rails-html-sanitizer 1.5.0 → 1.6.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +58 -0
- data/MIT-LICENSE +1 -1
- data/README.md +95 -48
- data/lib/rails/html/sanitizer/version.rb +4 -2
- data/lib/rails/html/sanitizer.rb +367 -104
- data/lib/rails/html/scrubbers.rb +70 -69
- data/lib/rails-html-sanitizer.rb +7 -23
- data/test/rails_api_test.rb +74 -0
- data/test/sanitizer_test.rb +900 -590
- data/test/scrubbers_test.rb +49 -36
- metadata +21 -65
data/test/scrubbers_test.rb
CHANGED
|
@@ -1,11 +1,16 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require "minitest/autorun"
|
|
2
4
|
require "rails-html-sanitizer"
|
|
3
5
|
|
|
4
6
|
class ScrubberTest < Minitest::Test
|
|
5
7
|
protected
|
|
8
|
+
def scrub_fragment(html)
|
|
9
|
+
Loofah.scrub_fragment(html, @scrubber).to_s
|
|
10
|
+
end
|
|
6
11
|
|
|
7
12
|
def assert_scrubbed(html, expected = html)
|
|
8
|
-
output =
|
|
13
|
+
output = scrub_fragment(html)
|
|
9
14
|
assert_equal expected, output
|
|
10
15
|
end
|
|
11
16
|
|
|
@@ -28,9 +33,8 @@ class ScrubberTest < Minitest::Test
|
|
|
28
33
|
end
|
|
29
34
|
|
|
30
35
|
class PermitScrubberTest < ScrubberTest
|
|
31
|
-
|
|
32
36
|
def setup
|
|
33
|
-
@scrubber = Rails::
|
|
37
|
+
@scrubber = Rails::HTML::PermitScrubber.new
|
|
34
38
|
end
|
|
35
39
|
|
|
36
40
|
def test_responds_to_scrub
|
|
@@ -38,51 +42,60 @@ class PermitScrubberTest < ScrubberTest
|
|
|
38
42
|
end
|
|
39
43
|
|
|
40
44
|
def test_default_scrub_behavior
|
|
41
|
-
assert_scrubbed
|
|
45
|
+
assert_scrubbed "<tag>hello</tag>", "hello"
|
|
42
46
|
end
|
|
43
47
|
|
|
44
48
|
def test_default_scrub_removes_comments
|
|
45
|
-
assert_scrubbed(
|
|
46
|
-
|
|
49
|
+
assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
|
|
50
|
+
"<div>one</div><span>three</span>")
|
|
47
51
|
end
|
|
48
52
|
|
|
49
53
|
def test_default_scrub_removes_processing_instructions
|
|
50
|
-
|
|
51
|
-
|
|
54
|
+
input = "<div>one</div><?div two><span>three</span>"
|
|
55
|
+
result = scrub_fragment(input)
|
|
56
|
+
|
|
57
|
+
acceptable_results = [
|
|
58
|
+
# jruby cyberneko (nokogiri < 1.14.0)
|
|
59
|
+
"<div>one</div>",
|
|
60
|
+
# everything else
|
|
61
|
+
"<div>one</div><span>three</span>",
|
|
62
|
+
]
|
|
63
|
+
|
|
64
|
+
assert_includes(acceptable_results, result)
|
|
52
65
|
end
|
|
53
66
|
|
|
54
67
|
def test_default_attributes_removal_behavior
|
|
55
|
-
assert_scrubbed '<p cooler="hello">hello</p>',
|
|
68
|
+
assert_scrubbed '<p cooler="hello">hello</p>', "<p>hello</p>"
|
|
56
69
|
end
|
|
57
70
|
|
|
58
71
|
def test_leaves_supplied_tags
|
|
59
72
|
@scrubber.tags = %w(a)
|
|
60
|
-
assert_scrubbed
|
|
73
|
+
assert_scrubbed "<a>hello</a>"
|
|
61
74
|
end
|
|
62
75
|
|
|
63
76
|
def test_leaves_only_supplied_tags
|
|
64
|
-
html =
|
|
77
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
