RubyGems - rails-html-sanitizer - Versions diffs - 1.5.0 → 1.6.2 - Mend

rails-html-sanitizer 1.5.0 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +125 -0
data/MIT-LICENSE +1 -1
data/README.md +124 -72
data/lib/rails/html/sanitizer/version.rb +4 -2
data/lib/rails/html/sanitizer.rb +372 -104
data/lib/rails/html/scrubbers.rb +98 -73
data/lib/rails-html-sanitizer.rb +7 -23
data/test/rails_api_test.rb +88 -0
data/test/sanitizer_test.rb +1095 -584
data/test/scrubbers_test.rb +129 -38
metadata +68 -58

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59897b4a0d7f69a21932ec1cb44e24ea0ba4c2cf79ef7101ef32e90f40ad766b
-  data.tar.gz: '063919ea5426a6938040672fefeabcaf82087a5ccd12ffc7457e34eb6984042b'
+  metadata.gz: d5507b24d4d93d6efebf2e327d04980dd114cd491732b5c71a7e1a3294c846a9
+  data.tar.gz: dd7a5070b04bf6a97b96df01d65fce9d52790e62dc6631b31fb72ecc2a6d16ed
 SHA512:
-  metadata.gz: 2b0c23a07bc8acb3c1a039266cf053ad9044670a96620365b3ed722eb9a602def1bebe8de40697a2b12deba61cf224461ae8a4dc93749fa8c9675cda4cd216dd
-  data.tar.gz: 5dce2af04dd887e08773a975cc67d93987b15330d023cc68a6cc51322ed73b60681309b25feab1a2c54b0e062696af1dd78c83cdb609e8d179b6ef95419573b3
+  metadata.gz: 912e9d41629bd93de8a14352757add81fde36e394e7907923a88dbebc39da85722fc13a01fa23973421a11e715b41fb78cec3f0379ccf5a97ab0f0ee3ed3dc5a
+  data.tar.gz: e03d92f6289ef71e4039a64b89bce79c5d5a9d628632c84b2b54235fbe69384578de92f7b2db114c13d041c4d589672dd09e23758a043e675eb37f961a858f67

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,119 @@
+## v1.6.2 / 2024-12-12
+* `PermitScrubber` fully supports frozen "allowed tags".
+  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
+  introduced a regression for applications passing a frozen array of allowed tags. Tags and
+  attributes are now properly copied when they are passed to the scrubber.
+  Fixes #195.
+  *Mike Dalessio*
+## 1.6.1 / 2024-12-02
+This is a performance and security release which addresses several possible XSS vulnerabilities.
+* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.
+  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).
+  *Mike Dalessio*
+* Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
+  regardless of the `prune:` option value. Previously, disallowed tags were "stripped" unless the
+  gem was configured with the `prune: true` option.
+  The CVEs addressed by this change are:
+  - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
+  - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)
+  *Mike Dalessio*
+* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
+  the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
+  are removed from the allow-list.
+  The CVEs addressed by this change are:
+  - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
+  - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)
+  Please note that we _may_ restore support for allowing "noscript" in a future release. We do not
+  expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
+  for these tags.
+  *Mike Dalessio*
+* Improve performance by eliminating needless operations on attributes that are being removed. #188
+  *Mike Dalessio*
+## 1.6.0 / 2023-05-26
+* Dependencies have been updated:
+  - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
+  - As a result, required Ruby version is now `>= 2.7.0`
+  Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
+  (which supports Ruby 2.5) is still in security support.
+  *Mike Dalessio*
+* HTML5 standards-compliant sanitizers are now available on platforms supported by
+  Nokogiri::HTML5. These are available as:
+  - `Rails::HTML5::FullSanitizer`
+  - `Rails::HTML5::LinkSanitizer`
+  - `Rails::HTML5::SafeListSanitizer`
+  And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version
+  of Rails.
+  Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical
+  to the vendor class methods on `Rails::HTML::Sanitizer`.
