rails-html-sanitizer 1.4.1 → 1.4.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rails-html-sanitizer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/rails/html/sanitizer/version.rb +1 -1
- data/lib/rails/html/scrubbers.rb +1 -1
- data/test/scrubbers_test.rb +16 -44
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 85be608ca4422813683df971eb55217f0a70d9bb3d6398efad913ddb90d2c3c5
|
|
4
|
+
data.tar.gz: cdc86ec92f2698f49d73d37e58622b97f4115330e084a2bc6ea46fc711926e94
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b748cab99a7c9bdda776b5aaf76a55e16ff59b6aa10f4ee1fd9b97b7f5a6a897a8a2e0e1fe31cdd741207130d34ccdff2debb4437b0b03b87896ab9c16537f4b
|
|
7
|
+
data.tar.gz: 35f4c0c12c555feb73623df3bc09d19069c48b9ee91539dc247b6a599dc091adb08b56f43041014dfacd6f46183f7b6d68355104716a1feeaef58c3319be6bea
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
## 1.4.2 / 2021-08-23
|
|
2
|
+
|
|
3
|
+
* Slightly improve performance.
|
|
4
|
+
|
|
5
|
+
Assuming elements are more common than comments, make one less method call per node.
|
|
6
|
+
|
|
7
|
+
*Mike Dalessio*
|
|
8
|
+
|
|
1
9
|
## 1.4.1 / 2021-08-18
|
|
2
10
|
|
|
3
11
|
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
data/lib/rails/html/scrubbers.rb
CHANGED
data/test/scrubbers_test.rb
CHANGED
|
@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
|
|
|
41
41
|
assert_scrubbed '<tag>hello</tag>', 'hello'
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
+
def test_default_scrub_removes_comments
|
|
45
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
|
46
|
+
'<div>one</div><span>three</span>')
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def test_default_scrub_removes_processing_instructions
|
|
50
|
+
assert_scrubbed('<div>one</div><?div two><span>three</span>',
|
|
51
|
+
'<div>one</div><span>three</span>')
|
|
52
|
+
end
|
|
53
|
+
|
|
44
54
|
def test_default_attributes_removal_behavior
|
|
45
55
|
assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
|
|
46
56
|
end
|
|
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
|
|
|
56
66
|
assert_scrubbed html, '<tag>leave me now</tag>'
|
|
57
67
|
end
|
|
58
68
|
|
|
69
|
+
def test_leaves_comments_when_supplied_as_tag
|
|
70
|
+
@scrubber.tags = %w(div comment)
|
|
71
|
+
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
|
|
72
|
+
'<div>one</div><!-- two -->three')
|
|
73
|
+
end
|
|
74
|
+
|
|
59
75
|
def test_leaves_only_supplied_tags_nested
|
|
60
76
|
html = '<tag>leave <em>me <span>now</span></em></tag>'
|
|
61
77
|
@scrubber.tags = %w(tag)
|
|
@@ -112,50 +128,6 @@ class PermitScrubberTest < ScrubberTest
|
|
|
112
128
|
end
|
|
113
129
|
end
|
|
114
130
|
|
|
115
|
-
class PermitScrubberSubclassTest < ScrubberTest
|
|
116
|
-
def setup
|
|
117
|
-
@scrubber = Class.new(::Rails::Html::PermitScrubber) do
|
|
118
|
-
attr :nodes_seen
|
|
119
|
-
|
|
120
|
-
def initialize
|
|
121
|
-
super()
|
|
122
|
-
@nodes_seen = []
|
|
123
|
-
end
|
|
124
|
-
|
|
125
|
-
def keep_node?(node)
|
|
126
|
-
@nodes_seen << node.name
|
|
127
|
-
super(node)
|
|
128
|
-
end
|
|
129
|
-
end.new
|
|
130
|
-
end
|
|
131
|
-
|
|
132
|
-
def test_elements_are_checked
|
|
133
|
-
html = %Q("<div></div><a></a><tr></tr>")
|
|
134
|
-
Loofah.scrub_fragment(html, @scrubber)
|
|
135
|
-
assert_includes(@scrubber.nodes_seen, "div")
|
|
136
|
-
assert_includes(@scrubber.nodes_seen, "a")
|
|
137
|
-
assert_includes(@scrubber.nodes_seen, "tr")
|
|
138
|
-
end
|
|
139
|
-
|
|
140
|
-
def test_comments_are_checked
|
|
141
|
-
# this passes in v1.3.0 but fails in v1.4.0
|
|
142
|
-
html = %Q("<div></div><!-- ohai --><tr></tr>")
|
|
143
|
-
Loofah.scrub_fragment(html, @scrubber)
|
|
144
|
-
assert_includes(@scrubber.nodes_seen, "div")
|
|
145
|
-
assert_includes(@scrubber.nodes_seen, "comment")
|
|
146
|
-
assert_includes(@scrubber.nodes_seen, "tr")
|
|
147
|
-
end
|
|
148
|
-
|
|
149
|
-
def test_craftily_named_processing_instructions_are_not_checked
|
|
150
|
-
# this fails in v1.3.0 but passes in v1.4.0
|
|
151
|
-
html = %Q("<div></div><?a content><tr></tr>")
|
|
152
|
-
Loofah.scrub_fragment(html, @scrubber)
|
|
153
|
-
assert_includes(@scrubber.nodes_seen, "div")
|
|
154
|
-
refute_includes(@scrubber.nodes_seen, "a")
|
|
155
|
-
assert_includes(@scrubber.nodes_seen, "tr")
|
|
156
|
-
end
|
|
157
|
-
end
|
|
158
|
-
|
|
159
131
|
class TargetScrubberTest < ScrubberTest
|
|
160
132
|
def setup
|
|
161
133
|
@scrubber = Rails::Html::TargetScrubber.new
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails-html-sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.4.
|
|
4
|
+
version: 1.4.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rafael Mendonça França
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2021-08-
|
|
12
|
+
date: 2021-08-24 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: loofah
|
|
@@ -103,9 +103,9 @@ licenses:
|
|
|
103
103
|
- MIT
|
|
104
104
|
metadata:
|
|
105
105
|
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
|
|
106
|
-
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.
|
|
107
|
-
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.
|
|
108
|
-
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.
|
|
106
|
+
changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
|
|
107
|
+
documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
|
|
108
|
+
source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
|
|
109
109
|
post_install_message:
|
|
110
110
|
rdoc_options: []
|
|
111
111
|
require_paths:
|