rails-html-sanitizer 1.3.0 → 1.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +32 -0
- data/README.md +3 -1
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +1 -1
- data/test/sanitizer_test.rb +13 -4
- data/test/scrubbers_test.rb +16 -0
- metadata +9 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 85be608ca4422813683df971eb55217f0a70d9bb3d6398efad913ddb90d2c3c5
|
4
|
+
data.tar.gz: cdc86ec92f2698f49d73d37e58622b97f4115330e084a2bc6ea46fc711926e94
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b748cab99a7c9bdda776b5aaf76a55e16ff59b6aa10f4ee1fd9b97b7f5a6a897a8a2e0e1fe31cdd741207130d34ccdff2debb4437b0b03b87896ab9c16537f4b
|
7
|
+
data.tar.gz: 35f4c0c12c555feb73623df3bc09d19069c48b9ee91539dc247b6a599dc091adb08b56f43041014dfacd6f46183f7b6d68355104716a1feeaef58c3319be6bea
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,35 @@
|
|
1
|
+
## 1.4.2 / 2021-08-23
|
2
|
+
|
3
|
+
* Slightly improve performance.
|
4
|
+
|
5
|
+
Assuming elements are more common than comments, make one less method call per node.
|
6
|
+
|
7
|
+
*Mike Dalessio*
|
8
|
+
|
9
|
+
## 1.4.1 / 2021-08-18
|
10
|
+
|
11
|
+
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
12
|
+
|
13
|
+
Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
|
14
|
+
passed through elements to the scrubber's `keep_node?` method.
|
15
|
+
|
16
|
+
This change once again allows the scrubber to make the decision on comment nodes, but still skips
|
17
|
+
other non-elements like processing instructions (see #115).
|
18
|
+
|
19
|
+
*Mike Dalessio*
|
20
|
+
|
21
|
+
## 1.4.0 / 2021-08-18
|
22
|
+
|
23
|
+
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
24
|
+
|
25
|
+
Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
|
26
|
+
are no known security issues associated with these PIs, but similar to comments it's preferred to
|
27
|
+
omit these nodes when possible from sanitized output.
|
28
|
+
|
29
|
+
Fixes #115.
|
30
|
+
|
31
|
+
*Mike Dalessio*
|
32
|
+
|
1
33
|
## 1.3.0
|
2
34
|
|
3
35
|
* Address deprecations in Loofah 2.3.0.
|
data/README.md
CHANGED
@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
|
|
81
81
|
#### `Rails::Html::TargetScrubber`
|
82
82
|
|
83
83
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
84
|
-
`Rails::Html::TargetScrubber` targets them for removal.
|
84
|
+
`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
85
85
|
|
86
|
+
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
87
|
+
loofah `HTML5::Scrub.allowed_element?`.
|
86
88
|
|
87
89
|
```ruby
|
88
90
|
scrubber = Rails::Html::TargetScrubber.new
|
data/lib/rails/html/scrubbers.rb
CHANGED
data/test/sanitizer_test.rb
CHANGED
@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
|
|
93
93
|
end
|
94
94
|
|
95
95
|
def test_strip_tags_with_plaintext
|
96
|
-
assert_equal "
|
96
|
+
assert_equal "Don't touch me", full_sanitize("Don't touch me")
|
97
97
|
end
|
98
98
|
|
99
99
|
def test_strip_tags_with_tags
|
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
|
|
135
135
|
end
|
136
136
|
|
137
137
|
def test_strip_links_with_plaintext
|
138
|
-
assert_equal "
|
138
|
+
assert_equal "Don't touch me", link_sanitize("Don't touch me")
|
139
139
|
end
|
140
140
|
|
141
141
|
def test_strip_links_with_line_feed_and_uppercase_tag
|
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
|
|
271
271
|
|
272
272
|
def test_scrub_style_if_style_attribute_option_is_passed
|
273
273
|
input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
|
274
|
-
|
274
|
+
actual = safe_list_sanitize(input, attributes: %w(style))
|
275
|
+
assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
|
275
276
|
end
|
276
277
|
|
277
278
|
def test_should_raise_argument_error_if_tags_is_not_enumerable
|
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
|
|
413
414
|
end
|
414
415
|
|
415
416
|
def test_should_sanitize_div_background_image_unicode_encoded
|
416
|
-
raw = %(background-image:\
|
417
|
+
raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
|
417
418
|
assert_equal '', sanitize_css(raw)
|
418
419
|
end
|
419
420
|
|
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
|
|
520
521
|
assert_equal %{<a action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
|
521
522
|
end
|
522
523
|
|
524
|
+
def test_exclude_node_type_processing_instructions
|
525
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
|
526
|
+
end
|
527
|
+
|
528
|
+
def test_exclude_node_type_comment
|
529
|
+
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
|
530
|
+
end
|
531
|
+
|
523
532
|
protected
|
524
533
|
|
525
534
|
def xpath_sanitize(input, options = {})
|
data/test/scrubbers_test.rb
CHANGED
@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
|
|
41
41
|
assert_scrubbed '<tag>hello</tag>', 'hello'
|
42
42
|
end
|
43
43
|
|
44
|
+
def test_default_scrub_removes_comments
|
45
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
46
|
+
'<div>one</div><span>three</span>')
|
47
|
+
end
|
48
|
+
|
49
|
+
def test_default_scrub_removes_processing_instructions
|
50
|
+
assert_scrubbed('<div>one</div><?div two><span>three</span>',
|
51
|
+
'<div>one</div><span>three</span>')
|
52
|
+
end
|
53
|
+
|
44
54
|
def test_default_attributes_removal_behavior
|
45
55
|
assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
|
46
56
|
end
|
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
|
|
56
66
|
assert_scrubbed html, '<tag>leave me now</tag>'
|
57
67
|
end
|
58
68
|
|
69
|
+
def test_leaves_comments_when_supplied_as_tag
|
70
|
+
@scrubber.tags = %w(div comment)
|
71
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
72
|
+
'<div>one</div><!-- two -->three')
|
73
|
+
end
|
74
|
+
|
59
75
|
def test_leaves_only_supplied_tags_nested
|
60
76
|
html = '<tag>leave <em>me <span>now</span></em></tag>'
|
61
77
|
@scrubber.tags = %w(tag)
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails-html-sanitizer
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Rafael Mendonça França
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2021-08-24 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: loofah
|
@@ -101,7 +101,11 @@ files:
|
|
101
101
|
homepage: https://github.com/rails/rails-html-sanitizer
|
102
102
|
licenses:
|
103
103
|
- MIT
|
104
|
-
metadata:
|
104
|
+
metadata:
|
105
|
+
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
|
105
109
|
post_install_message:
|
106
110
|
rdoc_options: []
|
107
111
|
require_paths:
|
@@ -117,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
117
121
|
- !ruby/object:Gem::Version
|
118
122
|
version: '0'
|
119
123
|
requirements: []
|
120
|
-
rubygems_version: 3.
|
124
|
+
rubygems_version: 3.2.15
|
121
125
|
signing_key:
|
122
126
|
specification_version: 4
|
123
127
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
124
128
|
test_files:
|
125
|
-
- test/scrubbers_test.rb
|
126
129
|
- test/sanitizer_test.rb
|
130
|
+
- test/scrubbers_test.rb
|