+  Users may call `Rails::HTML::Sanitizer.best_supported_vendor` to get back the HTML5 vendor if it's
+  supported, else the legacy HTML4 vendor.
+  *Mike Dalessio*
+* Module namespaces have changed, but backwards compatibility is provided by aliases.
+  The library defines three additional modules:
+  - `Rails::HTML` for general functionality (replacing `Rails::Html`)
+  - `Rails::HTML4` containing sanitizers that parse content as HTML4
+  - `Rails::HTML5` containing sanitizers that parse content as HTML5
+  The following aliases are maintained for backwards compatibility:
+  - `Rails::Html` points to `Rails::HTML`
+  - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+  - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+  - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
+  *Mike Dalessio*
+* `LinkSanitizer` always returns UTF-8 encoded strings. `SafeListSanitizer` and `FullSanitizer`
+  already ensured this encoding.
+  *Mike Dalessio*
+* `SafeListSanitizer` allows `time` tag and `lang` attribute by default.
+  *Mike Dalessio*
+* The constant `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the
+  existing sanitizers, and should have been a private constant all along anyway.
+  *Mike Dalessio*
 ## 1.5.0 / 2023-01-20
 * `SafeListSanitizer`, `PermitScrubber`, and `TargetScrubber` now all support pruning of unsafe tags.
@@ -7,6 +123,7 @@
   *seyerian*
 ## 1.4.4 / 2022-12-13
 * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
@@ -52,6 +169,7 @@
   *Mike Dalessio*
 ## 1.4.2 / 2021-08-23
 * Slightly improve performance.
@@ -60,6 +178,7 @@
   *Mike Dalessio*
 ## 1.4.1 / 2021-08-18
 * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
@@ -72,6 +191,7 @@
   *Mike Dalessio*
 ## 1.4.0 / 2021-08-18
 * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
@@ -84,12 +204,14 @@
   *Mike Dalessio*
 ## 1.3.0
 * Address deprecations in Loofah 2.3.0.
   *Josh Goodall*
 ## 1.2.0
 * Remove needless `white_list_sanitizer` deprecation.
@@ -104,6 +226,7 @@
   *Kasper Timm Hansen*
 ## 1.1.0
 * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
@@ -121,10 +244,12 @@
   *Kasper Timm Hansen*
 ## 1.0.1
 * Added support for Rails 4.2.0.beta2 and above
 ## 1.0.0
 * First release.

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2013-2015 Rafael Mendonça França, Kasper Timm Hansen
+Copyright (c) 2013-2023 Rafael Mendonça França, Kasper Timm Hansen, Mike Dalessio
 MIT License

data/README.md CHANGED Viewed

@@ -1,63 +1,31 @@
-# Rails Html Sanitizers
+# Rails HTML Sanitizers
-In Rails 4.2 and above this gem will be responsible for sanitizing HTML fragments in Rails
-applications, i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
+This gem is responsible for sanitizing HTML fragments in Rails applications. Specifically, this is the set of sanitizers used to implement the Action View `SanitizerHelper` methods `sanitize`, `sanitize_css`, `strip_tags` and `strip_links`.
-Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using [Loofah](https://github.com/flavorjones/loofah) directly (that's what handles sanitization under the hood).
+Rails HTML Sanitizer is only intended to be used with Rails applications. If you need similar functionality but aren't using Rails, consider using the underlying sanitization library [Loofah](https://github.com/flavorjones/loofah) directly.
-## Installation
-Add this line to your application's Gemfile:
-    gem 'rails-html-sanitizer'
-And then execute:
-    $ bundle
-Or install it yourself as:
-    $ gem install rails-html-sanitizer
 ## Usage
-### A note on HTML entities
-__Rails::HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will sanitized *again* at page-render time.__
-Proper HTML sanitization will replace some characters with HTML entities. For example, `<` will be replaced with `&lt;` to ensure that the markup is well-formed.
-This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
-#### A concrete example showing the problem that can arise
-Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
-If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
-When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
-Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
-#### Suggested alternatives
+### Sanitizers
-You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
+All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
-That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
+NOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling `Rails::HTML::Sanitizer.html5_support?`.
-If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails::HTML sanitizers.
+#### FullSanitizer
-### Sanitizers
+```ruby
+full_sanitizer = Rails::HTML5::FullSanitizer.new
+full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+# => Bold no more!  See more here...
+```
-All sanitizers respond to `sanitize`.
-#### FullSanitizer
+or, if you insist on parsing the content as HTML4:
 ```ruby
-full_sanitizer = Rails::Html::FullSanitizer.new
+full_sanitizer = Rails::HTML4::FullSanitizer.new
 full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
 # => Bold no more!  See more here...
 ```
@@ -65,44 +33,55 @@ full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here
 #### LinkSanitizer
 ```ruby
-link_sanitizer = Rails::Html::LinkSanitizer.new
+link_sanitizer = Rails::HTML5::LinkSanitizer.new
+link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+# => Only the link text will be kept.
+```
+or, if you insist on parsing the content as HTML4:
+```ruby
+link_sanitizer = Rails::HTML4::LinkSanitizer.new
 link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
 # => Only the link text will be kept.
 ```
 #### SafeListSanitizer
+This sanitizer is also available as an HTML4 variant, but for simplicity we'll document only the HTML5 variant below.
 ```ruby
-safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
+safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new
 # sanitize via an extensive safe list of allowed elements
 safe_list_sanitizer.sanitize(@article.body)
-# safe list only the supplied tags and attributes
+# sanitize only the supplied tags and attributes
 safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
-# safe list via a custom scrubber
+# sanitize via a custom scrubber
 safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
-# safe list sanitizer can also sanitize css
-safe_list_sanitizer.sanitize_css('background-color: #000;')
+# prune nodes from the tree instead of stripping tags and leaving inner content
+safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)
-# fully prune nodes from the tree instead of stripping tags and leaving inner content
-safe_list_sanitizer = Rails::Html::SafeListSanitizer.new(prune: true)
+# the sanitizer can also sanitize css
+safe_list_sanitizer.sanitize_css('background-color: #000;')
 ```
 ### Scrubbers
 Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.
-This gem includes two scrubbers `Rails::Html::PermitScrubber` and `Rails::Html::TargetScrubber`.
+This gem includes two scrubbers `Rails::HTML::PermitScrubber` and `Rails::HTML::TargetScrubber`.
-#### `Rails::Html::PermitScrubber`
+#### `Rails::HTML::PermitScrubber`
 This scrubber allows you to permit only the tags and attributes you want.
 ```ruby
-scrubber = Rails::Html::PermitScrubber.new
+scrubber = Rails::HTML::PermitScrubber.new
 scrubber.tags = ['a']
 html_fragment = Loofah.fragment('<a><img/ ></a>')
@@ -113,14 +92,14 @@ html_fragment.to_s # => "<a></a>"
 By default, inner content is left, but it can be removed as well.
 ```ruby
-scrubber = Rails::Html::PermitScrubber.new
+scrubber = Rails::HTML::PermitScrubber.new
 scrubber.tags = ['a']
 html_fragment = Loofah.fragment('<a><span>text</span></a>')
 html_fragment.scrub!(scrubber)
 html_fragment.to_s # => "<a>text</a>"
-scrubber = Rails::Html::PermitScrubber.new(prune: true)
+scrubber = Rails::HTML::PermitScrubber.new(prune: true)
 scrubber.tags = ['a']
 html_fragment = Loofah.fragment('<a><span>text</span></a>')
@@ -128,16 +107,16 @@ html_fragment.scrub!(scrubber)
 html_fragment.to_s # => "<a></a>"
 ```
-#### `Rails::Html::TargetScrubber`
+#### `Rails::HTML::TargetScrubber`
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
+`Rails::HTML::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
 **Note:** by default, it will scrub anything that is not part of the permitted tags from
 loofah `HTML5::Scrub.allowed_element?`.
