RubyGems - rails-html-sanitizer - Versions diffs - 1.6.0.rc2 → 1.6.1 - Mend

rails-html-sanitizer 1.6.0.rc2 → 1.6.1

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +52 -1
data/README.md +54 -49
data/lib/rails/html/sanitizer/version.rb +1 -1
data/lib/rails/html/sanitizer.rb +1 -0
data/lib/rails/html/scrubbers.rb +31 -7
data/test/sanitizer_test.rb +208 -9
data/test/scrubbers_test.rb +80 -2
metadata +69 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ce8562c96b3e842ebf50227e682c3fa948ebf8474786f100dbf78adff7f98d0
-  data.tar.gz: 7ca7beb76be35dea0dd926819212445e885a2b205ca0b2e45628f58d734a1a9f
+  metadata.gz: ad86488f25943fb1d0050513a08581231534a8552e4de66329270845ff650b12
+  data.tar.gz: ca70b518cc54e0ec2e224a5c3dbd82d567e39fd2d2ce3538e308f4d8846234b4
 SHA512:
-  metadata.gz: 30d9b9288698da75f713811e8b507edda0645eb4a485b0466847a4b8246aa854cd12e4dae238e61b09e371c950ee8516595b39207d4b10323bf81cf74b0a5114
-  data.tar.gz: 81698f017c423bac3434e7129b70c4ecba80b27a4f8c6d86294d548aeeb9238d98cd65c15f06bcf62c6ee104e8b3beca782c8e9b338302590c33b65ab9ed8121
+  metadata.gz: f6e2db01e0cd52d3bdcae7ceb90a081998111e84f19f4908d73a9b229a0ec87edfc10f05772b057d2c3e6c9cd08df267f82070f16015d9953d3edc85002dcafd
+  data.tar.gz: 746475ff0522b512e28f7bfd83a7e54be7445a29abcd9b1c8aa16c7b6c39b6f97f5e553ac228b3bad98af8b5f828c4fb6c311f75ddd4b286045ba9a353f0fd8a

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,55 @@
-## 1.6.0.rc2 / 2023-05-24
+## 1.6.1 / 2024-12-02
+This is a performance and security release which addresses several possible XSS vulnerabilities.
+* The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.
+  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).
+  *Mike Dalessio*
+* Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content),
+  regardless of the `prune:` option value. Previously, disallowed tags were "stripped" unless the
+  gem was configured with the `prune: true` option.
+  The CVEs addressed by this change are:
+  - CVE-2024-53986 (GHSA-638j-pmjw-jq48)
+  - CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)
+  *Mike Dalessio*
+* The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to
+  the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags
+  are removed from the allow-list.
+  The CVEs addressed by this change are:
+  - CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
+  - CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)
+  Please note that we _may_ restore support for allowing "noscript" in a future release. We do not
+  expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal
+  for these tags.
+  *Mike Dalessio*
+* Improve performance by eliminating needless operations on attributes that are being removed. #188
+  *Mike Dalessio*
+## 1.6.0 / 2023-05-26
+* Dependencies have been updated:
+  - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
+  - As a result, required Ruby version is now `>= 2.7.0`
+  Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
+  (which supports Ruby 2.5) is still in security support.
+  *Mike Dalessio*
 * HTML5 standards-compliant sanitizers are now available on platforms supported by
   Nokogiri::HTML5. These are available as:

data/README.md CHANGED Viewed

@@ -7,51 +7,6 @@ Rails HTML Sanitizer is only intended to be used with Rails applications. If you
 ## Usage
-### A note on HTML entities
-__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
-Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
-This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
-#### A concrete example showing the problem that can arise
-Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
-If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
-When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
-Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
-#### Suggested alternatives
-You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
-That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
-If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
-### A note on module names
-In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
-- `Rails::HTML` for general functionality (replacing `Rails::Html`)
-- `Rails::HTML4` containing sanitizers that parse content as HTML4
-- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
-The following aliases are maintained for backwards compatibility:
-- `Rails::Html` points to `Rails::HTML`
-- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
-- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
-- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ### Sanitizers
 All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
@@ -75,10 +30,6 @@ full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here
 # => Bold no more!  See more here...
 ```
-HTML5 version:
 #### LinkSanitizer
 ```ruby
@@ -219,6 +170,51 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
 <%= sanitize @comment, scrubber: CommentScrubber.new %>
 ```
+### A note on HTML entities
+__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
+Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `&lt;` to ensure that the markup is well-formed.
