rails-html-sanitizer 1.0.3 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 44e7ba72869ce5a5b6aa4f202dced7073ef94b72
-  data.tar.gz: b5410baf4f05cc97449852a7b3b4e36774a9942d
+SHA256:
+  metadata.gz: f1aa629ae03d828f900932e2272c2d13baf2eae94adb214896cdf2eb959e4172
+  data.tar.gz: 970c65b32aa93c659e6483e8b798ea23fa8b8eadb1963fba813dd33ba6432ae2
 SHA512:
-  metadata.gz: 9ea541f36dbc6de129d6bd889a8b198bf5e4805a578e204dc21dfc01c29551f869e064b7c315a9cd7e2732cef58ad820851684df55568922135dd4866f5d8ff7
-  data.tar.gz: ff206594a72e31e5504f935b437ea105327f7540d5d1a8530f202d35419c278f9d78a5e7f413e86c519bf7bf12b54341aadb7591cfa719f35ea1693d4d4998b2
+  metadata.gz: c97587f6427b9e67e76050f21ab8f39148fd0ff47e87282a4a13802a6ae02ffa62034a187a8e5cfd0577e53d0f0cbc8e2e72abce3171d7f6139f186f1b75e1a2
+  data.tar.gz: 411f2f9593fda42880b3ed9fcb99431e353c133d36a74e0aed52fa3959efa4bd8cc6aad5d90dddfc4565b0fabc80d68e9cfbf8cea055ae9463cba326f0735dc2

data/MIT-LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2013-2015 Rafael Mendonça França, Kasper Timm Hansen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -99,17 +99,15 @@ You can also create custom scrubbers in your application if you want to.
 
 ```ruby
 class CommentScrubber < Rails::Html::PermitScrubber
-  def allowed_node?(node)
-    !%w(form script comment blockquote).include?(node.name)
+  def initialize
+    super
+    self.tags = %w( form script comment blockquote )
+    self.attributes = %w( style )
   end
 
   def skip_node?(node)
     node.text?
   end
-
-  def scrub_attribute?(name)
-    name == "style"
-  end
 end
 ```
 

data/lib/rails/html/sanitizer.rb

@@ -61,7 +61,7 @@ module Rails
     # Sanitizes html and css from an extensive white list (see link further down).
     #
     # === Whitespace
-    # We can't make any guarentees about whitespace being kept or stripped.
+    # We can't make any guarantees about whitespace being kept or stripped.
     # Loofah uses Nokogiri, which wraps either a C or Java parser for the
     # respective Ruby implementation.
     # Those two parsers determine how whitespace is ultimately handled.

data/lib/rails/html/sanitizer/version.rb

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.0.3"
+      VERSION = "1.0.4"
     end
   end
 end

data/lib/rails/html/scrubbers.rb

@@ -28,8 +28,9 @@ module Rails
     # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
     #
     # class CommentScrubber < Html::PermitScrubber
-    #   def allowed_node?(node)
-    #     !%w(form script comment blockquote).include?(node.name)
+    #   def initialize
+    #     super
+    #     self.tags = %w(form script comment blockquote)
     #   end
     #
     #   def skip_node?(node)
@@ -152,6 +153,8 @@ module Rails
         end
 
         node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
+
+        Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
       end
     end
 

data/test/sanitizer_test.rb

@@ -33,7 +33,7 @@ class SanitizersTest < Minitest::Test
     assert_equal %(<h1>hello </h1>), xpath_sanitize(html, xpaths: %w(.//script))
   end
 
-  def test_remove_xpaths_removes_all_occurences_of_xpath
+  def test_remove_xpaths_removes_all_occurrences_of_xpath
     html = %(<section><header><script>code!</script></header><p>hello <script>code!</script></p></section>)
     assert_equal %(<section><header></header><p>hello </p></section>), xpath_sanitize(html, xpaths: %w(.//script))
   end
@@ -58,11 +58,11 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_invalid_html
-    assert_equal "", full_sanitize("<<<bad html")
+    assert_equal "&lt;&lt;", full_sanitize("<<<bad html")
   end
 
   def test_strip_nested_tags
-    expected = "Weia onclick='alert(document.cookie);'/&gt;rdos"
+    expected = "Wei&lt;a onclick='alert(document.cookie);'/&gt;rdos"
     input = "Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"
     assert_equal expected, full_sanitize(input)
   end
@@ -74,7 +74,7 @@ class SanitizersTest < Minitest::Test
     assert_equal expected, full_sanitize(input)
   end
 
-  def test_strip_comments
+  def test_remove_unclosed_tags
     assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
   end
 
@@ -87,7 +87,9 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_blank_string
-    [nil, '', '   '].each { |blank| assert_equal blank, full_sanitize(blank) }
+    assert_nil full_sanitize(nil)
+    assert_equal "", full_sanitize("")
+    assert_equal "   ", full_sanitize("   ")
   end
 
   def test_strip_tags_with_plaintext
@@ -98,8 +100,8 @@ class SanitizersTest < Minitest::Test
     assert_equal "This is a test.", full_sanitize("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>")
   end
 
-  def test_strip_tags_with_many_open_quotes
-    assert_equal "", full_sanitize("<<<bad html>")
+  def test_escape_tags_with_many_open_quotes
+    assert_equal "&lt;&lt;", full_sanitize("<<<bad html>")
   end
 
   def test_strip_tags_with_sentence
@@ -123,7 +125,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_links_with_tags_in_tags
-    expected = "a href='hello'&gt;all <b>day</b> long/a&gt;"
+    expected = "&lt;a href='hello'&gt;all <b>day</b> long&lt;/a&gt;"
     input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
     assert_equal expected, link_sanitize(input)
   end
@@ -360,7 +362,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_script_tag_with_multiple_open_brackets
-    assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "alert(\"XSS\");//"
+    assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "&lt;alert(\"XSS\");//&lt;"
     assert_sanitized %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a), ""
   end
 
@@ -383,13 +385,13 @@ class SanitizersTest < Minitest::Test
 
   def test_should_sanitize_illegal_style_properties
     raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
-    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
+    expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
     assert_equal expected, sanitize_css(raw)
   end
 
   def test_should_sanitize_with_trailing_space
     raw = "display:block; "
-    expected = "display: block;"
+    expected = "display:block;"
     assert_equal expected, sanitize_css(raw)
   end
 
@@ -482,6 +484,38 @@ class SanitizersTest < Minitest::Test
     assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
   end
 
+  def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
+    html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+    text = white_list_sanitize(html)
+
+    assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+  end
+
+  def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
+    html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+    text = white_list_sanitize(html)
+
+    assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+  end
+
+  def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
+    html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+    text = white_list_sanitize(html)
+
+    assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+  end
+
+  def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
+    html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
+
+    text = white_list_sanitize(html, attributes: ['action'])
+
+    assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+  end
+
 protected
 
   def xpath_sanitize(input, options = {})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.4
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-25 00:00:00.000000000 Z
+date: 2018-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -17,14 +17,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.2
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -90,6 +96,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
+- MIT-LICENSE
 - README.md
 - lib/rails-html-sanitizer.rb
 - lib/rails/html/sanitizer.rb
@@ -117,10 +124,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/sanitizer_test.rb
 - test/scrubbers_test.rb
+- test/sanitizer_test.rb