rails-html-sanitizer 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/README.md +3 -3
- data/lib/rails/html/sanitizer.rb +6 -2
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/test/sanitizer_test.rb +14 -2
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 330722b1f148ac96ebebc529d2b971d2f32584bb
|
|
4
|
+
data.tar.gz: 5441eea2b71bd6786f38061d60db7c80f18896ff
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c346b077718dd1ebba5c1aecab78421e30b3dbda64a7a43ecf0cea96b3f25ea72f9b93dc2f7b36d11453d8249f87847ef4087f1bc1086812314e1ff3fcc67eef
|
|
7
|
+
data.tar.gz: 0e598d16bae9973b706e739ff87ea767d96859d2a27349890bb848c783161bfffccf99d26ffa231ee4e9a3ccb4dfe137ab76c6ef88eb6b32fee9f7dc3dfdb2c5
|
data/README.md
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# Rails Html Sanitizers
|
|
2
2
|
|
|
3
|
-
In Rails
|
|
4
|
-
i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
|
|
3
|
+
In Rails 4.2 and above this gem will be responsible for sanitizing HTML fragments in Rails
|
|
4
|
+
applications, i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
|
|
5
5
|
|
|
6
|
-
|
|
6
|
+
Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using [Loofah](https://github.com/flavorjones/loofah) directly (that's what handles sanitization under the hood).
|
|
7
7
|
|
|
8
8
|
## Installation
|
|
9
9
|
|
data/lib/rails/html/sanitizer.rb
CHANGED
|
@@ -28,7 +28,7 @@ module Rails
|
|
|
28
28
|
|
|
29
29
|
Loofah.fragment(html).tap do |fragment|
|
|
30
30
|
remove_xpaths(fragment, XPATHS_TO_REMOVE)
|
|
31
|
-
end.text
|
|
31
|
+
end.text(options)
|
|
32
32
|
end
|
|
33
33
|
end
|
|
34
34
|
|
|
@@ -120,7 +120,7 @@ module Rails
|
|
|
120
120
|
loofah_fragment.scrub!(:strip)
|
|
121
121
|
end
|
|
122
122
|
|
|
123
|
-
loofah_fragment
|
|
123
|
+
properly_encode(loofah_fragment, encoding: 'UTF-8')
|
|
124
124
|
end
|
|
125
125
|
|
|
126
126
|
def sanitize_css(style_string)
|
|
@@ -136,6 +136,10 @@ module Rails
|
|
|
136
136
|
def allowed_attributes(options)
|
|
137
137
|
options[:attributes] || self.class.allowed_attributes
|
|
138
138
|
end
|
|
139
|
+
|
|
140
|
+
def properly_encode(fragment, options)
|
|
141
|
+
fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
|
|
142
|
+
end
|
|
139
143
|
end
|
|
140
144
|
end
|
|
141
145
|
end
|
data/test/sanitizer_test.rb
CHANGED
|
@@ -104,6 +104,11 @@ class SanitizersTest < Minitest::Test
|
|
|
104
104
|
assert_equal "Frozen string with no tags", full_sanitize("Frozen string with no tags".freeze)
|
|
105
105
|
end
|
|
106
106
|
|
|
107
|
+
def test_full_sanitize_allows_turning_off_encoding_special_chars
|
|
108
|
+
assert_equal '&', full_sanitize('&')
|
|
109
|
+
assert_equal '&', full_sanitize('&', encode_special_chars: false)
|
|
110
|
+
end
|
|
111
|
+
|
|
107
112
|
def test_strip_links_with_tags_in_tags
|
|
108
113
|
expected = "a href='hello'>all <b>day</b> long/a>"
|
|
109
114
|
input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
|
|
@@ -173,7 +178,7 @@ class SanitizersTest < Minitest::Test
|
|
|
173
178
|
end
|
|
174
179
|
|
|
175
180
|
def test_should_allow_anchors
|
|
176
|
-
assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\"
|
|
181
|
+
assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\"></a>)
|
|
177
182
|
end
|
|
178
183
|
|
|
179
184
|
def test_video_poster_sanitization
|
|
@@ -441,6 +446,13 @@ class SanitizersTest < Minitest::Test
|
|
|
441
446
|
assert_sanitized %(<a href="http://legit">), %(<a href="http://legit">)
|
|
442
447
|
end
|
|
443
448
|
|
|
449
|
+
def test_sanitize_ascii_8bit_string
|
|
450
|
+
white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
|
|
451
|
+
assert_equal '<a>hello</a>', sanitized
|
|
452
|
+
assert_equal Encoding::UTF_8, sanitized.encoding
|
|
453
|
+
end
|
|
454
|
+
end
|
|
455
|
+
|
|
444
456
|
protected
|
|
445
457
|
|
|
446
458
|
def xpath_sanitize(input, options = {})
|
|
@@ -472,7 +484,7 @@ protected
|
|
|
472
484
|
end
|
|
473
485
|
|
|
474
486
|
def scope_allowed_tags(tags)
|
|
475
|
-
Rails::Html::WhiteListSanitizer.allowed_tags =
|
|
487
|
+
Rails::Html::WhiteListSanitizer.allowed_tags = tags
|
|
476
488
|
yield Rails::Html::WhiteListSanitizer.new
|
|
477
489
|
|
|
478
490
|
ensure
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2015-03-10 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -81,7 +81,7 @@ dependencies:
|
|
|
81
81
|
- - ">="
|
|
82
82
|
- !ruby/object:Gem::Version
|
|
83
83
|
version: '0'
|
|
84
|
-
description: HTML sanitization
|
|
84
|
+
description: HTML sanitization for Rails applications
|
|
85
85
|
email:
|
|
86
86
|
- rafaelmfranca@gmail.com
|
|
87
87
|
- kaspth@gmail.com
|
|
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
118
118
|
version: '0'
|
|
119
119
|
requirements: []
|
|
120
120
|
rubyforge_project:
|
|
121
|
-
rubygems_version: 2.
|
|
121
|
+
rubygems_version: 2.4.5
|
|
122
122
|
signing_key:
|
|
123
123
|
specification_version: 4
|
|
124
124
|
summary: This gem is responsible to sanitize HTML fragments in Rails applications.
|