rails-html-sanitizer 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8eba1aac52c80be280f186c5d378150709b7d4cd2a5d5b2367e6d2c036648d52
-  data.tar.gz: 96408eae2efee778a704f7caf246b64868a63bfdbbb81905b294bcca731a9289
+  metadata.gz: 72ef1b871489bb5189b4010ce24714523903baa2347ca8c49c0d8d3334439a22
+  data.tar.gz: 8e870f37ddb730ba3bf184cd5d9ddf2c8b8bc80d1a1ff3430553959b9478edcb
 SHA512:
-  metadata.gz: c4209cebc841299143a466143f4b776461fc1cc8bba112dc603e86835b68ee44a800566f64224b27f5a45d164d0b004049b228dc405c3de59068800ec7a5d564
-  data.tar.gz: c899472b8dffe9f9fd4d15ae4739f07a775d74b9ed14143beb688bb546b6a82ec469add036747b81aff33510e6e241379e21458cb39d9b2a8e797824066e24e5
+  metadata.gz: 30e80f4579a449b65f0e88e1383953c17df46bd527707c37b425837980167447559a32bfe8815e6f9523727f626059f92fe55d63ac136f798bfe46f323788310
+  data.tar.gz: f554d91da09f669d5e4015294ec96a3431d535a60c254b5ae940227a74753eafde42d9e324009e98247c75210de3d0c6d18583550b11a63048a5adf0a4dfbd31

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.4.0 / 2021-08-18
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+  are no known security issues associated with these PIs, but similar to comments it's preferred to
+  omit these nodes when possible from sanitized output.
+
+  Fixes #115.
+
+  *Mike Dalessio*
+
 ## 1.3.0
 
 * Address deprecations in Loofah 2.3.0.

data/README.md

@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
 #### `Rails::Html::TargetScrubber`
 
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
 
+**Note:** by default, it will scrub anything that is not part of the permitted tags from
+loofah `HTML5::Scrub.allowed_element?`.
 
 ```ruby
 scrubber = Rails::Html::TargetScrubber.new

data/lib/rails/html/sanitizer/version.rb

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.3.0"
+      VERSION = "1.4.0"
     end
   end
 end

data/lib/rails/html/scrubbers.rb

@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
 
-        unless keep_node?(node)
+        unless node.element? && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end
 

data/test/sanitizer_test.rb

@@ -93,7 +93,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_tags_with_plaintext
-    assert_equal "Dont touch me", full_sanitize("Dont touch me")
+    assert_equal "Don't touch me", full_sanitize("Don't touch me")
   end
 
   def test_strip_tags_with_tags
@@ -135,7 +135,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_links_with_plaintext
-    assert_equal "Dont touch me", link_sanitize("Dont touch me")
+    assert_equal "Don't touch me", link_sanitize("Don't touch me")
   end
 
   def test_strip_links_with_line_feed_and_uppercase_tag
@@ -271,7 +271,8 @@ class SanitizersTest < Minitest::Test
 
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
-    assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
+    actual = safe_list_sanitize(input, attributes: %w(style))
+    assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
 
   def test_should_raise_argument_error_if_tags_is_not_enumerable
@@ -413,7 +414,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_div_background_image_unicode_encoded
-    raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+    raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
     assert_equal '', sanitize_css(raw)
   end
 
@@ -520,6 +521,14 @@ class SanitizersTest < Minitest::Test
     assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
   end
 
+  def test_exclude_node_type_processing_instructions
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+  end
+
+  def test_exclude_node_type_comment
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
+  end
+
 protected
 
   def xpath_sanitize(input, options = {})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-06 00:00:00.000000000 Z
+date: 2021-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -101,7 +101,11 @@ files:
 homepage: https://github.com/rails/rails-html-sanitizer
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.0/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.0
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.0
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -117,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/scrubbers_test.rb
 - test/sanitizer_test.rb
+- test/scrubbers_test.rb