sanitize 2.1.1 → 3.0.0

data/test/test_config.rb

@@ -0,0 +1,65 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Config' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  def verify_deeply_frozen(config)
+    config.must_be :frozen?
+
+    if Hash === config
+      config.each_value {|v| verify_deeply_frozen(v) }
+    elsif Set === config || Array === config
+      config.each {|v| verify_deeply_frozen(v) }
+    end
+  end
+
+  it 'built-in configs should be deeply frozen' do
+    verify_deeply_frozen Sanitize::Config::DEFAULT
+    verify_deeply_frozen Sanitize::Config::BASIC
+    verify_deeply_frozen Sanitize::Config::RELAXED
+    verify_deeply_frozen Sanitize::Config::RESTRICTED
+  end
+
+  describe '.freeze_config' do
+    it 'should deeply freeze and return a configuration Hash' do
+      a = {:one => {:one_one => [0, '1', :a], :one_two => false, :one_three => Set.new([:a, :b, :c])}}
+      b = Sanitize::Config.freeze_config(a)
+
+      b.must_be_same_as a
+      verify_deeply_frozen a
+    end
+  end
+
+  describe '.merge' do
+    it 'should deeply merge a configuration Hash' do
+      # Freeze to ensure that we get an error if either Hash is modified.
+      a = Sanitize::Config.freeze_config({:one => {:one_one => [0, '1', :a], :one_two => false, :one_three => Set.new([:a, :b, :c])}})
+      b = Sanitize::Config.freeze_config({:one => {:one_two => true, :one_three => 3}, :two => 2})
+
+      c = Sanitize::Config.merge(a, b)
+
+      c.wont_be_same_as a
+      c.wont_be_same_as b
+
+      c.must_equal(
+        :one => {
+          :one_one   => [0, '1', :a],
+          :one_two   => true,
+          :one_three => 3
+        },
+
+        :two => 2
+      )
+
+      c[:one].wont_be_same_as a[:one]
+      c[:one][:one_one].wont_be_same_as a[:one][:one_one]
+    end
+
+    it 'should raise an ArgumentError if either argument is not a Hash' do
+      proc { Sanitize::Config.merge('foo', {}) }.must_raise ArgumentError
+      proc { Sanitize::Config.merge({}, 'foo') }.must_raise ArgumentError
+    end
+  end
+end

data/test/test_malicious_css.rb

@@ -0,0 +1,42 @@
+# encoding: utf-8
+require_relative 'common'
+
+# Miscellaneous attempts to sneak maliciously crafted CSS past Sanitize. Some of
+# these are courtesy of (or inspired by) the OWASP XSS Filter Evasion Cheat
+# Sheet.
+#
+# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+
+describe 'Malicious CSS' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  before do
+    @s = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  end
+
+  it 'should not be possible to inject an expression by munging it with a comment' do
+    @s.properties(%[width:expr/*XSS*/ession(alert('XSS'))]).
+      must_equal ''
+
+    @s.properties(%[width:ex/*XSS*//*/*/pression(alert("XSS"))]).
+      must_equal ''
+  end
+
+  it 'should not be possible to inject an expression by munging it with a newline' do
+    @s.properties(%[width:\nexpression(alert('XSS'));]).
+      must_equal ''
+  end
+
+  it 'should not allow the javascript protocol' do
+    @s.properties(%[background-image:url("javascript:alert('XSS')");]).
+      must_equal ''
+
+    Sanitize.fragment(%[<div style="background-image: url(&#1;javascript:alert('XSS'))">],
+      Sanitize::Config::RELAXED).must_equal '<div></div>'
+  end
+
+  it 'should not allow behaviors' do
+    @s.properties(%[behavior: url(xss.htc);]).must_equal ''
+  end
+end

data/test/test_malicious_html.rb

@@ -0,0 +1,128 @@
+# encoding: utf-8
+require_relative 'common'
+
+# Miscellaneous attempts to sneak maliciously crafted HTML past Sanitize. Many
+# of these are courtesy of (or inspired by) the OWASP XSS Filter Evasion Cheat
+# Sheet.
+#
+# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+
+describe 'Malicious HTML' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  before do
+    @s = Sanitize.new(Sanitize::Config::RELAXED)
+  end
+
+  describe 'comments' do
+    it 'should not allow script injection via conditional comments' do
+      @s.fragment(%[<!--[if gte IE 4]>\n<script>alert('XSS');</script>\n<![endif]-->]).
+        must_equal ''
+    end
+  end
+
+  describe 'interpolation (ERB, PHP, etc.)' do
+    it 'should escape ERB-style tags' do
+      @s.fragment('<% naughty_ruby_code %>').
+        must_equal '&lt;% naughty_ruby_code %&gt;'
+
+      @s.fragment('<%= naughty_ruby_code %>').
+        must_equal '&lt;%= naughty_ruby_code %&gt;'
+    end
+
+    it 'should remove PHP-style tags' do
+      @s.fragment('<? naughtyPHPCode(); ?>').
+        must_equal ''
+
+      @s.fragment('<?= naughtyPHPCode(); ?>').
+        must_equal ''
+    end
+  end
+
+  describe '<body>' do
+    it 'should not be possible to inject JS via a malformed event attribute' do
+      @s.document('<html><head></head><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></body></html>').
+        must_equal "<html><head></head><body></body></html>\n"
+    end
+  end
+
+  describe '<iframe>' do
+    it 'should not be possible to inject an iframe using an improperly closed tag' do
+      @s.fragment(%[<iframe src=http://ha.ckers.org/scriptlet.html <]).
+        must_equal ''
+    end
+  end
+
+  describe '<img>' do
+    it 'should not be possible to inject JS via an unquoted <img> src attribute' do
+      @s.fragment("<img src=javascript:alert('XSS')>").must_equal '<img>'
+    end
+
+    it 'should not be possible to inject JS using grave accents as <img> src delimiters' do
+      @s.fragment("<img src=`javascript:alert('XSS')`>").must_equal '<img>'
+    end
+
+    it 'should not be possible to inject <script> via a malformed <img> tag' do
+      @s.fragment('<img """><script>alert("XSS")</script>">').
+        must_equal '<img>alert("XSS")"&gt;'
+    end
+
+    it 'should not be possible to inject protocol-based JS' do
+      @s.fragment('<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>').
+        must_equal '<img>'
+
+      @s.fragment('<img src=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>').
+        must_equal '<img>'
+
+      @s.fragment('<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>').
+        must_equal '<img>'
+
+      # Encoded tab character.
+      @s.fragment(%[<img src="jav&#x09;ascript:alert('XSS');">]).
+        must_equal '<img>'
+
+      # Encoded newline.
+      @s.fragment(%[<img src="jav&#x0A;ascript:alert('XSS');">]).
+        must_equal '<img>'
+
+      # Encoded carriage return.
+      @s.fragment(%[<img src="jav&#x0D;ascript:alert('XSS');">]).
+        must_equal '<img>'
+
+      # Null byte.
+      @s.fragment(%[<img src=java\0script:alert("XSS")>]).
+        must_equal '<img>'
+
+      # Spaces plus meta char.
+      @s.fragment(%[<img src=" &#14;  javascript:alert('XSS');">]).
+        must_equal '<img>'
+
+      # Mixed spaces and tabs.
+      @s.fragment(%[<img src="j\na v\tascript://alert('XSS');">]).
+        must_equal '<img>'
+    end
+
+    it 'should not be possible to inject protocol-based JS via whitespace' do
+      @s.fragment(%[<img src="jav\tascript:alert('XSS');">]).
+        must_equal '<img>'
+    end
+
+    it 'should not be possible to inject JS using a half-open <img> tag' do
+      @s.fragment(%[<img src="javascript:alert('XSS')"]).
+        must_equal ''
+    end
+  end
+
+  describe '<script>' do
+    it 'should not be possible to inject <script> using a malformed non-alphanumeric tag name' do
+      @s.fragment(%[<script/xss src="http://ha.ckers.org/xss.js">alert(1)</script>]).
+        must_equal 'alert(1)'
+    end
+
+    it 'should not be possible to inject <script> via extraneous open brackets' do
+      @s.fragment(%[<<script>alert("XSS");//<</script>]).
+        must_equal '&lt;alert("XSS");//&lt;'
+    end
+  end
+end

data/test/test_parser.rb

@@ -0,0 +1,104 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Parser' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  it 'should translate valid entities into characters' do
+    Sanitize.fragment("'é&").must_equal("'é&")
+  end
+
+  it 'should translate orphaned ampersands into entities' do
+    Sanitize.fragment('at&t').must_equal('at&t')
+  end
+
+  it 'should not add newlines after tags when serializing a fragment' do
+    Sanitize.fragment("<div>foo\n\n<p>bar</p><div>\nbaz</div></div><div>quux</div>", :elements => ['div', 'p'])
+      .must_equal "<div>foo\n\n<p>bar</p><div>\nbaz</div></div><div>quux</div>"
+  end
+
+  it 'should not have the Nokogiri 1.4.2+ unterminated script/style element bug' do
+    Sanitize.fragment('foo <script>bar').must_equal 'foo bar'
+    Sanitize.fragment('foo <style>bar').must_equal 'foo bar'
+  end
+
+  it 'ambiguous non-tag brackets like "1 > 2 and 2 < 1" should be parsed correctly' do
+    Sanitize.fragment('1 > 2 and 2 < 1').must_equal '1 &gt; 2 and 2 &lt; 1'
+    Sanitize.fragment('OMG HAPPY BIRTHDAY! *<:-D').must_equal 'OMG HAPPY BIRTHDAY! *&lt;:-D'
+  end
+
+  # https://github.com/sparklemotion/nokogiri/issues/1008
+  it 'should work around the libxml2 content-type meta tag bug' do
+    Sanitize.document('<html><head></head><body>Howdy!</body></html>',
+      :elements => %w[html head body]
+    ).must_equal "<html><head></head><body>Howdy!</body></html>\n"
+
+    Sanitize.document('<html><head></head><body>Howdy!</body></html>',
+      :elements => %w[html head meta body]
+    ).must_equal "<html><head></head><body>Howdy!</body></html>\n"
+
+    Sanitize.document('<html><head><meta charset="utf-8"></head><body>Howdy!</body></html>',
+      :elements   => %w[html head meta body],
+      :attributes => {'meta' => ['charset']}
+    ).must_equal "<html><head><meta charset=\"utf-8\"></head><body>Howdy!</body></html>\n"
+
+    Sanitize.document('<html><head><meta http-equiv="Content-Type" content="text/html;charset=utf-8"></head><body>Howdy!</body></html>',
+      :elements   => %w[html head meta body],
+      :attributes => {'meta' => %w[charset content http-equiv]}
+    ).must_equal "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"></head><body>Howdy!</body></html>\n"
+
+    # Edge case: an existing content-type meta tag with a non-UTF-8 content type
+    # will be converted to UTF-8, since that's the only output encoding we
+    # support.
+    Sanitize.document('<html><head><meta http-equiv="content-type" content="text/html;charset=us-ascii"></head><body>Howdy!</body></html>',
+      :elements   => %w[html head meta body],
+      :attributes => {'meta' => %w[charset content http-equiv]}
+    ).must_equal "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"></head><body>Howdy!</body></html>\n"
+  end
+
+  describe 'when siblings are added after a node during traversal' do
+    it 'the added siblings should be traversed' do
+      html = %[
+        <div id="one">
+            <div id="one_one">
+                <div id="one_one_one"></div>
+            </div>
+            <div id="one_two"></div>
+        </div>
+        <div id="two">
+            <div id="two_one"><div id="two_one_one"></div></div>
+            <div id="two_two"></div>
+        </div>
+        <div id="three"></div>
+      ]
+
+      siblings = []
+
+      Sanitize.fragment(html, :transformers => ->(env) {
+          name = env[:node].name
+
+          if name == 'div'
+            env[:node].add_next_sibling('<b id="added_' + env[:node]['id'] + '">')
+          elsif name == 'b'
+            siblings << env[:node][:id]
+          end
+
+          return {:node_whitelist => [env[:node]]}
+      })
+
+      # All siblings should be traversed, and in the order added.
+      siblings.must_equal [
+        "added_one_one_one",
+        "added_one_one",
+        "added_one_two",
+        "added_one",
+        "added_two_one_one",
+        "added_two_one",
+        "added_two_two",
+        "added_two",
+        "added_three"
+      ]
+    end
+  end
+end

data/test/test_sanitize.rb

@@ -1,721 +1,93 @@
 # encoding: utf-8
-#--
-# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the 'Software'), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#++
+require_relative 'common'
 
