RubyGems - rails-html-sanitizer - Versions diffs - 1.6.0.rc2 → 1.6.1 - Mend

rails-html-sanitizer 1.6.0.rc2 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +52 -1
data/README.md +54 -49
data/lib/rails/html/sanitizer/version.rb +1 -1
data/lib/rails/html/sanitizer.rb +1 -0
data/lib/rails/html/scrubbers.rb +31 -7
data/test/sanitizer_test.rb +208 -9
data/test/scrubbers_test.rb +80 -2
metadata +69 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ce8562c96b3e842ebf50227e682c3fa948ebf8474786f100dbf78adff7f98d0
-  data.tar.gz: 7ca7beb76be35dea0dd926819212445e885a2b205ca0b2e45628f58d734a1a9f
+  metadata.gz: ad86488f25943fb1d0050513a08581231534a8552e4de66329270845ff650b12
+  data.tar.gz: ca70b518cc54e0ec2e224a5c3dbd82d567e39fd2d2ce3538e308f4d8846234b4
 SHA512:
-  metadata.gz: 30d9b9288698da75f713811e8b507edda0645eb4a485b0466847a4b8246aa854cd12e4dae238e61b09e371c950ee8516595b39207d4b10323bf81cf74b0a5114
-  data.tar.gz: 81698f017c423bac3434e7129b70c4ecba80b27a4f8c6d86294d548aeeb9238d98cd65c15f06bcf62c6ee104e8b3beca782c8e9b338302590c33b65ab9ed8121
+  metadata.gz: f6e2db01e0cd52d3bdcae7ceb90a081998111e84f19f4908d73a9b229a0ec87edfc10f05772b057d2c3e6c9cd08df267f82070f16015d9953d3edc85002dcafd
+  data.tar.gz: 746475ff0522b512e28f7bfd83a7e54be7445a29abcd9b1c8aa16c7b6c39b6f97f5e553ac228b3bad98af8b5f828c4fb6c311f75ddd4b286045ba9a353f0fd8a

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,55 @@
-## 1.6.0.rc2 / 2023-05-24
+## 1.6.1 / 2024-12-02
+This is a performance and security release which addresses several possible XSS vulnerabilities.
+* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.
+  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).
+  *Mike Dalessio*
+* Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
+  regardless of the `prune:` option value. Previously, disallowed tags were "stripped" unless the
+  gem was configured with the `prune: true` option.
+  The CVEs addressed by this change are:
+  - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
+  - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)
+  *Mike Dalessio*
+* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
+  the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
+  are removed from the allow-list.
+  The CVEs addressed by this change are:
+  - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
+  - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)
+  Please note that we _may_ restore support for allowing "noscript" in a future release. We do not
+  expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
+  for these tags.
+  *Mike Dalessio*
+* Improve performance by eliminating needless operations on attributes that are being removed. #188
+  *Mike Dalessio*
+## 1.6.0 / 2023-05-26
+* Dependencies have been updated:
+  - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
+  - As a result, required Ruby version is now `>= 2.7.0`
+  Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
+  (which supports Ruby 2.5) is still in security support.
+  *Mike Dalessio*
 * HTML5 standards-compliant sanitizers are now available on platforms supported by
   Nokogiri::HTML5. These are available as:

data/README.md CHANGED Viewed

@@ -7,51 +7,6 @@ Rails HTML Sanitizer is only intended to be used with Rails applications. If you
 ## Usage
-### A note on HTML entities
-__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
-Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
-This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
-#### A concrete example showing the problem that can arise
-Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
-If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
-When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
-Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
-#### Suggested alternatives
-You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
-That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
-If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
-### A note on module names
-In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
-- `Rails::HTML` for general functionality (replacing `Rails::Html`)
-- `Rails::HTML4` containing sanitizers that parse content as HTML4
-- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
-The following aliases are maintained for backwards compatibility:
-- `Rails::Html` points to `Rails::HTML`
-- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
-- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
-- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ### Sanitizers
 All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
@@ -75,10 +30,6 @@ full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here
 # => Bold no more!  See more here...
 ```
-HTML5 version:
 #### LinkSanitizer
 ```ruby
@@ -219,6 +170,51 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
 <%= sanitize @comment, scrubber: CommentScrubber.new %>
 ```
+### A note on HTML entities
+__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
+Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
+This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
+#### A concrete example showing the problem that can arise
+Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
+If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
+When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
+Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
+#### Suggested alternatives
+You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
+That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
+If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
+### A note on module names
+In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
+- `Rails::HTML` for general functionality (replacing `Rails::Html`)
+- `Rails::HTML4` containing sanitizers that parse content as HTML4
+- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
+The following aliases are maintained for backwards compatibility:
+- `Rails::Html` points to `Rails::HTML`
+- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ## Installation
 Add this line to your application's Gemfile:
@@ -234,6 +230,15 @@ Or install it yourself as:
     $ gem install rails-html-sanitizer
+## Support matrix
+| branch | ruby support | actively maintained | security support                       |
+|--------|--------------|---------------------|----------------------------------------|
+| 1.6.x  | >= 2.7       | yes                 | yes                                    |
+| 1.5.x  | >= 2.5       | no                  | while Rails 6.1 is in security support |
+| 1.4.x  | >= 1.8.7     | no                  | no                                     |
 ## Read more
 Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Rails
   module HTML
     class Sanitizer
-      VERSION = "1.6.0.rc2"
+      VERSION = "1.6.1"
     end
   end
 end

data/lib/rails/html/sanitizer.rb CHANGED Viewed

@@ -106,6 +106,7 @@ module Rails
                                            "ins",
                                            "kbd",
                                            "li",
+                                           "mark",
                                            "ol",
                                            "p",
                                            "pre",

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -72,10 +72,11 @@ module Rails
         return CONTINUE if skip_node?(node)
         unless (node.element? || node.comment?) && keep_node?(node)
-          return STOP if scrub_node(node) == STOP
+          return STOP unless scrub_node(node) == CONTINUE
         end
         scrub_attributes(node)
+        CONTINUE
       end
       protected
@@ -100,15 +101,22 @@ module Rails
         end
         def scrub_node(node)
-          node.before(node.children) unless prune # strip
+          # If a node has a namespace, then it's a tag in either a `math` or `svg` foreign context,
+          # and we should always prune it to avoid namespace confusion and mutation XSS vectors.
+          unless prune || node.namespace
+            node.before(node.children)
+          end
           node.remove
         end
         def scrub_attributes(node)
           if @attributes
             node.attribute_nodes.each do |attr|
-              attr.remove if scrub_attribute?(attr.name)
-              scrub_attribute(node, attr)
+              if scrub_attribute?(attr.name)
+                attr.remove
+              else
+                scrub_attribute(node, attr)
+              end
             end
             scrub_css_attribute(node)
@@ -130,6 +138,24 @@ module Rails
           if var && !var.is_a?(Enumerable)
             raise ArgumentError, "You should pass :#{name} as an Enumerable"
           end
+          if var && name == :tags
+            if var.include?("mglyph")
+              warn("WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("mglyph")
+            end
+            if var.include?("malignmark")
+              warn("WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("malignmark")
+            end
+            if var.include?("noscript")
+              warn("WARNING: 'noscript' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("noscript")
+            end
+          end
           var
         end
@@ -140,9 +166,7 @@ module Rails
             attr_node.node_name
           end
-          if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
-            return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
-          end
+          return if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name) && Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
           if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
             Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)

data/test/sanitizer_test.rb CHANGED Viewed

@@ -728,8 +728,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -747,8 +745,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -766,8 +762,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -785,8 +779,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html, attributes: ["action"])
@@ -926,7 +918,7 @@ module SanitizerTests
         # libxml2
         "<svg><style>&lt;script&gt;alert(1)&lt;/script&gt;</style></svg>",
         # libgumbo
-        "<svg><style>alert(1)</style></svg>"