65
78
|
@scrubber.tags = %w(tag)
|
|
66
|
-
assert_scrubbed html,
|
|
79
|
+
assert_scrubbed html, "<tag>leave me now</tag>"
|
|
67
80
|
end
|
|
68
81
|
|
|
69
82
|
def test_prunes_tags
|
|
70
|
-
@scrubber = Rails::
|
|
83
|
+
@scrubber = Rails::HTML::PermitScrubber.new(prune: true)
|
|
71
84
|
@scrubber.tags = %w(tag)
|
|
72
|
-
html =
|
|
73
|
-
assert_scrubbed html,
|
|
85
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
86
|
+
assert_scrubbed html, "<tag>leave me </tag>"
|
|
74
87
|
end
|
|
75
88
|
|
|
76
89
|
def test_leaves_comments_when_supplied_as_tag
|
|
77
90
|
@scrubber.tags = %w(div comment)
|
|
78
|
-
assert_scrubbed(
|
|
79
|
-
|
|
91
|
+
assert_scrubbed("<div>one</div><!-- two --><span>three</span>",
|
|
92
|
+
"<div>one</div><!-- two -->three")
|
|
80
93
|
end
|
|
81
94
|
|
|
82
95
|
def test_leaves_only_supplied_tags_nested
|
|
83
|
-
html =
|
|
96
|
+
html = "<tag>leave <em>me <span>now</span></em></tag>"
|
|
84
97
|
@scrubber.tags = %w(tag)
|
|
85
|
-
assert_scrubbed html,
|
|
98
|
+
assert_scrubbed html, "<tag>leave me now</tag>"
|
|
86
99
|
end
|
|
87
100
|
|
|
88
101
|
def test_leaves_supplied_attributes
|
|
@@ -109,16 +122,16 @@ class PermitScrubberTest < ScrubberTest
|
|
|
109
122
|
end
|
|
110
123
|
|
|
111
124
|
def test_leaves_text
|
|
112
|
-
assert_scrubbed(
|
|
125
|
+
assert_scrubbed("some text")
|
|
113
126
|
end
|
|
114
127
|
|
|
115
128
|
def test_skips_text_nodes
|
|
116
|
-
assert_node_skipped(
|
|
129
|
+
assert_node_skipped("some text")
|
|
117
130
|
end
|
|
118
131
|
|
|
119
132
|
def test_tags_accessor_validation
|
|
120
133
|
e = assert_raises(ArgumentError) do
|
|
121
|
-
@scrubber.tags =
|
|
134
|
+
@scrubber.tags = "tag"
|
|
122
135
|
end
|
|
123
136
|
|
|
124
137
|
assert_equal "You should pass :tags as an Enumerable", e.message
|
|
@@ -127,7 +140,7 @@ class PermitScrubberTest < ScrubberTest
|
|
|
127
140
|
|
|
128
141
|
def test_attributes_accessor_validation
|
|
129
142
|
e = assert_raises(ArgumentError) do
|
|
130
|
-
@scrubber.attributes =
|
|
143
|
+
@scrubber.attributes = "cooler"
|
|
131
144
|
end
|
|
132
145
|
|
|
133
146
|
assert_equal "You should pass :attributes as an Enumerable", e.message
|
|
@@ -137,19 +150,19 @@ end
|
|
|
137
150
|
|
|
138
151
|
class TargetScrubberTest < ScrubberTest
|
|
139
152
|
def setup
|
|
140
|
-
@scrubber = Rails::
|
|
153
|
+
@scrubber = Rails::HTML::TargetScrubber.new
|
|
141
154
|
end
|
|
142
155
|
|
|
143
156
|
def test_targeting_tags_removes_only_them
|
|
144
157
|
@scrubber.tags = %w(a h1)
|
|
145
|
-
html =
|
|
146
|
-
assert_scrubbed html,
|
|
158
|
+
html = "<script></script><a></a><h1></h1>"
|
|
159
|
+
assert_scrubbed html, "<script></script>"
|
|
147
160
|
end
|
|
148
161
|
|
|
149
162
|
def test_targeting_tags_removes_only_them_nested
|
|
150
163
|
