rails-html-sanitizer 1.4.0 → 1.4.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +1 -1
- data/test/scrubbers_test.rb +44 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 38acab5c0aaf09ef2f52189de3445647192a0625e7bf530f8e08edb60ce7f17b
|
|
4
|
+
data.tar.gz: ba0f051dbdf277df8f135dce164d90cbc2acee95b9965986bdc00742ea0a0553
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c73a294fed5e28ab21b9fbade61fc722c2876c79215f4c84fa618d99c356e532584746d7178c1a2cc08354699eb986a741a2011b0c268cf8b3cc1bfa6a56994
|
|
7
|
+
data.tar.gz: 561a2601cd732428f89a662e53076bc557e591892f952b46770f10b014cbbd5cf1192a5a70de5f44f296be3a9f4820c6a5412c36464f939b4ca51a70fdf33c69
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
## 1.4.1 / 2021-08-18
|
|
2
|
+
|
|
3
|
+
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
|
4
|
+
|
|
5
|
+
Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
|
|
6
|
+
passed through elements to the scrubber's `keep_node?` method.
|
|
7
|
+
|
|
8
|
+
This change once again allows the scrubber to make the decision on comment nodes, but still skips
|
|
9
|
+
other non-elements like processing instructions (see #115).
|
|
10
|
+
|
|
11
|
+
*Mike Dalessio*
|
|
12
|
+
|
|
1
13
|
## 1.4.0 / 2021-08-18
|
|
2
14
|
|
|
3
15
|
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
data/lib/rails/html/scrubbers.rb
CHANGED
data/test/scrubbers_test.rb
CHANGED
|
@@ -112,6 +112,50 @@ class PermitScrubberTest < ScrubberTest
|
|
|
112
112
|
end
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
+
class PermitScrubberSubclassTest < ScrubberTest
|
|
116
|
+
def setup
|
|
117
|
+
@scrubber = Class.new(::Rails::Html::PermitScrubber) do
|
|
118
|
+
attr :nodes_seen
|
|
119
|
+
|
|
120
|
+
def initialize
|
|
121
|
+
super()
|
|
122
|
+
@nodes_seen = []
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
def keep_node?(node)
|
|
126
|
+
@nodes_seen << node.name
|
|
127
|
+
super(node)
|
|
128
|
+
end
|
|
129
|
+
end.new
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
def test_elements_are_checked
|
|
133
|
+
html = %Q("<div></div><a></a><tr></tr>")
|
|
134
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
135
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
136
|
+
assert_includes(@scrubber.nodes_seen, "a")
|
|
137
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
def test_comments_are_checked
|
|
141
|
+
# this passes in v1.3.0 but fails in v1.4.0
|
|
142
|
+
html = %Q("<div></div><!-- ohai --><tr></tr>")
|
|
143
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
144
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
145
|
+
assert_includes(@scrubber.nodes_seen, "comment")
|
|
146
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def test_craftily_named_processing_instructions_are_not_checked
|
|
150
|
+
# this fails in v1.3.0 but passes in v1.4.0
|
|
151
|
+
html = %Q("<div></div><?a content><tr></tr>")
|
|
152
|
+
Loofah.scrub_fragment(html, @scrubber)
|
|
153
|
+
assert_includes(@scrubber.nodes_seen, "div")
|
|
154
|
+
refute_includes(@scrubber.nodes_seen, "a")
|
|
155
|
+
assert_includes(@scrubber.nodes_seen, "tr")
|
|
156
|
+
end
|
|
157
|
+
end
|
|
158
|
+
|
|
115
159
|
class TargetScrubberTest < ScrubberTest
|
|
116
160
|
def setup
|
|
117
161
|
@scrubber = Rails::Html::TargetScrubber.new
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.4.
|
|
4
|
+
version: 1.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -103,9 +103,9 @@ licenses:
|
|
|
103
103
|
- MIT
|
|
104
104
|
metadata:
|
|
105
105
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.
|
|
107
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.
|
|
108
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.
|
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.1/CHANGELOG.md
|
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.1
|
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.1
|
|
109
109
|
post_install_message:
|
|
110
110
|
rdoc_options: []
|
|
111
111
|
require_paths:
|