rails-html-sanitizer 1.3.0 → 1.4.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +24 -0
- data/README.md +3 -1
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +1 -1
- data/test/sanitizer_test.rb +13 -4
- data/test/scrubbers_test.rb +44 -0
- metadata +9 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 38acab5c0aaf09ef2f52189de3445647192a0625e7bf530f8e08edb60ce7f17b
|
|
4
|
+
data.tar.gz: ba0f051dbdf277df8f135dce164d90cbc2acee95b9965986bdc00742ea0a0553
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c73a294fed5e28ab21b9fbade61fc722c2876c79215f4c84fa618d99c356e532584746d7178c1a2cc08354699eb986a741a2011b0c268cf8b3cc1bfa6a56994
|
|
7
|
+
data.tar.gz: 561a2601cd732428f89a662e53076bc557e591892f952b46770f10b014cbbd5cf1192a5a70de5f44f296be3a9f4820c6a5412c36464f939b4ca51a70fdf33c69
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,27 @@
|
|
|
1
|
+
## 1.4.1 / 2021-08-18
|
|
2
|
+
|
|
3
|
+
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
|
4
|
+
|
|
5
|
+
Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
|
|
6
|
+
passed through elements to the scrubber's `keep_node?` method.
|
|
7
|
+
|
|
8
|
+
This change once again allows the scrubber to make the decision on comment nodes, but still skips
|
|
9
|
+
other non-elements like processing instructions (see #115).
|
|
10
|
+
|
|
11
|
+
*Mike Dalessio*
|
|
12
|
+
|
|
13
|
+
## 1.4.0 / 2021-08-18
|
|
14
|
+
|
|
15
|
+
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
|
16
|
+
|
|
17
|
+
Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
|
|
18
|
+
are no known security issues associated with these PIs, but similar to comments it's preferred to
|
|
19
|
+
omit these nodes when possible from sanitized output.
|
|
20
|
+
|
|
21
|
+
Fixes #115.
|
|
22
|
+
|
|
23
|
+
*Mike Dalessio*
|
|
24
|
+
|
|
1
25
|
## 1.3.0
|
|
2
26
|
|
|
3
27
|
* Address deprecations in Loofah 2.3.0.
|
data/README.md
CHANGED
|
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
|
|
|
81
81
|
#### `Rails::Html::TargetScrubber`
|
|
82
82
|
|
|
83
83
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
|
84
|
-
`Rails::Html::TargetScrubber` targets them for removal.
|
|
84
|
+
`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
|
85
85
|
|
|
86
|
+
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
|
87
|
+
loofah `HTML5::Scrub.allowed_element?`.
|
|
86
88
|
|
|
87
89
|
```ruby
|
|
88
90
|
scrubber = Rails::Html::TargetScrubber.new
|
data/lib/rails/html/scrubbers.rb
CHANGED
data/test/sanitizer_test.rb
CHANGED
|
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
|
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
def test_strip_tags_with_plaintext
|
|
96
|
-
assert_equal "
|
|
96
|
+
assert_equal "Don't touch me", full_sanitize("Don't touch me")
|
|
97
97
|
end
|
|
98
98
|
|
|
99
99
|
def test_strip_tags_with_tags
|
|
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
|
|
|
135
135
|
end
|
|
136
136
|
|
|
137
137
|
def test_strip_links_with_plaintext
|
|
138
|
-
assert_equal "
|
|
138
|
+
assert_equal "Don't touch me", link_sanitize("Don't touch me")
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
def test_strip_links_with_line_feed_and_uppercase_tag
|
|
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
|
|
|
271
271
|
|
|
272
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
|
273
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
|
274
|
-
|
|
274
|
+
actual = safe_list_sanitize(input, attributes: %w(style))
|
|
275
|
+
assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
|
|
275
276
|
end
|
|
276
277
|
|
|
277
278
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
|
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
|
|
|
413
414
|
end
|
|
414
415
|
|
|
415
416
|
def test_should_sanitize_div_background_image_unicode_encoded
|
|
416
|
-
raw = %(background-image:\
|
|
417
|
+
raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
|
|
417
418
|
assert_equal '', sanitize_css(raw)
|
|
418
419
|
end
|
|
419
420
|
|
|
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
|
|
|
520
521
|
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
|
521
522
|
end
|
|
522
523
|
|
|
524
|
+
def test_exclude_node_type_processing_instructions
|
|
525
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
|
|
526
|
+
end
|
|
527
|
+
|
|
528
|
+
def test_exclude_node_type_comment
|
|
529
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
|
|
530
|
+
end
|
|
531
|
+
|
|
523
532
|
protected
|
|
524
533
|
|
|
525
534
|
def xpath_sanitize(input, options = {})
|
data/test/scrubbers_test.rb
CHANGED
|
@@ -112,6 +112,50 @@ class PermitScrubberTest < ScrubberTest
|
|
|
112
112
|
end
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
+
class PermitScrubberSubclassTest < ScrubberTest
|
|
116
|
+
def setup
|
|
117
|
+
@scrubber = Class.new(::Rails::Html::PermitScrubber) do
|
|
118
|
+
attr :nodes_seen
|
|
119
|
+
|
|
120
|
+
def initialize
|
|
121
|
+
super()
|
|
122
|
+
@nodes_seen = []
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
def keep_node?(node)
|
|
126
|
+
@nodes_seen << node.name
|
|
127
|
+
super(node)
|
|
128
|
+
end
|
|
129
|
+
end.new
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
def test_elements_are_checked
|
|
133
|
+
html = %Q("<div></div><a></a><tr></tr>")
|
|
134
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
135
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
136
|
+
assert_includes(@scrubber.nodes_seen, "a")
|
|
137
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
def test_comments_are_checked
|
|
141
|
+
# this passes in v1.3.0 but fails in v1.4.0
|
|
142
|
+
html = %Q("<div></div><!-- ohai --><tr></tr>")
|
|
143
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
144
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
145
|
+
assert_includes(@scrubber.nodes_seen, "comment")
|
|
146
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def test_craftily_named_processing_instructions_are_not_checked
|
|
150
|
+
# this fails in v1.3.0 but passes in v1.4.0
|
|
151
|
+
html = %Q("<div></div><?a content><tr></tr>")
|
|
152
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
153
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
154
|
+
refute_includes(@scrubber.nodes_seen, "a")
|
|
155
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
156
|
+
end
|
|
157
|
+
end
|
|
158
|
+
|
|
115
159
|
class TargetScrubberTest < ScrubberTest
|
|
116
160
|
def setup
|
|
117
161
|
@scrubber = Rails::Html::TargetScrubber.new
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2021-08-18 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -101,7 +101,11 @@ files:
|
|
|
101
101
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
102
102
|
licenses:
|
|
103
103
|
- MIT
|
|
104
|
-
metadata:
|
|
104
|
+
metadata:
|
|
105
|
+
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.1/CHANGELOG.md
|
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.1
|
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.1
|
|
105
109
|
post_install_message:
|
|
106
110
|
rdoc_options: []
|
|
107
111
|
require_paths:
|
|
@@ -117,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
117
121
|
- !ruby/object:Gem::Version
|
|
118
122
|
version: '0'
|
|
119
123
|
requirements: []
|
|
120
|
-
rubygems_version: 3.
|
|
124
|
+
rubygems_version: 3.2.15
|
|
121
125
|
signing_key:
|
|
122
126
|
specification_version: 4
|
|
123
127
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
124
128
|
test_files:
|
|
125
|
-
- test/scrubbers_test.rb
|
|
126
129
|
- test/sanitizer_test.rb
|
|
130
|
+
- test/scrubbers_test.rb
|