rails-html-sanitizer 1.2.0 → 1.4.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +38 -0
- data/README.md +3 -1
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/sanitizer.rb +1 -1
- data/lib/rails/html/scrubbers.rb +5 -5
- data/test/sanitizer_test.rb +14 -5
- data/test/scrubbers_test.rb +16 -0
- metadata +11 -13
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 85be608ca4422813683df971eb55217f0a70d9bb3d6398efad913ddb90d2c3c5
|
|
4
|
+
data.tar.gz: cdc86ec92f2698f49d73d37e58622b97f4115330e084a2bc6ea46fc711926e94
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b748cab99a7c9bdda776b5aaf76a55e16ff59b6aa10f4ee1fd9b97b7f5a6a897a8a2e0e1fe31cdd741207130d34ccdff2debb4437b0b03b87896ab9c16537f4b
|
|
7
|
+
data.tar.gz: 35f4c0c12c555feb73623df3bc09d19069c48b9ee91539dc247b6a599dc091adb08b56f43041014dfacd6f46183f7b6d68355104716a1feeaef58c3319be6bea
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,41 @@
|
|
|
1
|
+
## 1.4.2 / 2021-08-23
|
|
2
|
+
|
|
3
|
+
* Slightly improve performance.
|
|
4
|
+
|
|
5
|
+
Assuming elements are more common than comments, make one less method call per node.
|
|
6
|
+
|
|
7
|
+
*Mike Dalessio*
|
|
8
|
+
|
|
9
|
+
## 1.4.1 / 2021-08-18
|
|
10
|
+
|
|
11
|
+
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
|
12
|
+
|
|
13
|
+
Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
|
|
14
|
+
passed through elements to the scrubber's `keep_node?` method.
|
|
15
|
+
|
|
16
|
+
This change once again allows the scrubber to make the decision on comment nodes, but still skips
|
|
17
|
+
other non-elements like processing instructions (see #115).
|
|
18
|
+
|
|
19
|
+
*Mike Dalessio*
|
|
20
|
+
|
|
21
|
+
## 1.4.0 / 2021-08-18
|
|
22
|
+
|
|
23
|
+
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
|
24
|
+
|
|
25
|
+
Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
|
|
26
|
+
are no known security issues associated with these PIs, but similar to comments it's preferred to
|
|
27
|
+
omit these nodes when possible from sanitized output.
|
|
28
|
+
|
|
29
|
+
Fixes #115.
|
|
30
|
+
|
|
31
|
+
*Mike Dalessio*
|
|
32
|
+
|
|
33
|
+
## 1.3.0
|
|
34
|
+
|
|
35
|
+
* Address deprecations in Loofah 2.3.0.
|
|
36
|
+
|
|
37
|
+
*Josh Goodall*
|
|
38
|
+
|
|
1
39
|
## 1.2.0
|
|
2
40
|
|
|
3
41
|
* Remove needless `white_list_sanitizer` deprecation.
|
data/README.md
CHANGED
|
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
|
|
|
81
81
|
#### `Rails::Html::TargetScrubber`
|
|
82
82
|
|
|
83
83
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
|
84
|
-
`Rails::Html::TargetScrubber` targets them for removal.
|
|
84
|
+
`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
|
85
85
|
|
|
86
|
+
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
|
87
|
+
loofah `HTML5::Scrub.allowed_element?`.
