rails-html-sanitizer 1.6.2 → 1.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +25 -0
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/sanitizer.rb +4 -0
- data/lib/rails/html/scrubbers.rb +1 -1
- metadata +15 -18
- data/test/rails_api_test.rb +0 -88
- data/test/sanitizer_test.rb +0 -1288
- data/test/scrubbers_test.rb +0 -295
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1e57ccc4baea7e97018e7794845e4f95ca0beee76bbdeff5f377dc1d8385a170
|
|
4
|
+
data.tar.gz: 4b66dc1f9e7f0bfbcb8707c4c208ed6f9f3af50b521015d65e638e90296db066
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5ba5bacc8b35f00909f62e68dbb21c30bce706d6e19865803a84119c5fb3ea6ac459719e5b14827f370d428e9fc22eb0cb507824f864855857abc9303175e46a
|
|
7
|
+
data.tar.gz: 395e935d2056f773fbf8324caa0852e070245dd02d7b6d69b205b4a4835fedc3951484f724ea20f69f6ae98578d80535eedc950be44cf149b440249bd1d58ee8
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,28 @@
|
|
|
1
|
+
## v1.7.1 / 2026-07-15
|
|
2
|
+
|
|
3
|
+
* SVG reference elements now restrict both `href` and `xlink:href` to local references.
|
|
4
|
+
|
|
5
|
+
Previously `PermitScrubber` restricted only `xlink:href` on elements in `SVG_ALLOW_LOCAL_HREF`,
|
|
6
|
+
so a plain `href` attribute on those elements could reference an external document. Applications
|
|
7
|
+
are only affected if the allowed tags are overridden to include an SVG reference element such as
|
|
8
|
+
`use`; the default configuration is not affected.
|
|
9
|
+
|
|
10
|
+
This change addresses GHSA-cj75-f6xr-r4g7 (CVE requested). The minimum Loofah dependency is now
|
|
11
|
+
`~> 2.25, >= 2.25.2`.
|
|
12
|
+
|
|
13
|
+
*Mike Dalessio*
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
## v1.7.0 / 2026-02-24
|
|
17
|
+
|
|
18
|
+
* Add `Rails::HTML::Sanitizer.allowed_uri?` which delegates to `Loofah::HTML5::Scrub.allowed_uri?`,
|
|
19
|
+
allowing the Rails framework to check URI safety without a direct dependency on Loofah.
|
|
20
|
+
|
|
21
|
+
The minimum Loofah dependency is now `~> 2.25`.
|
|
22
|
+
|
|
23
|
+
*Mike Dalessio*
|
|
24
|
+
|
|
25
|
+
|
|
1
26
|
## v1.6.2 / 2024-12-12
|
|
2
27
|
|
|
3
28
|
* `PermitScrubber` fully supports frozen "allowed tags".
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -13,6 +13,10 @@ module Rails
|
|
|
13
13
|
def best_supported_vendor
|
|
14
14
|
html5_support? ? Rails::HTML5::Sanitizer : Rails::HTML4::Sanitizer
|
|
15
15
|
end
|
|
16
|
+
|
|
17
|
+
def allowed_uri?(uri_string)
|
|
18
|
+
Loofah::HTML5::Scrub.allowed_uri?(uri_string)
|
|
19
|
+
end
|
|
16
20
|
end
|
|
17
21
|
|
|
18
22
|
def sanitize(html, options = {})
|
data/lib/rails/html/scrubbers.rb
CHANGED
|
@@ -172,7 +172,7 @@ module Rails
|
|
|
172
172
|
Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
|
|
173
173
|
end
|
|
174
174
|
|
|
175
|
-
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name
|
|
175
|
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && Loofah::HTML5::SafeList::SVG_HREF_ATTRIBUTES.include?(attr_name) && attr_node.value =~ /^\s*[^#\s].*/m
|
|
176
176
|
attr_node.remove
|
|
177
177
|
end
|
|
178
178
|
|
metadata
CHANGED
|
@@ -1,16 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
8
8
|
- Kasper Timm Hansen
|
|
9
9
|
- Mike Dalessio
|
|
10
|
-
autorequire:
|
|
11
10
|
bindir: bin
|
|
12
11
|
cert_chain: []
|
|
13
|
-
date:
|
|
12
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
14
13
|
dependencies:
|
|
15
14
|
- !ruby/object:Gem::Dependency
|
|
16
15
|
name: loofah
|
|
@@ -18,14 +17,20 @@ dependencies:
|
|
|
18
17
|
requirements:
|
|
19
18
|
- - "~>"
|
|
20
19
|
- !ruby/object:Gem::Version
|
|
21
|
-
version: '2.
|
|
20
|
+
version: '2.25'
|
|
21
|
+
- - ">="
|
|
22
|
+
- !ruby/object:Gem::Version
|
|
23
|
+
version: 2.25.2
|
|
22
24
|
type: :runtime
|
|
23
25
|
prerelease: false
|
|
24
26
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
27
|
requirements:
|
|
26
28
|
- - "~>"
|
|
27
29
|
- !ruby/object:Gem::Version
|
|
28
|
-
version: '2.