+        "<svg><style></style></svg>",
       ]
       assert_includes(acceptable_results, actual)
@@ -984,6 +976,76 @@ module SanitizerTests
       assert_includes(acceptable_results, actual)
     end
+    def test_combination_of_svg_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<svg><style>&lt;img src onerror=alert(1)>", ["svg", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<svg><style>&amp;lt;img src onerror=alert(1)&gt;</style></svg>",
+        # libgumbo
+        "<svg><style>&lt;img src onerror=alert(1)&gt;</style></svg>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_math_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<math><style>&lt;img src onerror=alert(1)>", ["math", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<math><style>&amp;lt;img src onerror=alert(1)&gt;</style></math>",
+        # libgumbo
+        "<math><style>&lt;img src onerror=alert(1)&gt;</style></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_style_and_disallowed_svg_with_script_payload
+      # https://hackerone.com/reports/2519936
+      input, tags = "<svg><style><style class='</style><script>alert(1)</script>'>", ["style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<style>&lt;style class='</style>alert(1)'&gt;",
+        # libgumbo
+        "",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_style_and_disallowed_math_with_script_payload
+      # https://hackerone.com/reports/2519936
+      input, tags = "<math><style><style class='</style><script>alert(1)</script>'>", ["style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<style>&lt;style class='</style>alert(1)'&gt;",
+        # libgumbo
+        "",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_math_with_disallowed_mtext_and_img_payload
+      # https://hackerone.com/reports/2519941
+      input, tags = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>", ["math", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<math><style>&lt;img src=: onerror=alert(1)&gt;</style></math>",
+        # libgumbo
+        "<math></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
     def test_should_sanitize_illegal_style_properties
       raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
       expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
@@ -1034,6 +1096,64 @@ module SanitizerTests
       assert_equal "", sanitize_css(raw)
     end
+    def test_should_prune_mglyph
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table mglyph style)
+      actual = nil
+      assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags)
+      end
+      acceptable_results = [
+        # libxml2
+        "<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
+        # libgumbo
+        "<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_should_prune_malignmark
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table malignmark style)
+      actual = nil
+      assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags)
+      end
+      acceptable_results = [
+        # libxml2
+        "<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
+        # libgumbo
+        "<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_should_prune_noscript
+      # https://hackerone.com/reports/2509647
+      input, tags = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>", ["p", "div", "noscript"]
+      actual = nil
+      assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))
+      end
+      acceptable_results = [
+        # libxml2
+        "<div><p id=\"&lt;/noscript&gt;&lt;script&gt;alert(1)&lt;/script&gt;\"></p></div>",
+        # libgumbo
+        "<div><p id=\"</noscript><script>alert(1)</script>\"></p></div>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
     protected
       def safe_list_sanitize(input, options = {})
         module_under_test::SafeListSanitizer.new.sanitize(input, options)
@@ -1083,5 +1203,84 @@ module SanitizerTests
   class HTML5SafeListSanitizerTest < Minitest::Test
     @module_under_test = Rails::HTML5
     include SafeListSanitizerTest
+    def test_should_not_be_vulnerable_to_nokogiri_foreign_style_serialization_bug
+      # https://hackerone.com/reports/2503220
+      input = "<svg><style>&lt;img src onerror=alert(1)>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["svg", "style"])
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_ns_confusion_2519936
+      # https://hackerone.com/reports/2519936
+      input = "<math><style><style class='</style><script>alert(1)</script>'>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["style"])
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//script")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_ns_confusion_2519941
+      # https://hackerone.com/reports/2519941
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: %w(math style))
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_mglyph_namespace_confusion
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table mglyph style)
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = safe_list_sanitize(input, tags: tags)
+      end
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_malignmark_namespace_confusion
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table malignmark style)
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = safe_list_sanitize(input, tags: tags)
+      end
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_noscript_attacks
+      # https://hackerone.com/reports/2509647
+      skip("browser assertion requires parse_noscript_content_as_text") unless Nokogiri::VERSION >= "1.17"
+      input = '<noscript><p id="</noscript><script>alert(1)</script>"></noscript>'
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: %w(p div noscript), attributes: %w(id class style))
+      end
+      browser = Nokogiri::HTML5::Document.parse(result, parse_noscript_content_as_text: true)
+      xss = browser.at_xpath("//script")
+      assert_nil(xss)
+    end
   end if loofah_html5_support?
 end

data/test/scrubbers_test.rb CHANGED Viewed

@@ -121,6 +121,30 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed html, '<tag></tag><tag cooler=""></tag>'
   end
+  def test_does_not_allow_safelisted_mglyph
+    # https://hackerone.com/reports/2519936
+    assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "mglyph", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
+  def test_does_not_allow_safelisted_malignmark
+    # https://hackerone.com/reports/2519936
+    assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "malignmark", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
+  def test_does_not_allow_safelisted_noscript
+    # https://hackerone.com/reports/2509647
+    assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "noscript", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
   def test_leaves_text
     assert_scrubbed("some text")
   end
@@ -207,11 +231,65 @@ class ReturningStopFromScrubNodeTest < ScrubberTest
     end
   end
-  def setup
-    @scrubber = ScrubStopper.new
+  class ScrubContinuer < Rails::HTML::PermitScrubber
+    def scrub_node(node)
+      Loofah::Scrubber::CONTINUE
+    end
   end
   def test_returns_stop_from_scrub_if_scrub_node_does
+    @scrubber = ScrubStopper.new
     assert_scrub_stopped "<script>remove me</script>"
   end
+  def test_returns_continue_from_scrub_if_scrub_node_does
+    @scrubber = ScrubContinuer.new
+    assert_node_skipped "<script>keep me</script>"
+  end
+end
+class PermitScrubberMinimalOperationsTest < ScrubberTest
+  class TestPermitScrubber < Rails::HTML::PermitScrubber
+    def initialize
+      @scrub_attribute_args = []
+      @scrub_attributes_args = []
+      super
+      self.tags = ["div"]
+      self.attributes = ["class"]
+    end
+    def scrub_attributes(node)
+      @scrub_attributes_args << node.name
+      super
+    end
+    def scrub_attribute(node, attr)
+      @scrub_attribute_args << [node.name, attr.name]
+      super
+    end
+  end
+  def test_does_not_scrub_removed_attributes
+    @scrubber = TestPermitScrubber.new
+    input = "<div class='foo' href='bar'></div>"
+    frag = scrub_fragment(input)
+    assert_equal("<div class=\"foo\"></div>", frag)
+    assert_equal([["div", "class"]], @scrubber.instance_variable_get(:@scrub_attribute_args))
+  end
+  def test_does_not_scrub_attributes_of_a_removed_node
+    @scrubber = TestPermitScrubber.new
+    input = "<div class='foo' href='bar'><svg xlink:href='asdf'><set></set></svg></div>"
+    frag = scrub_fragment(input)
+    assert_equal("<div class=\"foo\"></div>", frag)
+    assert_equal(["div"], @scrubber.instance_variable_get(:@scrub_attributes_args))
+  end
 end

metadata CHANGED Viewed

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.6.0.rc2
+  version: 1.6.1
 platform: ruby
 authors:
 - Rafael Mendonça França
 - Kasper Timm Hansen
 - Mike Dalessio
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-24 00:00:00.000000000 Z
+date: 2024-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -30,16 +30,70 @@ dependencies:
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.15.7
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0.rc1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+    - - "!="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: 1.16.3
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.4
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.5
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: 1.15.7
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0.rc1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.3
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.4
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.5
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.7
 description: HTML sanitization for Rails applications
 email:
 - rafaelmfranca@gmail.com
@@ -64,10 +118,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0.rc2/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0.rc2
-  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0.rc2
-post_install_message:
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.1
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.1
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -78,12 +132,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files: