RubyGems - rails-html-sanitizer - Versions diffs - 1.2.0 → 1.4.2 - Mend

rails-html-sanitizer 1.2.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rails-html-sanitizer might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +38 -0
data/README.md +3 -1
data/lib/rails/html/sanitizer/version.rb +1 -1
data/lib/rails/html/sanitizer.rb +1 -1
data/lib/rails/html/scrubbers.rb +5 -5
data/test/sanitizer_test.rb +14 -5
data/test/scrubbers_test.rb +16 -0
metadata +11 -13

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 870e022a24bf7e490864eb68c6676617508060c44cb0fbcfbce1f476b7bfa453
-  data.tar.gz: 280abb7f0ce9d0d311f4a1b8ac84d94dbe009592c32c2364eea594b0d336f5eb
+  metadata.gz: 85be608ca4422813683df971eb55217f0a70d9bb3d6398efad913ddb90d2c3c5
+  data.tar.gz: cdc86ec92f2698f49d73d37e58622b97f4115330e084a2bc6ea46fc711926e94
 SHA512:
-  metadata.gz: d3780c7ea8e6e77bafe1486aef16852ba326adf8a9cbcdc5fe2639f8ea47e9bb8a2e50553ecb25bceeeeb1665b5edfab92c1022707c7aa59a4f0d0c605b67223
-  data.tar.gz: 14bba8b83f0e0a6782b0e12a8c29fc73d469cda550104d7ad32b8cf8ef3628d981d4c82637e7826c79e2dc4bfd86c230a74031acf53ec0b10a40d2cabf7eed84
+  metadata.gz: b748cab99a7c9bdda776b5aaf76a55e16ff59b6aa10f4ee1fd9b97b7f5a6a897a8a2e0e1fe31cdd741207130d34ccdff2debb4437b0b03b87896ab9c16537f4b
+  data.tar.gz: 35f4c0c12c555feb73623df3bc09d19069c48b9ee91539dc247b6a599dc091adb08b56f43041014dfacd6f46183f7b6d68355104716a1feeaef58c3319be6bea

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,41 @@
+## 1.4.2 / 2021-08-23
+* Slightly improve performance.
+  Assuming elements are more common than comments, make one less method call per node.
+  *Mike Dalessio*
+## 1.4.1 / 2021-08-18
+* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
+  passed through elements to the scrubber's `keep_node?` method.
+  This change once again allows the scrubber to make the decision on comment nodes, but still skips
+  other non-elements like processing instructions (see #115).
+  *Mike Dalessio*
+## 1.4.0 / 2021-08-18
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+  are no known security issues associated with these PIs, but similar to comments it's preferred to
+  omit these nodes when possible from sanitized output.
+  Fixes #115.
+  *Mike Dalessio*
+## 1.3.0
+* Address deprecations in Loofah 2.3.0.
+  *Josh Goodall*
 ## 1.2.0
 * Remove needless `white_list_sanitizer` deprecation.

data/README.md CHANGED Viewed

@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
 #### `Rails::Html::TargetScrubber`
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
+**Note:** by default, it will scrub anything that is not part of the permitted tags from
+loofah `HTML5::Scrub.allowed_element?`.
 ```ruby
 scrubber = Rails::Html::TargetScrubber.new

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.2.0"
+      VERSION = "1.4.2"
     end
   end
 end

data/lib/rails/html/sanitizer.rb CHANGED Viewed

@@ -74,7 +74,7 @@ module Rails
     #
     # === Options
     # Sanitizes both html and css via the safe lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
     # SafeListSanitizer also accepts options to configure
     # the safe list used when sanitizing html.

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
-        unless keep_node?(node)
+        unless (node.element? || node.comment?) && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end
@@ -138,17 +138,17 @@ module Rails
                       attr_node.node_name
                     end
-        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
           # this block lifted nearly verbatim from HTML5 sanitization
           val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
             attr_node.remove
           end
         end
-        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
           attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
         end
-        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end

data/test/sanitizer_test.rb CHANGED Viewed

@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
   end
   def test_strip_tags_with_plaintext
-    assert_equal "Dont touch me", full_sanitize("Dont touch me")
+    assert_equal "Don't touch me", full_sanitize("Don't touch me")
   end
   def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
   end
   def test_strip_links_with_plaintext
-    assert_equal "Dont touch me", link_sanitize("Dont touch me")
+    assert_equal "Don't touch me", link_sanitize("Don't touch me")
   end
   def test_strip_links_with_line_feed_and_uppercase_tag
@@ -181,7 +181,7 @@ class SanitizersTest < Minitest::Test
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
-  tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
+  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
   tags.each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       scope_allowed_tags(tags) do
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
-    assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
+    actual = safe_list_sanitize(input, attributes: %w(style))
+    assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
   def test_should_raise_argument_error_if_tags_is_not_enumerable
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
   end
   def test_should_sanitize_div_background_image_unicode_encoded
-    raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+    raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
     assert_equal '', sanitize_css(raw)
   end
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
     assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
+  def test_exclude_node_type_processing_instructions
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+  end
+  def test_exclude_node_type_comment
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
+  end
 protected
   def xpath_sanitize(input, options = {})

data/test/scrubbers_test.rb CHANGED Viewed

@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed '<tag>hello</tag>', 'hello'
   end
+  def test_default_scrub_removes_comments
+    assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+                    '<div>one</div><span>three</span>')
+  end
+  def test_default_scrub_removes_processing_instructions
+    assert_scrubbed('<div>one</div><?div two><span>three</span>',
+                    '<div>one</div><span>three</span>')
+  end
   def test_default_attributes_removal_behavior
     assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
   end
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed html, '<tag>leave me now</tag>'
   end
+  def test_leaves_comments_when_supplied_as_tag
+    @scrubber.tags = %w(div comment)
+    assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+                    '<div>one</div><!-- two -->three')
+  end
   def test_leaves_only_supplied_tags_nested
     html = '<tag>leave <em>me <span>now</span></em></tag>'
     @scrubber.tags = %w(tag)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.2
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-08 00:00:00.000000000 Z
+date: 2021-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -17,20 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -107,7 +101,11 @@ files:
 homepage: https://github.com/rails/rails-html-sanitizer
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -123,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.4
+rubygems_version: 3.2.15
 signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/scrubbers_test.rb
 - test/sanitizer_test.rb
+- test/scrubbers_test.rb