sanitize-whitelist 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e5b9340d1fdf955406ddf07541231b65e77c936b
+  data.tar.gz: 4b3963b3848cb1fd5b90b53d780d89b25232974b
+SHA512:
+  metadata.gz: e49f199fba770fcddc0b2b442d8224dc35afddbdfe1940e3b508d4363d0638d60d48cdb8c16116a184ca63de633a5ce2ccbee43ab7d15d123faa0e638cc3ff40
+  data.tar.gz: faef079c1b47f2ae5556fa256441417814cbc8dc608eed164f49d73c36f07b5882ed714d021515183bcee835c6b3403bd6080ac8493c316dce45595534a53ba5

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :guard do
+  gem 'guard-rspec'
+  gem 'guard-bundler'
+  gem 'rb-fsevent'
+end
+
+gem "byebug"

data/Guardfile

@@ -0,0 +1,9 @@
+guard "bundler" do
+  watch("Gemfile")
+end
+
+guard "rspec" do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^spec/spec_helper.rb$})    { "spec" }
+  watch(%r{^lib/(.+)\.rb$})           { |m| "spec/#{m[1]}_spec.rb" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Brandon Keepers
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,85 @@
+# Sanitize::Whitelist
+
+Objects to represent a whitelist that can be used by the sanitize gem.
+
+Problem: the `sanitize` gem uses a deeply nested hash to configure sanitization. It is cumbersome to inherit and modify sanitization configuration without modifying the original hash.
+
+This wraps it with real objects, which means:
+
+- The entire whitelist is frozen after the yielded block.
+- #dup behaves as expected and returns a deep clone
+- #to_hash creates a hash that can be passed to the sanitize gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'sanitize-whitelist'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install sanitize-whitelist
+
+## Usage
+
+```ruby
+Whitelist.new do
+  # Explicitly declare elements that are allowed.
+  allow %w(
+    h1 h2 h3 h4 h5 h6 h7 h8 br b i strong em a pre code img tt
+    div ins del sup sub p ol ul table thead tbody tfoot blockquote
+    dl dt dd kbd q samp var hr ruby rt rp li tr td th s strike
+  )
+
+  # Elements to completely remove instead of escape.
+  remove "script"
+
+  # Allow href and src attributes, and specify the protocols that they can use.
+  element("a").allow("href").protocols('http', 'https', 'mailto', :relative, 'github-windows', 'github-mac')
+  element("img").allow("src").protocols('http', 'https', :relative)
+
+  # Allow other elements on divs
+  element("div").allow %w(itemscope itemtype)
+
+  # All elements can have these attributes
+  element(:all).allow %w(
+    abbr accept accept-charset accesskey action align alt axis border
+    cellpadding cellspacing char charoff charset checked cite clear cols
+    colspan color compact coords datetime dir disabled enctype for frame
+    headers height hreflang hspace ismap label lang longdesc maxlength media
+    method multiple name nohref noshade nowrap prompt readonly rel rev rows
+    rowspan rules scope selected shape size span start summary tabindex target
+    title type usemap valign value vspace width itempro
+  )
+
+  # Top-level <li> elements are removed because they can break out of
+  # containing markup.
+  transform do |env|
+    name, node = env[:node_name], env[:node]
+    if name == "li" && !node.ancestors.any?{ |n| %w(ul ol).include?(n.name) }
+      node.replace(node.children)
+    end
+  end
+
+  # Table child elements that are not contained by a <table> are removed.
+  # Otherwise they can be used to break out of containing markup.
+  transform do |env|
+    name, node = env[:node_name], env[:node]
+    if (%w(thead tbody tfoot).include?(name) || %w(tr td th).include?(name)) && !node.ancestors.any? { |n| n.name == "table" }
+      node.replace(node.children)
+    end
+  end
+end
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/bkeepers/sanitize-whitelist/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/lib/sanitize/whitelist.rb

@@ -0,0 +1,98 @@
+class Sanitize
+  class Whitelist
+    attr_reader :elements, :transformers
+
+    def initialize(&block)
+      @elements = {}
+      @transformers = []
+      eval_block(&block)
+      freeze
+    end
+
+    def freeze
+      super
+      @elements.freeze.values.each(&:freeze)
+      @transformers.freeze
+    end
+
+    def initialize_dup(original)
+      @elements = original.elements.each_with_object({}) do |(name,element), elements|
+        elements[name] = element.dup
+      end
+      @transformers = original.transformers.dup
+      super
+    end
+
+    def dup(&block)
+      super.tap do |object|
+        object.eval_block(&block)
+        freeze
+      end
+    end
+
+    def eval_block(&block)
+      block.arity == 1 ? block.call(self) : instance_eval(&block) if block
+    end
+
+    def allow(elements)
+      Array(elements).map { |name| element(name) }
+    end
+
+    def remove(boolean_or_elements)
+      Array(boolean_or_elements).map { |name| element(name).remove! }
+    end
+
+    def remove_non_whitelisted!
+      @remove_non_whitelisted = true
+    end
+
+    def escape_non_whitelisted!
+      @remove_non_whitelisted = false
+    end
+
+    def element(name)
+      @elements[name] ||= Sanitize::Whitelist::Element.new(name)
+    end
+
+    def transform(&block)
+      @transformers << block
+    end
+
+    def allowed_elements
+      @elements.values.select(&:allowed?)
+    end
+
+    def remove_elements
+      @elements.values.select(&:remove?)
+    end
+
+    def to_hash
+      {}.tap do |result|
+        result[:elements] = allowed_elements.map(&:name)
+
+        if @remove_non_whitelisted
+          result[:remove_contents] = @remove_non_whitelisted
+        else
+          elements = remove_elements.map(&:name)
+          result[:remove_contents] = elements unless elements.empty?
+        end
+
+        result[:transformers] = @transformers unless @transformers.empty?
+
+        attributes = allowed_elements.each_with_object({}) do |element,attrs|
+          attrs.merge! element.to_hash
+        end
+        result[:attributes] = attributes unless attributes.empty?
+
+        protocols = allowed_elements.each_with_object({}) do |element,attrs|
+          attrs.merge! element.to_protocols_hash
+        end
+        result[:protocols] = protocols unless protocols.empty?
+      end
+    end
+  end
+end
+
+require "sanitize/whitelist/version"
+require "sanitize/whitelist/attribute"
+require "sanitize/whitelist/element"

data/lib/sanitize/whitelist/attribute.rb

@@ -0,0 +1,18 @@
+class Sanitize::Whitelist::Attribute
+  def initialize(name)
+    @name = name
+  end
+
+  def protocols(protocols)
+    @protocols = Array(protocols)
+  end
+
+  def to_hash
+    @protocols ? {@name => @protocols} : {}
+  end
+
+  def freeze
+    super
+    @protocols.freeze if @protocols
+  end
+end

data/lib/sanitize/whitelist/element.rb

@@ -0,0 +1,55 @@
+class Sanitize::Whitelist::Element
+  attr_reader :name, :attributes
+
+  def initialize(name)
+    @name = name
+    @attributes = {}
+    @allowed = true
+  end
+
+  def freeze
+    super
+    @attributes.values.each(&:freeze)
+    @attributes.freeze
+  end
+
+  def initialize_dup(original)
+    super
+    @attributes = original.attributes.each_with_object({}) do |(key,value), result|
+      result[key] = value.dup
+    end
+  end
+
+  def allow!
+    @allowed = true
+  end
+
+  def allowed?
+    !!@allowed
+  end
+
+  def remove!
+    @allowed = false
+  end
+
+  def remove?
+    !@allowed
+  end
+
+  def allow(attributes)
+    result = Array(attributes).map do |attr|
+      @attributes[attr] = Sanitize::Whitelist::Attribute.new(attr)
+    end
+    result.size == 1 ? result.first : result
+  end
+
+  def to_hash
+    @attributes.empty? ? {} : {@name => @attributes.keys}
+  end
+
+  def to_protocols_hash
+    @attributes.values.each_with_object({}) do |attribute, result|
+      result.merge! @name => attribute.to_hash unless attribute.to_hash.empty?
+    end
+  end
+end

data/lib/sanitize/whitelist/version.rb

@@ -0,0 +1,5 @@
+class Sanitize
+  class Whitelist
+    VERSION = "0.0.1"
+  end
+end

data/sanitize-whitelist.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sanitize/whitelist/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "sanitize-whitelist"
+  spec.version       = Sanitize::Whitelist::VERSION
+  spec.authors       = ["Brandon Keepers"]
+  spec.email         = ["brandon@opensoul.org"]
+  spec.summary       = %q{Objects to represent a whitelist that can be used by the sanitize gem.}
+  spec.description   = %q{Objects to represent a whitelist that can be used by the sanitize gem.}
+  spec.homepage      = "https://github.com/bkeepers/sanitize-whitelist"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/spec/sanitize/whitelist_spec.rb

@@ -0,0 +1,160 @@
+require "spec_helper"
+
+describe Sanitize::Whitelist do
+  describe "initialize" do
+    it "instance_evals block with arity of 0" do
+      whitelist = Sanitize::Whitelist.new { allow "div" }
+      expect(whitelist.to_hash).to eq({:elements => ["div"]})
+    end
+
+    it "yields with self as arg if arity of 1" do
+      self_in_block = nil
+      arg_in_block = nil
+      whitelist = Sanitize::Whitelist.new do |w|
+        w.allow "div"
+        arg_in_block = w
+        self_in_block = self
+      end
+      expect(whitelist.to_hash).to eq({:elements => ["div"]})
+      expect(arg_in_block).to be(whitelist)
+      expect(self_in_block).to be(self)
+    end
+
+    it "freezes elements after initialization" do
+      whitelist = Sanitize::Whitelist.new do
+        allow "div"
+        element("a").allow("href")
+      end
+      expect { whitelist.allow("p") }.to raise_error(RuntimeError, /frozen/)
+      expect { whitelist.element("div").allow("class") }.to raise_error(RuntimeError, /frozen/)
+      expect { whitelist.element("a").allow("href").protocols("http") }.to raise_error(RuntimeError, /frozen/)
+    end
+  end
+
+  describe "allow" do
+    it "allows nothing by default" do
+      whitelist = Sanitize::Whitelist.new
+      expect(whitelist.to_hash).to eq({:elements => []})
+    end
+
+    it "adds a single element" do
+      whitelist = Sanitize::Whitelist.new { allow "div" }
+      expect(whitelist.to_hash).to eq({:elements => ["div"]})
+    end
+
+    it "adds an array of elements" do
+      whitelist = Sanitize::Whitelist.new { allow %w(div p) }
+      expect(whitelist.to_hash).to eq({:elements =>  %w(div p)})
+    end
+
+    it "adds multiple calls" do
+      whitelist = Sanitize::Whitelist.new do
+        allow "p"
+        allow "a"
+      end
+      expect(whitelist.to_hash).to eq({:elements =>  %w(p a)})
+    end
+  end
+
+  describe "remove" do
+    it "adds a single element" do
+      whitelist = Sanitize::Whitelist.new { remove "script" }
+      expect(whitelist.to_hash).to eq({:remove_contents =>  %w(script), :elements => []})
+    end
+
+    it "adds an array of elements" do
+      whitelist = Sanitize::Whitelist.new { remove %w(script object) }
+      expect(whitelist.to_hash).to eq({:remove_contents =>  %w(script object), :elements => []})
+    end
+  end
+
+  describe "remove_non_whitelisted!" do
+    it "sets remove_contents to true" do
+      whitelist = Sanitize::Whitelist.new { remove_non_whitelisted! }
+      expect(whitelist.to_hash).to eq({:remove_contents => true, :elements => []})
+    end
+  end
+
+  describe "element#allow" do
+    it "adds a single attribute" do
+      whitelist = Sanitize::Whitelist.new { element("a").allow("href") }
+      expect(whitelist.to_hash).to eq({:elements => ["a"], :attributes => {"a" => ["href"]}})
