rails-html-sanitizer 1.0.4 → 1.1.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of rails-html-sanitizer might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f1aa629ae03d828f900932e2272c2d13baf2eae94adb214896cdf2eb959e4172
4
- data.tar.gz: 970c65b32aa93c659e6483e8b798ea23fa8b8eadb1963fba813dd33ba6432ae2
3
+ metadata.gz: 78b391f62382bca60620a37a2b7a1fe6cd8e81545210d308bc56991d11b39b6e
4
+ data.tar.gz: a8065b0d76a88caadeb594ac9e70857aaf061cdceab106781af41285c2e7302f
5
5
  SHA512:
6
- metadata.gz: c97587f6427b9e67e76050f21ab8f39148fd0ff47e87282a4a13802a6ae02ffa62034a187a8e5cfd0577e53d0f0cbc8e2e72abce3171d7f6139f186f1b75e1a2
7
- data.tar.gz: 411f2f9593fda42880b3ed9fcb99431e353c133d36a74e0aed52fa3959efa4bd8cc6aad5d90dddfc4565b0fabc80d68e9cfbf8cea055ae9463cba326f0735dc2
6
+ metadata.gz: b2a15acaf0bf620db43645b28d44d4e75d9bb9111bf77d4c7d90f812f697cbd8e33b704694af590e2af3c5e083d600c1cf82f7234ef737a05954582d1785bebb
7
+ data.tar.gz: af8b02f7811544234b263bfa6dd7062f117e549a6b58271be609c827a1468131caa56afd14b4f2b34e069e5f5d088ef3ba05f11c62b7d84ed69da6794c2c7de0
@@ -1,3 +1,20 @@
1
+ ## 1.1.0
2
+
3
+ * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
4
+ in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
5
+
6
+ *Juanito Fatas*
7
+
8
+ * Remove `href` from LinkScrubber's `tags` as it's not an element.
9
+ https://github.com/rails/rails-html-sanitizer/pull/92
10
+
11
+ *Juanito Fatas*
12
+
13
+ * Explain that we don't need to bump Loofah here if there's CVEs.
14
+ https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
15
+
16
+ *Kasper Timm Hansen*
17
+
1
18
  ## 1.0.1
2
19
 
3
20
  * Added support for Rails 4.2.0.beta2 and above
data/README.md CHANGED
@@ -41,22 +41,22 @@ link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.<
41
41
  # => Only the link text will be kept.
42
42
  ```
43
43
 
44
- #### WhiteListSanitizer
44
+ #### SafeListSanitizer
45
45
 
46
46
  ```ruby
47
- white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
47
+ safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
48
48
 
49
- # sanitize via an extensive white list of allowed elements
50
- white_list_sanitizer.sanitize(@article.body)
49
+ # sanitize via an extensive safe list of allowed elements
50
+ safe_list_sanitizer.sanitize(@article.body)
51
51
 
52
- # white list only the supplied tags and attributes
53
- white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
52
+ # safe list only the supplied tags and attributes
53
+ safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
54
54
 
55
- # white list via a custom scrubber
56
- white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
55
+ # safe list via a custom scrubber
56
+ safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
57
57
 
58
- # white list sanitizer can also sanitize css
59
- white_list_sanitizer.sanitize_css('background-color: #000;')
58
+ # safe list sanitizer can also sanitize css
59
+ safe_list_sanitizer.sanitize_css('background-color: #000;')
60
60
  ```
61
61
 
62
62
  ### Scrubbers
@@ -127,7 +127,7 @@ Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
127
127
  - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
128
128
 
129
129
  The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
130
- - [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
130
+ - [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
131
131
  - [Nokogiri](http://nokogiri.org)
132
132
 
133
133
  ## Contributing to Rails Html Sanitizers
@@ -15,8 +15,14 @@ module Rails
15
15
  Html::LinkSanitizer
16
16
  end
17
17
 
18
+ def safe_list_sanitizer
19
+ Html::SafeListSanitizer
20
+ end
21
+
18
22
  def white_list_sanitizer
19
- Html::WhiteListSanitizer
23
+ ActiveSupport::Deprecation.warn "warning: white_list_sanitizer is" \
24
+ "deprecated, please use safe_list_sanitizer instead."