-require 'rubygems'
-gem 'minitest'
-
-require 'minitest/autorun'
-require 'sanitize'
-
-strings = {
-  :basic => {
-    :html       => '<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script>',
-    :default    => 'Lorem ipsum dolor sit amet alert("hello world");',
-    :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet alert("hello world");',
-    :basic      => '<b>Lorem</b> <a href="pants" rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");',
-    :relaxed    => '<b>Lorem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet alert("hello world");'
-  },
-
-  :malformed => {
-    :html       => 'Lo<!-- comment -->rem</b> <a href=pants title="foo>ipsum <a href="http://foo.com/"><strong>dolor</a></strong> sit<br/>amet <script>alert("hello world");',
-    :default    => 'Lorem dolor sit amet alert("hello world");',
-    :restricted => 'Lorem <strong>dolor</strong> sit amet alert("hello world");',
-    :basic      => 'Lorem <a href="pants" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");',
-    :relaxed    => 'Lorem <a href="pants" title="foo&gt;ipsum &lt;a href="><strong>dolor</strong></a> sit<br>amet alert("hello world");',
-    :document   => ' Lorem dolor sit amet alert("hello world"); '
-  },
-
-  :unclosed => {
-    :html       => '<p>a</p><blockquote>b',
-    :default    => ' a  b ',
-    :restricted => ' a  b ',
-    :basic      => '<p>a</p><blockquote>b</blockquote>',
-    :relaxed    => '<p>a</p><blockquote>b</blockquote>'
-  },
-
-  :malicious => {
-    :html       => '<b>Lo<!-- comment -->rem</b> <a href="javascript:pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <<foo>script>alert("hello world");</script>',
-    :default    => 'Lorem ipsum dolor sit amet &lt;script&gt;alert("hello world");',
-    :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet &lt;script&gt;alert("hello world");',
-    :basic      => '<b>Lorem</b> <a rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet &lt;script&gt;alert("hello world");',
-    :relaxed    => '<b>Lorem</b> <a title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet &lt;script&gt;alert("hello world");'
-  },
-
-  :raw_comment => {
-    :html       => '<!-- comment -->Hello',
-    :default    => 'Hello',
-    :restricted => 'Hello',
-    :basic      => 'Hello',
-    :relaxed    => 'Hello',
-    :document   => ' Hello ',
-  }
-}
-
-tricky = {
-  'protocol-based JS injection: simple, no spaces' => {
-    :html       => '<a href="javascript:alert(\'XSS\');">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: simple, spaces before' => {
-    :html       => '<a href="javascript    :alert(\'XSS\');">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: simple, spaces after' => {
-    :html       => '<a href="javascript:    alert(\'XSS\');">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: simple, spaces before and after' => {
-    :html       => '<a href="javascript    :   alert(\'XSS\');">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: preceding colon' => {
-    :html       => '<a href=":javascript:alert(\'XSS\');">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: UTF-8 encoding' => {
-    :html       => '<a href="javascript&#58;">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: long UTF-8 encoding' => {
-    :html       => '<a href="javascript&#0058;">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
-    :html       => '<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: hex encoding' => {
-    :html       => '<a href="javascript&#x3A;">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: long hex encoding' => {
-    :html       => '<a href="javascript&#x003A;">foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: hex encoding without semicolons' => {
-    :html       => '<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>foo</a>',
-    :default    => 'foo',
-    :restricted => 'foo',
-    :basic      => '<a rel="nofollow">foo</a>',
-    :relaxed    => '<a>foo</a>'
-  },
-
-  'protocol-based JS injection: null char' => {
-    :html       => "<img src=java\0script:alert(\"XSS\")>",
-    :default    => '',
-    :restricted => '',
-    :basic      => '',
-    :relaxed    => '<img src="java">' # everything following the null char gets stripped, and URL is considered relative
-  },
-
-  'protocol-based JS injection: invalid URL char' => {
-    :html       => '<img src=java\script:alert("XSS")>',
-    :default    => '',
-    :restricted => '',
-    :basic      => '',
-    :relaxed    => '<img>'
-  },
-
-  'protocol-based JS injection: spaces and entities' => {
-    :html       => '<img src=" &#14;  javascript:alert(\'XSS\');">',
-    :default    => '',
-    :restricted => '',
-    :basic      => '',
-    :relaxed    => '<img src>'
-  }
-}
-
-describe 'Config::DEFAULT' do
-  it 'should translate valid HTML entities' do
-    Sanitize.clean("Don&apos;t tas&eacute; me &amp; bro!").must_equal("Don't tasé me &amp; bro!")
-  end
-
-  it 'should translate valid HTML entities while encoding unencoded ampersands' do
-    Sanitize.clean("cookies&sup2; & &frac14; cr&eacute;me").must_equal("cookies² &amp; ¼ créme")
-  end
-
-  it 'should never output &apos;' do
-    Sanitize.clean("<a href='&apos;' class=\"' &#39;\">IE6 isn't a real browser</a>").wont_match(/&apos;/)
-  end
-
-  it 'should not choke on several instances of the same element in a row' do
-    Sanitize.clean('<img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif">').must_equal('')
-  end
-
-  it 'should surround the contents of :whitespace_elements with space characters when removing the element' do
-    Sanitize.clean('foo<div>bar</div>baz').must_equal('foo bar baz')
-    Sanitize.clean('foo<br>bar<br>baz').must_equal('foo bar baz')
-    Sanitize.clean('foo<hr>bar<hr>baz').must_equal('foo bar baz')
-  end
-
-  strings.each do |name, data|
-    it "should clean #{name} HTML" do
-      Sanitize.clean(data[:html]).must_equal(data[:default])
-    end
-  end
-
-  tricky.each do |name, data|
-    it "should not allow #{name}" do
-      Sanitize.clean(data[:html]).must_equal(data[:default])
-    end
-  end
-end
-
-describe 'Config::RESTRICTED' do
-  before { @s = Sanitize.new(Sanitize::Config::RESTRICTED) }
-
-  strings.each do |name, data|
-    it "should clean #{name} HTML" do
-      @s.clean(data[:html]).must_equal(data[:restricted])
-    end
-  end
-
-  tricky.each do |name, data|
-    it "should not allow #{name}" do
-      @s.clean(data[:html]).must_equal(data[:restricted])
+describe 'Sanitize' do
+  describe 'instance methods' do
+    before do
+      @s = Sanitize.new
     end
-  end
-end
-
-describe 'Config::BASIC' do
-  before { @s = Sanitize.new(Sanitize::Config::BASIC) }
 
-  it 'should not choke on valueless attributes' do
-    @s.clean('foo <a href>foo</a> bar').must_equal('foo <a href rel="nofollow">foo</a> bar')
-  end
-
-  it 'should downcase attribute names' do
-    @s.clean('<a HREF="javascript:alert(\'foo\')">bar</a>').must_equal('<a rel="nofollow">bar</a>')
-  end
+    describe '#document' do
+      before do
+        @s = Sanitize.new(:elements => ['html'])
+      end
 
