rails-html-sanitizer 1.1.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78b391f62382bca60620a37a2b7a1fe6cd8e81545210d308bc56991d11b39b6e
-  data.tar.gz: a8065b0d76a88caadeb594ac9e70857aaf061cdceab106781af41285c2e7302f
+  metadata.gz: 38acab5c0aaf09ef2f52189de3445647192a0625e7bf530f8e08edb60ce7f17b
+  data.tar.gz: ba0f051dbdf277df8f135dce164d90cbc2acee95b9965986bdc00742ea0a0553
 SHA512:
-  metadata.gz: b2a15acaf0bf620db43645b28d44d4e75d9bb9111bf77d4c7d90f812f697cbd8e33b704694af590e2af3c5e083d600c1cf82f7234ef737a05954582d1785bebb
-  data.tar.gz: af8b02f7811544234b263bfa6dd7062f117e549a6b58271be609c827a1468131caa56afd14b4f2b34e069e5f5d088ef3ba05f11c62b7d84ed69da6794c2c7de0
+  metadata.gz: 3c73a294fed5e28ab21b9fbade61fc722c2876c79215f4c84fa618d99c356e532584746d7178c1a2cc08354699eb986a741a2011b0c268cf8b3cc1bfa6a56994
+  data.tar.gz: 561a2601cd732428f89a662e53076bc557e591892f952b46770f10b014cbbd5cf1192a5a70de5f44f296be3a9f4820c6a5412c36464f939b4ca51a70fdf33c69

data/CHANGELOG.md

@@ -1,3 +1,47 @@
+## 1.4.1 / 2021-08-18
+
+* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+
+  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
+  passed through elements to the scrubber's `keep_node?` method.
+
+  This change once again allows the scrubber to make the decision on comment nodes, but still skips
+  other non-elements like processing instructions (see #115).
+
+  *Mike Dalessio*
+
+## 1.4.0 / 2021-08-18
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+  are no known security issues associated with these PIs, but similar to comments it's preferred to
+  omit these nodes when possible from sanitized output.
+
+  Fixes #115.
+
+  *Mike Dalessio*
+
+## 1.3.0
+
+* Address deprecations in Loofah 2.3.0.
+
+  *Josh Goodall*
+
+## 1.2.0
+
+* Remove needless `white_list_sanitizer` deprecation.
+
+  By deprecating this, we were forcing Rails 5.2 to be updated or spew
+  deprecations that users could do nothing about.
+
+  That's pointless and I'm sorry for adding that!
+
+  Now there's no deprecation warning and Rails 5.2 works out of the box, while
+  Rails 6 can use the updated naming.
+
+  *Kasper Timm Hansen*
+
 ## 1.1.0
 
 * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed

data/README.md

@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
 #### `Rails::Html::TargetScrubber`
 
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
 
+**Note:** by default, it will scrub anything that is not part of the permitted tags from
+loofah `HTML5::Scrub.allowed_element?`.
 
 ```ruby
 scrubber = Rails::Html::TargetScrubber.new

data/lib/rails-html-sanitizer.rb

@@ -20,8 +20,6 @@ module Rails
         end
 
         def white_list_sanitizer
-          ActiveSupport::Deprecation.warn "warning: white_list_sanitizer is" \
-          "deprecated, please use safe_list_sanitizer instead."
           safe_list_sanitizer
         end
       end

data/lib/rails/html/sanitizer.rb

@@ -74,7 +74,7 @@ module Rails
     #
     # === Options
     # Sanitizes both html and css via the safe lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
     # SafeListSanitizer also accepts options to configure
     # the safe list used when sanitizing html.
@@ -151,8 +151,5 @@ module Rails
     end
 
     WhiteListSanitizer = SafeListSanitizer
-    if Object.respond_to?(:deprecate_constant)
-      deprecate_constant :WhiteListSanitizer
-    end
   end
 end

data/lib/rails/html/sanitizer/version.rb

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.1.0"
+      VERSION = "1.4.1"
     end
   end
 end

data/lib/rails/html/scrubbers.rb

@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
 
-        unless keep_node?(node)
+        unless (node.comment? || node.element?) && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end
 
@@ -138,17 +138,17 @@ module Rails
                       attr_node.node_name
                     end
 
-        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
           # this block lifted nearly verbatim from HTML5 sanitization
           val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
             attr_node.remove
           end
         end
-        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
           attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
         end
-        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
 

data/test/sanitizer_test.rb

@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_tags_with_plaintext
-    assert_equal "Dont touch me", full_sanitize("Dont touch me")
+    assert_equal "Don't touch me", full_sanitize("Don't touch me")
   end
 
   def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_links_with_plaintext
-    assert_equal "Dont touch me", link_sanitize("Dont touch me")
+    assert_equal "Don't touch me", link_sanitize("Don't touch me")
   end
 
   def test_strip_links_with_line_feed_and_uppercase_tag
@@ -181,7 +181,7 @@ class SanitizersTest < Minitest::Test
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
 
-  tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
+  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
   tags.each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       scope_allowed_tags(tags) do
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
 
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
-    assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
+    actual = safe_list_sanitize(input, attributes: %w(style))
+    assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
 
   def test_should_raise_argument_error_if_tags_is_not_enumerable
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_div_background_image_unicode_encoded
-    raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+    raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
     assert_equal '', sanitize_css(raw)
   end
 
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
     assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
 
+  def test_exclude_node_type_processing_instructions
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+  end
+
+  def test_exclude_node_type_comment
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
+  end
+
 protected
 
   def xpath_sanitize(input, options = {})

data/test/scrubbers_test.rb

@@ -112,6 +112,50 @@ class PermitScrubberTest < ScrubberTest
   end
 end
 
+class PermitScrubberSubclassTest < ScrubberTest
+  def setup
+    @scrubber = Class.new(::Rails::Html::PermitScrubber) do
+      attr :nodes_seen
+
+      def initialize
+        super()
+        @nodes_seen = []
+      end
+
+      def keep_node?(node)
+        @nodes_seen << node.name
+        super(node)
+      end
+    end.new
+  end
+
+  def test_elements_are_checked
+    html = %Q("<div></div><a></a><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    assert_includes(@scrubber.nodes_seen, "a")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+
+  def test_comments_are_checked
+    # this passes in v1.3.0 but fails in v1.4.0
+    html = %Q("<div></div><!-- ohai --><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    assert_includes(@scrubber.nodes_seen, "comment")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+
+  def test_craftily_named_processing_instructions_are_not_checked
+    # this fails in v1.3.0 but passes in v1.4.0
+    html = %Q("<div></div><?a content><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    refute_includes(@scrubber.nodes_seen, "a")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+end
+
 class TargetScrubberTest < ScrubberTest
   def setup
     @scrubber = Rails::Html::TargetScrubber.new

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.4.1
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-05 00:00:00.000000000 Z
+date: 2021-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -17,20 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -107,7 +101,11 @@ files:
 homepage: https://github.com/rails/rails-html-sanitizer
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.1/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.1
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.1
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -123,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.4
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/scrubbers_test.rb
 - test/sanitizer_test.rb
+- test/scrubbers_test.rb