25
+ safe_list_sanitizer
20
26
  end
21
27
  end
22
28
  end
@@ -34,7 +40,7 @@ module ActionView
34
40
  # end
35
41
  #
36
42
  def sanitized_allowed_tags=(tags)
37
- sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
43
+ sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
38
44
  end
39
45
 
40
46
  # Replaces the allowed HTML attributes for the +sanitize+ helper.
@@ -44,7 +50,7 @@ module ActionView
44
50
  # end
45
51
  #
46
52
  def sanitized_allowed_attributes=(attributes)
47
- sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
53
+ sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
48
54
  end
49
55
 
50
56
  [:protocol_separator,
@@ -40,15 +40,16 @@ module Rails
40
40
  end
41
41
 
42
42
  # === Rails::Html::LinkSanitizer
43
- # Removes a tags and href attributes leaving only the link text
43
+ # Removes +a+ tags and +href+ attributes leaving only the link text.
44
44
  #
45
- # link_sanitizer = Rails::Html::LinkSanitizer.new
46
- # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
- # # => Only the link text will be kept.
45
+ # link_sanitizer = Rails::Html::LinkSanitizer.new
46
+ # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
47
+ #
48
+ # => 'Only the link text will be kept.'
48
49
  class LinkSanitizer < Sanitizer
49
50
  def initialize
50
51
  @link_scrubber = TargetScrubber.new
51
- @link_scrubber.tags = %w(a href)
52
+ @link_scrubber.tags = %w(a)
52
53
  @link_scrubber.attributes = %w(href)
53
54
  end
54
55
 
@@ -57,8 +58,8 @@ module Rails
57
58
  end
58
59
  end
59
60
 
60
- # === Rails::Html::WhiteListSanitizer
61
- # Sanitizes html and css from an extensive white list (see link further down).
61
+ # === Rails::Html::SafeListSanitizer
62
+ # Sanitizes html and css from an extensive safe list (see link further down).
62
63
  #
63
64
  # === Whitespace
64
65
  # We can't make any guarantees about whitespace being kept or stripped.
@@ -72,34 +73,34 @@ module Rails
72
73
  # so automatically.
73
74
  #
74
75
  # === Options
75
- # Sanitizes both html and css via the white lists found here:
76
+ # Sanitizes both html and css via the safe lists found here:
76
77
  # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
77
78
  #
78
- # WhiteListSanitizer also accepts options to configure
79
- # the white list used when sanitizing html.
79
+ # SafeListSanitizer also accepts options to configure
80
+ # the safe list used when sanitizing html.
80
81
  # There's a class level option:
81
- # Rails::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
82
- # Rails::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
82
+ # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
83
+ # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
83
84
  #
84
85
  # Tags and attributes can also be passed to +sanitize+.
85
86
  # Passed options take precedence over the class level options.
86
87
  #
87
88
  # === Examples
88
- # white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
89
+ # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
89
90
  #
90
91
  # Sanitize css doesn't take options
91
- # white_list_sanitizer.sanitize_css('background-color: #000;')
92
+ # safe_list_sanitizer.sanitize_css('background-color: #000;')
92
93
  #
93
- # Default: sanitize via a extensive white list of allowed elements
94
- # white_list_sanitizer.sanitize(@article.body)
94
+ # Default: sanitize via a extensive safe list of allowed elements
95
+ # safe_list_sanitizer.sanitize(@article.body)
95
96
  #
96
- # White list via the supplied tags and attributes
97
- # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
97
+ # Safe list via the supplied tags and attributes
98
+ # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
98
99
  # attributes: %w(id class style))
99
100
  #
100
- # White list via a custom scrubber
101
- # white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
102
- class WhiteListSanitizer < Sanitizer
101
+ # Safe list via a custom scrubber
102
+ # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
103
+ class SafeListSanitizer < Sanitizer
103
104
  class << self
104
105
  attr_accessor :allowed_tags
105
106
  attr_accessor :allowed_attributes
@@ -148,5 +149,10 @@ module Rails
148
149
  options[:attributes] || self.class.allowed_attributes
149
150
  end
150
151
  end
152
+
153
+ WhiteListSanitizer = SafeListSanitizer
154
+ if Object.respond_to?(:deprecate_constant)
155
+ deprecate_constant :WhiteListSanitizer
156
+ end
151
157
  end
152
158
  end
@@ -1,7 +1,7 @@
1
1
  module Rails
2
2
  module Html
3
3
  class Sanitizer
4
- VERSION = "1.0.4"
4
+ VERSION = "1.1.0"
5
5
  end
6
6
  end
7
7
  end
@@ -2,9 +2,9 @@ module Rails
2
2
  module Html
3
3
  # === Rails::Html::PermitScrubber
4
4
  #
5
- # Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
5
+ # +Rails::Html::PermitScrubber+ allows you to permit only your own tags and/or attributes.