-  strings.each do |name, data|
-    it "should clean #{name} HTML" do
-      @s.clean(data[:html]).must_equal(data[:basic])
-    end
-  end
+      it 'should sanitize an HTML document' do
+        @s.document('<!doctype html><html><b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script></html>')
+          .must_equal "<html>Lorem ipsum dolor sit amet alert(\"hello world\");</html>\n"
+      end
 
-  tricky.each do |name, data|
-    it "should not allow #{name}" do
-      @s.clean(data[:html]).must_equal(data[:basic])
+      it 'should not modify the input string' do
+        input = '<!DOCTYPE html><b>foo</b>'
+        @s.document(input)
+        input.must_equal('<!DOCTYPE html><b>foo</b>')
+      end
     end
-  end
-end
-
-describe 'Config::RELAXED' do
-  before { @s = Sanitize.new(Sanitize::Config::RELAXED) }
 
-  it 'should encode special chars in attribute values' do
-    input  = '<a href="http://example.com" title="<b>&eacute;xamples</b> & things">foo</a>'
-    output = Nokogiri::HTML.fragment('<a href="http://example.com" title="&lt;b&gt;éxamples&lt;/b&gt; &amp; things">foo</a>').to_xhtml(:encoding => 'utf-8', :indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XHTML)
-    @s.clean(input).must_equal(output)
-  end
+    describe '#fragment' do
+      it 'should sanitize an HTML fragment' do
+        @s.fragment('<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script>')
+          .must_equal 'Lorem ipsum dolor sit amet alert("hello world");'
+      end
 
-  strings.each do |name, data|
-    it "should clean #{name} HTML" do
-      @s.clean(data[:html]).must_equal(data[:relaxed])
-    end
-  end
+      it 'should not modify the input string' do
+        input = '<b>foo</b>'
+        @s.fragment(input)
+        input.must_equal '<b>foo</b>'
+      end
 
-  tricky.each do |name, data|
-    it "should not allow #{name}" do
-      @s.clean(data[:html]).must_equal(data[:relaxed])
+      it 'should not choke on fragments containing <html> or <body>' do
+        @s.fragment('<html><b>foo</b></html>').must_equal 'foo'
+        @s.fragment('<body><b>foo</b></body>').must_equal 'foo'
+        @s.fragment('<html><body><b>foo</b></body></html>').must_equal 'foo'
+        @s.fragment('<!DOCTYPE html><html><body><b>foo</b></body></html>').must_equal 'foo'
+      end
     end
-  end
-end
-
-describe 'Full Document parser (using clean_document)' do
-  before {
-    @s = Sanitize.new({:elements => %w[!DOCTYPE html]})
-    @default_doctype = "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" \"http://www.w3.org/TR/REC-html40/loose.dtd\">"
-  }
 
-  it 'should require HTML element is whitelisted to prevent parser errors' do
-    assert_raises(RuntimeError, 'You must have the HTML element whitelisted') {
-      Sanitize.clean_document!('', {:elements => [], :remove_contents => false})
-    }
-  end
-
-  it 'should NOT require HTML element to be whitelisted if remove_contents is true' do
-    output = '<!DOCTYPE html><html>foo</html>'
-    Sanitize.clean_document!(output, {:remove_contents => true}).must_equal "<!DOCTYPE html>\n\n"
-  end
+    describe '#node!' do
+      it 'should sanitize a Nokogiri::XML::Node' do
+        doc  = Nokogiri::HTML5.parse('<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script>')
+        frag = doc.fragment
 
-  it 'adds a doctype tag if not included' do
-    @s.clean_document('').must_equal("#{@default_doctype}\n\n")
-  end
+        doc.xpath('/html/body/node()').each {|node| frag << node }
 
-  it 'should apply whitelist filtering to HTML element' do
-    output = "<!DOCTYPE html>\n<html anything='false'></html>\n\n"
-    @s.clean_document(output).must_equal("<!DOCTYPE html>\n<html></html>\n")
-  end
-
-  strings.each do |name, data|
-    it "should wrap #{name} with DOCTYPE and HTML tag" do
-      output = data[:document] || data[:default]
-      @s.clean_document(data[:html]).must_equal("#{@default_doctype}\n<html>#{output}</html>\n")
-    end
-  end
+        @s.node!(frag)
+        frag.to_html.must_equal 'Lorem ipsum dolor sit amet alert("hello world");'
+      end
 
