rails-html-sanitizer 1.3.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of rails-html-sanitizer might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8eba1aac52c80be280f186c5d378150709b7d4cd2a5d5b2367e6d2c036648d52
4
- data.tar.gz: 96408eae2efee778a704f7caf246b64868a63bfdbbb81905b294bcca731a9289
3
+ metadata.gz: 85be608ca4422813683df971eb55217f0a70d9bb3d6398efad913ddb90d2c3c5
4
+ data.tar.gz: cdc86ec92f2698f49d73d37e58622b97f4115330e084a2bc6ea46fc711926e94
5
5
  SHA512:
6
- metadata.gz: c4209cebc841299143a466143f4b776461fc1cc8bba112dc603e86835b68ee44a800566f64224b27f5a45d164d0b004049b228dc405c3de59068800ec7a5d564
7
- data.tar.gz: c899472b8dffe9f9fd4d15ae4739f07a775d74b9ed14143beb688bb546b6a82ec469add036747b81aff33510e6e241379e21458cb39d9b2a8e797824066e24e5
6
+ metadata.gz: b748cab99a7c9bdda776b5aaf76a55e16ff59b6aa10f4ee1fd9b97b7f5a6a897a8a2e0e1fe31cdd741207130d34ccdff2debb4437b0b03b87896ab9c16537f4b
7
+ data.tar.gz: 35f4c0c12c555feb73623df3bc09d19069c48b9ee91539dc247b6a599dc091adb08b56f43041014dfacd6f46183f7b6d68355104716a1feeaef58c3319be6bea
data/CHANGELOG.md CHANGED
@@ -1,3 +1,35 @@
1
+ ## 1.4.2 / 2021-08-23
2
+
3
+ * Slightly improve performance.
4
+
5
+ Assuming elements are more common than comments, make one less method call per node.
6
+
7
+ *Mike Dalessio*
8
+
9
+ ## 1.4.1 / 2021-08-18
10
+
11
+ * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
12
+
13
+ Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
14
+ passed through elements to the scrubber's `keep_node?` method.
15
+
16
+ This change once again allows the scrubber to make the decision on comment nodes, but still skips
17
+ other non-elements like processing instructions (see #115).
18
+
19
+ *Mike Dalessio*
20
+
21
+ ## 1.4.0 / 2021-08-18
22
+
23
+ * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
24
+
25
+ Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
26
+ are no known security issues associated with these PIs, but similar to comments it's preferred to
27
+ omit these nodes when possible from sanitized output.
28
+
29
+ Fixes #115.
30
+
31
+ *Mike Dalessio*
32
+
1
33
  ## 1.3.0
2
34
 
3
35
  * Address deprecations in Loofah 2.3.0.
data/README.md CHANGED
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
81
81
  #### `Rails::Html::TargetScrubber`
82
82
 
83
83
  Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
84
- `Rails::Html::TargetScrubber` targets them for removal.
84
+ `Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
85
85
 
86
+ **Note:** by default, it will scrub anything that is not part of the permitted tags from
87
+ loofah `HTML5::Scrub.allowed_element?`.
86
88
 
87
89
  ```ruby
88
90
  scrubber = Rails::Html::TargetScrubber.new
@@ -1,7 +1,7 @@
1
1
  module Rails
2
2
  module Html
3
3
  class Sanitizer
4
- VERSION = "1.3.0"
4
+ VERSION = "1.4.2"
5
5
  end
6
6
  end
7
7
  end
@@ -68,7 +68,7 @@ module Rails
68
68
  end
69
69
  return CONTINUE if skip_node?(node)
70
70
 
71
- unless keep_node?(node)
71
+ unless (node.element? || node.comment?) && keep_node?(node)
72
72
  return STOP if scrub_node(node) == STOP
73
73
  end
74
74
 
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
93
93
  end
94
94
 
95
95
  def test_strip_tags_with_plaintext
96
- assert_equal "Dont touch me", full_sanitize("Dont touch me")
96
+ assert_equal "Don't touch me", full_sanitize("Don't touch me")
97
97
  end
98
98
 
99
99
  def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
135
135
  end
136
136
 
137
137
  def test_strip_links_with_plaintext
138
- assert_equal "Dont touch me", link_sanitize("Dont touch me")
138
+ assert_equal "Don't touch me", link_sanitize("Don't touch me")
139
139
  end
140
140
 
141
141
  def test_strip_links_with_line_feed_and_uppercase_tag
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
271
271
 
272
272
  def test_scrub_style_if_style_attribute_option_is_passed
273
273
  input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
274
- assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
274
+ actual = safe_list_sanitize(input, attributes: %w(style))
275
+ assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
275
276
  end
276
277
 
277
278
  def test_should_raise_argument_error_if_tags_is_not_enumerable
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
413
414
  end
414
415
 
415
416
  def test_should_sanitize_div_background_image_unicode_encoded
416
- raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
417
+ raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
417
418
  assert_equal '', sanitize_css(raw)
418
419
  end
419
420
 
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
520
521
  assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
521
522
  end
522
523
 
524
+ def test_exclude_node_type_processing_instructions
525
+ assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
526
+ end
527
+
528
+ def test_exclude_node_type_comment
529
+ assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
530
+ end
531
+
523
532
  protected
524
533
 
525
534
  def xpath_sanitize(input, options = {})
@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
41
41
  assert_scrubbed '<tag>hello</tag>', 'hello'
42
42
  end
43
43
 
44
+ def test_default_scrub_removes_comments
45
+ assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
46
+ '<div>one</div><span>three</span>')
47
+ end
48
+
49
+ def test_default_scrub_removes_processing_instructions
50
+ assert_scrubbed('<div>one</div><?div two><span>three</span>',
51
+ '<div>one</div><span>three</span>')
52
+ end
53
+
44
54
  def test_default_attributes_removal_behavior
45
55
  assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
46
56
  end
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
56
66
  assert_scrubbed html, '<tag>leave me now</tag>'
57
67
  end
58
68
 
69
+ def test_leaves_comments_when_supplied_as_tag
70
+ @scrubber.tags = %w(div comment)
71
+ assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
72
+ '<div>one</div><!-- two -->three')
73
+ end
74
+
59
75
  def test_leaves_only_supplied_tags_nested
60
76
  html = '<tag>leave <em>me <span>now</span></em></tag>'
61
77
  @scrubber.tags = %w(tag)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.0
4
+ version: 1.4.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-10-06 00:00:00.000000000 Z
12
+ date: 2021-08-24 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: loofah
@@ -101,7 +101,11 @@ files:
101
101
  homepage: https://github.com/rails/rails-html-sanitizer
102
102
  licenses:
103
103
  - MIT
104
- metadata: {}
104
+ metadata:
105
+ bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
106
+ changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
107
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
108
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
105
109
  post_install_message:
106
110
  rdoc_options: []
107
111
  require_paths:
@@ -117,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
117
121
  - !ruby/object:Gem::Version
118
122
  version: '0'
119
123
  requirements: []
120
- rubygems_version: 3.0.3
124
+ rubygems_version: 3.2.15
121
125
  signing_key:
122
126
  specification_version: 4
123
127
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.
124
128
  test_files:
125
- - test/scrubbers_test.rb
126
129
  - test/sanitizer_test.rb
130
+ - test/scrubbers_test.rb