rails-html-sanitizer 1.4.3 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +114 -0
- data/MIT-LICENSE +1 -1
- data/README.md +163 -34
- data/lib/rails/html/sanitizer/version.rb +4 -2
- data/lib/rails/html/sanitizer.rb +371 -121
- data/lib/rails/html/scrubbers.rb +78 -78
- data/lib/rails-html-sanitizer.rb +7 -23
- data/test/rails_api_test.rb +88 -0
- data/test/sanitizer_test.rb +925 -505
- data/test/scrubbers_test.rb +57 -30
- metadata +19 -57
data/test/scrubbers_test.rb
CHANGED
|
@@ -1,11 +1,16 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require "minitest/autorun"
|
|
2
4
|
require "rails-html-sanitizer"
|
|
3
5
|
|
|
4
6
|
class ScrubberTest < Minitest::Test
|
|
5
7
|
protected
|
|
8
|
+
def scrub_fragment(html)
|
|
9
|
+
Loofah.scrub_fragment(html, @scrubber).to_s
|
|
10
|
+
end
|
|
6
11
|
|
|
7
12
|
def assert_scrubbed(html, expected = html)
|
|
8
|
-
output =
|
|
13
|
+
output = scrub_fragment(html)
|
|
9
14
|
assert_equal expected, output
|
|
10
15
|
end
|
|
11
16
|
|
|
@@ -28,9 +33,8 @@ class ScrubberTest < Minitest::Test
|
|
|
28
33
|
end
|
|
29
34
|
|
|
30
35
|
class PermitScrubberTest < ScrubberTest
|
|
31
|
-
|
|
32
36
|
def setup
|
|
33
|
-
@scrubber = Rails::
|
|
37
|
+
@scrubber = Rails::HTML::PermitScrubber.new
|
|
34
38
|
end
|
|
35
39
|
|
|
36
40
|
def test_responds_to_scrub
|
|
@@ -38,44 +42,60 @@ class PermitScrubberTest < ScrubberTest
|
|
|
38
42
|
end
|
|
39
43
|
|
|
40
44
|
def test_default_scrub_behavior
|
|
41
|
-
assert_scrubbed
|
|
45
|
+
assert_scrubbed "<tag>hello</tag>", "hello"
|
|
42
46
|
end
|
|
43
47
|
|
|
44
48
|
def test_default_scrub_removes_comments
|
|
45
|
-
assert_scrubbed(
|
|
46
|
-
|
|
49
|
+
assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
|
|
50
|
+
"<div>one</div><span>three</span>")
|
|
47
51
|
end
|
|
48
52
|
|
|
49
53
|
def test_default_scrub_removes_processing_instructions
|
|
50
|
-
|
|
51
|
-
|
|
54
|
+
input = "<div>one</div><?div two><span>three</span>"
|
|
55
|
+
result = scrub_fragment(input)
|
|
56
|
+
|
|
57
|
+
acceptable_results = [
|
|
58
|
+
# jruby cyberneko (nokogiri < 1.14.0)
|
|
59
|
+
"<div>one</div>",
|
|
60
|
+
# everything else
|
|
61
|
+
"<div>one</div><span>three</span>",
|
|
62
|
+
]
|
|
63
|
+
|
|
64
|
+
assert_includes(acceptable_results, result)
|
|
52
65
|
end
|
|
53
66
|
|
|
54
67
|
def test_default_attributes_removal_behavior
|
|
55
|
-
assert_scrubbed '<p cooler="hello">hello</p>',
|
|
68
|
+
assert_scrubbed '<p cooler="hello">hello</p>', "<p>hello</p>"
|
|
56
69
|
end
|
|
57
70
|
|
|
58
71
|
def test_leaves_supplied_tags
|
|
59
72
|
@scrubber.tags = %w(a)
|
|
60
|
-
assert_scrubbed
|
|
73
|
+
assert_scrubbed "<a>hello</a>"
|
|
61
74
|
end
|
|
62
75
|
|
|
63
76
|
def test_leaves_only_supplied_tags
|
|
64
|
-