@scrubber.tags = %w(a)
|
|
151
|
-
html =
|
|
152
|
-
assert_scrubbed html,
|
|
164
|
+
html = "<tag><a><tag><a></a></tag></a></tag>"
|
|
165
|
+
assert_scrubbed html, "<tag><tag></tag></tag>"
|
|
153
166
|
end
|
|
154
167
|
|
|
155
168
|
def test_targeting_attributes_removes_only_them
|
|
@@ -166,29 +179,29 @@ class TargetScrubberTest < ScrubberTest
|
|
|
166
179
|
end
|
|
167
180
|
|
|
168
181
|
def test_prunes_tags
|
|
169
|
-
@scrubber = Rails::
|
|
182
|
+
@scrubber = Rails::HTML::TargetScrubber.new(prune: true)
|
|
170
183
|
@scrubber.tags = %w(span)
|
|
171
|
-
html =
|
|
172
|
-
assert_scrubbed html,
|
|
184
|
+
html = "<tag>leave me <span>now</span></tag>"
|
|
185
|
+
assert_scrubbed html, "<tag>leave me </tag>"
|
|
173
186
|
end
|
|
174
187
|
end
|
|
175
188
|
|
|
176
189
|
class TextOnlyScrubberTest < ScrubberTest
|
|
177
190
|
def setup
|
|
178
|
-
@scrubber = Rails::
|
|
191
|
+
@scrubber = Rails::HTML::TextOnlyScrubber.new
|
|
179
192
|
end
|
|
180
193
|
|
|
181
194
|
def test_removes_all_tags_and_keep_the_content
|
|
182
|
-
assert_scrubbed
|
|
195
|
+
assert_scrubbed "<tag>hello</tag>", "hello"
|
|
183
196
|
end
|
|
184
197
|
|
|
185
198
|
def test_skips_text_nodes
|
|
186
|
-
assert_node_skipped(
|
|
199
|
+
assert_node_skipped("some text")
|
|
187
200
|
end
|
|
188
201
|
end
|
|
189
202
|
|
|
190
203
|
class ReturningStopFromScrubNodeTest < ScrubberTest
|
|
191
|
-
class ScrubStopper < Rails::
|
|
204
|
+
class ScrubStopper < Rails::HTML::PermitScrubber
|
|
192
205
|
def scrub_node(node)
|
|
193
206
|
Loofah::Scrubber::STOP
|
|
194
207
|
end
|
|
@@ -199,6 +212,6 @@ class ReturningStopFromScrubNodeTest < ScrubberTest
|
|
|
199
212
|
end
|
|
200
213
|
|
|
201
214
|
def test_returns_stop_from_scrub_if_scrub_node_does
|
|
202
|
-
assert_scrub_stopped
|
|
215
|
+
assert_scrub_stopped "<script>remove me</script>"
|
|
203
216
|
end
|
|
204
217
|
end
|
metadata
CHANGED
|
@@ -1,15 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0.rc1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
8
8
|
- Kasper Timm Hansen
|
|
9
|
+
- Mike Dalessio
|
|
9
10
|
autorequire:
|
|
10
11
|
bindir: bin
|
|
11
12
|
cert_chain: []
|
|
12
|
-
date: 2023-
|
|
13
|
+
date: 2023-05-24 00:00:00.000000000 Z
|
|
13
14
|
dependencies:
|
|
14
15
|
- !ruby/object:Gem::Dependency
|
|
15
16
|
name: loofah
|
|
@@ -17,80 +18,33 @@ dependencies:
|
|
|
17
18
|
requirements:
|
|
18
19
|
- - "~>"
|
|
19
20
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: '2.
|
|
21
|
-
- - ">="
|
|
22
|
-
- !ruby/object:Gem::Version
|
|
23
|
-
version: 2.19.1
|
|
21
|
+
version: '2.21'
|
|
24
22
|
type: :runtime
|
|
25
23
|
prerelease: false
|
|
26
24
|
version_requirements: !ruby/object:Gem::Requirement
|
|
27
25
|
requirements:
|
|
28
26
|
- - "~>"
|
|
29
27
|
- !ruby/object:Gem::Version
|
|
30
|
-
version: '2.