+This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
+#### A concrete example showing the problem that can arise
+Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
+If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase &amp; Co.`
+When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp;amp; Co.` which will render as "JPMorgan Chase &amp;amp; Co.".
+Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
+#### Suggested alternatives
+You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
+That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
+If you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
+### A note on module names
+In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
+- `Rails::HTML` for general functionality (replacing `Rails::Html`)
+- `Rails::HTML4` containing sanitizers that parse content as HTML4
+- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
+The following aliases are maintained for backwards compatibility:
+- `Rails::Html` points to `Rails::HTML`
+- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
+- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
+- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
 ## Installation
 Add this line to your application's Gemfile:
@@ -234,6 +230,15 @@ Or install it yourself as:
     $ gem install rails-html-sanitizer
+## Support matrix
+| branch | ruby support | actively maintained | security support                       |
+|--------|--------------|---------------------|----------------------------------------|
+| 1.6.x  | >= 2.7       | yes                 | yes                                    |
+| 1.5.x  | >= 2.5       | no                  | while Rails 6.1 is in security support |
+| 1.4.x  | >= 1.8.7     | no                  | no                                     |
 ## Read more
 Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.

data/lib/rails/html/sanitizer/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Rails
   module HTML
     class Sanitizer
-      VERSION = "1.6.0.rc2"
+      VERSION = "1.6.1"
     end
   end
 end

data/lib/rails/html/sanitizer.rb CHANGED Viewed

@@ -106,6 +106,7 @@ module Rails
                                            "ins",
                                            "kbd",
                                            "li",
+                                           "mark",
                                            "ol",
                                            "p",
                                            "pre",

data/lib/rails/html/scrubbers.rb CHANGED Viewed

@@ -72,10 +72,11 @@ module Rails
         return CONTINUE if skip_node?(node)
         unless (node.element? || node.comment?) && keep_node?(node)
-          return STOP if scrub_node(node) == STOP
+          return STOP unless scrub_node(node) == CONTINUE
         end
         scrub_attributes(node)
+        CONTINUE
       end
       protected
@@ -100,15 +101,22 @@ module Rails
         end
         def scrub_node(node)
-          node.before(node.children) unless prune # strip
+          # If a node has a namespace, then it's a tag in either a `math` or `svg` foreign context,
+          # and we should always prune it to avoid namespace confusion and mutation XSS vectors.
+          unless prune || node.namespace
+            node.before(node.children)
+          end
           node.remove
         end
         def scrub_attributes(node)
           if @attributes
             node.attribute_nodes.each do |attr|
-              attr.remove if scrub_attribute?(attr.name)
-              scrub_attribute(node, attr)
+              if scrub_attribute?(attr.name)
+                attr.remove
+              else
+                scrub_attribute(node, attr)
+              end
             end
             scrub_css_attribute(node)
@@ -130,6 +138,24 @@ module Rails
           if var && !var.is_a?(Enumerable)
             raise ArgumentError, "You should pass :#{name} as an Enumerable"
           end
+          if var && name == :tags
+            if var.include?("mglyph")
+              warn("WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("mglyph")
+            end
+            if var.include?("malignmark")
+              warn("WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("malignmark")
+            end
+            if var.include?("noscript")
+              warn("WARNING: 'noscript' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+              var.delete("noscript")
+            end
+          end
           var
         end
@@ -140,9 +166,7 @@ module Rails
             attr_node.node_name
           end
-          if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
-            return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
-          end
+          return if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name) && Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
           if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
             Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)

data/test/sanitizer_test.rb CHANGED Viewed

@@ -728,8 +728,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -747,8 +745,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -766,8 +762,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html)
@@ -785,8 +779,6 @@ module SanitizerTests
     end
     def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
-      skip if RUBY_VERSION < "2.3"
       html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
       text = safe_list_sanitize(html, attributes: ["action"])
@@ -926,7 +918,7 @@ module SanitizerTests
         # libxml2
         "<svg><style>&lt;script&gt;alert(1)&lt;/script&gt;</style></svg>",
         # libgumbo
-        "<svg><style>alert(1)</style></svg>"
+        "<svg><style></style></svg>",
       ]
       assert_includes(acceptable_results, actual)
@@ -984,6 +976,76 @@ module SanitizerTests
       assert_includes(acceptable_results, actual)
     end
+    def test_combination_of_svg_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<svg><style>&lt;img src onerror=alert(1)>", ["svg", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<svg><style>&amp;lt;img src onerror=alert(1)&gt;</style></svg>",
