rails-html-sanitizer 1.4.3 → 1.6.0

data/lib/rails/html/sanitizer.rb

@@ -1,172 +1,422 @@
+# frozen_string_literal: true
+
 module Rails
-  module Html
-    XPATHS_TO_REMOVE = %w{.//script .//form comment()}
+  module HTML
+    class Sanitizer
+      class << self
+        def html5_support?
+          return @html5_support if defined?(@html5_support)
+
+          @html5_support = Loofah.respond_to?(:html5_support?) && Loofah.html5_support?
+        end
+
+        def best_supported_vendor
+          html5_support? ? Rails::HTML5::Sanitizer : Rails::HTML4::Sanitizer
+        end
+      end
 
-    class Sanitizer # :nodoc:
       def sanitize(html, options = {})
         raise NotImplementedError, "subclasses must implement sanitize method."
       end
 
       private
+        def remove_xpaths(node, xpaths)
+          node.xpath(*xpaths).remove
+          node
+        end
+
+        def properly_encode(fragment, options)
+          fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
+        end
+    end
 
-      def remove_xpaths(node, xpaths)
-        node.xpath(*xpaths).remove
-        node
+    module Concern
+      module ComposedSanitize
+        def sanitize(html, options = {})
+          return unless html
+          return html if html.empty?
+
+          serialize(scrub(parse_fragment(html), options))
+        end
       end
 
-      def properly_encode(fragment, options)
-        fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
+      module Parser
+        module HTML4
+          def parse_fragment(html)
+            Loofah.html4_fragment(html)
+          end
+        end
+
+        module HTML5
+          def parse_fragment(html)
+            Loofah.html5_fragment(html)
+          end
+        end if Rails::HTML::Sanitizer.html5_support?
+      end
+
+      module Scrubber
+        module Full
+          def scrub(fragment, options = {})
+            fragment.scrub!(TextOnlyScrubber.new)
+          end
+        end
+
+        module Link
+          def initialize
+            super
+            @link_scrubber = TargetScrubber.new
+            @link_scrubber.tags = %w(a)
+            @link_scrubber.attributes = %w(href)
+          end
+
+          def scrub(fragment, options = {})
+            fragment.scrub!(@link_scrubber)
+          end
+        end
+
+        module SafeList
+          # The default safe list for tags
+          DEFAULT_ALLOWED_TAGS = Set.new([
+                                           "a",
+                                           "abbr",
+                                           "acronym",
+                                           "address",
+                                           "b",
+                                           "big",
+                                           "blockquote",
+                                           "br",
+                                           "cite",
+                                           "code",
+                                           "dd",
+                                           "del",
+                                           "dfn",
+                                           "div",
+                                           "dl",
+                                           "dt",
+                                           "em",
+                                           "h1",
+                                           "h2",
+                                           "h3",
+                                           "h4",
+                                           "h5",
+                                           "h6",
+                                           "hr",
+                                           "i",
+                                           "img",
+                                           "ins",
+                                           "kbd",
+                                           "li",
+                                           "ol",
+                                           "p",
+                                           "pre",
+                                           "samp",
+                                           "small",
+                                           "span",
+                                           "strong",
+                                           "sub",
+                                           "sup",
+                                           "time",
+                                           "tt",
+                                           "ul",
+                                           "var",
+                                         ]).freeze
+
+          # The default safe list for attributes
+          DEFAULT_ALLOWED_ATTRIBUTES = Set.new([
+                                                 "abbr",
+                                                 "alt",
+                                                 "cite",
+                                                 "class",
+                                                 "datetime",
+                                                 "height",
+                                                 "href",
+                                                 "lang",
+                                                 "name",
+                                                 "src",
+                                                 "title",
+                                                 "width",
+                                                 "xml:lang",
+                                               ]).freeze
+
+          def self.included(klass)
+            class << klass
+              attr_accessor :allowed_tags
+              attr_accessor :allowed_attributes
+            end
+
+            klass.allowed_tags = DEFAULT_ALLOWED_TAGS.dup
+            klass.allowed_attributes = DEFAULT_ALLOWED_ATTRIBUTES.dup
+          end
+
+          def initialize(prune: false)
+            @permit_scrubber = PermitScrubber.new(prune: prune)
+          end
+
+          def scrub(fragment, options = {})
+            if scrubber = options[:scrubber]
+              # No duck typing, Loofah ensures subclass of Loofah::Scrubber
+              fragment.scrub!(scrubber)
+            elsif allowed_tags(options) || allowed_attributes(options)
+              @permit_scrubber.tags = allowed_tags(options)
+              @permit_scrubber.attributes = allowed_attributes(options)
+              fragment.scrub!(@permit_scrubber)
+            else
+              fragment.scrub!(:strip)
+            end
+          end
+
+          def sanitize_css(style_string)
+            Loofah::HTML5::Scrub.scrub_css(style_string)
+          end
+
+          private
+            def allowed_tags(options)
+              options[:tags] || self.class.allowed_tags
+            end
+
+            def allowed_attributes(options)
+              options[:attributes] || self.class.allowed_attributes
+            end
+        end
+      end
+
+      module Serializer
+        module UTF8Encode
+          def serialize(fragment)
+            properly_encode(fragment, encoding: "UTF-8")
+          end
+        end
       end
     end
+  end
 
-    # === Rails::Html::FullSanitizer
-    # Removes all tags but strips out scripts, forms and comments.
-    #
-    # full_sanitizer = Rails::Html::FullSanitizer.new
-    # full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
-    # # => Bold no more!  See more here...
-    class FullSanitizer < Sanitizer
-      def sanitize(html, options = {})
-        return unless html
-        return html if html.empty?
+  module HTML4
+    module Sanitizer
+      module VendorMethods
+        def full_sanitizer
+          Rails::HTML4::FullSanitizer
+        end
 
-        loofah_fragment = Loofah.fragment(html)
+        def link_sanitizer
+          Rails::HTML4::LinkSanitizer
+        end
 
-        remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
-        loofah_fragment.scrub!(TextOnlyScrubber.new)
+        def safe_list_sanitizer
+          Rails::HTML4::SafeListSanitizer
+        end
 
-        properly_encode(loofah_fragment, encoding: 'UTF-8')
+        def white_list_sanitizer # :nodoc:
+          safe_list_sanitizer
+        end
       end
+
+      extend VendorMethods
     end
 
-    # === Rails::Html::LinkSanitizer
-    # Removes +a+ tags and +href+ attributes leaving only the link text.
+    # == Rails::HTML4::FullSanitizer
     #
-    #  link_sanitizer = Rails::Html::LinkSanitizer.new
-    #  link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    # Removes all tags from HTML4 but strips out scripts, forms and comments.
     #
-    #  => 'Only the link text will be kept.'
-    class LinkSanitizer < Sanitizer
-      def initialize
-        @link_scrubber = TargetScrubber.new
-        @link_scrubber.tags = %w(a)
-        @link_scrubber.attributes = %w(href)
-      end
+    #   full_sanitizer = Rails::HTML4::FullSanitizer.new
+    #   full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+    #   # => "Bold no more!  See more here..."
+    #
+    class FullSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML4
+      include HTML::Concern::Scrubber::Full
+      include HTML::Concern::Serializer::UTF8Encode
+    end
 
-      def sanitize(html, options = {})
-        Loofah.scrub_fragment(html, @link_scrubber).to_s
-      end
+    # == Rails::HTML4::LinkSanitizer
+    #
+    # Removes +a+ tags and +href+ attributes from HTML4 leaving only the link text.
+    #
+    #   link_sanitizer = Rails::HTML4::LinkSanitizer.new
+    #   link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    #   # => "Only the link text will be kept."
+    #
+    class LinkSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML4
+      include HTML::Concern::Scrubber::Link
+      include HTML::Concern::Serializer::UTF8Encode
     end
 
