rails-html-sanitizer 1.3.0 → 1.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +24 -0
- data/README.md +3 -1
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +1 -1
- data/test/sanitizer_test.rb +13 -4
- data/test/scrubbers_test.rb +44 -0
- metadata +9 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 38acab5c0aaf09ef2f52189de3445647192a0625e7bf530f8e08edb60ce7f17b
|
|
4
|
+
data.tar.gz: ba0f051dbdf277df8f135dce164d90cbc2acee95b9965986bdc00742ea0a0553
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c73a294fed5e28ab21b9fbade61fc722c2876c79215f4c84fa618d99c356e532584746d7178c1a2cc08354699eb986a741a2011b0c268cf8b3cc1bfa6a56994
|
|
7
|
+
data.tar.gz: 561a2601cd732428f89a662e53076bc557e591892f952b46770f10b014cbbd5cf1192a5a70de5f44f296be3a9f4820c6a5412c36464f939b4ca51a70fdf33c69
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,27 @@
|
|
|
1
|
+
## 1.4.1 / 2021-08-18
|
|
2
|
+
|
|
3
|
+
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
|
4
|
+
|
|
5
|
+
Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
|
|
6
|
+
passed through elements to the scrubber's `keep_node?` method.
|
|
7
|
+
|
|
8
|
+
This change once again allows the scrubber to make the decision on comment nodes, but still skips
|
|
9
|
+
other non-elements like processing instructions (see #115).
|
|
10
|
+
|
|
11
|
+
*Mike Dalessio*
|
|
12
|
+
|
|
13
|
+
## 1.4.0 / 2021-08-18
|
|
14
|
+
|
|
15
|
+
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
|
16
|
+
|
|
17
|
+
Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
|
|
18
|
+
are no known security issues associated with these PIs, but similar to comments it's preferred to
|
|
19
|
+
omit these nodes when possible from sanitized output.
|
|
20
|
+
|
|
21
|
+
Fixes #115.
|
|
22
|
+
|
|
23
|
+
*Mike Dalessio*
|
|
24
|
+
|
|
1
25
|
## 1.3.0
|
|
2
26
|
|
|
3
27
|
* Address deprecations in Loofah 2.3.0.
|
data/README.md
CHANGED
|
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
|
|
|
81
81
|
#### `Rails::Html::TargetScrubber`
|
|
82
82
|
|
|
83
83
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
|
84
|
-
`Rails::Html::TargetScrubber` targets them for removal.
|
|
84
|
+
`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
|
85
85
|
|
|
86
|
+
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
|
87
|
+
loofah `HTML5::Scrub.allowed_element?`.
|
|
86
88
|
|
|
87
89
|
```ruby
|
|
88
90
|
scrubber = Rails::Html::TargetScrubber.new
|
data/lib/rails/html/scrubbers.rb
CHANGED
data/test/sanitizer_test.rb
CHANGED
|
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
|
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
def test_strip_tags_with_plaintext
|
|
96
|
-
assert_equal "
|
|
96
|
+
assert_equal "Don't touch me", full_sanitize("Don't touch me")
|
|
97
97
|
end
|
|
98
98
|
|
|
99
99
|
def test_strip_tags_with_tags
|
|
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
|
|
|
135
135
|
end
|
|
136
136
|
|
|
137
137
|
def test_strip_links_with_plaintext
|
|
138
|
-
assert_equal "
|
|
138
|
+
assert_equal "Don't touch me", link_sanitize("Don't touch me")
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
def test_strip_links_with_line_feed_and_uppercase_tag
|
|
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
|
|
|
271
271
|
|
|
272
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
273
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
274
|
-
|
|
274
|
+
actual = safe_list_sanitize(input, attributes: %w(style))
|
|
275
|
+
assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
|
|
275
276
|
end
|
|
276
277
|
|
|
277
278
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
|
|
|
413
414
|
end
|
|
414
415
|
|
|
415
416
|
def test_should_sanitize_div_background_image_unicode_encoded
|
|
416
|
-
raw = %(background-image:\
|
|
417
|
+
raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
|
|
417
418
|
assert_equal '', sanitize_css(raw)
|
|
418
419
|
end
|
|
419
420
|
|
|
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
|
|
|
520
521
|
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
521
522
|
end
|
|
522
523
|
|
|
524
|
+
def test_exclude_node_type_processing_instructions
|
|
525
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
|
|
526
|
+
end
|
|
527
|
+
|
|
528
|
+
def test_exclude_node_type_comment
|
|
529
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
|
|
530
|
+
end
|
|
531
|
+
|
|
523
532
|
protected
|
|
524
533
|
|
|
525
534
|
def xpath_sanitize(input, options = {})
|
data/test/scrubbers_test.rb
CHANGED
|
@@ -112,6 +112,50 @@ class PermitScrubberTest < ScrubberTest
|
|
|
112
112
|
end
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
+
class PermitScrubberSubclassTest < ScrubberTest
|
|
116
|
+
def setup
|
|
117
|
+
@scrubber = Class.new(::Rails::Html::PermitScrubber) do
|
|
118
|
+
attr :nodes_seen
|
|
119
|
+
|
|
120
|
+
def initialize
|
|
121
|
+
super()
|
|
122
|
+
@nodes_seen = []
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
def keep_node?(node)
|
|
126
|
+
@nodes_seen << node.name
|
|
127
|
+
super(node)
|
|
128
|
+
end
|
|
129
|
+
end.new
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
def test_elements_are_checked
|
|
133
|
+
html = %Q("<div></div><a></a><tr></tr>")
|
|
134
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
135
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
136
|
+
assert_includes(@scrubber.nodes_seen, "a")
|
|
137
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
def test_comments_are_checked
|
|
141
|
+
# this passes in v1.3.0 but fails in v1.4.0
|
|
142
|
+
html = %Q("<div></div><!-- ohai --><tr></tr>")
|
|
143
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
144
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
145
|
+
assert_includes(@scrubber.nodes_seen, "comment")
|
|
146
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def test_craftily_named_processing_instructions_are_not_checked
|
|
150
|
+
# this fails in v1.3.0 but passes in v1.4.0
|
|
151
|
+
html = %Q("<div></div><?a content><tr></tr>")
|
|
152
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
153
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
154
|
+
refute_includes(@scrubber.nodes_seen, "a")
|
|
155
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
156
|
+
end
|
|
157
|
+
end
|
|
158
|
+
|
|
115
159
|
class TargetScrubberTest < ScrubberTest
|
|
116
160
|
def setup
|
|
117
161
|
@scrubber = Rails::Html::TargetScrubber.new
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2021-08-18 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -101,7 +101,11 @@ files:
|
|
|
101
101
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
102
102
|
licenses:
|
|
103
103
|
- MIT
|
|
104
|
-
metadata:
|
|
104
|
+
metadata:
|
|
105
|
+
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.1/CHANGELOG.md
|
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.1
|
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.1
|
|
105
109
|
post_install_message:
|
|
106
110
|
rdoc_options: []
|
|
107
111
|
require_paths:
|
|
@@ -117,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
117
121
|
- !ruby/object:Gem::Version
|
|
118
122
|
version: '0'
|
|
119
123
|
requirements: []
|
|
120
|
-
rubygems_version: 3.
|
|
124
|
+
rubygems_version: 3.2.15
|
|
121
125
|
signing_key:
|
|
122
126
|
specification_version: 4
|
|
123
127
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
124
128
|
test_files:
|
|
125
|
-
- test/scrubbers_test.rb
|
|
126
129
|
- test/sanitizer_test.rb
|
|
130
|
+
- test/scrubbers_test.rb
|