+        # libgumbo
+        "<svg><style>&lt;img src onerror=alert(1)&gt;</style></svg>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_math_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<math><style>&lt;img src onerror=alert(1)>", ["math", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<math><style>&amp;lt;img src onerror=alert(1)&gt;</style></math>",
+        # libgumbo
+        "<math><style>&lt;img src onerror=alert(1)&gt;</style></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_style_and_disallowed_svg_with_script_payload
+      # https://hackerone.com/reports/2519936
+      input, tags = "<svg><style><style class='</style><script>alert(1)</script>'>", ["style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<style>&lt;style class='</style>alert(1)'&gt;",
+        # libgumbo
+        "",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_combination_of_style_and_disallowed_math_with_script_payload
+      # https://hackerone.com/reports/2519936
+      input, tags = "<math><style><style class='</style><script>alert(1)</script>'>", ["style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<style>&lt;style class='</style>alert(1)'&gt;",
+        # libgumbo
+        "",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_math_with_disallowed_mtext_and_img_payload
+      # https://hackerone.com/reports/2519941
+      input, tags = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>", ["math", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<math><style>&lt;img src=: onerror=alert(1)&gt;</style></math>",
+        # libgumbo
+        "<math></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
     def test_should_sanitize_illegal_style_properties
       raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
       expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
@@ -1034,6 +1096,64 @@ module SanitizerTests
       assert_equal "", sanitize_css(raw)
     end
+    def test_should_prune_mglyph
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table mglyph style)
+      actual = nil
+      assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags)
+      end
+      acceptable_results = [
+        # libxml2
+        "<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
+        # libgumbo
+        "<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_should_prune_malignmark
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table malignmark style)
+      actual = nil
+      assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags)
+      end
+      acceptable_results = [
+        # libxml2
+        "<math><mtext><table><style>&lt;img src=: onerror=alert(1)&gt;</style></table></mtext></math>",
+        # libgumbo
+        "<math><mtext><style><img src=: onerror=alert(1)></style><table></table></mtext></math>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
+    def test_should_prune_noscript
+      # https://hackerone.com/reports/2509647
+      input, tags = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>", ["p", "div", "noscript"]
+      actual = nil
+      assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
+        actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))
+      end
+      acceptable_results = [
+        # libxml2
+        "<div><p id=\"&lt;/noscript&gt;&lt;script&gt;alert(1)&lt;/script&gt;\"></p></div>",
+        # libgumbo
+        "<div><p id=\"</noscript><script>alert(1)</script>\"></p></div>",
+      ]
+      assert_includes(acceptable_results, actual)
+    end
     protected
       def safe_list_sanitize(input, options = {})
         module_under_test::SafeListSanitizer.new.sanitize(input, options)
@@ -1083,5 +1203,84 @@ module SanitizerTests
   class HTML5SafeListSanitizerTest < Minitest::Test
     @module_under_test = Rails::HTML5
     include SafeListSanitizerTest
+    def test_should_not_be_vulnerable_to_nokogiri_foreign_style_serialization_bug
+      # https://hackerone.com/reports/2503220
+      input = "<svg><style>&lt;img src onerror=alert(1)>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["svg", "style"])
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_ns_confusion_2519936
+      # https://hackerone.com/reports/2519936
+      input = "<math><style><style class='</style><script>alert(1)</script>'>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["style"])
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//script")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_ns_confusion_2519941
+      # https://hackerone.com/reports/2519941
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: %w(math style))
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_mglyph_namespace_confusion
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><mglyph><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table mglyph style)
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = safe_list_sanitize(input, tags: tags)
+      end
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_malignmark_namespace_confusion
+      # https://hackerone.com/reports/2519936
+      input = "<math><mtext><table><malignmark><style><img src=: onerror=alert(1)>"
+      tags = %w(math mtext table malignmark style)
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = safe_list_sanitize(input, tags: tags)
+      end
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+      assert_nil(xss)
+    end
+    def test_should_not_be_vulnerable_to_noscript_attacks
+      # https://hackerone.com/reports/2509647
+      skip("browser assertion requires parse_noscript_content_as_text") unless Nokogiri::VERSION >= "1.17"
+      input = '<noscript><p id="</noscript><script>alert(1)</script>"></noscript>'
+      result = nil
+      assert_output(nil, /WARNING/) do
+        result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: %w(p div noscript), attributes: %w(id class style))
+      end
+      browser = Nokogiri::HTML5::Document.parse(result, parse_noscript_content_as_text: true)
+      xss = browser.at_xpath("//script")
+      assert_nil(xss)
+    end
   end if loofah_html5_support?
