrubber+ can be subclassed to determine:
     # - When a node should be skipped via +skip_node?+.
     # - When a node is allowed via +allowed_node?+.
     # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,23 +27,23 @@ module Rails
     # If set, attributes excluded will be removed.
     # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
     #
-    # class CommentScrubber < Html::PermitScrubber
-    #   def initialize
-    #     super
-    #     self.tags = %w(form script comment blockquote)
-    #   end
+    #  class CommentScrubber < Html::PermitScrubber
+    #    def initialize
+    #      super
+    #      self.tags = %w(form script comment blockquote)
+    #    end
     #
-    #   def skip_node?(node)
-    #     node.text?
-    #   end
+    #    def skip_node?(node)
+    #      node.text?
+    #    end
     #
-    #   def scrub_attribute?(name)
-    #     name == "style"
-    #   end
-    # end
+    #    def scrub_attribute?(name)
+    #      name == "style"
+    #    end
+    #  end
     #
-    # See the documentation for Nokogiri::XML::Node to understand what's possible
-    # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
+    # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
+    # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
     class PermitScrubber < Loofah::Scrubber
       attr_reader :tags, :attributes
 
@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
 
-        unless keep_node?(node)
+        unless node.element? && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end
 
@@ -138,17 +138,17 @@ module Rails
                       attr_node.node_name
                     end
 
-        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
           # this block lifted nearly verbatim from HTML5 sanitization
           val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
             attr_node.remove
           end
         end
-        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
           attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
         end
-        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
 
@@ -160,8 +160,8 @@ module Rails
 
     # === Rails::Html::TargetScrubber
     #
-    # Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
-    # sanitization, Rails::Html::TargetScrubber targets them for removal.
+    # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
+    # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
     #
     # +tags=+
     # If set, elements included will be stripped.
@@ -180,7 +180,7 @@ module Rails
 
     # === Rails::Html::TextOnlyScrubber
     #
-    # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
+    # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
     #
     # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
     class TextOnlyScrubber < Loofah::Scrubber

data/test/sanitizer_test.rb

@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_sanitize_nested_script
-    sanitizer = Rails::Html::WhiteListSanitizer.new
+    sanitizer = Rails::Html::SafeListSanitizer.new
     assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
   end
 
   def test_sanitize_nested_script_in_style
-    sanitizer = Rails::Html::WhiteListSanitizer.new
+    sanitizer = Rails::Html::SafeListSanitizer.new
     assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
   end
 
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_tags_with_plaintext
-    assert_equal "Dont touch me", full_sanitize("Dont touch me")
+    assert_equal "Don't touch me", full_sanitize("Don't touch me")
   end
 
   def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_links_with_plaintext
-    assert_equal "Dont touch me", link_sanitize("Dont touch me")
+    assert_equal "Don't touch me", link_sanitize("Don't touch me")
   end
 
   def test_strip_links_with_line_feed_and_uppercase_tag
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
     assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
   end
 
-  def test_strip_links_with_a_tag_in_href
-    assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
-  end
-
   def test_sanitize_form
     assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
   end
@@ -185,7 +181,7 @@ class SanitizersTest < Minitest::Test
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
 
-  tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
+  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
   tags.each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       scope_allowed_tags(tags) do
@@ -255,38 +251,39 @@ class SanitizersTest < Minitest::Test
 
   def test_should_allow_custom_tags
     text = "<u>foo</u>"
-    assert_equal text, white_list_sanitize(text, tags: %w(u))
+    assert_equal text, safe_list_sanitize(text, tags: %w(u))
   end
 
   def test_should_allow_only_custom_tags
     text = "<u>foo</u> with <i>bar</i>"
-    assert_equal "<u>foo</u> with bar", white_list_sanitize(text, tags: %w(u))
+    assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
   end
 
   def test_should_allow_custom_tags_with_attributes
     text = %(<blockquote cite="http://example.com/">foo</blockquote>)
-    assert_equal text, white_list_sanitize(text)
+    assert_equal text, safe_list_sanitize(text)
   end
 
   def test_should_allow_custom_tags_with_custom_attributes
     text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
-    assert_equal text, white_list_sanitize(text, attributes: ['foo'])
+    assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
   end
 
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
-    assert_equal '<p style="color: #000;"></p>', white_list_sanitize(input, attributes: %w(style))
+    actual = safe_list_sanitize(input, attributes: %w(style))
+    assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
 
   def test_should_raise_argument_error_if_tags_is_not_enumerable
     assert_raises ArgumentError do
-      white_list_sanitize('<a>some html</a>', tags: 'foo')
+      safe_list_sanitize('<a>some html</a>', tags: 'foo')
     end
   end
 
   def test_should_raise_argument_error_if_attributes_is_not_enumerable
     assert_raises ArgumentError do
-      white_list_sanitize('<a>some html</a>', attributes: 'foo')
+      safe_list_sanitize('<a>some html</a>', attributes: 'foo')
     end
   end
 
@@ -295,7 +292,7 @@ class SanitizersTest < Minitest::Test
     def scrubber.scrub(node); node.name = 'h1'; end
 
     assert_raises Loofah::ScrubberNotFound do
-      white_list_sanitize('<a>some html</a>', scrubber: scrubber)
+      safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
     end
   end
 
@@ -304,19 +301,19 @@ class SanitizersTest < Minitest::Test
     def scrubber.scrub(node); node.name = 'h1'; end
 
     html = "<script>hello!</script>"
-    assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
+    assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
   end
 
   def test_should_accept_loofah_scrubber_that_wraps_a_block
     scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
     html = "<script>hello!</script>"
-    assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
+    assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
   end
 
   def test_custom_scrubber_takes_precedence_over_other_options
     scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
     html = "<script>hello!</script>"
-    assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
+    assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
   end
 
   [%w(img src), %w(a href)].each do |(tag, attr)|
@@ -417,7 +414,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_div_background_image_unicode_encoded
-    raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+    raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
     assert_equal '', sanitize_css(raw)
   end
 
@@ -468,7 +465,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_sanitize_ascii_8bit_string
-    white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
+    safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
       assert_equal '<a>hello</a>', sanitized
       assert_equal Encoding::UTF_8, sanitized.encoding
     end
@@ -481,39 +478,55 @@ class SanitizersTest < Minitest::Test
 
   def test_allow_data_attribute_if_requested
     text = %(<a data-foo="foo">foo</a>)
-    assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
+    assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
   end
 
-  def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
+  def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
+    skip if RUBY_VERSION < "2.3"
+
     html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
 
-    text = white_list_sanitize(html)
+    text = safe_list_sanitize(html)
 
-    assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+    assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
 
-  def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
+  def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
+    skip if RUBY_VERSION < "2.3"
+
     html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
 
-    text = white_list_sanitize(html)
+    text = safe_list_sanitize(html)
 
-    assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+    assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
 
-  def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
+  def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
+    skip if RUBY_VERSION < "2.3"
+
     html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
 
-    text = white_list_sanitize(html)
+    text = safe_list_sanitize(html)
 
-    assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+    assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
 
-  def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
+  def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
+    skip if RUBY_VERSION < "2.3"
+
     html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
 
-    text = white_list_sanitize(html, attributes: ['action'])
+    text = safe_list_sanitize(html, attributes: ['action'])
+
+    assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+  end
+
+  def test_exclude_node_type_processing_instructions
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+  end
 
-    assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+  def test_exclude_node_type_comment
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
   end
 
 protected
@@ -530,35 +543,35 @@ protected
     Rails::Html::LinkSanitizer.new.sanitize(input, options)
   end
 
-  def white_list_sanitize(input, options = {})
-    Rails::Html::WhiteListSanitizer.new.sanitize(input, options)
+  def safe_list_sanitize(input, options = {})
+    Rails::Html::SafeListSanitizer.new.sanitize(input, options)
   end
 
   def assert_sanitized(input, expected = nil)
     if input
-      assert_dom_equal expected || input, white_list_sanitize(input)
+      assert_dom_equal expected || input, safe_list_sanitize(input)
     else
-      assert_nil white_list_sanitize(input)
+      assert_nil safe_list_sanitize(input)
     end
   end
 
   def sanitize_css(input)
-    Rails::Html::WhiteListSanitizer.new.sanitize_css(input)
+    Rails::Html::SafeListSanitizer.new.sanitize_css(input)
   end
 
   def scope_allowed_tags(tags)
-    old_tags = Rails::Html::WhiteListSanitizer.allowed_tags
-    Rails::Html::WhiteListSanitizer.allowed_tags = tags
-    yield Rails::Html::WhiteListSanitizer.new
+    old_tags = Rails::Html::SafeListSanitizer.allowed_tags
+    Rails::Html::SafeListSanitizer.allowed_tags = tags
+    yield Rails::Html::SafeListSanitizer.new
   ensure
-    Rails::Html::WhiteListSanitizer.allowed_tags = old_tags
+    Rails::Html::SafeListSanitizer.allowed_tags = old_tags
   end
 
   def scope_allowed_attributes(attributes)
-    old_attributes = Rails::Html::WhiteListSanitizer.allowed_attributes
-    Rails::Html::WhiteListSanitizer.allowed_attributes = attributes
-    yield Rails::Html::WhiteListSanitizer.new
+    old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
+    Rails::Html::SafeListSanitizer.allowed_attributes = attributes
+    yield Rails::Html::SafeListSanitizer.new
   ensure
-    Rails::Html::WhiteListSanitizer.allowed_attributes = old_attributes
+    Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.4.0
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-22 00:00:00.000000000 Z
+date: 2021-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -17,32 +17,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
@@ -107,7 +101,11 @@ files:
 homepage: https://github.com/rails/rails-html-sanitizer
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.0/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.0
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.0
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -123,11 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/scrubbers_test.rb
 - test/sanitizer_test.rb
+- test/scrubbers_test.rb