rails-html-sanitizer 1.4.4 → 1.6.0.rc1

@@ -1,11 +1,16 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require "minitest/autorun"
2
4
  require "rails-html-sanitizer"
3
5
 
4
6
  class ScrubberTest < Minitest::Test
5
7
  protected
8
+ def scrub_fragment(html)
9
+ Loofah.scrub_fragment(html, @scrubber).to_s
10
+ end
6
11
 
7
12
  def assert_scrubbed(html, expected = html)
8
- output = Loofah.scrub_fragment(html, @scrubber).to_s
13
+ output = scrub_fragment(html)
9
14
  assert_equal expected, output
10
15
  end
11
16
 
@@ -28,9 +33,8 @@ class ScrubberTest < Minitest::Test
28
33
  end
29
34
 
30
35
  class PermitScrubberTest < ScrubberTest
31
-
32
36
  def setup
33
- @scrubber = Rails::Html::PermitScrubber.new
37
+ @scrubber = Rails::HTML::PermitScrubber.new
34
38
  end
35
39
 
36
40
  def test_responds_to_scrub
@@ -38,44 +42,60 @@ class PermitScrubberTest < ScrubberTest
38
42
  end
39
43
 
40
44
  def test_default_scrub_behavior
41
- assert_scrubbed '<tag>hello</tag>', 'hello'
45
+ assert_scrubbed "<tag>hello</tag>", "hello"
42
46
  end
43
47
 
44
48
  def test_default_scrub_removes_comments
45
- assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
46
- '<div>one</div><span>three</span>')
49
+ assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
50
+ "<div>one</div><span>three</span>")
47
51
  end
48
52
 
49
53
  def test_default_scrub_removes_processing_instructions
50
- assert_scrubbed('<div>one</div><?div two><span>three</span>',
51
- '<div>one</div><span>three</span>')
54
+ input = "<div>one</div><?div two><span>three</span>"
55
+ result = scrub_fragment(input)
56
+
57
+ acceptable_results = [
58
+ # jruby cyberneko (nokogiri < 1.14.0)
59
+ "<div>one</div>",
60
+ # everything else
61
+ "<div>one</div><span>three</span>",
62
+ ]
63
+
64
+ assert_includes(acceptable_results, result)
52
65
  end
53
66
 
54
67
  def test_default_attributes_removal_behavior
55
- assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
68
+ assert_scrubbed '<p cooler="hello">hello</p>', "<p>hello</p>"
56
69
  end
57
70
 
58
71
  def test_leaves_supplied_tags
59
72
  @scrubber.tags = %w(a)
60
- assert_scrubbed '<a>hello</a>'
73
+ assert_scrubbed "<a>hello</a>"
61
74
  end
62
75
 
63
76
  def test_leaves_only_supplied_tags
64
- html = '<tag>leave me <span>now</span></tag>'
77
+ html = "<tag>leave me <span>now</span></tag>"
65
78
  @scrubber.tags = %w(tag)
66
- assert_scrubbed html, '<tag>leave me now</tag>'
79
+ assert_scrubbed html, "<tag>leave me now</tag>"
80
+ end
81
+
82
+ def test_prunes_tags
83
+ @scrubber = Rails::HTML::PermitScrubber.new(prune: true)
84
+ @scrubber.tags = %w(tag)
85
+ html = "<tag>leave me <span>now</span></tag>"
86
+ assert_scrubbed html, "<tag>leave me </tag>"
67
87
  end
68
88
 
69
89
  def test_leaves_comments_when_supplied_as_tag
70
90
  @scrubber.tags = %w(div comment)
71
- assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
72
- '<div>one</div><!-- two -->three')
91
+ assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
92
+ "<div>one</div><!-- two -->three")
73
93
  end
74
94
 
75
95
  def test_leaves_only_supplied_tags_nested
76
- html = '<tag>leave <em>me <span>now</span></em></tag>'
96
+ html = "<tag>leave <em>me <span>now</span></em></tag>"
77
97
  @scrubber.tags = %w(tag)
78
- assert_scrubbed html, '<tag>leave me now</tag>'
98
+ assert_scrubbed html, "<tag>leave me now</tag>"
79
99
  end
80
100
 
81
101
  def test_leaves_supplied_attributes
@@ -102,16 +122,16 @@ class PermitScrubberTest < ScrubberTest
102
122
  end
103
123
 
104
124
  def test_leaves_text
105
- assert_scrubbed('some text')
125
+ assert_scrubbed("some text")
106
126
  end
107
127
 
108
128
  def test_skips_text_nodes
109
- assert_node_skipped('some text')
129
+ assert_node_skipped("some text")
110
130
  end
111
131
 
112
132
  def test_tags_accessor_validation
113
133
  e = assert_raises(ArgumentError) do
114
- @scrubber.tags = 'tag'
134
+ @scrubber.tags = "tag"
115
135
  end
116
136
 
117
137
  assert_equal "You should pass :tags as an Enumerable", e.message
@@ -120,7 +140,7 @@ class PermitScrubberTest < ScrubberTest
120
140
 
121
141
  def test_attributes_accessor_validation
122
142
  e = assert_raises(ArgumentError) do
123
- @scrubber.attributes = 'cooler'
143
+ @scrubber.attributes = "cooler"
124
144
  end
125
145
 
126
146
  assert_equal "You should pass :attributes as an Enumerable", e.message
@@ -130,19 +150,19 @@ end
130
150
 
131
151
  class TargetScrubberTest < ScrubberTest
132
152
  def setup
133
- @scrubber = Rails::Html::TargetScrubber.new
153
+ @scrubber = Rails::HTML::TargetScrubber.new
134
154
  end
135
155
 
136
156
  def test_targeting_tags_removes_only_them
137
157
  @scrubber.tags = %w(a h1)
138
- html = '<script></script><a></a><h1></h1>'
139
- assert_scrubbed html, '<script></script>'
158
+ html = "<script></script><a></a><h1></h1>"
159
+ assert_scrubbed html, "<script></script>"
140
160
  end
141
161
 
142
162
  def test_targeting_tags_removes_only_them_nested
143
163
  @scrubber.tags = %w(a)
144
- html = '<tag><a><tag><a></a></tag></a></tag>'
145
- assert_scrubbed html, '<tag><tag></tag></tag>'
164
+ html = "<tag><a><tag><a></a></tag></a></tag>"
165
+ assert_scrubbed html, "<tag><tag></tag></tag>"
146
166
  end
147
167
 
148
168
  def test_targeting_attributes_removes_only_them
@@ -157,24 +177,31 @@ class TargetScrubberTest < ScrubberTest
157
177
  html = '<tag remove="" other=""></tag><a remove="" other=""></a>'
158
178
  assert_scrubbed html, '<a other=""></a>'
159
179
  end
180
+
181
+ def test_prunes_tags
182
+ @scrubber = Rails::HTML::TargetScrubber.new(prune: true)
183
+ @scrubber.tags = %w(span)
184
+ html = "<tag>leave me <span>now</span></tag>"
185
+ assert_scrubbed html, "<tag>leave me </tag>"
186
+ end
160
187
  end
161
188
 
162
189
  class TextOnlyScrubberTest < ScrubberTest
163
190
  def setup
164
- @scrubber = Rails::Html::TextOnlyScrubber.new
191
+ @scrubber = Rails::HTML::TextOnlyScrubber.new
165
192
  end
166
193
 
167
194
  def test_removes_all_tags_and_keep_the_content
168
- assert_scrubbed '<tag>hello</tag>', 'hello'
195
+ assert_scrubbed "<tag>hello</tag>", "hello"
169
196
  end
170
197
 
171
198
  def test_skips_text_nodes
172
- assert_node_skipped('some text')
199
+ assert_node_skipped("some text")
173
200
  end
174
201
  end
175
202
 
176
203
  class ReturningStopFromScrubNodeTest < ScrubberTest
177
- class ScrubStopper < Rails::Html::PermitScrubber
204
+ class ScrubStopper < Rails::HTML::PermitScrubber
178
205
  def scrub_node(node)
179
206
  Loofah::Scrubber::STOP
180
207
  end
@@ -185,6 +212,6 @@ class ReturningStopFromScrubNodeTest < ScrubberTest
185
212
  end
186
213
 
187
214
  def test_returns_stop_from_scrub_if_scrub_node_does
188
- assert_scrub_stopped '<script>remove me</script>'
215
+ assert_scrub_stopped "<script>remove me</script>"
189
216
  end
190
217
  end
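--- a/metadata
+++ b/metadata
@@ -1,15 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-version: 1.4.4
+version: 1.6.0.rc1
 platform: ruby
 authors:
 - Rafael Mendonça França
 - Kasper Timm Hansen
+- Mike Dalessio
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-13 00:00:00.000000000 Z
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: loofah
@@ -17,80 +18,33 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.19'
-- - ">="
-- !ruby/object:Gem::Version
-version: 2.19.1
+version: '2.21'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.19'
-- - ">="
-- !ruby/object:Gem::Version
-version: 2.19.1
-- !ruby/object:Gem::Dependency
-name: bundler
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.3'
-type: :development
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.3'
-- !ruby/object:Gem::Dependency
-name: rake
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
-type: :development
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
+version: '2.21'
 - !ruby/object:Gem::Dependency
-name: minitest
+name: nokogiri
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
-type: :development
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
-- !ruby/object:Gem::Dependency
-name: rails-dom-testing
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
+- - "~>"
 - !ruby/object:Gem::Version
-version: '0'
-type: :development
+version: '1.14'
+type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
+- - "~>"
 - !ruby/object:Gem::Version
-version: '0'
+version: '1.14'
 description: HTML sanitization for Rails applications
 email:
 - rafaelmfranca@gmail.com
 - kaspth@gmail.com
+- mike.dalessio@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -102,6 +56,7 @@ files:
 - lib/rails/html/sanitizer.rb
 - lib/rails/html/sanitizer/version.rb
 - lib/rails/html/scrubbers.rb
+- test/rails_api_test.rb
 - test/sanitizer_test.rb
 - test/scrubbers_test.rb
 homepage: https://github.com/rails/rails-html-sanitizer
@@ -109,9 +64,9 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.4/CHANGELOG.md
-documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.4
-source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.4
+changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0.rc1/CHANGELOG.md
+documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0.rc1
+source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0.rc1
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -120,17 +75,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '0'
+version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
+- - ">"
 - !ruby/object:Gem::Version
-version: '0'
+version: 1.3.1
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
+- test/rails_api_test.rb
 - test/sanitizer_test.rb
 - test/scrubbers_test.rb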