6
6
  #
7
- # Rails::Html::PermitScrubber can be subclassed to determine:
7
+ # +Rails::Html::PermitScrubber+ can be subclassed to determine:
8
8
  # - When a node should be skipped via +skip_node?+.
9
9
  # - When a node is allowed via +allowed_node?+.
10
10
  # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,23 +27,23 @@ module Rails
27
27
  # If set, attributes excluded will be removed.
28
28
  # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
29
29
  #
30
- # class CommentScrubber < Html::PermitScrubber
31
- # def initialize
32
- # super
33
- # self.tags = %w(form script comment blockquote)
34
- # end
30
+ # class CommentScrubber < Html::PermitScrubber
31
+ # def initialize
32
+ # super
33
+ # self.tags = %w(form script comment blockquote)
34
+ # end
35
35
  #
36
- # def skip_node?(node)
37
- # node.text?
38
- # end
36
+ # def skip_node?(node)
37
+ # node.text?
38
+ # end
39
39
  #
40
- # def scrub_attribute?(name)
41
- # name == "style"
42
- # end
43
- # end
40
+ # def scrub_attribute?(name)
41
+ # name == "style"
42
+ # end
43
+ # end
44
44
  #
45
- # See the documentation for Nokogiri::XML::Node to understand what's possible
46
- # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
45
+ # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
46
+ # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
47
47
  class PermitScrubber < Loofah::Scrubber
48
48
  attr_reader :tags, :attributes
49
49
 
@@ -160,8 +160,8 @@ module Rails
160
160
 
161
161
  # === Rails::Html::TargetScrubber
162
162
  #
163
- # Where Rails::Html::PermitScrubber picks out tags and attributes to permit in
164
- # sanitization, Rails::Html::TargetScrubber targets them for removal.
163
+ # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to permit in
164
+ # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
165
165
  #
166
166
  # +tags=+
167
167
  # If set, elements included will be stripped.
@@ -180,7 +180,7 @@ module Rails
180
180
 
181
181
  # === Rails::Html::TextOnlyScrubber
182
182
  #
183
- # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
183
+ # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
184
184
  #
185
185
  # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
186
186
  class TextOnlyScrubber < Loofah::Scrubber
@@ -12,12 +12,12 @@ class SanitizersTest < Minitest::Test
12
12
  end
13
13
 
14
14
  def test_sanitize_nested_script
15
- sanitizer = Rails::Html::WhiteListSanitizer.new
15
+ sanitizer = Rails::Html::SafeListSanitizer.new
16
16
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
17
17
  end
18
18
 
19
19
  def test_sanitize_nested_script_in_style
20
- sanitizer = Rails::Html::WhiteListSanitizer.new
20
+ sanitizer = Rails::Html::SafeListSanitizer.new
21
21
  assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
22
22
  end
23
23
 
@@ -154,10 +154,6 @@ class SanitizersTest < Minitest::Test
154
154
  assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
155
155
  end
156
156
 
157
- def test_strip_links_with_a_tag_in_href
158
- assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
159
- end
160
-
161
157
  def test_sanitize_form
162
158
  assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
163
159
  end
@@ -255,38 +251,38 @@ class SanitizersTest < Minitest::Test
255
251
 
256
252
  def test_should_allow_custom_tags
257
253
  text = "<u>foo</u>"
258
- assert_equal text, white_list_sanitize(text, tags: %w(u))
254
+ assert_equal text, safe_list_sanitize(text, tags: %w(u))
259
255
  end
260
256
 
261
257
  def test_should_allow_only_custom_tags
262
258
  text = "<u>foo</u> with <i>bar</i>"
263
- assert_equal "<u>foo</u> with bar", white_list_sanitize(text, tags: %w(u))
259
+ assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
264
260
  end
265
261
 
266
262
  def test_should_allow_custom_tags_with_attributes
267
263
  text = %(<blockquote cite="http://example.com/">foo</blockquote>)
268
- assert_equal text, white_list_sanitize(text)
264
+ assert_equal text, safe_list_sanitize(text)
269
265
  end
270
266
 
271
267
  def test_should_allow_custom_tags_with_custom_attributes
272
268
  text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
