rails-html-sanitizer 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/rails/html/sanitizer.rb +1 -1
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +4 -4
- data/test/sanitizer_test.rb +1 -1
- metadata +5 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8eba1aac52c80be280f186c5d378150709b7d4cd2a5d5b2367e6d2c036648d52
|
|
4
|
+
data.tar.gz: 96408eae2efee778a704f7caf246b64868a63bfdbbb81905b294bcca731a9289
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c4209cebc841299143a466143f4b776461fc1cc8bba112dc603e86835b68ee44a800566f64224b27f5a45d164d0b004049b228dc405c3de59068800ec7a5d564
|
|
7
|
+
data.tar.gz: c899472b8dffe9f9fd4d15ae4739f07a775d74b9ed14143beb688bb546b6a82ec469add036747b81aff33510e6e241379e21458cb39d9b2a8e797824066e24e5
|
data/CHANGELOG.md
CHANGED
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -74,7 +74,7 @@ module Rails
|
|
|
74
74
|
#
|
|
75
75
|
# === Options
|
|
76
76
|
# Sanitizes both html and css via the safe lists found here:
|
|
77
|
-
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/
|
|
77
|
+
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
|
|
78
78
|
#
|
|
79
79
|
# SafeListSanitizer also accepts options to configure
|
|
80
80
|
# the safe list used when sanitizing html.
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -138,17 +138,17 @@ module Rails
|
|
|
138
138
|
attr_node.node_name
|
|
139
139
|
end
|
|
140
140
|
|
|
141
|
-
if Loofah::HTML5::
|
|
141
|
+
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
|
|
142
142
|
# this block lifted nearly verbatim from HTML5 sanitization
|
|
143
143
|
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
|
|
144
|
-
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::
|
|
144
|
+
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
|
|
145
145
|
attr_node.remove
|
|
146
146
|
end
|
|
147
147
|
end
|
|
148
|
-
if Loofah::HTML5::
|
|
148
|
+
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
|
|
149
149
|
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
|
|
150
150
|
end
|
|
151
|
-
if Loofah::HTML5::
|
|
151
|
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
|
|
152
152
|
attr_node.remove
|
|
153
153
|
end
|
|
154
154
|
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -181,7 +181,7 @@ class SanitizersTest < Minitest::Test
|
|
|
181
181
|
assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
|
|
182
182
|
end
|
|
183
183
|
|
|
184
|
-
tags = Loofah::HTML5::
|
|
184
|
+
tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
|
|
185
185
|
tags.each do |tag_name|
|
|
186
186
|
define_method "test_should_allow_#{tag_name}_tag" do
|
|
187
187
|
scope_allowed_tags(tags) do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2019-
|
|
12
|
+
date: 2019-10-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -17,20 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - "~>"
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: '2.
|
|
21
|
-
- - ">="
|
|
22
|
-
- !ruby/object:Gem::Version
|
|
23
|
-
version: 2.2.2
|
|
20
|
+
version: '2.3'
|
|
24
21
|
type: :runtime
|
|
25
22
|
prerelease: false
|
|
26
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
27
24
|
requirements:
|
|
28
25
|
- - "~>"
|
|
29
26
|
- !ruby/object:Gem::Version
|
|
30
|
-
version: '2.
|
|
31
|
-
- - ">="
|
|
32
|
-
- !ruby/object:Gem::Version
|
|
33
|
-
version: 2.2.2
|
|
27
|
+
version: '2.3'
|
|
34
28
|
- !ruby/object:Gem::Dependency
|
|
35
29
|
name: bundler
|
|
36
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -123,7 +117,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
117
|
- !ruby/object:Gem::Version
|
|
124
118
|
version: '0'
|
|
125
119
|
requirements: []
|
|
126
|
-
rubygems_version: 3.0.
|
|
120
|
+
rubygems_version: 3.0.3
|
|
127
121
|
signing_key:
|
|
128
122
|
specification_version: 4
|
|
129
123
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|