RubyGems - rails-html-sanitizer - Versions diffs - 1.5.0 → 1.6.0.rc1 - Mend

rails-html-sanitizer 1.5.0 → 1.6.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +58 -0
data/MIT-LICENSE +1 -1
data/README.md +95 -48
data/lib/rails/html/sanitizer/version.rb +4 -2
data/lib/rails/html/sanitizer.rb +367 -104
data/lib/rails/html/scrubbers.rb +70 -69
data/lib/rails-html-sanitizer.rb +7 -23
data/test/rails_api_test.rb +74 -0
data/test/sanitizer_test.rb +900 -590
data/test/scrubbers_test.rb +49 -36
metadata +21 -65

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 module Rails
-  module Html
-    # === Rails::Html::PermitScrubber
+  module HTML
+    # === Rails::HTML::PermitScrubber
     #
-    # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
+    # +Rails::HTML::PermitScrubber+ allows you to permit only your own tags and/or attributes.
     #
-    # +Rails::Html::PermitScrubber+ can be subclassed to determine:
+    # +Rails::HTML::PermitScrubber+ can be subclassed to determine:
     # - When a node should be skipped via +skip_node?+.
     # - When a node is allowed via +allowed_node?+.
     # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,7 +29,7 @@ module Rails
     # If set, attributes excluded will be removed.
     # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
     #
-    #  class CommentScrubber < Html::PermitScrubber
+    #  class CommentScrubber < Rails::HTML::PermitScrubber
     #    def initialize
     #      super
     #      self.tags = %w(form script comment blockquote)
@@ -77,90 +79,89 @@ module Rails
       end
       protected
+        def allowed_node?(node)
+          @tags.include?(node.name)
+        end
-      def allowed_node?(node)
-        @tags.include?(node.name)
-      end
+        def skip_node?(node)
+          node.text?
+        end
-      def skip_node?(node)
-        node.text?
-      end
+        def scrub_attribute?(name)
+          !@attributes.include?(name)
+        end
-      def scrub_attribute?(name)
-        !@attributes.include?(name)
-      end
+        def keep_node?(node)
+          if @tags
+            allowed_node?(node)
+          else
+            Loofah::HTML5::Scrub.allowed_element?(node.name)
+          end
+        end
-      def keep_node?(node)
-        if @tags
-          allowed_node?(node)
-        else
-          Loofah::HTML5::Scrub.allowed_element?(node.name)
+        def scrub_node(node)
+          node.before(node.children) unless prune # strip
+          node.remove
         end
-      end
-      def scrub_node(node)
-        node.before(node.children) unless prune # strip
-        node.remove
-      end
+        def scrub_attributes(node)
+          if @attributes
+            node.attribute_nodes.each do |attr|
+              attr.remove if scrub_attribute?(attr.name)
+              scrub_attribute(node, attr)
+            end
-      def scrub_attributes(node)
-        if @attributes
-          node.attribute_nodes.each do |attr|
-            attr.remove if scrub_attribute?(attr.name)
-            scrub_attribute(node, attr)
+            scrub_css_attribute(node)
+          else
+            Loofah::HTML5::Scrub.scrub_attributes(node)
           end
-          scrub_css_attribute(node)
-        else
-          Loofah::HTML5::Scrub.scrub_attributes(node)
         end
-      end
-      def scrub_css_attribute(node)
-        if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
-          Loofah::HTML5::Scrub.scrub_css_attribute(node)
-        else
-          style = node.attributes['style']
-          style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
+        def scrub_css_attribute(node)
+          if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
+            Loofah::HTML5::Scrub.scrub_css_attribute(node)
+          else
+            style = node.attributes["style"]
+            style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
+          end
         end
-      end
-      def validate!(var, name)
-        if var && !var.is_a?(Enumerable)
-          raise ArgumentError, "You should pass :#{name} as an Enumerable"
+        def validate!(var, name)
+          if var && !var.is_a?(Enumerable)
+            raise ArgumentError, "You should pass :#{name} as an Enumerable"
+          end
+          var
         end
-        var
-      end
-      def scrub_attribute(node, attr_node)
-        attr_name = if attr_node.namespace
-                      "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
-                    else
-                      attr_node.node_name
-                    end
+        def scrub_attribute(node, attr_node)
+          attr_name = if attr_node.namespace
+            "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+          else
+            attr_node.node_name
+          end
-        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
-          return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
-        end
+          if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
+            return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
+          end
-        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-          Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
-        end
+          if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+            Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
+          end
-        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
-          attr_node.remove
-        end
+          if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
+            attr_node.remove
+          end
-        node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
+          node.remove_attribute(attr_node.name) if attr_name == "src" && attr_node.value !~ /[^[:space:]]/
-        Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
-      end
+          Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
+        end
     end
-    # === Rails::Html::TargetScrubber
+    # === Rails::HTML::TargetScrubber
     #
-    # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
-    # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
+    # Where +Rails::HTML::PermitScrubber+ picks out tags and attributes to permit in
+    # sanitization, +Rails::HTML::TargetScrubber+ targets them for removal.
     #
     # +tags=+
     # If set, elements included will be stripped.
@@ -177,9 +178,9 @@ module Rails
       end
     end
-    # === Rails::Html::TextOnlyScrubber
+    # === Rails::HTML::TextOnlyScrubber
     #
-    # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
+    # +Rails::HTML::TextOnlyScrubber+ allows you to permit text nodes.
     #
     # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
     class TextOnlyScrubber < Loofah::Scrubber

data/lib/rails-html-sanitizer.rb CHANGED Viewed

@@ -1,30 +1,14 @@
-require "rails/html/sanitizer/version"
-require "loofah"
-require "rails/html/scrubbers"
-require "rails/html/sanitizer"
+# frozen_string_literal: true
-module Rails
-  module Html
-    class Sanitizer
-      class << self
-        def full_sanitizer
-          Html::FullSanitizer
-        end
+require_relative "rails/html/sanitizer/version"
-        def link_sanitizer
-          Html::LinkSanitizer
-        end
+require "loofah"
-        def safe_list_sanitizer
-          Html::SafeListSanitizer
-        end
+require_relative "rails/html/scrubbers"
+require_relative "rails/html/sanitizer"
-        def white_list_sanitizer
-          safe_list_sanitizer
-        end
-      end
-    end
-  end
+module Rails
+  Html = HTML # :nodoc:
 end
 module ActionView

data/test/rails_api_test.rb ADDED Viewed

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+require "minitest/autorun"
+require "rails-html-sanitizer"
+class RailsApiTest < Minitest::Test
+  def test_html_module_name_alias
+    assert_equal(Rails::Html, Rails::HTML)
+    assert_equal("Rails::HTML", Rails::Html.name)
+    assert_equal("Rails::HTML", Rails::HTML.name)
+  end
+  def test_html_scrubber_class_names
+    assert(Rails::Html::PermitScrubber)
+    assert(Rails::Html::TargetScrubber)
+    assert(Rails::Html::TextOnlyScrubber)
+    assert(Rails::Html::Sanitizer)
+  end
+  def test_html4_sanitizer_alias_full
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer)
+    assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name)
+  end
+  def test_html4_sanitizer_alias_link
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer)
+    assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name)
+  end
+  def test_html4_sanitizer_alias_safe_list
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer)
+    assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name)
+  end
+  def test_html4_full_sanitizer
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer)
+    assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer)
+  end
+  def test_html4_link_sanitizer
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer)
+    assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML4::Sanitizer.link_sanitizer)
+  end
+  def test_html4_safe_list_sanitizer
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer)
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer)
+  end
+  def test_html4_white_list_sanitizer
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer)
+    assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer)
+  end
+  def test_html5_full_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer)
+  end
+  def test_html5_link_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer)
+  end
+  def test_html5_safe_list_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer)
+  end
+  def test_html5_white_list_sanitizer
+    skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
+    assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer)
+  end
+end