-    # === Rails::Html::SafeListSanitizer
-    # Sanitizes html and css from an extensive safe list (see link further down).
+    # == Rails::HTML4::SafeListSanitizer
+    #
+    # Sanitizes HTML4 and CSS from an extensive safe list.
     #
     # === Whitespace
-    # We can't make any guarantees about whitespace being kept or stripped.
-    # Loofah uses Nokogiri, which wraps either a C or Java parser for the
-    # respective Ruby implementation.
-    # Those two parsers determine how whitespace is ultimately handled.
     #
-    # When the stripped markup will be rendered the users browser won't take
-    # whitespace into account anyway. It might be better to suggest your users
-    # wrap their whitespace sensitive content in pre tags or that you do
-    # so automatically.
+    # We can't make any guarantees about whitespace being kept or stripped.  Loofah uses Nokogiri,
+    # which wraps either a C or Java parser for the respective Ruby implementation.  Those two
+    # parsers determine how whitespace is ultimately handled.
+    #
+    # When the stripped markup will be rendered the users browser won't take whitespace into account
+    # anyway. It might be better to suggest your users wrap their whitespace sensitive content in
+    # pre tags or that you do so automatically.
     #
     # === Options
-    # Sanitizes both html and css via the safe lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
-    # SafeListSanitizer also accepts options to configure
-    # the safe list used when sanitizing html.
+    # Sanitizes both html and css via the safe lists found in
+    # Rails::HTML::Concern::Scrubber::SafeList
+    #
+    # SafeListSanitizer also accepts options to configure the safe list used when sanitizing html.
     # There's a class level option:
-    # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
-    # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
     #
-    # Tags and attributes can also be passed to +sanitize+.
-    # Passed options take precedence over the class level options.
+    #   Rails::HTML4::SafeListSanitizer.allowed_tags = %w(table tr td)
+    #   Rails::HTML4::SafeListSanitizer.allowed_attributes = %w(id class style)
+    #
+    # Tags and attributes can also be passed to +sanitize+.  Passed options take precedence over the
+    # class level options.
     #
     # === Examples
-    # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
     #
-    # Sanitize css doesn't take options
-    # safe_list_sanitizer.sanitize_css('background-color: #000;')
+    #   safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new
     #
-    # Default: sanitize via a extensive safe list of allowed elements
-    # safe_list_sanitizer.sanitize(@article.body)
+    #   # default: sanitize via a extensive safe list of allowed elements
+    #   safe_list_sanitizer.sanitize(@article.body)
     #
-    # Safe list via the supplied tags and attributes
-    # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
-    # attributes: %w(id class style))
+    #   # sanitize via the supplied tags and attributes
+    #   safe_list_sanitizer.sanitize(
+    #     @article.body,
+    #     tags: %w(table tr td),
+    #     attributes: %w(id class style),
+    #   )
     #
-    # Safe list via a custom scrubber
-    # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
-    class SafeListSanitizer < Sanitizer
-      class << self
-        attr_accessor :allowed_tags
-        attr_accessor :allowed_attributes
-      end
-      self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub
-        sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
-        acronym a img blockquote del ins))
-      self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
-
-      def initialize
-        @permit_scrubber = PermitScrubber.new
-      end
-
-      def sanitize(html, options = {})
-        return unless html
-        return html if html.empty?
-
-        loofah_fragment = Loofah.fragment(html)
+    #   # sanitize via a custom Loofah scrubber
+    #   safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+    #
+    #   # prune nodes from the tree instead of stripping tags and leaving inner content
+    #   safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new(prune: true)
+    #
+    #   # the sanitizer can also sanitize CSS
+    #   safe_list_sanitizer.sanitize_css('background-color: #000;')
+    #
+    class SafeListSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML4
+      include HTML::Concern::Scrubber::SafeList
+      include HTML::Concern::Serializer::UTF8Encode
+    end
+  end
 
-        if scrubber = options[:scrubber]
-          # No duck typing, Loofah ensures subclass of Loofah::Scrubber
-          loofah_fragment.scrub!(scrubber)
-        elsif allowed_tags(options) || allowed_attributes(options)
-          @permit_scrubber.tags = allowed_tags(options)
-          @permit_scrubber.attributes = allowed_attributes(options)
-          loofah_fragment.scrub!(@permit_scrubber)
-        else
-          remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
-          loofah_fragment.scrub!(:strip)
+  module HTML5
+    class Sanitizer
+      class << self
+        def full_sanitizer
+          Rails::HTML5::FullSanitizer
         end
 
-        properly_encode(loofah_fragment, encoding: 'UTF-8')
-      end
-
-      def sanitize_css(style_string)
-        Loofah::HTML5::Scrub.scrub_css(style_string)
-      end
-
-      private
-
-      def loofah_using_html5?
-        # future-proofing, see https://github.com/flavorjones/loofah/pull/239
-        Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
-      end
+        def link_sanitizer
+          Rails::HTML5::LinkSanitizer
+        end
 