html =
|
|
77
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
65
78
|
@scrubber.tags = %w(tag)
|
|
66
|
-
assert_scrubbed html,
|
|
79
|
+
assert_scrubbed html, "<tag>leave me now</tag>"
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def test_prunes_tags
|
|
83
|
+
@scrubber = Rails::HTML::PermitScrubber.new(prune: true)
|
|
84
|
+
@scrubber.tags = %w(tag)
|
|
85
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
86
|
+
assert_scrubbed html, "<tag>leave me </tag>"
|
|
67
87
|
end
|
|
68
88
|
|
|
69
89
|
def test_leaves_comments_when_supplied_as_tag
|
|
70
90
|
@scrubber.tags = %w(div comment)
|
|
71
|
-
assert_scrubbed(
|
|
72
|
-
|
|
91
|
+
assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
|
|
92
|
+
"<div>one</div><!-- two -->three")
|
|
73
93
|
end
|
|
74
94
|
|
|
75
95
|
def test_leaves_only_supplied_tags_nested
|
|
76
|
-
html =
|
|
96
|
+
html = "<tag>leave <em>me <span>now</span></em></tag>"
|
|
77
97
|
@scrubber.tags = %w(tag)
|
|
78
|
-
assert_scrubbed html,
|
|
98
|
+
assert_scrubbed html, "<tag>leave me now</tag>"
|
|
79
99
|
end
|
|
80
100
|
|
|
81
101
|
def test_leaves_supplied_attributes
|
|
@@ -102,16 +122,16 @@ class PermitScrubberTest < ScrubberTest
|
|
|
102
122
|
end
|
|
103
123
|
|
|
104
124
|
def test_leaves_text
|
|
105
|
-
assert_scrubbed(
|
|
125
|
+
assert_scrubbed("some text")
|
|
106
126
|
end
|
|
107
127
|
|
|
108
128
|
def test_skips_text_nodes
|
|
109
|
-
assert_node_skipped(
|
|
129
|
+
assert_node_skipped("some text")
|
|
110
130
|
end
|
|
111
131
|
|
|
112
132
|
def test_tags_accessor_validation
|
|
113
133
|
e = assert_raises(ArgumentError) do
|
|
114
|
-
@scrubber.tags =
|
|
134
|
+
@scrubber.tags = "tag"
|
|
115
135
|
end
|
|
116
136
|
|
|
117
137
|
assert_equal "You should pass :tags as an Enumerable", e.message
|
|
@@ -120,7 +140,7 @@ class PermitScrubberTest < ScrubberTest
|
|
|
120
140
|
|
|
121
141
|
def test_attributes_accessor_validation
|
|
122
142
|
e = assert_raises(ArgumentError) do
|
|
123
|
-
@scrubber.attributes =
|
|
143
|
+
@scrubber.attributes = "cooler"
|
|
124
144
|
end
|
|
125
145
|
|
|
126
146
|
assert_equal "You should pass :attributes as an Enumerable", e.message
|
|
@@ -130,19 +150,19 @@ end
|
|
|
130
150
|
|
|
131
151
|
class TargetScrubberTest < ScrubberTest
|
|
132
152
|
def setup
|
|
133
|
-
@scrubber = Rails::
|
|
153
|
+
@scrubber = Rails::HTML::TargetScrubber.new
|
|
134
154
|
end
|
|
135
155
|
|
|
136
156
|
def test_targeting_tags_removes_only_them
|
|
137
157
|
@scrubber.tags = %w(a h1)
|
|
138
|
-
html =
|
|
139
|
-
assert_scrubbed html,
|
|
158
|
+
html = "<script></script><a></a><h1></h1>"
|
|
159
|
+
assert_scrubbed html, "<script></script>"
|
|
140
160
|
end
|
|
141
161
|
|
|
142
162
|
def test_targeting_tags_removes_only_them_nested
|
|
143
163
|
@scrubber.tags = %w(a)
|
|
144
|
-
html =
|
|
145
|
-
assert_scrubbed html,
|
|
164
|
+
html = "<tag><a><tag><a></a></tag></a></tag>"
|
|
165
|
+
assert_scrubbed html, "<tag><tag></tag></tag>"
|
|
146
166
|
end
|
|
147
167
|
|
|
148
168
|
def test_targeting_attributes_removes_only_them
|
|
@@ -157,24 +177,31 @@ class TargetScrubberTest < ScrubberTest
|
|
|
157
177
|
html = '<tag remove="" other=""></tag><a remove="" other=""></a>'
|
|
158
178
|
assert_scrubbed html, '<a other=""></a>'
|
|
159
179
|
end
|
|
180
|
+
|
|
181
|
+
def test_prunes_tags
|
|
182
|
+
@scrubber = Rails::HTML::TargetScrubber.new(prune: true)
|
|
183
|
+
@scrubber.tags = %w(span)
|
|
184
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
185
|
+
assert_scrubbed html, "<tag>leave me </tag>"
|
|
186
|
+
end
|
|
160
187
|
end
|
|
161
188
|
|
|
162
189
|
class TextOnlyScrubberTest < ScrubberTest
|
|
163
190
|
def setup
|
|
164
|
-
@scrubber = Rails::
|
|
191
|
+
@scrubber = Rails::HTML::TextOnlyScrubber.new
|
|
165
192
|
end
|
|
166
193
|
|
|
167
194
|
def test_removes_all_tags_and_keep_the_content
|
|
168
|
-
assert_scrubbed
|
|
195
|
+
assert_scrubbed "<tag>hello</tag>", "hello"
|
|
169
196
|
end
|
|
170
197
|
|
|
171
198
|
def test_skips_text_nodes
|
|
172
|
-
assert_node_skipped(
|
|
199
|
+
assert_node_skipped("some text")
|
|
173
200
|
end
|
|
174
201
|
end
|
|
175
202
|
|
|
176
203
|
class ReturningStopFromScrubNodeTest < ScrubberTest
|
|
177
|
-
class ScrubStopper < Rails::
|
|
204
|
+
class ScrubStopper < Rails::HTML::PermitScrubber
|
|
178
205
|
def scrub_node(node)
|
|
179
206
|
Loofah::Scrubber::STOP
|
|
180
207
|
end
|
|
@@ -185,6 +212,6 @@ class ReturningStopFromScrubNodeTest < ScrubberTest
|
|
|
185
212
|
end
|
|
186
213
|
|
|
187
214
|
def test_returns_stop_from_scrub_if_scrub_node_does
|
|
188
|
-
assert_scrub_stopped
|
|
215
|
+
assert_scrub_stopped "<script>remove me</script>"
|
|
189
216
|
end
|
|
190
217
|
end
|
metadata
CHANGED
|
@@ -1,15 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
8
8
|
- Kasper Timm Hansen
|
|
9
|
+
- Mike Dalessio
|
|
9
10
|
autorequire:
|
|
10
11
|
bindir: bin
|
|
11
12
|
cert_chain: []
|
|
12
|
-
date:
|
|
13
|
+
date: 2023-05-26 00:00:00.000000000 Z
|
|
13
14
|
dependencies:
|
|
14
15
|
- !ruby/object:Gem::Dependency
|
|
15
16
|
name: loofah
|
|
@@ -17,74 +18,33 @@ dependencies:
|
|
|
17
18
|
requirements:
|
|
18
19
|
- - "~>"
|
|
19
20
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: '2.
|
|
21
|
+
version: '2.21'
|
|
21
22
|
type: :runtime
|
|
22
23
|
prerelease: false
|
|
23
24
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
25
|
requirements:
|
|
25
26
|
- - "~>"
|
|
26
27
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: '2.
|
|
28
|
+
version: '2.21'
|
|
28
29
|
- !ruby/object:Gem::Dependency
|
|
29
|
-
name:
|
|
30
|
+
name: nokogiri
|
|
30
31
|
requirement: !ruby/object:Gem::Requirement
|
|
31
32
|
requirements:
|
|
32
|
-
- - "
|
|
33
|
-
- !ruby/object:Gem::Version
|
|
34
|
-
version: '1.3'
|
|
35
|
-
type: :development
|
|
36
|
-
prerelease: false
|
|
37
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
38
|
-
requirements:
|
|
39
|
-
- - ">="
|
|
40
|
-
- !ruby/object:Gem::Version
|
|
41
|
-
version: '1.3'
|
|
42
|
-
- !ruby/object:Gem::Dependency
|
|
43
|
-
name: rake
|
|
44
|
-
requirement: !ruby/object:Gem::Requirement
|
|
45
|
-
requirements:
|
|
46
|
-
- - ">="
|
|
47
|
-
- !ruby/object:Gem::Version
|
|
48
|
-
version: '0'
|
|
49
|
-
type: :development
|
|
50
|
-
prerelease: false
|
|
51
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
52
|
-
requirements:
|
|
53
|
-
- - ">="
|
|
54
|
-
- !ruby/object:Gem::Version
|
|
55
|
-
version: '0'
|
|
56
|
-
- !ruby/object:Gem::Dependency
|
|
57
|
-
name: minitest
|
|
58
|
-
requirement: !ruby/object:Gem::Requirement
|
|
59
|
-
requirements:
|
|
60
|
-
- - ">="
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '0'
|
|
63
|
-
type: :development
|
|
64
|
-
prerelease: false
|
|
65
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
66
|
-
requirements:
|
|
67
|
-
- - ">="
|
|
68
|
-
- !ruby/object:Gem::Version
|
|
69
|
-
version: '0'
|
|
70
|
-
- !ruby/object:Gem::Dependency
|
|
71
|
-
name: rails-dom-testing
|
|
72
|
-
requirement: !ruby/object:Gem::Requirement
|
|
73
|
-
requirements:
|
|
74
|
-
- - ">="
|
|
33
|
+
- - "~>"
|
|
75
34
|
- !ruby/object:Gem::Version
|
|
76
|
-
version: '
|
|
77
|
-
type: :
|
|
35
|
+
version: '1.14'
|
|
36
|
+
type: :runtime
|
|
78
37
|
prerelease: false
|
|
79
38
|
version_requirements: !ruby/object:Gem::Requirement
|
|
80
39
|
requirements:
|
|
81
|
-
- - "
|
|
40
|
+
- - "~>"
|
|
82
41
|
- !ruby/object:Gem::Version
|
|
83
|
-
version: '
|
|
42
|
+
version: '1.14'
|
|
84
43
|
description: HTML sanitization for Rails applications
|
|
85
44
|
email:
|
|
86
45
|
- rafaelmfranca@gmail.com
|
|
87
46
|
- kaspth@gmail.com
|
|
47
|
+
- mike.dalessio@gmail.com
|
|
88
48
|
executables: []
|
|
89
49
|
extensions: []
|
|
90
50
|
extra_rdoc_files: []
|
|
@@ -96,6 +56,7 @@ files:
|
|
|
96
56
|
- lib/rails/html/sanitizer.rb
|
|
97
57
|
- lib/rails/html/sanitizer/version.rb
|
|
98
58
|
- lib/rails/html/scrubbers.rb
|
|
59
|
+
- test/rails_api_test.rb
|
|
99
60
|
- test/sanitizer_test.rb
|
|
100
61
|
- test/scrubbers_test.rb
|
|
101
62
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
@@ -103,9 +64,9 @@ licenses:
|
|
|
103
64
|
- MIT
|
|
104
65
|
metadata:
|
|
105
66
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.
|
|
107
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.
|
|
108
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.
|
|
67
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0/CHANGELOG.md
|
|
68
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0
|
|
69
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0
|
|
109
70
|
post_install_message:
|
|
110
71
|
rdoc_options: []
|
|
111
72
|
require_paths:
|
|
@@ -114,17 +75,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
114
75
|
requirements:
|
|
115
76
|
- - ">="
|
|
116
77
|
- !ruby/object:Gem::Version
|
|
117
|
-
version:
|
|
78
|
+
version: 2.7.0
|
|
118
79
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
119
80
|
requirements:
|
|
120
81
|
- - ">="
|
|
121
82
|
- !ruby/object:Gem::Version
|
|
122
83
|
version: '0'
|
|
123
84
|
requirements: []
|
|
124
|
-
rubygems_version: 3.
|
|
85
|
+
rubygems_version: 3.4.10
|
|
125
86
|
signing_key:
|
|
126
87
|
specification_version: 4
|
|
127
88
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
128
89
|
test_files:
|
|
90
|
+
- test/rails_api_test.rb
|
|
129
91
|
- test/sanitizer_test.rb
|
|
130
92
|
- test/scrubbers_test.rb
|