 ```ruby
-scrubber = Rails::Html::TargetScrubber.new
+scrubber = Rails::HTML::TargetScrubber.new
 scrubber.tags = ['img']
 html_fragment = Loofah.fragment('<a><img/ ></a>')
@@ -148,26 +127,27 @@ html_fragment.to_s # => "<a></a>"
 Similarly to `PermitScrubber`, nodes can be fully pruned.
 ```ruby
-scrubber = Rails::Html::TargetScrubber.new
+scrubber = Rails::HTML::TargetScrubber.new
 scrubber.tags = ['span']
 html_fragment = Loofah.fragment('<a><span>text</span></a>')
 html_fragment.scrub!(scrubber)
 html_fragment.to_s # => "<a>text</a>"
-scrubber = Rails::Html::TargetScrubber.new(prune: true)
+scrubber = Rails::HTML::TargetScrubber.new(prune: true)
 scrubber.tags = ['span']
 html_fragment = Loofah.fragment('<a><span>text</span></a>')
 html_fragment.scrub!(scrubber)
 html_fragment.to_s # => "<a></a>"
 ```
 #### Custom Scrubbers
 You can also create custom scrubbers in your application if you want to.
 ```ruby
-class CommentScrubber < Rails::Html::PermitScrubber
+class CommentScrubber < Rails::HTML::PermitScrubber
   def initialize
     super
     self.tags = %w( form script comment blockquote )
@@ -180,7 +160,7 @@ class CommentScrubber < Rails::Html::PermitScrubber
 end
 ```
-See `Rails::Html::PermitScrubber` documentation to learn more about which methods can be overridden.
+See `Rails::HTML::PermitScrubber` documentation to learn more about which methods can be overridden.
 #### Custom Scrubber in a Rails app
@@ -190,26 +170,98 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
 <%= sanitize @comment, scrubber: CommentScrubber.new %>
 ```
+### A note on HTML entities
+__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
+Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
+This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
+#### A concrete example showing the problem that can arise
+Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
+If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
+When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
+Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
+#### Suggested alternatives
+You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
+That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
+If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
+### A note on module names
+In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
+- `Rails::HTML` for general functionality (replacing `Rails::Html`)
+- `Rails::HTML4` containing sanitizers that parse content as HTML4
+- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
+The following aliases are maintained for backwards compatibility:
+- `Rails::Html` points to `Rails::HTML`
+- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
+## Installation
+Add this line to your application's Gemfile:
+    gem 'rails-html-sanitizer'
+And then execute:
+    $ bundle
+Or install it yourself as:
+    $ gem install rails-html-sanitizer
+## Support matrix
+| branch | ruby support | actively maintained | security support                       |
+|--------|--------------|---------------------|----------------------------------------|
+| 1.6.x  | >= 2.7       | yes                 | yes                                    |
+| 1.5.x  | >= 2.5       | no                  | while Rails 6.1 is in security support |
+| 1.4.x  | >= 1.8.7     | no                  | no                                     |
 ## Read more
 Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
 - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
 The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
 - [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
 - [Nokogiri](http://nokogiri.org)
-## Contributing to Rails Html Sanitizers
-Rails Html Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
+## Contributing to Rails HTML Sanitizers
+Rails HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
 See [CONTRIBUTING](CONTRIBUTING.md).
 ### Security reports
-Trying to report a possible security vulnerability in this project? Please
-check out our [security policy](https://rubyonrails.org/security) for
-guidelines about how to proceed.
+Trying to report a possible security vulnerability in this project? Please check out the [Rails project's security policy](https://rubyonrails.org/security) for instructions.
 ## License
-Rails Html Sanitizers is released under the [MIT License](MIT-LICENSE).
+Rails HTML Sanitizers is released under the [MIT License](MIT-LICENSE).

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
 module Rails
-  module Html
+  module HTML
     class Sanitizer
-      VERSION = "1.5.0"
+      VERSION = "1.6.2"
     end
   end
 end