rails-html-sanitizer 1.7.0 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1e73c95bdfd00d65afcc40a3ef436fe4bab7b7571e62b789a877ea2b201a2740
4
- data.tar.gz: 9ac916682a1d0b3b6f45059f5509a1f7785349e0c08102fac6cb1539bff0db3f
3
+ metadata.gz: 1e57ccc4baea7e97018e7794845e4f95ca0beee76bbdeff5f377dc1d8385a170
4
+ data.tar.gz: 4b66dc1f9e7f0bfbcb8707c4c208ed6f9f3af50b521015d65e638e90296db066
5
5
  SHA512:
6
- metadata.gz: d70c999e3775bb58adcc8b6b785c49b7f79ea14990042c2a96105cd36b09c8126f25a317e8f9ab920b0aeaaf107e61870443e0afff78ea291ad163e659b043e6
7
- data.tar.gz: 440f779d178582a39723cc22191e7397becdbc2c2fbd36d3af7eac52f66ce722a9f9000f4cae43d46e36451da2e66249667a5a3d02c5914835a85fac6dd98331
6
+ metadata.gz: 5ba5bacc8b35f00909f62e68dbb21c30bce706d6e19865803a84119c5fb3ea6ac459719e5b14827f370d428e9fc22eb0cb507824f864855857abc9303175e46a
7
+ data.tar.gz: 395e935d2056f773fbf8324caa0852e070245dd02d7b6d69b205b4a4835fedc3951484f724ea20f69f6ae98578d80535eedc950be44cf149b440249bd1d58ee8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,18 @@
1
+ ## v1.7.1 / 2026-07-15
2
+
3
+ * SVG reference elements now restrict both `href` and `xlink:href` to local references.
4
+
5
+ Previously `PermitScrubber` restricted only `xlink:href` on elements in `SVG_ALLOW_LOCAL_HREF`,
6
+ so a plain `href` attribute on those elements could reference an external document. Applications
7
+ are only affected if the allowed tags are overridden to include an SVG reference element such as
8
+ `use`; the default configuration is not affected.
9
+
10
+ This change addresses GHSA-cj75-f6xr-r4g7 (CVE requested). The minimum Loofah dependency is now
11
+ `~> 2.25, >= 2.25.2`.
12
+
13
+ *Mike Dalessio*
14
+
15
+
1
16
  ## v1.7.0 / 2026-02-24
2
17
 
3
18
  * Add `Rails::HTML::Sanitizer.allowed_uri?` which delegates to `Loofah::HTML5::Scrub.allowed_uri?`,
@@ -3,7 +3,7 @@
3
3
  module Rails
4
4
  module HTML
5
5
  class Sanitizer
6
- VERSION = "1.7.0"
6
+ VERSION = "1.7.1"
7
7
  end
8
8
  end
9
9
  end
@@ -172,7 +172,7 @@ module Rails
172
172
  Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
173
173
  end
174
174
 
175
- if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
175
+ if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && Loofah::HTML5::SafeList::SVG_HREF_ATTRIBUTES.include?(attr_name) && attr_node.value =~ /^\s*[^#\s].*/m
176
176
  attr_node.remove
177
177
  end
178
178
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.0
4
+ version: 1.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
@@ -18,6 +18,9 @@ dependencies:
18
18
  - - "~>"
19
19
  - !ruby/object:Gem::Version
20
20
  version: '2.25'
21
+ - - ">="
22
+ - !ruby/object:Gem::Version
23
+ version: 2.25.2
21
24
  type: :runtime
22
25
  prerelease: false
23
26
  version_requirements: !ruby/object:Gem::Requirement
@@ -25,6 +28,9 @@ dependencies:
25
28
  - - "~>"
26
29
  - !ruby/object:Gem::Version
27
30
  version: '2.25'
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: 2.25.2
28
34
  - !ruby/object:Gem::Dependency
29
35
  name: nokogiri
30
36
  requirement: !ruby/object:Gem::Requirement
@@ -109,18 +115,14 @@ files:
109
115
  - lib/rails/html/sanitizer.rb
110
116
  - lib/rails/html/sanitizer/version.rb
111
117
  - lib/rails/html/scrubbers.rb
112
- - test/rails_api_test.rb
113
- - test/sanitizer_test.rb
114
- - test/scrubbers_test.rb
115
- - test/test_helper.rb
116
118
  homepage: https://github.com/rails/rails-html-sanitizer
117
119
  licenses:
118
120
  - MIT
119
121
  metadata:
120
122
  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
121
- changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.7.0/CHANGELOG.md
122
- documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.7.0
123
- source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.7.0
123
+ changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.7.1/CHANGELOG.md
124
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.7.1
125
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.7.1
124
126
  rdoc_options: []
125
127
  require_paths:
126
128
  - lib
@@ -135,11 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
135
137
  - !ruby/object:Gem::Version
136
138
  version: '0'
137
139
  requirements: []
138
- rubygems_version: 4.0.3
140
+ rubygems_version: 4.0.10
139
141
  specification_version: 4
140
142
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.
