RubyGems - rails-html-sanitizer - Versions diffs - 1.4.0 → 1.4.1 - Mend

rails-html-sanitizer 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rails-html-sanitizer might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +12 -0
data/lib/rails/html/sanitizer/version.rb +1 -1
data/lib/rails/html/scrubbers.rb +1 -1
data/test/scrubbers_test.rb +44 -0
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72ef1b871489bb5189b4010ce24714523903baa2347ca8c49c0d8d3334439a22
-  data.tar.gz: 8e870f37ddb730ba3bf184cd5d9ddf2c8b8bc80d1a1ff3430553959b9478edcb
+  metadata.gz: 38acab5c0aaf09ef2f52189de3445647192a0625e7bf530f8e08edb60ce7f17b
+  data.tar.gz: ba0f051dbdf277df8f135dce164d90cbc2acee95b9965986bdc00742ea0a0553
 SHA512:
-  metadata.gz: 30e80f4579a449b65f0e88e1383953c17df46bd527707c37b425837980167447559a32bfe8815e6f9523727f626059f92fe55d63ac136f798bfe46f323788310
-  data.tar.gz: f554d91da09f669d5e4015294ec96a3431d535a60c254b5ae940227a74753eafde42d9e324009e98247c75210de3d0c6d18583550b11a63048a5adf0a4dfbd31
+  metadata.gz: 3c73a294fed5e28ab21b9fbade61fc722c2876c79215f4c84fa618d99c356e532584746d7178c1a2cc08354699eb986a741a2011b0c268cf8b3cc1bfa6a56994
+  data.tar.gz: 561a2601cd732428f89a662e53076bc557e591892f952b46770f10b014cbbd5cf1192a5a70de5f44f296be3a9f4820c6a5412c36464f939b4ca51a70fdf33c69

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,15 @@
+## 1.4.1 / 2021-08-18
+* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
+  passed through elements to the scrubber's `keep_node?` method.
+  This change once again allows the scrubber to make the decision on comment nodes, but still skips
+  other non-elements like processing instructions (see #115).
+  *Mike Dalessio*
 ## 1.4.0 / 2021-08-18
 * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.4.0"
+      VERSION = "1.4.1"
     end
   end
 end

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
-        unless node.element? && keep_node?(node)
+        unless (node.comment? || node.element?) && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end

data/test/scrubbers_test.rb CHANGED Viewed

@@ -112,6 +112,50 @@ class PermitScrubberTest < ScrubberTest
   end
 end
+class PermitScrubberSubclassTest < ScrubberTest
+  def setup
+    @scrubber = Class.new(::Rails::Html::PermitScrubber) do
+      attr :nodes_seen
+      def initialize
+        super()
+        @nodes_seen = []
+      end
+      def keep_node?(node)
+        @nodes_seen << node.name
+        super(node)
+      end
+    end.new
+  end
+  def test_elements_are_checked
+    html = %Q("<div></div><a></a><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    assert_includes(@scrubber.nodes_seen, "a")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+  def test_comments_are_checked
+    # this passes in v1.3.0 but fails in v1.4.0
+    html = %Q("<div></div><!-- ohai --><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    assert_includes(@scrubber.nodes_seen, "comment")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+  def test_craftily_named_processing_instructions_are_not_checked
+    # this fails in v1.3.0 but passes in v1.4.0
+    html = %Q("<div></div><?a content><tr></tr>")
+    Loofah.scrub_fragment(html, @scrubber)
+    assert_includes(@scrubber.nodes_seen, "div")
+    refute_includes(@scrubber.nodes_seen, "a")
+    assert_includes(@scrubber.nodes_seen, "tr")
+  end
+end
 class TargetScrubberTest < ScrubberTest
   def setup
     @scrubber = Rails::Html::TargetScrubber.new

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.4.1
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -103,9 +103,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.0/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.0
-  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.0
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.1/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.1
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.1
 post_install_message:
 rdoc_options: []
 require_paths: