sanitize 2.1.1 → 3.0.0

data/lib/sanitize/config/restricted.rb

@@ -1,29 +1,9 @@
-#--
-# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the 'Software'), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#++
+# encoding: utf-8
 
 class Sanitize
   module Config
-    RESTRICTED = {
+    RESTRICTED = freeze_config(
       :elements => %w[b em i strong u]
-    }
+    )
   end
 end

data/lib/sanitize/css.rb

@@ -0,0 +1,218 @@
+# encoding: utf-8
+
+require 'crass'
+require 'set'
+
+class Sanitize; class CSS
+  attr_reader :config
+
+  # Names of CSS at-rules whose blocks may contain properties.
+  AT_RULES_WITH_PROPERTIES = Set.new(%w[font-face page])
+
+  # Names of CSS at-rules whose blocks may contain style rules.
+  AT_RULES_WITH_STYLES = Set.new(%w[document media supports])
+
+  # -- Class Methods -----------------------------------------------------------
+
+  # Sanitizes inline CSS style properties.
+  #
+  # This is most useful for sanitizing non-stylesheet fragments of CSS like you
+  # would find in the `style` attribute of an HTML element. To sanitize a full
+  # CSS stylesheet, use {.stylesheet}.
+  #
+  # @example
+  #   Sanitize::CSS.properties("background: url(foo.png); color: #fff;")
+  #
+  # @return [String] Sanitized CSS properties.
+  def self.properties(css, config = {})
+    self.new(config).properties(css)
+  end
+
+  def self.stylesheet(css, config = {})
+    self.new(config).stylesheet(css)
+  end
+
+  def self.tree!(tree, config = {})
+    self.new(config).tree!(tree)
+  end
+
+  # -- Instance Methods --------------------------------------------------------
+
+  # Returns a new Sanitize::CSS object initialized with the settings in
+  # _config_.
+  def initialize(config = {})
+    @config = Config.merge(Config::DEFAULT[:css], config[:css] || config)
+  end
+
+  # Sanitizes inline CSS style properties.
+  #
+  # This is most useful for sanitizing non-stylesheet fragments of CSS like you
+  # would find in the `style` attribute of an HTML element. To sanitize a full
+  # CSS stylesheet, use {#stylesheet}.
+  #
+  # @example
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   scss.properties("background: url(foo.png); color: #fff;")
+  #
+  # @return [String] Sanitized CSS properties.
+  def properties(css)
+    tree = Crass.parse_properties(css,
+      :preserve_comments => @config[:allow_comments],
+      :preserve_hacks    => @config[:allow_hacks])
+
+    tree!(tree)
+    Crass::Parser.stringify(tree)
+  end
+
+  # Sanitizes a full CSS stylesheet.
+  #
+  # A stylesheet may include selectors, @ rules, and comments. To sanitize only
+  # inline style properties such as the contents of an HTML `style` attribute,
+  # use {#properties}.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   scss.stylesheet(css)
+  #
+  # @return [String] Sanitized CSS stylesheet.
+  def stylesheet(css)
+    tree = Crass.parse(css,
+      :preserve_comments => @config[:allow_comments],
+      :preserve_hacks    => @config[:allow_hacks])
+
+    tree!(tree)
+    Crass::Parser.stringify(tree)
+  end
+
+  # Sanitizes the given Crass CSS parse tree and all its children, modifying it
+  # in place.
+  #
+  # @example
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   tree = Crass.parse(css)
+  #
+  #   scss.tree!(tree)
+  #
+  # @return [Array] Sanitized Crass CSS parse tree.
+  def tree!(tree)
+    tree.map! do |node|
+      next nil if node.nil?
+
+      case node[:node]
+      when :at_rule
+        next at_rule!(node)
+
+      when :comment
+        next node if @config[:allow_comments]
+
+      when :property
+        next property!(node)
+
+      when :style_rule
+        tree!(node[:children])
+        next node
+
+      when :whitespace
+        next node
+      end
+
+      nil
+    end
+
+    tree
+  end
+
+  # -- Protected Instance Methods ----------------------------------------------
+  protected
+
+  # Sanitizes a CSS at-rule node. Returns the sanitized node, or `nil` if the
+  # current config doesn't allow this at-rule.
+  def at_rule!(rule)
+    name = rule[:name].downcase
+    return nil unless @config[:at_rules].include?(name)
+
+    if AT_RULES_WITH_STYLES.include?(name)
+      styles = Crass::Parser.parse_rules(rule[:block][:value],
+        :preserve_comments => @config[:allow_comments],
+        :preserve_hacks    => @config[:allow_hacks])
+
+      rule[:block][:value] = tree!(styles)
+
+    elsif AT_RULES_WITH_PROPERTIES.include?(name)
+      props = Crass::Parser.parse_properties(rule[:block][:value],
+        :preserve_comments => @config[:allow_comments],
+        :preserve_hacks    => @config[:allow_hacks])
+
+      rule[:block][:value] = tree!(props)
+
+    else
+      rule.delete(:block)
+    end
+
+    rule
+  end
+
+  # Sanitizes a CSS property node. Returns the sanitized node, or `nil` if the
+  # current config doesn't allow this property.
+  def property!(prop)
+    name = prop[:name].downcase
+
+    # Preserve IE * and _ hacks if desired.
+    if @config[:allow_hacks]
+      name.slice!(0) if name =~ /\A[*_]/
+    end
+
+    return nil unless @config[:properties].include?(name)
+
+    nodes          = prop[:children].dup
+    combined_value = ''
+
+    nodes.each do |child|
+      value = child[:value]
+
+      case child[:node]
+      when :ident
+        combined_value << value if String === value
+
+      when :function
+        if child.key?(:name)
+          return nil if child[:name].downcase == 'expression'
+        end
+
+        if Array === value
+          nodes.concat(value)
+        elsif String === value
+          combined_value << value
+
+          if value.downcase == 'expression' || combined_value.downcase == 'expression'
+            return nil
+          end
+        end
+
+      when :url
+        if value =~ Sanitize::REGEX_PROTOCOL
+          return nil unless @config[:protocols].include?($1.downcase)
+        else
+          return nil unless @config[:protocols].include?(:relative)
+        end
+
+      when :bad_url
+        return nil
+      end
+    end
+
+    prop
+  end
+
+end; end

data/lib/sanitize/transformers/clean_cdata.rb

@@ -1,11 +1,11 @@
+# encoding: utf-8
+
 class Sanitize; module Transformers
 
   CleanCDATA = lambda do |env|
-    return if env[:is_whitelisted]
-
     node = env[:node]
 
-    if node.cdata?
+    if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
       node.replace(Nokogiri::XML::Text.new(node.text, node.document))
     end
   end

data/lib/sanitize/transformers/clean_comment.rb

@@ -1,10 +1,13 @@
+# encoding: utf-8
+
 class Sanitize; module Transformers
 
   CleanComment = lambda do |env|
-    return if env[:is_whitelisted]
-
     node = env[:node]
-    node.unlink if node.comment? && !env[:config][:allow_comments]
+
+    if node.type == Nokogiri::XML::Node::COMMENT_NODE
+        node.unlink unless env[:is_whitelisted]
+    end
   end
 
 end; end

data/lib/sanitize/transformers/clean_css.rb

@@ -0,0 +1,57 @@
+class Sanitize; module Transformers; module CSS
+
+# Enforces a CSS whitelist on the contents of `style` attributes.
+class CleanAttribute
+  def initialize(sanitizer_or_config)
+    if Sanitize::CSS === sanitizer_or_config
+      @scss = sanitizer_or_config
+    else
+      @scss = Sanitize::CSS.new(sanitizer_or_config)
+    end
+  end
+
+  def call(env)
+    node = env[:node]
+
+    return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+        node.key?('style') && !env[:is_whitelisted]
+
+    attr = node.attribute('style')
+    css  = @scss.properties(attr.value)
+
+    if css.strip.empty?
+      attr.unlink
+    else
+      attr.value = css
+    end
+  end
+end
+
+# Enforces a CSS whitelist on the contents of `<style>` elements.
+class CleanElement
+  def initialize(sanitizer_or_config)
+    if Sanitize::CSS === sanitizer_or_config
+      @scss = sanitizer_or_config
+    else
+      @scss = Sanitize::CSS.new(sanitizer_or_config)
+    end
+  end
+
+  def call(env)
+    node = env[:node]
+
+    return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+        env[:node_name] == 'style'
+
+    css = @scss.stylesheet(node.content)
+
+    if css.strip.empty?
+      node.unlink
+    else
+      node.children.unlink
+      node << Nokogiri::XML::Text.new(css, node.document)
+    end
+  end
+end
+
+end; end; end

data/lib/sanitize/transformers/clean_doctype.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+
+class Sanitize; module Transformers
+
+  CleanDoctype = lambda do |env|
+    node = env[:node]
+
+    if node.type == Nokogiri::XML::Node::DTD_NODE
+        node.unlink unless env[:is_whitelisted]
+    end
+  end
+
+end; end

data/lib/sanitize/transformers/clean_element.rb

@@ -1,155 +1,125 @@
-class Sanitize; module Transformers
-
-  class CleanElement
-
-    # Attributes that need additional escaping on `<a>` elements due to unsafe
-    # libxml2 behavior.
-    UNSAFE_LIBXML_ATTRS_A = Set.new(%w[
-      name
-    ])
-
-    # Attributes that need additional escaping on all elements due to unsafe
-    # libxml2 behavior.
-    UNSAFE_LIBXML_ATTRS_GLOBAL = Set.new(%w[
-      action
-      href
-      src
-    ])
-
-    # Mapping of original characters to escape sequences for characters that
-    # should be escaped in attributes affected by unsafe libxml2 behavior.
-    UNSAFE_LIBXML_ESCAPE_CHARS = {
-      ' ' => '%20',
-      '"' => '%22'
-    }
-
-    # Regex that matches any single character that needs to be escaped in
-    # attributes affected by unsafe libxml2 behavior.
-    UNSAFE_LIBXML_ESCAPE_REGEX = /[ "]/
-
-    def initialize(config)
-      @config = config
-
-      # For faster lookups.
-      @add_attributes          = config[:add_attributes]
-      @allowed_elements        = Set.new(config[:elements])
-      @attributes              = config[:attributes]
-      @protocols               = config[:protocols]
-      @remove_all_contents     = false
-      @remove_element_contents = Set.new
-      @whitespace_elements     = Set.new(config[:whitespace_elements])
-
-      if config[:remove_contents].is_a?(Array)
-        @remove_element_contents.merge(config[:remove_contents].map(&:to_s))
-      else
-        @remove_all_contents = !!config[:remove_contents]
+# encoding: utf-8
+
+require 'set'
+
+class Sanitize; module Transformers; class CleanElement
+
+  # Matches a valid HTML5 data attribute name. The unicode ranges included here
+  # are a conservative subset of the full range of characters that are
+  # technically allowed, with the intent of matching the most common characters
+  # used in data attribute names while excluding uncommon or potentially
+  # misleading characters, or characters with the potential to be normalized
+  # into unsafe or confusing forms.
+  #
+  # If you need data attr names with characters that aren't included here (such
+  # as combining marks, full-width characters, or CJK), please consider creating
+  # a custom transformer to validate attributes according to your needs.
+  #
+  # http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#embedding-custom-non-visible-data-with-the-data-*-attributes
+  REGEX_DATA_ATTR = /\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u
+
+  def initialize(config)
+    @add_attributes          = config[:add_attributes]
+    @attributes              = config[:attributes].dup
+    @elements                = config[:elements]
+    @protocols               = config[:protocols]
+    @remove_all_contents     = false
+    @remove_element_contents = Set.new
+    @whitespace_elements     = {}
+
+    @attributes.each do |element_name, attrs|
+      unless element_name == :all
+        @attributes[element_name] = Set.new(attrs).merge(@attributes[:all] || [])
       end
     end
 
-    def call(env)
-      name = env[:node_name]
-      node = env[:node]
+    # Backcompat: if :whitespace_elements is a Set, convert it to a hash.
+    if config[:whitespace_elements].is_a?(Set)
+      config[:whitespace_elements].each do |element|
+        @whitespace_elements[element] = {:before => ' ', :after => ' '}
+      end
+    else
+      @whitespace_elements = config[:whitespace_elements]
+    end
 
-      return if env[:is_whitelisted] || !node.element?
+    if config[:remove_contents].is_a?(Set)
+      @remove_element_contents.merge(config[:remove_contents].map(&:to_s))
+    else
+      @remove_all_contents = !!config[:remove_contents]
+    end
+  end
 
-      # Delete any element that isn't in the config whitelist.
-      unless @allowed_elements.include?(name)
-        # Elements like br, div, p, etc. need to be replaced with whitespace in
-        # order to preserve readability.
-        if @whitespace_elements.include?(name)
-          node.add_previous_sibling(Nokogiri::XML::Text.new(' ', node.document))
+  def call(env)
+    node = env[:node]
+    return if node.type != Nokogiri::XML::Node::ELEMENT_NODE || env[:is_whitelisted]
 
-          unless node.children.empty?
-            node.add_next_sibling(Nokogiri::XML::Text.new(' ', node.document))
-          end
-        end
+    name = env[:node_name]
+
+    # Delete any element that isn't in the config whitelist.
+    unless @elements.include?(name)
+      # Elements like br, div, p, etc. need to be replaced with whitespace in
+      # order to preserve readability.
+      if @whitespace_elements.include?(name)
+        node.add_previous_sibling(Nokogiri::XML::Text.new(@whitespace_elements[name][:before].to_s, node.document))
 
-        unless @remove_all_contents || @remove_element_contents.include?(name)
-          node.children.each {|n| node.add_previous_sibling(n) }
+        unless node.children.empty?
+          node.add_next_sibling(Nokogiri::XML::Text.new(@whitespace_elements[name][:after].to_s, node.document))
         end
+      end
 