|
|
31
|
-
- - ">="
|
|
32
|
-
- !ruby/object:Gem::Version
|
|
33
|
-
version: 2.19.1
|
|
34
|
-
- !ruby/object:Gem::Dependency
|
|
35
|
-
name: bundler
|
|
36
|
-
requirement: !ruby/object:Gem::Requirement
|
|
37
|
-
requirements:
|
|
38
|
-
- - ">="
|
|
39
|
-
- !ruby/object:Gem::Version
|
|
40
|
-
version: '1.3'
|
|
41
|
-
type: :development
|
|
42
|
-
prerelease: false
|
|
43
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
44
|
-
requirements:
|
|
45
|
-
- - ">="
|
|
46
|
-
- !ruby/object:Gem::Version
|
|
47
|
-
version: '1.3'
|
|
48
|
-
- !ruby/object:Gem::Dependency
|
|
49
|
-
name: rake
|
|
50
|
-
requirement: !ruby/object:Gem::Requirement
|
|
51
|
-
requirements:
|
|
52
|
-
- - ">="
|
|
53
|
-
- !ruby/object:Gem::Version
|
|
54
|
-
version: '0'
|
|
55
|
-
type: :development
|
|
56
|
-
prerelease: false
|
|
57
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
58
|
-
requirements:
|
|
59
|
-
- - ">="
|
|
60
|
-
- !ruby/object:Gem::Version
|
|
61
|
-
version: '0'
|
|
28
|
+
version: '2.21'
|
|
62
29
|
- !ruby/object:Gem::Dependency
|
|
63
|
-
name:
|
|
30
|
+
name: nokogiri
|
|
64
31
|
requirement: !ruby/object:Gem::Requirement
|
|
65
32
|
requirements:
|
|
66
|
-
- - "
|
|
67
|
-
- !ruby/object:Gem::Version
|
|
68
|
-
version: '0'
|
|
69
|
-
type: :development
|
|
70
|
-
prerelease: false
|
|
71
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
72
|
-
requirements:
|
|
73
|
-
- - ">="
|
|
74
|
-
- !ruby/object:Gem::Version
|
|
75
|
-
version: '0'
|
|
76
|
-
- !ruby/object:Gem::Dependency
|
|
77
|
-
name: rails-dom-testing
|
|
78
|
-
requirement: !ruby/object:Gem::Requirement
|
|
79
|
-
requirements:
|
|
80
|
-
- - ">="
|
|
33
|
+
- - "~>"
|
|
81
34
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: '
|
|
83
|
-
type: :
|
|
35
|
+
version: '1.14'
|
|
36
|
+
type: :runtime
|
|
84
37
|
prerelease: false
|
|
85
38
|
version_requirements: !ruby/object:Gem::Requirement
|
|
86
39
|
requirements:
|
|
87
|
-
- - "
|
|
40
|
+
- - "~>"
|
|
88
41
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '
|
|
42
|
+
version: '1.14'
|
|
90
43
|
description: HTML sanitization for Rails applications
|
|
91
44
|
email:
|
|
92
45
|
- rafaelmfranca@gmail.com
|
|
93
46
|
- kaspth@gmail.com
|
|
47
|
+
- mike.dalessio@gmail.com
|
|
94
48
|
executables: []
|
|
95
49
|
extensions: []
|
|
96
50
|
extra_rdoc_files: []
|
|
@@ -102,6 +56,7 @@ files:
|
|
|
102
56
|
- lib/rails/html/sanitizer.rb
|
|
103
57
|
- lib/rails/html/sanitizer/version.rb
|
|
104
58
|
- lib/rails/html/scrubbers.rb
|
|
59
|
+
- test/rails_api_test.rb
|
|
105
60
|
- test/sanitizer_test.rb
|
|
106
61
|
- test/scrubbers_test.rb
|
|
107
62
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
@@ -109,9 +64,9 @@ licenses:
|
|
|
109
64
|
- MIT
|
|
110
65
|
metadata:
|
|
111
66
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
112
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.
|
|
113
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.
|
|
114
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.
|
|
67
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0.rc1/CHANGELOG.md
|
|
68
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0.rc1
|
|
69
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0.rc1
|
|
115
70
|
post_install_message:
|
|
116
71
|
rdoc_options: []
|
|
117
72
|
require_paths:
|
|
@@ -120,17 +75,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
120
75
|
requirements:
|
|
121
76
|
- - ">="
|
|
122
77
|
- !ruby/object:Gem::Version
|
|
123
|
-
version:
|
|
78
|
+
version: 2.7.0
|
|
124
79
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
125
80
|
requirements:
|
|
126
|
-
- - "
|
|
81
|
+
- - ">"
|
|
127
82
|
- !ruby/object:Gem::Version
|
|
128
|
-
version:
|
|
83
|
+
version: 1.3.1
|
|
129
84
|
requirements: []
|
|
130
|
-
rubygems_version: 3.4.
|
|
85
|
+
rubygems_version: 3.4.10
|
|
131
86
|
signing_key:
|
|
132
87
|
specification_version: 4
|
|
133
88
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
134
89
|
test_files:
|
|
90
|
+
- test/rails_api_test.rb
|
|
135
91
|
- test/sanitizer_test.rb
|
|
136
92
|
- test/scrubbers_test.rb
|