-  tricky.each do |name, data|
-    it "should wrap #{name} with DOCTYPE and HTML tag" do
-      @s.clean_document(data[:html]).must_equal("#{@default_doctype}\n<html>#{data[:default]}</html>\n")
+      describe "when the given node is a document and <html> isn't whitelisted" do
+        it 'should raise a Sanitize::Error' do
+          doc = Nokogiri::HTML5.parse('foo')
+          proc { @s.node!(doc) }.must_raise Sanitize::Error
+        end
+      end
     end
   end
-end
-
-describe 'Custom configs' do
-  it 'should allow attributes on all elements if whitelisted under :all' do
-    input = '<p class="foo">bar</p>'
-
-    Sanitize.clean(input).must_equal(' bar ')
-    Sanitize.clean(input, {:elements => ['p'], :attributes => {:all => ['class']}}).must_equal(input)
-    Sanitize.clean(input, {:elements => ['p'], :attributes => {'div' => ['class']}}).must_equal('<p>bar</p>')
-    Sanitize.clean(input, {:elements => ['p'], :attributes => {'p' => ['title'], :all => ['class']}}).must_equal(input)
-  end
-
-  it 'should allow comments when :allow_comments == true' do
-    input = 'foo <!-- bar --> baz'
-    Sanitize.clean(input).must_equal('foo  baz')
-    Sanitize.clean(input, :allow_comments => true).must_equal(input)
-  end
-
-  it 'should allow relative URLs containing colons where the colon is not in the first path segment' do
-    input = '<a href="/wiki/Special:Random">Random Page</a>'
-    Sanitize.clean(input, { :elements => ['a'], :attributes => {'a' => ['href']}, :protocols => { 'a' => { 'href' => [:relative] }} }).must_equal(input)
-  end
-
-  it 'should allow relative URLs containing colons where the colon is part of an anchor' do
-    input = '<a href="#fn:1">Footnote 1</a>'
-    Sanitize.clean(input, { :elements => ['a'], :attributes => {'a' => ['href']}, :protocols => { 'a' => { 'href' => [:relative] }} }).must_equal(input)
-  end
-
-  it 'should allow relative URLs containing colons where the colon is part of an anchor' do
-    input = '<a href="somepage#fn:1">Footnote 1</a>'
-    Sanitize.clean(input, { :elements => ['a'], :attributes => {'a' => ['href']}, :protocols => { 'a' => { 'href' => [:relative] }} }).must_equal(input)
-  end
-
-  it 'should output HTML when :output == :html' do
-    input = 'foo<br/>bar<br>baz'
-    Sanitize.clean(input, :elements => ['br'], :output => :html).must_equal('foo<br>bar<br>baz')
-  end
-
-  it 'should remove the contents of filtered nodes when :remove_contents == true' do
-    Sanitize.clean('foo bar <div>baz<span>quux</span></div>', :remove_contents => true).must_equal('foo bar   ')
-  end
-
-  it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as strings' do
-    Sanitize.clean('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', :remove_contents => ['script', 'span']).must_equal('foo bar  baz ')
-  end
-
-  it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as symbols' do
-    Sanitize.clean('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', :remove_contents => [:script, :span]).must_equal('foo bar  baz ')
-  end
-
-  it 'should support encodings other than utf-8' do
-    html = 'foo&nbsp;bar'
-    Sanitize.clean(html).must_equal("foo\302\240bar")
-    Sanitize.clean(html, :output_encoding => 'ASCII').must_equal("foo&#160;bar")
-  end
-
-  it 'should not allow arbitrary HTML5 data attributes by default' do
-    config = {
-      :elements => ['b']
-    }
-
-    Sanitize.clean('<b data-foo="bar"></b>', config)
-      .must_equal('<b></b>')
-
-    config[:attributes] = {'b' => ['class']}
-
-    Sanitize.clean('<b class="foo" data-foo="bar"></b>', config)
-      .must_equal('<b class="foo"></b>')
-  end
-
-  it 'should allow arbitrary HTML5 data attributes when the :attributes config includes :data' do
-    config = {
-      :attributes => {'b' => [:data]},
-      :elements   => ['b']
-    }
-
-    Sanitize.clean('<b data-foo="valid" data-bar="valid"></b>', config)
-      .must_equal('<b data-foo="valid" data-bar="valid"></b>')
-
-    Sanitize.clean('<b data-="invalid"></b>', config)
-      .must_equal('<b></b>')
-
-    Sanitize.clean('<b data-="invalid"></b>', config)
-      .must_equal('<b></b>')
-
-    Sanitize.clean('<b data-xml="invalid"></b>', config)
-      .must_equal('<b></b>')
-
-    Sanitize.clean('<b data-xmlfoo="invalid"></b>', config)
-      .must_equal('<b></b>')
-
-    Sanitize.clean('<b data-f:oo="valid"></b>', config)
-      .must_equal('<b></b>')
-
-    Sanitize.clean('<b data-f/oo="partial"></b>', config)