273
- assert_equal text, white_list_sanitize(text, attributes: ['foo'])
269
+ assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
274
270
  end
275
271
 
276
272
  def test_scrub_style_if_style_attribute_option_is_passed
277
273
  input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
278
- assert_equal '<p style="color: #000;"></p>', white_list_sanitize(input, attributes: %w(style))
274
+ assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
279
275
  end
280
276
 
281
277
  def test_should_raise_argument_error_if_tags_is_not_enumerable
282
278
  assert_raises ArgumentError do
283
- white_list_sanitize('<a>some html</a>', tags: 'foo')
279
+ safe_list_sanitize('<a>some html</a>', tags: 'foo')
284
280
  end
285
281
  end
286
282
 
287
283
  def test_should_raise_argument_error_if_attributes_is_not_enumerable
288
284
  assert_raises ArgumentError do
289
- white_list_sanitize('<a>some html</a>', attributes: 'foo')
285
+ safe_list_sanitize('<a>some html</a>', attributes: 'foo')
290
286
  end
291
287
  end
292
288
 
@@ -295,7 +291,7 @@ class SanitizersTest < Minitest::Test
295
291
  def scrubber.scrub(node); node.name = 'h1'; end
296
292
 
297
293
  assert_raises Loofah::ScrubberNotFound do
298
- white_list_sanitize('<a>some html</a>', scrubber: scrubber)
294
+ safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
299
295
  end
300
296
  end
301
297
 
@@ -304,19 +300,19 @@ class SanitizersTest < Minitest::Test
304
300
  def scrubber.scrub(node); node.name = 'h1'; end
305
301
 
306
302
  html = "<script>hello!</script>"
307
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
303
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
308
304
  end
309
305
 
310
306
  def test_should_accept_loofah_scrubber_that_wraps_a_block
311
307
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
312
308
  html = "<script>hello!</script>"
313
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber)
309
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
314
310
  end
315
311
 
316
312
  def test_custom_scrubber_takes_precedence_over_other_options
317
313
  scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
318
314
  html = "<script>hello!</script>"
319
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
315
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ['foo'])
320
316
  end
321
317
 
322
318
  [%w(img src), %w(a href)].each do |(tag, attr)|
@@ -468,7 +464,7 @@ class SanitizersTest < Minitest::Test
468
464
  end
469
465
 
470
466
  def test_sanitize_ascii_8bit_string
471
- white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
467
+ safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
472
468
  assert_equal '<a>hello</a>', sanitized
473
469
  assert_equal Encoding::UTF_8, sanitized.encoding
474
470
  end
@@ -481,39 +477,47 @@ class SanitizersTest < Minitest::Test
481
477
 
482
478
  def test_allow_data_attribute_if_requested
483
479
  text = %(<a data-foo="foo">foo</a>)
484
- assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
480
+ assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ['data-foo'])
485
481
  end
486
482
 
487
- def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
483
+ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
484
+ skip if RUBY_VERSION < "2.3"
485
+
488
486
  html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
489
487
 
490
- text = white_list_sanitize(html)
488
+ text = safe_list_sanitize(html)
491
489
 
492
- assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
490
+ assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
493
491
  end
494
492
 
495
- def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
493
+ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
494
+ skip if RUBY_VERSION < "2.3"
495
+
496
496
  html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
497
497
 
498
- text = white_list_sanitize(html)
498
+ text = safe_list_sanitize(html)
499
499
 
500
- assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
500
+ assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
501
501
  end
502
502
 
503
- def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
503
+ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
504
+ skip if RUBY_VERSION < "2.3"
505
+
504
506
  html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
505
507
 
506
- text = white_list_sanitize(html)
508
+ text = safe_list_sanitize(html)
507
509
 
508
- assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
510
+ assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
509
511
  end
510
512
 
511
- def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
513
+ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
514
+ skip if RUBY_VERSION < "2.3"
515
+
512
516
  html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
513
517
 
514
- text = white_list_sanitize(html, attributes: ['action'])
518
+ text = safe_list_sanitize(html, attributes: ['action'])
515
519
 
516
- assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
520
+ assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
517
521
  end
518
522
 
519
523
  protected
@@ -530,35 +534,35 @@ protected
530
534
  Rails::Html::LinkSanitizer.new.sanitize(input, options)
531
535
  end
532
536
 
533
- def white_list_sanitize(input, options = {})
534
- Rails::Html::WhiteListSanitizer.new.sanitize(input, options)
537
+ def safe_list_sanitize(input, options = {})
538
+ Rails::Html::SafeListSanitizer.new.sanitize(input, options)
535
539
  end
536
540
 
537
541
  def assert_sanitized(input, expected = nil)
538
542
  if input
539
- assert_dom_equal expected || input, white_list_sanitize(input)
543
+ assert_dom_equal expected || input, safe_list_sanitize(input)
540
544
  else
541
- assert_nil white_list_sanitize(input)
545
+ assert_nil safe_list_sanitize(input)
542
546
  end
543
547
  end
544
548
 
545
549
  def sanitize_css(input)
546
- Rails::Html::WhiteListSanitizer.new.sanitize_css(input)
550
+ Rails::Html::SafeListSanitizer.new.sanitize_css(input)
547
551
  end
548
552
 
549
553
  def scope_allowed_tags(tags)
550
- old_tags = Rails::Html::WhiteListSanitizer.allowed_tags
551
- Rails::Html::WhiteListSanitizer.allowed_tags = tags
552
- yield Rails::Html::WhiteListSanitizer.new
554
+ old_tags = Rails::Html::SafeListSanitizer.allowed_tags
555
+ Rails::Html::SafeListSanitizer.allowed_tags = tags
556
+ yield Rails::Html::SafeListSanitizer.new
553
557
  ensure
554
- Rails::Html::WhiteListSanitizer.allowed_tags = old_tags
558
+ Rails::Html::SafeListSanitizer.allowed_tags = old_tags
555
559
  end
556
560
 
557
561
  def scope_allowed_attributes(attributes)
558
- old_attributes = Rails::Html::WhiteListSanitizer.allowed_attributes
559
- Rails::Html::WhiteListSanitizer.allowed_attributes = attributes
560
- yield Rails::Html::WhiteListSanitizer.new
562
+ old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
563
+ Rails::Html::SafeListSanitizer.allowed_attributes = attributes
564
+ yield Rails::Html::SafeListSanitizer.new
561
565
  ensure
562
- Rails::Html::WhiteListSanitizer.allowed_attributes = old_attributes
566
+ Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
563
567
  end
564
568
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-html-sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.4
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-03-22 00:00:00.000000000 Z
12
+ date: 2019-08-05 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: loofah
@@ -35,14 +35,14 @@ dependencies:
35
35
  name: bundler
36
36
  requirement: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - "~>"
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '1.3'
41
41
  type: :development
42
42
  prerelease: false
43
43
  version_requirements: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - "~>"
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
47
  version: '1.3'
48
48
  - !ruby/object:Gem::Dependency
@@ -123,8 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
123
123
  - !ruby/object:Gem::Version
124
124
  version: '0'
125
125
  requirements: []
126
- rubyforge_project:
127
- rubygems_version: 2.7.6
126
+ rubygems_version: 3.0.4
128
127
  signing_key:
129
128
  specification_version: 4
130
129
  summary: This gem is responsible to sanitize HTML fragments in Rails applications.