-        node.unlink
-        return
+      unless @remove_all_contents || @remove_element_contents.include?(name)
+        node.children.each {|n| node.add_previous_sibling(n) }
       end
 
-      attr_whitelist = Set.new((@attributes[name] || []) +
-          (@attributes[:all] || []))
+      node.unlink
+      return
+    end
 
-      allow_data_attributes = attr_whitelist.include?(:data)
+    attr_whitelist = @attributes[name] || @attributes[:all]
 
-      if attr_whitelist.empty?
-        # Delete all attributes from elements with no whitelisted attributes.
-        node.attribute_nodes.each {|attr| attr.unlink }
-      else
-        # Delete any attribute that isn't allowed on this element.
-        node.attribute_nodes.each do |attr|
-          attr_name = attr.name.downcase
-
-          unless attr_whitelist.include?(attr_name)
-            # The attribute isn't explicitly whitelisted.
-
-            if allow_data_attributes && attr_name.start_with?('data-')
-              # Arbitrary data attributes are allowed. Verify that the attribute
-              # is a valid data attribute.
-              attr.unlink unless attr_name =~ REGEX_DATA_ATTR
-            else
-              # Either the attribute isn't a data attribute, or arbitrary data
-              # attributes aren't allowed. Remove the attribute.
-              attr.unlink
-            end
-          end
-        end
+    if attr_whitelist.nil?
+      # Delete all attributes from elements with no whitelisted attributes.
+      node.attribute_nodes.each {|attr| attr.unlink }
+    else
+      allow_data_attributes = attr_whitelist.include?(:data)
 
-        # Delete remaining attributes that use unacceptable protocols.
-        if @protocols.has_key?(name)
-          protocol = @protocols[name]
+      # Delete any attribute that isn't allowed on this element.
+      node.attribute_nodes.each do |attr|
+        attr_name = attr.name.downcase
 
-          node.attribute_nodes.each do |attr|
-            attr_name = attr.name.downcase
-            next false unless protocol.has_key?(attr_name)
+        if attr_whitelist.include?(attr_name)
+          # The attribute is whitelisted.
 
-            del = if attr.value.to_s.downcase =~ REGEX_PROTOCOL
-              !protocol[attr_name].include?($1.downcase)
-            else
-              !protocol[attr_name].include?(:relative)
-            end
+          # Remove any attributes that use unacceptable protocols.
+          if @protocols.include?(name) && @protocols[name].include?(attr_name)
+            attr_protocols = @protocols[name][attr_name]
 
-            if del
-              attr.unlink
+            if attr.value.to_s.downcase =~ REGEX_PROTOCOL
+              attr.unlink unless attr_protocols.include?($1.downcase)
             else
-              # Leading and trailing whitespace around URLs is ignored at parse
-              # time. Stripping it here prevents it from being escaped by the
-              # libxml2 workaround below.
-              attr.value = attr.value.strip
+              attr.unlink unless attr_protocols.include?(:relative)
             end
           end
+        else
+          # The attribute isn't whitelisted.
+
+          if allow_data_attributes && attr_name.start_with?('data-')
+            # Arbitrary data attributes are allowed. Verify that the attribute
+            # is a valid data attribute.
+            attr.unlink unless attr_name =~ REGEX_DATA_ATTR
+          else
+            # Either the attribute isn't a data attribute, or arbitrary data
+            # attributes aren't allowed. Remove the attribute.
+            attr.unlink
+          end
         end
       end
+    end
 
-      # libxml2 >= 2.9.2 doesn't escape comments within some attributes, in an
-      # attempt to preserve server-side includes. This can result in XSS since
-      # an unescaped double quote can allow an attacker to inject a
-      # non-whitelisted attribute.
-      #
-      # Sanitize works around this by implementing its own escaping for
-      # affected attributes, some of which can exist on any element and some
-      # of which can only exist on `<a>` elements.
-      #
-      # The relevant libxml2 code is here:
-      # <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
-      node.attribute_nodes.each do |attr|
-        attr_name = attr.name.downcase
-        if UNSAFE_LIBXML_ATTRS_GLOBAL.include?(attr_name) ||
-          (name == 'a' && UNSAFE_LIBXML_ATTRS_A.include?(attr_name))
-            attr.value = attr.value.gsub(UNSAFE_LIBXML_ESCAPE_REGEX, UNSAFE_LIBXML_ESCAPE_CHARS)
-        end
-      end
-
-      # Add required attributes.
-      if @add_attributes.has_key?(name)
-        @add_attributes[name].each {|key, val| node[key] = val }
-      end
+    # Add required attributes.
+    if @add_attributes.include?(name)
+      @add_attributes[name].each {|key, val| node[key] = val }
     end
   end
 
-end; end
+end; end; end