+    end
+  end
+
+  describe "attribute#protocols" do
+    it "adds a single protocol" do
+      whitelist = Sanitize::Whitelist.new { element("a").allow("href").protocols("https") }
+      expect(whitelist.to_hash).to eq({
+        :protocols => {"a" => {"href" => ["https"]}},
+        :elements => ["a"], :attributes => {"a" => ["href"]}
+      })
+    end
+
+    it "adds multiple protocols" do
+      whitelist = Sanitize::Whitelist.new do
+        element("a").allow("href").protocols(%w(http https ftp))
+      end
+      expect(whitelist.to_hash).to eq({
+        :protocols => {"a" => {"href" => %w(http https ftp)}},
+        :elements => ["a"], :attributes => {"a" => ["href"]}
+      })
+    end
+
+    it "accepts empty protocols" do
+      whitelist = Sanitize::Whitelist.new do
+        element("a").allow("href").protocols([])
+      end
+      expect(whitelist.to_hash).to eq({
+        :protocols => {"a" => {"href" => []}},
+        :elements => ["a"], :attributes => {"a" => ["href"]}
+      })
+    end
+  end
+
+  describe "transform" do
+    it "adds block to transformers" do
+      block = lambda { }
+      whitelist = Sanitize::Whitelist.new { transform(&block) }
+      expect(whitelist.to_hash).to eq({:transformers => [block], :elements => []})
+    end
+  end
+
+  describe "dup" do
+    let(:whitelist) { Sanitize::Whitelist.new { allow "p" } }
+
+    it "dups elements" do
+      dup = whitelist.dup { allow "div" }
+      expect(dup.to_hash).to eq({:elements => ["p", "div"]})
+      expect(whitelist.to_hash).to eq({:elements => ["p"]})
+    end
+
+    it "does not remove from original" do
+      dup = whitelist.dup { remove "p" }
+      expect(dup.to_hash).to eq({:elements => [], :remove_contents => ["p"]})
+      expect(whitelist.to_hash).to eq({:elements => ["p"]})
+    end
+
+    it "dups attributes" do
+      dup = whitelist.dup { element("p").allow("class") }
+      expect(dup.to_hash).to eq({:elements => ["p"], :attributes => {"p" => ["class"]}})
+      expect(whitelist.to_hash).to eq({:elements => ["p"]})
+    end
+
+    it "dups protocols" do
+      whitelist = Sanitize::Whitelist.new { element("a").allow("href").protocols("ftp") }
+      dup = whitelist.dup { element("a").allow("href").protocols("https") }
+
+      expect(dup.to_hash).to eq({
+        :elements => ["a"],
+        :attributes => {"a" => ["href"]},
+        :protocols => {"a" => {"href" => ["https"]}}
+      })
+      expect(whitelist.to_hash).to eq({
+        :elements => ["a"],
+        :attributes => {"a" => ["href"]},
+        :protocols => {"a" => {"href" => ["ftp"]}}
+      })
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require "sanitize/whitelist"

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: sanitize-whitelist
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Brandon Keepers
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-10-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Objects to represent a whitelist that can be used by the sanitize gem.
+email:
+- brandon@opensoul.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/sanitize/whitelist.rb
+- lib/sanitize/whitelist/attribute.rb
+- lib/sanitize/whitelist/element.rb
+- lib/sanitize/whitelist/version.rb
+- sanitize-whitelist.gemspec
+- spec/sanitize/whitelist_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/bkeepers/sanitize-whitelist
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Objects to represent a whitelist that can be used by the sanitize gem.
+test_files:
+- spec/sanitize/whitelist_spec.rb
+- spec/spec_helper.rb