rails-html-sanitizer 1.6.0.rc2 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -1
- data/README.md +54 -45
- data/lib/rails/html/sanitizer/version.rb +1 -1
- metadata +7 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 365db7c11fc174c5da0a4a670fec92033cf277b71e7bb089534b2ad1bd48b314
|
|
4
|
+
data.tar.gz: b33e592de2e0081f1493d9fc29e8db1a26b2f727c20aa7d111332438bfbf2f1d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bafc9210e52f68f6ea033c1deb70d2d227a85a661f9c4fe988da876a73e29b7c86e0910d9705616ed536978d4c6cdf9e5a23b211e720c1f4c86d7b5ce04c03bf
|
|
7
|
+
data.tar.gz: acb3ed50bf5ebd95824bffc8efb4be8745c32e3d5bd5d157edc14648f4f00e07f308ce5ecb2889ae417d7cd999871f4860ac79ecb0864a25220683ae2edd5473
|
data/CHANGELOG.md
CHANGED
|
@@ -1,4 +1,14 @@
|
|
|
1
|
-
## 1.6.0
|
|
1
|
+
## 1.6.0 / 2023-05-26
|
|
2
|
+
|
|
3
|
+
* Dependencies have been updated:
|
|
4
|
+
|
|
5
|
+
- Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
|
|
6
|
+
- As a result, required Ruby version is now `>= 2.7.0`
|
|
7
|
+
|
|
8
|
+
Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
|
|
9
|
+
(which supports Ruby 2.5) is still in security support.
|
|
10
|
+
|
|
11
|
+
*Mike Dalessio*
|
|
2
12
|
|
|
3
13
|
* HTML5 standards-compliant sanitizers are now available on platforms supported by
|
|
4
14
|
Nokogiri::HTML5. These are available as:
|
data/README.md
CHANGED
|
@@ -7,51 +7,6 @@ Rails HTML Sanitizer is only intended to be used with Rails applications. If you
|
|
|
7
7
|
|
|
8
8
|
## Usage
|
|
9
9
|
|
|
10
|
-
### A note on HTML entities
|
|
11
|
-
|
|
12
|
-
__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
|
|
13
|
-
|
|
14
|
-
Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `<` to ensure that the markup is well-formed.
|
|
15
|
-
|
|
16
|
-
This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
#### A concrete example showing the problem that can arise
|
|
20
|
-
|
|
21
|
-
Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
|
|
22
|
-
|
|
23
|
-
If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase & Co.`
|
|
24
|
-
|
|
25
|
-
When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp; Co.` which will render as "JPMorgan Chase &amp; Co.".
|
|
26
|
-
|
|
27
|
-
Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
#### Suggested alternatives
|
|
31
|
-
|
|
32
|
-
You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
|
|
33
|
-
|
|
34
|
-
That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
|
|
35
|
-
|
|
36
|
-
If you really want to sanitize the string that's stored in your database, you may wish to look into [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
### A note on module names
|
|
40
|
-
|
|
41
|
-
In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
|
|
42
|
-
|
|
43
|
-
- `Rails::HTML` for general functionality (replacing `Rails::Html`)
|
|
44
|
-
- `Rails::HTML4` containing sanitizers that parse content as HTML4
|
|
45
|
-
- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
|
|
46
|
-
|
|
47
|
-
The following aliases are maintained for backwards compatibility:
|
|
48
|
-
|
|
49
|
-
- `Rails::Html` points to `Rails::HTML`
|
|
50
|
-
- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
|
|
51
|
-
- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
|
|
52
|
-
- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
|
|
53
|
-
|
|
54
|
-
|
|
55
10
|
### Sanitizers
|
|
56
11
|
|
|
57
12
|
All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
|
|
@@ -219,6 +174,51 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
|
|
|
219
174
|
<%= sanitize @comment, scrubber: CommentScrubber.new %>
|
|
220
175
|
```
|
|
221
176
|
|
|
177
|
+
### A note on HTML entities
|
|
178
|
+
|
|
179
|
+
__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
|
|
180
|
+
|
|
181
|
+
Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `<` to ensure that the markup is well-formed.
|
|
182
|
+
|
|
183
|
+
This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
|
|
184
|
+
|
|
185
|
+
|
|
186
|
+
#### A concrete example showing the problem that can arise
|
|
187
|
+
|
|
188
|
+
Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
|
|
189
|
+
|
|
190
|
+
If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase & Co.`
|
|
191
|
+
|
|
192
|
+
When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp; Co.` which will render as "JPMorgan Chase &amp; Co.".
|
|
193
|
+
|
|
194
|
+
Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
|
|
195
|
+
|
|
196
|
+
|
|
197
|
+
#### Suggested alternatives
|
|
198
|
+
|
|
199
|
+
You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
|
|
200
|
+
|
|
201
|
+
That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
|
|
202
|
+
|
|
203
|
+
If you really want to sanitize the string that's stored in your database, you may wish to look into [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
|
|
204
|
+
|
|
205
|
+
|
|
206
|
+
### A note on module names
|
|
207
|
+
|
|
208
|
+
In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
|
|
209
|
+
|
|
210
|
+
- `Rails::HTML` for general functionality (replacing `Rails::Html`)
|
|
211
|
+
- `Rails::HTML4` containing sanitizers that parse content as HTML4
|
|
212
|
+
- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
|
|
213
|
+
|
|
214
|
+
The following aliases are maintained for backwards compatibility:
|
|
215
|
+
|
|
216
|
+
- `Rails::Html` points to `Rails::HTML`
|
|
217
|
+
- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
|
|
218
|
+
- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
|
|
219
|
+
- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
|
|
220
|
+
|
|
221
|
+
|
|
222
222
|
## Installation
|
|
223
223
|
|
|
224
224
|
Add this line to your application's Gemfile:
|
|
@@ -234,6 +234,15 @@ Or install it yourself as:
|
|
|
234
234
|
$ gem install rails-html-sanitizer
|
|
235
235
|
|
|
236
236
|
|
|
237
|
+
## Support matrix
|
|
238
|
+
|
|
239
|
+
| branch | ruby support | actively maintained | security support |
|
|
240
|
+
|--------|--------------|---------------------|----------------------------------------|
|
|
241
|
+
| 1.6.x | >= 2.7 | yes | yes |
|
|
242
|
+
| 1.5.x | >= 2.5 | no | while Rails 6.1 is in security support |
|
|
243
|
+
| 1.4.x | >= 1.8.7 | no | no |
|
|
244
|
+
|
|
245
|
+
|
|
237
246
|
## Read more
|
|
238
247
|
|
|
239
248
|
Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.0
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2023-05-
|
|
13
|
+
date: 2023-05-26 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: loofah
|
|
@@ -64,9 +64,9 @@ licenses:
|
|
|
64
64
|
- MIT
|
|
65
65
|
metadata:
|
|
66
66
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
67
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0
|
|
68
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0
|
|
69
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0
|
|
67
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0/CHANGELOG.md
|
|
68
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0
|
|
69
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0
|
|
70
70
|
post_install_message:
|
|
71
71
|
rdoc_options: []
|
|
72
72
|
require_paths:
|
|
@@ -78,9 +78,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
78
78
|
version: 2.7.0
|
|
79
79
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
80
80
|
requirements:
|
|
81
|
-
- - "
|
|
81
|
+
- - ">="
|
|
82
82
|
- !ruby/object:Gem::Version
|
|
83
|
-
version:
|
|
83
|
+
version: '0'
|
|
84
84
|
requirements: []
|
|
85
85
|
rubygems_version: 3.4.10
|
|
86
86
|
signing_key:
|