-      .must_equal('<b data-f></b>') # Nokogiri quirk; not ideal, but harmless
-
-    Sanitize.clean('<b data-éfoo="valid"></b>', config)
-      .must_equal('<b></b>') # Another annoying Nokogiri quirk.
-  end
-end
-
-describe 'Sanitize.clean' do
-  it 'should not modify the input string' do
-    input = '<b>foo</b>'
-    Sanitize.clean(input)
-    input.must_equal('<b>foo</b>')
-  end
-
-  it 'should return a new string' do
-    input = '<b>foo</b>'
-    Sanitize.clean(input).must_equal('foo')
-  end
-end
-
-describe 'Sanitize.clean!' do
-  it 'should modify the input string' do
-    input = '<b>foo</b>'
-    Sanitize.clean!(input)
-    input.must_equal('foo')
-  end
-
-  it 'should return the string if it was modified' do
-    input = '<b>foo</b>'
-    Sanitize.clean!(input).must_equal('foo')
-  end
-
-  it 'should return nil if the string was not modified' do
-    input = 'foo'
-    Sanitize.clean!(input).must_equal(nil)
-  end
-end
-
-describe 'Sanitize.clean_document' do
-  before { @config = { :elements => ['html', 'p'] } }
-
-  it 'should be idempotent' do
-    input = '<!DOCTYPE html><html><p>foo</p></html>'
-    first = Sanitize.clean_document(input, @config)
-    second = Sanitize.clean_document(first, @config)
-    second.must_equal first
-    second.wont_be_nil
-  end
-
-  it 'should handle nil without raising' do
-    Sanitize.clean_document(nil).must_equal nil
-  end
-
-  it 'should not modify the input string' do
-    input = '<!DOCTYPE html><b>foo</b>'
-    Sanitize.clean_document(input, @config)
-    input.must_equal('<!DOCTYPE html><b>foo</b>')
-  end
-
-  it 'should return a new string' do
-    input = '<!DOCTYPE html><b>foo</b>'
-    Sanitize.clean_document(input, @config).must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
-  end
-end
-
-describe 'Sanitize.clean_document!' do
-  before { @config = { :elements => ['html'] } }
-
-  it 'should modify the input string' do
-    input = '<!DOCTYPE html><html><body><b>foo</b></body></html>'
-    Sanitize.clean_document!(input, @config)
-    input.must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
-  end
-
-  it 'should return the string if it was modified' do
-    input = '<!DOCTYPE html><html><body><b>foo</b></body></html>'
-    Sanitize.clean_document!(input, @config).must_equal("<!DOCTYPE html>\n<html>foo</html>\n")
-  end
-
-  it 'should return nil if the string was not modified' do
-    input = "<!DOCTYPE html>\n<html></html>\n"
-    Sanitize.clean_document!(input, @config).must_equal(nil)
-  end
-end
-
-describe 'transformers' do
-  # YouTube embed transformer.
-  youtube = lambda do |env|
-    node      = env[:node]
-    node_name = env[:node_name]
-
-    # Don't continue if this node is already whitelisted or is not an element.
-    return if env[:is_whitelisted] || !node.element?
-
-    # Don't continue unless the node is an iframe.
-    return unless node_name == 'iframe'
-
-    # Verify that the video URL is actually a valid YouTube video URL.
-    return unless node['src'] =~ /\Ahttps?:\/\/(?:www\.)?youtube(?:-nocookie)?\.com\//
-
-    # We're now certain that this is a YouTube embed, but we still need to run
-    # it through a special Sanitize step to ensure that no unwanted elements or
-    # attributes that don't belong in a YouTube embed can sneak in.
-    Sanitize.clean_node!(node, {
-      :elements => %w[iframe],
-
-      :attributes => {
-        'iframe'  => %w[allowfullscreen frameborder height src width]
-      }
-    })
-
-    # Now that we're sure that this is a valid YouTube embed and that there are
-    # no unwanted elements or attributes hidden inside it, we can tell Sanitize
-    # to whitelist the current node.
-    {:node_whitelist => [node]}
-  end
-
-  it 'should receive a complete env Hash as input' do
-    Sanitize.clean!('<SPAN>foo</SPAN>', :foo => :bar, :transformers => lambda {|env|
-      return unless env[:node].element?
-
-      env[:config][:foo].must_equal(:bar)
-      env[:is_whitelisted].must_equal(false)
-      env[:node].must_be_kind_of(Nokogiri::XML::Node)
-      env[:node_name].must_equal('span')
-      env[:node_whitelist].must_be_kind_of(Set)
-      env[:node_whitelist].must_be_empty
-    })
-  end
-
-  it 'should traverse all node types, including the fragment itself' do
-    nodes = []
-
-    Sanitize.clean!('<div>foo</div><!--bar--><script>cdata!</script>', :transformers => proc {|env|
-      nodes << env[:node_name]
-    })
 
-    nodes.must_equal(%w[
-      text div comment #cdata-section script #document-fragment
-    ])
-  end
-
-  it 'should traverse in depth-first mode by default' do
-    nodes = []
-
-    Sanitize.clean!('<div><span>foo</span></div><p>bar</p>', :transformers => proc {|env|
-      env[:traversal_mode].must_equal(:depth)
-      nodes << env[:node_name] if env[:node].element?
-    })
-
-    nodes.must_equal(['span', 'div', 'p'])
-  end
-
-  it 'should traverse in breadth-first mode when using :transformers_breadth' do
-    nodes = []
-
-    Sanitize.clean!('<div><span>foo</span></div><p>bar</p>', :transformers_breadth => proc {|env|
-      env[:traversal_mode].must_equal(:breadth)
-      nodes << env[:node_name] if env[:node].element?
-    })
-
-    nodes.must_equal(['div', 'span', 'p'])
-  end
-
-  it 'should whitelist nodes in the node whitelist' do
-    Sanitize.clean!('<div class="foo">foo</div><span>bar</span>', :transformers => [
-      proc {|env|
-        {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
-      },
-
-      proc {|env|
-        env[:is_whitelisted].must_equal(false) unless env[:node_name] == 'div'
-        env[:is_whitelisted].must_equal(true) if env[:node_name] == 'div'
-        env[:node_whitelist].must_include(env[:node]) if env[:node_name] == 'div'
-      }
-    ]).must_equal('<div class="foo">foo</div>bar')
-  end
-
-  it 'should clear the node whitelist after each fragment' do
-    called = false
-
-    Sanitize.clean!('<div>foo</div>', :transformers => proc {|env|
-      {:node_whitelist => [env[:node]]}
-    })
-
-    Sanitize.clean!('<div>foo</div>', :transformers =>  proc {|env|
-      called = true
-      env[:is_whitelisted].must_equal(false)
-      env[:node_whitelist].must_be_empty
-    })
-
-    called.must_equal(true)
-  end
-
-  it 'should allow youtube video embeds via the youtube transformer' do
-    input  = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
-    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
-
-    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
-  end
-
-  it 'should allow https youtube video embeds via the youtube transformer' do
-    input  = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
-    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
-
-    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
-  end
-
-  it 'should allow privacy-enhanced youtube video embeds via the youtube transformer' do
-    input  = '<iframe width="420" height="315" src="http://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
-    output = Nokogiri::HTML::DocumentFragment.parse('<iframe width="420" height="315" src="http://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen>alert()</iframe>').to_html(:encoding => 'utf-8', :indent => 0)
-
-    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
-  end
-
-  it 'should not allow non-youtube video embeds via the youtube transformer' do
-    input  = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
-    output = ''
-
-    Sanitize.clean!(input, :transformers => youtube).must_equal(output)
-  end
-end
-
-describe 'bugs' do
-  it 'should not have Nokogiri 1.4.2+ unterminated script/style element bug' do
-    Sanitize.clean!('foo <script>bar').must_equal('foo bar')
-    Sanitize.clean!('foo <style>bar').must_equal('foo bar')
-  end
-end
-
-describe 'Malicious HTML' do
-  make_my_diffs_pretty!
-  parallelize_me!
-
-  before do
-    @s = Sanitize.new(Sanitize::Config::RELAXED)
-  end
-
-  # libxml2 >= 2.9.2 doesn't escape comments within some attributes, in an
-  # attempt to preserve server-side includes. This can result in XSS since an
-  # unescaped double quote can allow an attacker to inject a non-whitelisted
-  # attribute. Sanitize works around this by implementing its own escaping for
-  # affected attributes.
-  #
-  # The relevant libxml2 code is here:
-  # <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
-  describe 'unsafe libxml2 server-side includes in attributes' do
-    tag_configs = [
-      {
-        tag_name: 'a',
-        escaped_attrs: %w[ action href src name ],
-        unescaped_attrs: []
-      },
-
-      {
-        tag_name: 'div',
-        escaped_attrs: %w[ action href src ],
-        unescaped_attrs: %w[ name ]
-      }
-    ]
-
-    before do
-      @s = Sanitize.new({
-        elements: %w[ a div ],
-
-        attributes: {
-          all: %w[ action href src name ]
-        }
-      })
-    end
-
-    tag_configs.each do |tag_config|
-      tag_name = tag_config[:tag_name]
-
-      tag_config[:escaped_attrs].each do |attr_name|
-        input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
-
-        it 'should escape unsafe characters in attributes' do
-          @s.clean(input).must_equal(%[<#{tag_name} #{attr_name}="examp<!--%22%20onmouseover=alert(1)>-->le.com">foo</#{tag_name}>])
-        end
-
-        it 'should round-trip to the same output' do
-          output = @s.clean(input)
-          @s.clean(output).must_equal(output)
+  describe 'class methods' do
+    describe '.document' do
+      it 'should call #document' do
+        Sanitize.stub_instance(:document, proc {|html| html + ' called' }) do
+          Sanitize.document('<html>foo</html>')
+            .must_equal '<html>foo</html> called'
         end
       end
+    end
 
-      tag_config[:unescaped_attrs].each do |attr_name|
-        input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
-
-        it 'should not escape characters unnecessarily' do
-          @s.clean(input).must_equal(input)
+    describe '.fragment' do
+      it 'should call #fragment' do
+        Sanitize.stub_instance(:fragment, proc {|html| html + ' called' }) do
+          Sanitize.fragment('<b>foo</b>').must_equal '<b>foo</b> called'
         end
+      end
+    end
 
-        it 'should round-trip to the same output' do
-          output = @s.clean(input)
-          @s.clean(output).must_equal(output)
+    describe '.node!' do
+      it 'should call #node!' do
+        Sanitize.stub_instance(:node!, proc {|input| input + ' called' }) do
+          Sanitize.node!('not really a node').must_equal 'not really a node called'
         end
       end
     end
   end
 end
-