rails-html-sanitizer 1.6.2 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d5507b24d4d93d6efebf2e327d04980dd114cd491732b5c71a7e1a3294c846a9
4
- data.tar.gz: dd7a5070b04bf6a97b96df01d65fce9d52790e62dc6631b31fb72ecc2a6d16ed
3
+ metadata.gz: 1e57ccc4baea7e97018e7794845e4f95ca0beee76bbdeff5f377dc1d8385a170
4
+ data.tar.gz: 4b66dc1f9e7f0bfbcb8707c4c208ed6f9f3af50b521015d65e638e90296db066
5
5
  SHA512:
6
- metadata.gz: 912e9d41629bd93de8a14352757add81fde36e394e7907923a88dbebc39da85722fc13a01fa23973421a11e715b41fb78cec3f0379ccf5a97ab0f0ee3ed3dc5a
7
- data.tar.gz: e03d92f6289ef71e4039a64b89bce79c5d5a9d628632c84b2b54235fbe69384578de92f7b2db114c13d041c4d589672dd09e23758a043e675eb37f961a858f67
6
+ metadata.gz: 5ba5bacc8b35f00909f62e68dbb21c30bce706d6e19865803a84119c5fb3ea6ac459719e5b14827f370d428e9fc22eb0cb507824f864855857abc9303175e46a
7
+ data.tar.gz: 395e935d2056f773fbf8324caa0852e070245dd02d7b6d69b205b4a4835fedc3951484f724ea20f69f6ae98578d80535eedc950be44cf149b440249bd1d58ee8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,28 @@
1
+ ## v1.7.1 / 2026-07-15
2
+
3
+ * SVG reference elements now restrict both `href` and `xlink:href` to local references.
4
+
5
+ Previously `PermitScrubber` restricted only `xlink:href` on elements in `SVG_ALLOW_LOCAL_HREF`,
6
+ so a plain `href` attribute on those elements could reference an external document. Applications
7
+ are only affected if the allowed tags are overridden to include an SVG reference element such as
8
+ `use`; the default configuration is not affected.
9
+
10
+ This change addresses GHSA-cj75-f6xr-r4g7 (CVE requested). The minimum Loofah dependency is now
11
+ `~> 2.25, >= 2.25.2`.
12
+
13
+ *Mike Dalessio*
14
+
15
+
16
+ ## v1.7.0 / 2026-02-24
17
+
18
+ * Add `Rails::HTML::Sanitizer.allowed_uri?` which delegates to `Loofah::HTML5::Scrub.allowed_uri?`,
19
+ allowing the Rails framework to check URI safety without a direct dependency on Loofah.
20
+
21
+ The minimum Loofah dependency is now `~> 2.25`.
22
+
23
+ *Mike Dalessio*
24
+
25
+
1
26
  ## v1.6.2 / 2024-12-12
2
27
 
3
28
  * `PermitScrubber` fully supports frozen "allowed tags".
@@ -3,7 +3,7 @@
3
3
  module Rails
4
4
  module HTML
5
5
  class Sanitizer
6
- VERSION = "1.6.2"
6
+ VERSION = "1.7.1"
7
7
  end
8
8
  end
9
9
  end
@@ -13,6 +13,10 @@ module Rails
13
13
  def best_supported_vendor
14
14
  html5_support? ? Rails::HTML5::Sanitizer : Rails::HTML4::Sanitizer
15
15
  end
16
+
17
+ def allowed_uri?(uri_string)
18
+ Loofah::HTML5::Scrub.allowed_uri?(uri_string)
19
+ end
16
20
  end
17
21
 
18
22
  def sanitize(html, options = {})
@@ -172,7 +172,7 @@ module Rails
172
172
  Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
173
173
  end
174
174
 
175
- if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
175
+ if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && Loofah::HTML5::SafeList::SVG_HREF_ATTRIBUTES.include?(attr_name) && attr_node.value =~ /^\s*[^#\s].*/m
176
176
  attr_node.remove
177
177
  end
178
178
 
metadata CHANGED
@@ -1,16 +1,15 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.2
4
+ version: 1.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
8
8
  - Kasper Timm Hansen
9
9
  - Mike Dalessio
10
- autorequire:
11
10
  bindir: bin
12
11
  cert_chain: []
13
- date: 2024-12-12 00:00:00.000000000 Z
12
+ date: 1980-01-02 00:00:00.000000000 Z
14
13
  dependencies:
15
14
  - !ruby/object:Gem::Dependency
16
15
  name: loofah
@@ -18,14 +17,20 @@ dependencies:
18
17
  requirements:
19
18
  - - "~>"
20
19
  - !ruby/object:Gem::Version
21
- version: '2.21'
20
+ version: '2.25'
21
+ - - ">="
22
+ - !ruby/object:Gem::Version
23
+ version: 2.25.2
22
24
  type: :runtime
23
25
  prerelease: false
24
26
  version_requirements: !ruby/object:Gem::Requirement
25
27
  requirements:
26
28
  - - "~>"
27
29
  - !ruby/object:Gem::Version
28
- version: '2.21'
30
+ version: '2.25'
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: 2.25.2
29
34
  - !ruby/object:Gem::Dependency
30
35
  name: nokogiri
31
36
  requirement: !ruby/object:Gem::Requirement
@@ -110,18 +115,14 @@ files:
110
115
  - lib/rails/html/sanitizer.rb
111
116
  - lib/rails/html/sanitizer/version.rb
112
117
  - lib/rails/html/scrubbers.rb
113
- - test/rails_api_test.rb
114
- - test/sanitizer_test.rb
115
- - test/scrubbers_test.rb
116
118
  homepage: https://github.com/rails/rails-html-sanitizer
117
119
  licenses:
118
120
  - MIT
119
121
  metadata:
120
122
  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
121
- changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.6.2/CHANGELOG.md
122
- documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.6.2
123
- source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.6.2
124
- post_install_message:
123
+ changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.7.1/CHANGELOG.md
124
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.7.1
125
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.7.1
125
126
  rdoc_options: []
126
127
  require_paths:
127
128
  - lib
@@ -136,11 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
136
137
  - !ruby/object:Gem::Version
137
138
  version: '0'
138
139
  requirements: []
139
- rubygems_version: 3.3.22
140
- signing_key:
140
+ rubygems_version: 4.0.10
141
141
  specification_version: 4
142
142
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.
143
- test_files:
144
- - test/rails_api_test.rb
145
- - test/sanitizer_test.rb
146
- - test/scrubbers_test.rb
143
+ test_files: []
@@ -1,88 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require "minitest/autorun"
4
- require "rails-html-sanitizer"
5
-
6
- class RailsApiTest < Minitest::Test
7
- def test_html_module_name_alias
8
- assert_equal(Rails::Html, Rails::HTML)
9
- assert_equal("Rails::HTML", Rails::Html.name)
10
- assert_equal("Rails::HTML", Rails::HTML.name)
11
- end
12
-
13
- def test_html_scrubber_class_names
14
- assert(Rails::Html::PermitScrubber)
15
- assert(Rails::Html::TargetScrubber)
16
- assert(Rails::Html::TextOnlyScrubber)
17
- assert(Rails::Html::Sanitizer)
18
- end
19
-
20
- def test_best_supported_vendor_when_html5_is_not_supported_returns_html4
21
- Rails::HTML::Sanitizer.stub(:html5_support?, false) do
22
- assert_equal(Rails::HTML4::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
23
- end
24
- end
25
-
26
- def test_best_supported_vendor_when_html5_is_supported_returns_html5
27
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
28
-
29
- Rails::HTML::Sanitizer.stub(:html5_support?, true) do
30
- assert_equal(Rails::HTML5::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
31
- end
32
- end
33
-
34
- def test_html4_sanitizer_alias_full
35
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer)
36
- assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name)
37
- end
38
-
39
- def test_html4_sanitizer_alias_link
40
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer)
41
- assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name)
42
- end
43
-
44
- def test_html4_sanitizer_alias_safe_list
45
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer)
46
- assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name)
47
- end
48
-
49
- def test_html4_full_sanitizer
50
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer)
51
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer)
52
- end
53
-
54
- def test_html4_link_sanitizer
55
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer)
56
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML4::Sanitizer.link_sanitizer)
57
- end
58
-
59
- def test_html4_safe_list_sanitizer
60
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer)
61
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer)
62
- end
63
-
64
- def test_html4_white_list_sanitizer
65
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer)
66
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer)
67
- end
68
-
69
- def test_html5_full_sanitizer
70
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
71
- assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer)
72
- end
73
-
74
- def test_html5_link_sanitizer
75
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
76
- assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer)
77
- end
78
-
79
- def test_html5_safe_list_sanitizer
80
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
81
- assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer)
82
- end
83
-
84
- def test_html5_white_list_sanitizer
85
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
86
- assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer)
87
- end
88
- end