|
|
30
|
+
version: '2.25'
|
|
31
|
+
- - ">="
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: 2.25.2
|
|
29
34
|
- !ruby/object:Gem::Dependency
|
|
30
35
|
name: nokogiri
|
|
31
36
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -110,18 +115,14 @@ files:
|
|
|
110
115
|
- lib/rails/html/sanitizer.rb
|
|
111
116
|
- lib/rails/html/sanitizer/version.rb
|
|
112
117
|
- lib/rails/html/scrubbers.rb
|
|
113
|
-
- test/rails_api_test.rb
|
|
114
|
-
- test/sanitizer_test.rb
|
|
115
|
-
- test/scrubbers_test.rb
|
|
116
118
|
homepage: https://github.com/rails/rails-html-sanitizer
|
|
117
119
|
licenses:
|
|
118
120
|
- MIT
|
|
119
121
|
metadata:
|
|
120
122
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
121
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.
|
|
122
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.
|
|
123
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.
|
|
124
|
-
post_install_message:
|
|
123
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.7.1/CHANGELOG.md
|
|
124
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.7.1
|
|
125
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.7.1
|
|
125
126
|
rdoc_options: []
|
|
126
127
|
require_paths:
|
|
127
128
|
- lib
|
|
@@ -136,11 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
136
137
|
- !ruby/object:Gem::Version
|
|
137
138
|
version: '0'
|
|
138
139
|
requirements: []
|
|
139
|
-
rubygems_version:
|
|
140
|
-
signing_key:
|
|
140
|
+
rubygems_version: 4.0.10
|
|
141
141
|
specification_version: 4
|
|
142
142
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|
|
143
|
-
test_files:
|
|
144
|
-
- test/rails_api_test.rb
|
|
145
|
-
- test/sanitizer_test.rb
|
|
146
|
-
- test/scrubbers_test.rb
|
|
143
|
+
test_files: []
|
data/test/rails_api_test.rb
DELETED
|
@@ -1,88 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "minitest/autorun"
|
|
4
|
-
require "rails-html-sanitizer"
|
|
5
|
-
|
|
6
|
-
class RailsApiTest < Minitest::Test
|
|
7
|
-
def test_html_module_name_alias
|
|
8
|
-
assert_equal(Rails::Html, Rails::HTML)
|
|
9
|
-
assert_equal("Rails::HTML", Rails::Html.name)
|
|
10
|
-
assert_equal("Rails::HTML", Rails::HTML.name)
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
def test_html_scrubber_class_names
|
|
14
|
-
assert(Rails::Html::PermitScrubber)
|
|
15
|
-
assert(Rails::Html::TargetScrubber)
|
|
16
|
-
assert(Rails::Html::TextOnlyScrubber)
|
|
17
|
-
assert(Rails::Html::Sanitizer)
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
def test_best_supported_vendor_when_html5_is_not_supported_returns_html4
|
|
21
|
-
Rails::HTML::Sanitizer.stub(:html5_support?, false) do
|
|
22
|
-
assert_equal(Rails::HTML4::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
|
|
23
|
-
end
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
def test_best_supported_vendor_when_html5_is_supported_returns_html5
|
|
27
|
-
skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
|
|
28
|
-
|
|
29
|
-
Rails::HTML::Sanitizer.stub(:html5_support?, true) do
|
|
30
|
-
assert_equal(Rails::HTML5::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
def test_html4_sanitizer_alias_full
|
|
35
|
-
assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer)
|
|
36
|
-
assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name)
|
|
37
|
-
end
|
|
38
|
-
|
|
39
|
-
def test_html4_sanitizer_alias_link
|
|
40
|
-
assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer)
|
|
41
|
-
assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name)
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
def test_html4_sanitizer_alias_safe_list
|
|
45
|
-
assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer)
|
|
46
|
-
assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name)
|
|
47
|
-
end
|
|
48
|
-
|
|
49
|
-
def test_html4_full_sanitizer
|
|
50
|
-
assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer)
|
|
51
|
-
assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer)
|
|
52
|
-
end
|
|
53
|
-
|
|
54
|
-
def test_html4_link_sanitizer
|
|
55
|
-
assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer)
|
|
56
|
-
assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML4::Sanitizer.link_sanitizer)
|
|
57
|
-
end
|
|
58
|
-
|
|
59
|
-
def test_html4_safe_list_sanitizer
|
|
60
|
-
assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer)
|
|
61
|
-
assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer)
|
|
62
|
-
end
|
|
63
|
-
|
|
64
|
-
def test_html4_white_list_sanitizer
|
|
65
|
-
assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer)
|
|
66
|
-
assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer)
|
|
67
|
-
end
|
|
68
|
-
|
|
69
|
-
def test_html5_full_sanitizer
|
|
70
|
-
skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
|
|
71
|
-
assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer)
|
|
72
|
-
end
|
|
73
|
-
|
|
74
|
-
def test_html5_link_sanitizer
|
|
75
|
-
skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
|
|
76
|
-
assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer)
|
|
77
|
-
end
|
|
78
|
-
|
|
79
|
-
def test_html5_safe_list_sanitizer
|
|
80
|
-
skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
|
|
81
|
-
assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer)
|
|
82
|
-
end
|
|
83
|
-
|
|
84
|
-
def test_html5_white_list_sanitizer
|
|
85
|
-
skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
|
|
86
|
-
assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer)
|
|
87
|
-
end
|
|
88
|
-
end
|