RubyGems - rails-html-sanitizer - Versions diffs - 1.4.3 → 1.6.0 - Mend

rails-html-sanitizer 1.4.3 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rails-html-sanitizer might be problematic. Click here for more details.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +114 -0
data/MIT-LICENSE +1 -1
data/README.md +163 -34
data/lib/rails/html/sanitizer/version.rb +4 -2
data/lib/rails/html/sanitizer.rb +371 -121
data/lib/rails/html/scrubbers.rb +78 -78
data/lib/rails-html-sanitizer.rb +7 -23
data/test/rails_api_test.rb +88 -0
data/test/sanitizer_test.rb +925 -505
data/test/scrubbers_test.rb +57 -30
metadata +19 -57

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 module Rails
-  module Html
-    # === Rails::Html::PermitScrubber
+  module HTML
+    # === Rails::HTML::PermitScrubber
     #
-    # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
+    # +Rails::HTML::PermitScrubber+ allows you to permit only your own tags and/or attributes.
     #
-    # +Rails::Html::PermitScrubber+ can be subclassed to determine:
+    # +Rails::HTML::PermitScrubber+ can be subclassed to determine:
     # - When a node should be skipped via +skip_node?+.
     # - When a node is allowed via +allowed_node?+.
     # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,7 +29,7 @@ module Rails
     # If set, attributes excluded will be removed.
     # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
     #
-    #  class CommentScrubber < Html::PermitScrubber
+    #  class CommentScrubber < Rails::HTML::PermitScrubber
     #    def initialize
     #      super
     #      self.tags = %w(form script comment blockquote)
@@ -45,10 +47,11 @@ module Rails
     # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
     # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
     class PermitScrubber < Loofah::Scrubber
-      attr_reader :tags, :attributes
+      attr_reader :tags, :attributes, :prune
-      def initialize
-        @direction = :bottom_up
+      def initialize(prune: false)
+        @prune = prune
+        @direction = @prune ? :top_down : :bottom_up
         @tags, @attributes = nil, nil
       end
@@ -61,9 +64,9 @@ module Rails
       end
       def scrub(node)
-        if node.cdata?
-          text = node.document.create_text_node node.text
-          node.replace text
+        if Loofah::HTML5::Scrub.cdata_needs_escaping?(node)
+          replacement = Loofah::HTML5::Scrub.cdata_escape(node)
+          node.replace(replacement)
           return CONTINUE
         end
         return CONTINUE if skip_node?(node)
@@ -76,92 +79,89 @@ module Rails
       end
       protected
+        def allowed_node?(node)
+          @tags.include?(node.name)
+        end
-      def allowed_node?(node)
-        @tags.include?(node.name)
-      end
+        def skip_node?(node)
+          node.text?
+        end
-      def skip_node?(node)
-        node.text?
-      end
+        def scrub_attribute?(name)
+          !@attributes.include?(name)
+        end
-      def scrub_attribute?(name)
-        !@attributes.include?(name)
-      end
+        def keep_node?(node)
+          if @tags
+            allowed_node?(node)
+          else
+            Loofah::HTML5::Scrub.allowed_element?(node.name)
+          end
+        end
-      def keep_node?(node)
-        if @tags
-          allowed_node?(node)
-        else
-          Loofah::HTML5::Scrub.allowed_element?(node.name)
+        def scrub_node(node)
+          node.before(node.children) unless prune # strip
+          node.remove
         end
-      end
-      def scrub_node(node)
-        node.before(node.children) # strip
-        node.remove
-      end
+        def scrub_attributes(node)
+          if @attributes
+            node.attribute_nodes.each do |attr|
+              attr.remove if scrub_attribute?(attr.name)
+              scrub_attribute(node, attr)
+            end
-      def scrub_attributes(node)
-        if @attributes
-          node.attribute_nodes.each do |attr|
-            attr.remove if scrub_attribute?(attr.name)
-            scrub_attribute(node, attr)
+            scrub_css_attribute(node)
+          else
+            Loofah::HTML5::Scrub.scrub_attributes(node)
           end
-          scrub_css_attribute(node)
-        else
-          Loofah::HTML5::Scrub.scrub_attributes(node)
         end
-      end
-      def scrub_css_attribute(node)
-        if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
-          Loofah::HTML5::Scrub.scrub_css_attribute(node)
-        else
-          style = node.attributes['style']
-          style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
+        def scrub_css_attribute(node)
+          if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
+            Loofah::HTML5::Scrub.scrub_css_attribute(node)
+          else
+            style = node.attributes["style"]
+            style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
+          end
         end
-      end
-      def validate!(var, name)
-        if var && !var.is_a?(Enumerable)
-          raise ArgumentError, "You should pass :#{name} as an Enumerable"
+        def validate!(var, name)
+          if var && !var.is_a?(Enumerable)
+            raise ArgumentError, "You should pass :#{name} as an Enumerable"
+          end
+          var
         end
-        var
-      end
-      def scrub_attribute(node, attr_node)
-        attr_name = if attr_node.namespace
-                      "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
-                    else
-                      attr_node.node_name
-                    end
-        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
-          # this block lifted nearly verbatim from HTML5 sanitization
-          val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
+        def scrub_attribute(node, attr_node)
+          attr_name = if attr_node.namespace
+            "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+          else
+            attr_node.node_name
+          end
+          if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
+            return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
+          end
+          if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+            Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
+          end
+          if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
             attr_node.remove
           end
-        end
-        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-          attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
-        end
-        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
-          attr_node.remove
-        end
-        node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
+          node.remove_attribute(attr_node.name) if attr_name == "src" && attr_node.value !~ /[^[:space:]]/
-        Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
-      end
+          Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
+        end
     end
-    # === Rails::Html::TargetScrubber
+    # === Rails::HTML::TargetScrubber
     #
-    # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
-    # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
+    # Where +Rails::HTML::PermitScrubber+ picks out tags and attributes to permit in
+    # sanitization, +Rails::HTML::TargetScrubber+ targets them for removal.
     #
     # +tags=+
     # If set, elements included will be stripped.
@@ -178,9 +178,9 @@ module Rails
       end
     end
-    # === Rails::Html::TextOnlyScrubber
+    # === Rails::HTML::TextOnlyScrubber
     #
-    # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
+    # +Rails::HTML::TextOnlyScrubber+ allows you to permit text nodes.
     #
     # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
     class TextOnlyScrubber < Loofah::Scrubber

data/lib/rails-html-sanitizer.rb CHANGED Viewed

@@ -1,30 +1,14 @@
-require "rails/html/sanitizer/version"
-require "loofah"
-require "rails/html/scrubbers"
-require "rails/html/sanitizer"
+# frozen_string_literal: true
-module Rails
-  module Html
-    class Sanitizer
-      class << self
-        def full_sanitizer
-          Html::FullSanitizer
-        end
+require_relative "rails/html/sanitizer/version"
-        def link_sanitizer
-          Html::LinkSanitizer
-        end
+require "loofah"
-        def safe_list_sanitizer
-          Html::SafeListSanitizer
-        end
+require_relative "rails/html/scrubbers"
+require_relative "rails/html/sanitizer"
-        def white_list_sanitizer
-          safe_list_sanitizer
-        end
-      end
-    end
-  end
+module Rails
+  Html = HTML # :nodoc:
 end
 module ActionView

data/test/rails_api_test.rb ADDED Viewed

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+require "minitest/autorun"
+require "rails-html-sanitizer"
+class RailsApiTest < Minitest::Test
+  def test_html_module_name_alias
+    assert_equal(Rails::Html, Rails::HTML)
+    assert_equal("Rails::HTML", Rails::Html.name)
+    assert_equal("Rails::HTML", Rails::HTML.name)
+  end
+  def test_html_scrubber_class_names
+    assert(Rails::Html::PermitScrubber)
+    assert(Rails::Html::TargetScrubber)
+    assert(Rails::Html::TextOnlyScrubber)
+    assert(Rails::Html::Sanitizer)
+  end
+  def test_best_supported_vendor_when_html5_is_not_supported_returns_html4
+    Rails::HTML::Sanitizer.stub(:html5_support?, false) do
+      assert_equal(Rails::HTML4::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
+    end
+  end
+  def test_best_supported_vendor_when_html5_is_supported_returns_html5
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    Rails::HTML::Sanitizer.stub(:html5_support?, true) do
+      assert_equal(Rails::HTML5::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
+    end
+  end
+  def test_html4_sanitizer_alias_full
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer)
+    assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name)
+  end
+  def test_html4_sanitizer_alias_link
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer)
+    assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name)
+  end
+  def test_html4_sanitizer_alias_safe_list
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer)
+    assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name)
+  end
+  def test_html4_full_sanitizer
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer)
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer)
+  end
+  def test_html4_link_sanitizer
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer)
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML4::Sanitizer.link_sanitizer)
+  end
+  def test_html4_safe_list_sanitizer
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer)
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer)
+  end
+  def test_html4_white_list_sanitizer
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer)
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer)
+  end
+  def test_html5_full_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer)
+  end
+  def test_html5_link_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer)
+  end
+  def test_html5_safe_list_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer)
+  end
+  def test_html5_white_list_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer)
+  end
+end