141
- test_files:
142
- - test/rails_api_test.rb
143
- - test/sanitizer_test.rb
144
- - test/scrubbers_test.rb
145
- - test/test_helper.rb
143
+ test_files: []
@@ -1,101 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require_relative "test_helper"
4
-
5
- class RailsApiTest < Minitest::Test
6
- def test_html_module_name_alias
7
- assert_equal(Rails::Html, Rails::HTML)
8
- assert_equal("Rails::HTML", Rails::Html.name)
9
- assert_equal("Rails::HTML", Rails::HTML.name)
10
- end
11
-
12
- def test_html_scrubber_class_names
13
- assert(Rails::Html::PermitScrubber)
14
- assert(Rails::Html::TargetScrubber)
15
- assert(Rails::Html::TextOnlyScrubber)
16
- assert(Rails::Html::Sanitizer)
17
- end
18
-
19
- def test_best_supported_vendor_when_html5_is_not_supported_returns_html4
20
- Rails::HTML::Sanitizer.stub(:html5_support?, false) do
21
- assert_equal(Rails::HTML4::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
22
- end
23
- end
24
-
25
- def test_best_supported_vendor_when_html5_is_supported_returns_html5
26
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
27
-
28
- Rails::HTML::Sanitizer.stub(:html5_support?, true) do
29
- assert_equal(Rails::HTML5::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor)
30
- end
31
- end
32
-
33
- def test_html4_sanitizer_alias_full
34
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer)
35
- assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name)
36
- end
37
-
38
- def test_html4_sanitizer_alias_link
39
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer)
40
- assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name)
41
- end
42
-
43
- def test_html4_sanitizer_alias_safe_list
44
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer)
45
- assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name)
46
- end
47
-
48
- def test_html4_full_sanitizer
49
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer)
50
- assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer)
51
- end
52
-
53
- def test_html4_link_sanitizer
54
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer)
55
- assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML4::Sanitizer.link_sanitizer)
56
- end
57
-
58
- def test_html4_safe_list_sanitizer
59
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer)
60
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer)
61
- end
62
-
63
- def test_html4_white_list_sanitizer
64
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer)
65
- assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer)
66
- end
67
-
68
- def test_html5_full_sanitizer
69
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
70
- assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer)
71
- end
72
-
73
- def test_html5_link_sanitizer
74
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
75
- assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer)
76
- end
77
-
78
- def test_html5_safe_list_sanitizer
79
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
80
- assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer)
81
- end
82
-
83
- def test_html5_white_list_sanitizer
84
- skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support?
85
- assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer)
86
- end
87
-
88
- def test_allowed_uri_returns_true_for_allowed_protocols
89
- assert(Rails::HTML::Sanitizer.allowed_uri?("https://example.com"))
90
- assert(Rails::HTML::Sanitizer.allowed_uri?("http://example.com"))
91
- assert(Rails::HTML::Sanitizer.allowed_uri?("mailto:user@example.com"))
92
- end
93
-
94
- def test_allowed_uri_returns_false_for_disallowed_protocols
95
- refute(Rails::HTML::Sanitizer.allowed_uri?("javascript:alert(1)"))
96
- end
97
-
98
- def test_allowed_uri_returns_true_for_relative_uris
99
- assert(Rails::HTML::Sanitizer.allowed_uri?("/relative/path"))
100
- end
101
- end