|
|
86
88
|
|
|
87
89
|
```ruby
|
|
88
90
|
scrubber = Rails::Html::TargetScrubber.new
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -74,7 +74,7 @@ module Rails
|
|
|
74
74
|
#
|
|
75
75
|
# === Options
|
|
76
76
|
# Sanitizes both html and css via the safe lists found here:
|
|
77
|
-
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/
|
|
77
|
+
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
|
|
78
78
|
#
|
|
79
79
|
# SafeListSanitizer also accepts options to configure
|
|
80
80
|
# the safe list used when sanitizing html.
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -68,7 +68,7 @@ module Rails
|
|
|
68
68
|
end
|
|
69
69
|
return CONTINUE if skip_node?(node)
|
|
70
70
|
|
|
71
|
-
unless keep_node?(node)
|
|
71
|
+
unless (node.element? || node.comment?) && keep_node?(node)
|
|
72
72
|
return STOP if scrub_node(node) == STOP
|
|
73
73
|
end
|
|
74
74
|
|
|
@@ -138,17 +138,17 @@ module Rails
|
|
|
138
138
|
attr_node.node_name
|
|
139
139
|
end
|
|
140
140
|
|
|
141
|
-
if Loofah::HTML5::
|
|
141
|
+
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
|
|
142
142
|
# this block lifted nearly verbatim from HTML5 sanitization
|
|
143
143
|
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
|
|
144
|
-
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::
|
|
144
|
+
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
|
|
145
145
|
attr_node.remove
|
|
146
146
|
end
|
|
147
147
|
end
|
|
148
|
-
if Loofah::HTML5::
|
|
148
|
+
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
|
|
149
149
|
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
|
|
150
150
|
end
|
|
151
|
-
if Loofah::HTML5::
|
|
151
|
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
|
|
152
152
|
attr_node.remove
|
|
153
153
|
end
|
|
154
154
|
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
|
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
def test_strip_tags_with_plaintext
|
|
96
|
-
assert_equal "
|
|
96
|
+
assert_equal "Don't touch me", full_sanitize("Don't touch me")
|
|
97
97
|
end
|
|
98
98
|
|
|
99
99
|
def test_strip_tags_with_tags
|
|
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
|
|
|
135
135
|
end
|
|
136
136
|
|
|
137
137
|
def test_strip_links_with_plaintext
|
|
138
|
-
assert_equal "
|
|
138
|
+
assert_equal "Don't touch me", link_sanitize("Don't touch me")
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
def test_strip_links_with_line_feed_and_uppercase_tag
|
|
@@ -181,7 +181,7 @@ class SanitizersTest < Minitest::Test
|
|
|
181
181
|
assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
|
|
182
182
|
end
|
|
183
183
|
|
|
184
|
-
tags = Loofah::HTML5::
|
|
184
|
+
tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
|
|
185
185
|
tags.each do |tag_name|
|
|
186
186
|
define_method "test_should_allow_#{tag_name}_tag" do
|
|
187
187
|
scope_allowed_tags(tags) do
|
|
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
|
|
|
271
271
|
|
|
272
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
273
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
274
|
-
|
|
274
|
+
actual = safe_list_sanitize(input, attributes: %w(style))
|
|
275
|
+
assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
|
|
275
276
|
end
|
|
276
277
|
|
|
277
278
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
|
|
|
413
414
|
end
|
|
414
415
|
|
|
415
416
|
def test_should_sanitize_div_background_image_unicode_encoded
|
|
416
|
-
raw = %(background-image:\
|
|
417
|
+
raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
|
|
417
418
|
assert_equal '', sanitize_css(raw)
|
|
418
419
|
end
|
|
419
420
|
|
|
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
|
|
|
520
521
|
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
521
522
|
end
|
|
522
523
|
|
|
524
|
+
def test_exclude_node_type_processing_instructions
|
|
525
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
|
|
526
|
+
end
|
|
527
|
+
|
|
528
|
+
def test_exclude_node_type_comment
|
|
529
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
|
|
530
|
+
end
|
|
531
|
+
|
|
523
532
|
protected
|
|
524
533
|
|
|
525
534
|
def xpath_sanitize(input, options = {})
|
data/test/scrubbers_test.rb
CHANGED
|
@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
|
|
|
41
41
|
assert_scrubbed '<tag>hello</tag>', 'hello'
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
+
def test_default_scrub_removes_comments
|
|
45
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
|
46
|
+
'<div>one</div><span>three</span>')
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def test_default_scrub_removes_processing_instructions
|
|
50
|
+
assert_scrubbed('<div>one</div><?div two><span>three</span>',
|
|
51
|
+
'<div>one</div><span>three</span>')
|
|
52
|
+
end
|
|
53
|
+
|
|
44
54
|
def test_default_attributes_removal_behavior
|
|
45
55
|
assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
|
|
46
56
|
end
|
|
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
|
|
|
56
66
|
assert_scrubbed html, '<tag>leave me now</tag>'
|
|
57
67
|
end
|
|
58
68
|
|
|
69
|
+
def test_leaves_comments_when_supplied_as_tag
|
|
70
|
+
@scrubber.tags = %w(div comment)
|
|
71
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
|
72
|
+
'<div>one</div><!-- two -->three')
|
|
73
|
+
end
|
|
74
|
+
|
|
59
75
|
def test_leaves_only_supplied_tags_nested
|
|
60
76
|
html = '<tag>leave <em>me <span>now</span></em></tag>'
|
|
61
77
|
@scrubber.tags = %w(tag)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.2
|
|
4
|
+
version: 1.4.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2021-08-24 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -17,20 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - "~>"
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: '2.
|
|
21
|
-
- - ">="
|
|
22
|
-
- !ruby/object:Gem::Version
|
|
23
|
-
version: 2.2.2
|
|
20
|
+
version: '2.3'
|
|
24
21
|
type: :runtime
|
|
25
22
|
prerelease: false
|
|
26
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
27
24
|
requirements:
|
|
28
25
|
- - "~>"
|
|
29
26
|
- !ruby/object:Gem::Version
|
|
30
|
-
version: '2.
|
|
31
|
-
- - ">="
|
|
32
|
-
- !ruby/object:Gem::Version
|
|
33
|
-
version: 2.2.2
|
|
27
|
+
version: '2.3'
|
|
34
28
|
- !ruby/object:Gem::Dependency
|
|
35
29
|
name: bundler
|
|
36
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -107,7 +101,11 @@ files:
|
|
|
107
101
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
108
102
|
licenses:
|
|
109
103
|
- MIT
|
|
110
|
-
metadata:
|
|
104
|
+
metadata:
|
|
105
|
+
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
|
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
|
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
|
|
111
109
|
post_install_message:
|
|
112
110
|
rdoc_options: []
|
|
113
111
|
require_paths:
|
|
@@ -123,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
121
|
- !ruby/object:Gem::Version
|
|
124
122
|
version: '0'
|
|
125
123
|
requirements: []
|
|
126
|
-
rubygems_version: 3.
|
|
124
|
+
rubygems_version: 3.2.15
|
|
127
125
|
signing_key:
|
|
128
126
|
specification_version: 4
|
|
129
127
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
130
128
|
test_files:
|
|
131
|
-
- test/scrubbers_test.rb
|
|
132
129
|
- test/sanitizer_test.rb
|
|
130
|
+
- test/scrubbers_test.rb
|