-      def remove_safelist_tag_combinations(tags)
-        if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
-          warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
-          tags.delete("style")
+        def safe_list_sanitizer
+          Rails::HTML5::SafeListSanitizer
         end
-        tags
-      end
 
-      def allowed_tags(options)
-        if options[:tags]
-          remove_safelist_tag_combinations(options[:tags])
-        else
-          self.class.allowed_tags
+        def white_list_sanitizer # :nodoc:
+          safe_list_sanitizer
         end
       end
+    end
 
-      def allowed_attributes(options)
-        options[:attributes] || self.class.allowed_attributes
-      end
+    # == Rails::HTML5::FullSanitizer
+    #
+    # Removes all tags from HTML5 but strips out scripts, forms and comments.
+    #
+    #   full_sanitizer = Rails::HTML5::FullSanitizer.new
+    #   full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+    #   # => "Bold no more!  See more here..."
+    #
+    class FullSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::Full
+      include HTML::Concern::Serializer::UTF8Encode
+    end
+
+    # == Rails::HTML5::LinkSanitizer
+    #
+    # Removes +a+ tags and +href+ attributes from HTML5 leaving only the link text.
+    #
+    #   link_sanitizer = Rails::HTML5::LinkSanitizer.new
+    #   link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    #   # => "Only the link text will be kept."
+    #
+    class LinkSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::Link
+      include HTML::Concern::Serializer::UTF8Encode
+    end
+
+    # == Rails::HTML5::SafeListSanitizer
+    #
+    # Sanitizes HTML5 and CSS from an extensive safe list.
+    #
+    # === Whitespace
+    #
+    # We can't make any guarantees about whitespace being kept or stripped.  Loofah uses Nokogiri,
+    # which wraps either a C or Java parser for the respective Ruby implementation.  Those two
+    # parsers determine how whitespace is ultimately handled.
+    #
+    # When the stripped markup will be rendered the users browser won't take whitespace into account
+    # anyway. It might be better to suggest your users wrap their whitespace sensitive content in
+    # pre tags or that you do so automatically.
+    #
+    # === Options
+    #
+    # Sanitizes both html and css via the safe lists found in
+    # Rails::HTML::Concern::Scrubber::SafeList
+    #
+    # SafeListSanitizer also accepts options to configure the safe list used when sanitizing html.
+    # There's a class level option:
+    #
+    #   Rails::HTML5::SafeListSanitizer.allowed_tags = %w(table tr td)
+    #   Rails::HTML5::SafeListSanitizer.allowed_attributes = %w(id class style)
+    #
+    # Tags and attributes can also be passed to +sanitize+.  Passed options take precedence over the
+    # class level options.
+    #
+    # === Examples
+    #
+    #   safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new
+    #
+    #   # default: sanitize via a extensive safe list of allowed elements
+    #   safe_list_sanitizer.sanitize(@article.body)
+    #
+    #   # sanitize via the supplied tags and attributes
+    #   safe_list_sanitizer.sanitize(
+    #     @article.body,
+    #     tags: %w(table tr td),
+    #     attributes: %w(id class style),
+    #   )
+    #
+    #   # sanitize via a custom Loofah scrubber
+    #   safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+    #
+    #   # prune nodes from the tree instead of stripping tags and leaving inner content
+    #   safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)
+    #
+    #   # the sanitizer can also sanitize CSS
+    #   safe_list_sanitizer.sanitize_css('background-color: #000;')
+    #
+    class SafeListSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::SafeList
+      include HTML::Concern::Serializer::UTF8Encode
     end
+  end if Rails::HTML::Sanitizer.html5_support?
 
-    WhiteListSanitizer = SafeListSanitizer
+  module HTML
+    Sanitizer.extend(HTML4::Sanitizer::VendorMethods) # :nodoc:
+    FullSanitizer = HTML4::FullSanitizer # :nodoc:
+    LinkSanitizer = HTML4::LinkSanitizer # :nodoc:
+    SafeListSanitizer = HTML4::SafeListSanitizer # :nodoc:
+    WhiteListSanitizer = SafeListSanitizer # :nodoc:
   end
 end