 end

data/test/scrubbers_test.rb CHANGED Viewed

@@ -121,6 +121,30 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed html, '<tag></tag><tag cooler=""></tag>'
   end
+  def test_does_not_allow_safelisted_mglyph
+    # https://hackerone.com/reports/2519936
+    assert_output(nil, /WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "mglyph", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
+  def test_does_not_allow_safelisted_malignmark
+    # https://hackerone.com/reports/2519936
+    assert_output(nil, /WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "malignmark", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
+  def test_does_not_allow_safelisted_noscript
+    # https://hackerone.com/reports/2509647
+    assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
+      @scrubber.tags = ["div", "noscript", "span"]
+    end
+    assert_equal(["div", "span"], @scrubber.tags)
+  end
   def test_leaves_text
     assert_scrubbed("some text")
   end
@@ -207,11 +231,65 @@ class ReturningStopFromScrubNodeTest < ScrubberTest
     end
   end
-  def setup
-    @scrubber = ScrubStopper.new
+  class ScrubContinuer < Rails::HTML::PermitScrubber
+    def scrub_node(node)
+      Loofah::Scrubber::CONTINUE
+    end
   end
   def test_returns_stop_from_scrub_if_scrub_node_does
+    @scrubber = ScrubStopper.new
     assert_scrub_stopped "<script>remove me</script>"
   end
+  def test_returns_continue_from_scrub_if_scrub_node_does
+    @scrubber = ScrubContinuer.new
+    assert_node_skipped "<script>keep me</script>"
+  end
+end
+class PermitScrubberMinimalOperationsTest < ScrubberTest
+  class TestPermitScrubber < Rails::HTML::PermitScrubber
+    def initialize
+      @scrub_attribute_args = []
+      @scrub_attributes_args = []
+      super
+      self.tags = ["div"]
+      self.attributes = ["class"]
+    end
+    def scrub_attributes(node)
+      @scrub_attributes_args << node.name
+      super
+    end
+    def scrub_attribute(node, attr)
+      @scrub_attribute_args << [node.name, attr.name]
+      super
+    end
+  end
+  def test_does_not_scrub_removed_attributes
+    @scrubber = TestPermitScrubber.new
+    input = "<div class='foo' href='bar'></div>"
+    frag = scrub_fragment(input)
+    assert_equal("<div class=\"foo\"></div>", frag)
+    assert_equal([["div", "class"]], @scrubber.instance_variable_get(:@scrub_attribute_args))
+  end
+  def test_does_not_scrub_attributes_of_a_removed_node
+    @scrubber = TestPermitScrubber.new
+    input = "<div class='foo' href='bar'><svg xlink:href='asdf'><set></set></svg></div>"
+    frag = scrub_fragment(input)
+    assert_equal("<div class=\"foo\"></div>", frag)
+    assert_equal(["div"], @scrubber.instance_variable_get(:@scrub_attributes_args))
+  end
 end

metadata CHANGED Viewed

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.6.0.rc2
+  version: 1.6.1
 platform: ruby
 authors:
 - Rafael Mendonça França
 - Kasper Timm Hansen
 - Mike Dalessio
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-24 00:00:00.000000000 Z
+date: 2024-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -30,16 +30,70 @@ dependencies:
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.15.7
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0.rc1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+    - - "!="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: 1.16.3
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.4
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.5
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: 1.15.7
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.0.rc1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.1
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.3
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.4
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.5
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: 1.16.7
 description: HTML sanitization for Rails applications
 email:
 - rafaelmfranca@gmail.com
@@ -64,10 +118,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
-  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.0.rc2/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.0.rc2
-  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.0.rc2
-post_install_message:
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.1
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.1
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -78,12 +132,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files: