sanitize 2.1.1 → 6.0.0

data/test/test_sanitize_css.rb

@@ -0,0 +1,424 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::CSS' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  describe 'instance methods' do
+    before do
+      @default = Sanitize::CSS.new
+      @relaxed = Sanitize::CSS.new(Sanitize::Config::RELAXED[:css])
+      @custom  = Sanitize::CSS.new(:properties => %w[background color width])
+    end
+
+    describe '#properties' do
+      it 'should sanitize CSS properties' do
+        css = 'background: #fff; width: expression(alert("hi"));'
+
+        @default.properties(css).must_equal ' '
+        @relaxed.properties(css).must_equal 'background: #fff; '
+        @custom.properties(css).must_equal 'background: #fff; '
+      end
+
+      it 'should allow allowlisted URL protocols' do
+        [
+          "background: url(relative.jpg)",
+          "background: url('relative.jpg')",
+          "background: url(http://example.com/http.jpg)",
+          "background: url('ht\\tp://example.com/http.jpg')",
+          "background: url(https://example.com/https.jpg)",
+          "background: url('https://example.com/https.jpg')",
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal css
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow non-allowlisted URL protocols' do
+        [
+          "background: url(javascript:alert(0))",
+          "background: url(ja\\56 ascript:alert(0))",
+          "background: url('javascript:foo')",
+          "background: url('ja\\56 ascript:alert(0)')",
+          "background: url('ja\\va\\script\\:alert(0)')",
+          "background: url('javas\\\ncript:alert(0)')",
+          "background: url('java\\0script:foo')"
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal ''
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow -moz-binding' do
+        css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
+
+        @default.properties(css).must_equal ''
+        @relaxed.properties(css).must_equal ''
+        @custom.properties(css).must_equal ''
+      end
+
+      it 'should not allow expressions' do
+        [
+          "width:expression(alert(1))",
+          "width:  /**/expression(alert(1)",
+          "width:e\\78 pression(\n\nalert(\n1)",
+          "width:\nexpression(alert(1));",
+          "xss:expression(alert(1))",
+          "height: foo(expression(alert(1)));"
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal ''
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow behaviors' do
+        css = "behavior: url(xss.htc);"
+
+        @default.properties(css).must_equal ''
+        @relaxed.properties(css).must_equal ''
+        @custom.properties(css).must_equal ''
+      end
+
+      describe 'when :allow_comments is true' do
+        it 'should preserve comments' do
+          @relaxed.properties('color: #fff; /* comment */ width: 100px;')
+            .must_equal 'color: #fff; /* comment */ width: 100px;'
+
+          @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+            .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
+        end
+      end
+
+      describe 'when :allow_comments is false' do
+        it 'should strip comments' do
+          @custom.properties('color: #fff; /* comment */ width: 100px;')
+            .must_equal 'color: #fff;  width: 100px;'
+
+          @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+            .must_equal 'color: #fff;  width: 100px;'
+        end
+      end
+
+      describe 'when :allow_hacks is true' do
+        it 'should allow common CSS hacks' do
+          @relaxed.properties('_border: 1px solid #fff; *width: 10px')
+            .must_equal '_border: 1px solid #fff; *width: 10px'
+        end
+      end
+
+      describe 'when :allow_hacks is false' do
+        it 'should not allow common CSS hacks' do
+          @custom.properties('_border: 1px solid #fff; *width: 10px')
+            .must_equal ' '
+        end
+      end
+    end
+
+    describe '#stylesheet' do
+      it 'should sanitize a CSS stylesheet' do
+        css = %[
+          /* Yay CSS! */
+          .foo { color: #fff; }
+          #bar { background: url(yay.jpg); }
+
+          @media screen (max-width:480px) {
+            .foo { width: 400px; }
+            #bar:not(.baz) { height: 100px; }
+          }
+        ].strip
+
+        @default.stylesheet(css).strip.must_equal %[
+          .foo {  }
+          #bar {  }
+        ].strip
+
+        @relaxed.stylesheet(css).must_equal css
+
+        @custom.stylesheet(css).strip.must_equal %[
+          .foo { color: #fff; }
+          #bar {  }
+        ].strip
+      end
+
+      describe 'when :allow_comments is true' do
+        it 'should preserve comments' do
+          @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+            .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
+
+          @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+            .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
+        end
+      end
+
+      describe 'when :allow_comments is false' do
+        it 'should strip comments' do
+          @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+            .must_equal '.foo { color: #fff;  width: 100px; }'
+
+          @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+            .must_equal '.foo { color: #fff;  width: 100px; }'
+        end
+      end
+
+      describe 'when :allow_hacks is true' do
+        it 'should allow common CSS hacks' do
+          @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+            .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
+        end
+      end
+
+      describe 'when :allow_hacks is false' do
+        it 'should not allow common CSS hacks' do
+          @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+            .must_equal '.foo {  }'
+        end
+      end
+    end
+
+    describe '#tree!' do
+      it 'should sanitize a Crass CSS parse tree' do
+        tree = Crass.parse(String.new("@import url(foo.css);\n") <<
+          ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
+          "#bar { top: 125px; background: green; }")
+
+        @custom.tree!(tree).must_be_same_as tree
+
+        Crass::Parser.stringify(tree).must_equal String.new("\n") <<
+            ".foo { background: #fff;  }\n" <<
+            "#bar {  background: green; }"
+      end
+    end
+  end
+
+  describe 'class methods' do
+    describe '.properties' do
+      it 'should sanitize CSS properties with the given config' do
+        css = 'background: #fff; width: expression(alert("hi"));'
+
+        Sanitize::CSS.properties(css).must_equal ' '
+        Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
+        Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
+      end
+    end
+
+    describe '.stylesheet' do
+      it 'should sanitize a CSS stylesheet with the given config' do
+        css = %[
+          /* Yay CSS! */
+          .foo { color: #fff; }
+          #bar { background: url(yay.jpg); }
+
+          @media screen (max-width:480px) {
+            .foo { width: 400px; }
+            #bar:not(.baz) { height: 100px; }
+          }
+        ].strip
+
+        Sanitize::CSS.stylesheet(css).strip.must_equal %[
+          .foo {  }
+          #bar {  }
+        ].strip
+
+        Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
+
+        Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
+          .foo { color: #fff; }
+          #bar {  }
+        ].strip
+      end
+    end
+
+    describe '.tree!' do
+      it 'should sanitize a Crass CSS parse tree with the given config' do
+        tree = Crass.parse(String.new("@import url(foo.css);\n") <<
+          ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
+          "#bar { top: 125px; background: green; }")
+
+        Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
+
+        Crass::Parser.stringify(tree).must_equal String.new("\n") <<
+            ".foo { background: #fff;  }\n" <<
+            "#bar {  background: green; }"
+      end
+    end
+  end
+
+  describe 'functionality' do
+    before do
+      @default = Sanitize::CSS.new
+      @relaxed = Sanitize::CSS.new(Sanitize::Config::RELAXED[:css])
+    end
+
+    # https://github.com/rgrove/sanitize/issues/121
+    it 'should parse the contents of @media rules properly' do
+      css = '@media { p[class="center"] { text-align: center; }}'
+      @relaxed.stylesheet(css).must_equal css
+
+      css = %[
+        @media (max-width: 720px) {
+          p.foo > .bar { float: right; width: expression(body.scrollLeft + 50 + 'px'); }
+          #baz { color: green; }
+
+          @media (orientation: portrait) {
+            #baz { color: red; }
+          }
+        }
+      ].strip
+
+      @relaxed.stylesheet(css).must_equal %[
+        @media (max-width: 720px) {
+          p.foo > .bar { float: right;  }
+          #baz { color: green; }
+
+          @media (orientation: portrait) {
+            #baz { color: red; }
+          }
+        }
+      ].strip
+    end
+
+    it 'should parse @page rules properly' do
+      css = %[
+        @page { margin: 2cm } /* All margins set to 2cm */
+
+        @page :right {
+          @top-center { content: "Preliminary edition" }
+          @bottom-center { content: counter(page) }
+        }
+
+        @page {
+          size: 8.5in 11in;
+          margin: 10%;
+
+          @top-left {
+            content: "Hamlet";
+          }
+          @top-right {
+            content: "Page " counter(page);
+          }
+        }
+      ].strip
+
+      @relaxed.stylesheet(css).must_equal css
+    end
+
+    describe ":at_rules" do
+      it "should remove blockless at-rules that aren't allowlisted" do
+        css = %[
+          @charset 'utf-8';
+          @import url('foo.css');
+          .foo { color: green; }
+        ].strip
+
+        @relaxed.stylesheet(css).strip.must_equal %[
+          .foo { color: green; }
+        ].strip
+      end
+
+      describe "when blockless at-rules are allowlisted" do
+        before do
+          @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
+            :at_rules => ['charset', 'import']
+          }))
+        end
+
+        it "should not remove them" do
+          css = %[
+            @charset 'utf-8';
+            @import url('foo.css');
+            .foo { color: green; }
+          ].strip
+
+          @scss.stylesheet(css).must_equal %[
+            @charset 'utf-8';
+            @import url('foo.css');
+            .foo { color: green; }
+          ].strip
+        end
+
+        it "should remove them if they have invalid blocks" do
+          css = %[
+            @charset { color: green }
+            @import { color: green }
+            .foo { color: green; }
+          ].strip
+
+          @scss.stylesheet(css).strip.must_equal %[
+            .foo { color: green; }
+          ].strip
+        end
+      end
+
+      describe "when validating @import rules" do
+
+        describe "with no validation proc specified" do
+          before do
+            @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
+              :at_rules => ['import']
+            }))
+          end
+
+          it "should allow any URL value" do
+            css = %[
+              @import url('https://somesite.com/something.css');
+            ].strip
+
+            @scss.stylesheet(css).strip.must_equal %[
+              @import url('https://somesite.com/something.css');
+            ].strip
+          end
+        end
+
+        describe "with a validation proc specified" do
+          before do
+            google_font_validator = Proc.new { |url| url.start_with?("https://fonts.googleapis.com") }
+
+            @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
+              :at_rules => ['import'], :import_url_validator => google_font_validator
+            }))
+          end
+
+          it "should allow a google fonts url" do
+            css = %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+              @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
+            ].strip
+
+            @scss.stylesheet(css).strip.must_equal %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+              @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
+            ].strip
+          end
+
+          it "should not allow a nasty url" do
+            css = %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+              @import 'https://nastysite.com/nasty_hax0r.css';
+              @import url('https://nastysite.com/nasty_hax0r.css');
+            ].strip
+
+            @scss.stylesheet(css).strip.must_equal %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+            ].strip
+          end
+
+          it "should not allow a blank url" do
+            css = %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+              @import '';
+              @import url('');
+            ].strip
+
+            @scss.stylesheet(css).strip.must_equal %[
+              @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
+            ].strip
+          end
+        end
+      end
+    end
+  end
+end

data/test/test_transformers.rb

@@ -0,0 +1,230 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Transformers' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  it 'should receive a complete env Hash as input' do
+    Sanitize.fragment('<SPAN>foo</SPAN>',
+      :foo => :bar,
+      :transformers => lambda {|env|
+        return unless env[:node].element?
+
+        env[:config][:foo].must_equal :bar
+        env[:is_allowlisted].must_equal false
+        env[:is_whitelisted].must_equal env[:is_allowlisted]
+        env[:node].must_be_kind_of Nokogiri::XML::Node
+        env[:node_name].must_equal 'span'
+        env[:node_allowlist].must_be_kind_of Set
+        env[:node_allowlist].must_be_empty
+        env[:node_whitelist].must_equal env[:node_allowlist]
+      }
+    )
+  end
+
+  it 'should traverse all node types, including the fragment itself' do
+    nodes = []
+
+    Sanitize.fragment('<div>foo</div><!--bar--><script>cdata!</script>',
+      :transformers => proc {|env| nodes << env[:node_name] }
+    )
+
+    nodes.must_equal %w[
+      #document-fragment div text text text comment script text
+    ]
+  end
+
+  it 'should perform top-down traversal' do
+    nodes = []
+
+    Sanitize.fragment('<div><span><strong>foo</strong></span><b></b></div><p>bar</p>',
+      :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
+    )
+
+    nodes.must_equal %w[div span strong b p]
+  end
+
+  it 'should allowlist nodes in the node allowlist' do
+    Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
+      :transformers => [
+        proc {|env|
+          {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
+        },
+
+        proc {|env|
+          env[:is_allowlisted].must_equal false unless env[:node_name] == 'div'
+          env[:is_allowlisted].must_equal true if env[:node_name] == 'div'
+          env[:node_allowlist].must_include env[:node] if env[:node_name] == 'div'
+          env[:is_whitelisted].must_equal env[:is_allowlisted]
+          env[:node_whitelist].must_equal env[:node_allowlist]
+        }
+      ]
+    ).must_equal '<div class="foo">foo</div>bar'
+  end
+
+  it 'should clear the node allowlist after each fragment' do
+    called = false
+
+    Sanitize.fragment('<div>foo</div>',
+      :transformers => proc {|env| {:node_allowlist => [env[:node]]}}
+    )
+
+    Sanitize.fragment('<div>foo</div>',
+      :transformers => proc {|env|
+        called = true
+        env[:is_allowlisted].must_equal false
+        env[:is_whitelisted].must_equal env[:is_allowlisted]
+        env[:node_allowlist].must_be_empty
+        env[:node_whitelist].must_equal env[:node_allowlist]
+      }
+    )
+
+    called.must_equal true
+  end
+
+  it 'should accept a method transformer' do
+    def transformer(env); end
+    Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
+      .must_equal(' foo ')
+  end
+
+  describe 'Image allowlist transformer' do
+    require 'uri'
+
+    image_allowlist_transformer = lambda do |env|
+      # Ignore everything except <img> elements.
+      return unless env[:node_name] == 'img'
+
+      node      = env[:node]
+      image_uri = URI.parse(node['src'])
+
+      # Only allow relative URLs or URLs with the example.com domain. The
+      # image_uri.host.nil? check ensures that protocol-relative URLs like
+      # "//evil.com/foo.jpg".
+      unless image_uri.host == 'example.com' || (image_uri.host.nil? && image_uri.relative?)
+        node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
+      end
+    end
+
+    before do
+      @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
+          :transformers => image_allowlist_transformer))
+    end
+
+    it 'should allow images with relative URLs' do
+      input = '<img src="/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+    end
+
+    it 'should allow images at the example.com domain' do
+      input = '<img src="http://example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+
+      input = '<img src="https://example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+
+      input = '<img src="//example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+    end
+
+    it 'should not allow images at other domains' do
+      input = '<img src="http://evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+
+      input = '<img src="https://evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+
+      input = '<img src="//evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+
+      input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+    end
+  end
+
+  describe 'YouTube transformer' do
+    youtube_transformer = lambda do |env|
+      node      = env[:node]
+      node_name = env[:node_name]
+
+      # Don't continue if this node is already allowlisted or is not an element.
+      return if env[:is_allowlisted] || !node.element?
+
+      # Don't continue unless the node is an iframe.
+      return unless node_name == 'iframe'
+
+      # Verify that the video URL is actually a valid YouTube video URL.
+      return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|
+
+      # We're now certain that this is a YouTube embed, but we still need to run
+      # it through a special Sanitize step to ensure that no unwanted elements or
+      # attributes that don't belong in a YouTube embed can sneak in.
+      Sanitize.node!(node, {
+        :elements => %w[iframe],
+
+        :attributes => {
+          'iframe'  => %w[allowfullscreen frameborder height src width]
+        }
+      })
+
+      # Now that we're sure that this is a valid YouTube embed and that there are
+      # no unwanted elements or attributes hidden inside it, we can tell Sanitize
+      # to allowlist the current node.
+      {:node_allowlist => [node]}
+    end
+
+    it 'should allow HTTP YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
+    end
+
+    it 'should allow HTTPS YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
+    end
+
+    it 'should allow protocol-relative YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
+    end
+
+    it 'should allow privacy-enhanced YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
+    end
+
+    it 'should not allow non-YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal('')
+    end
+  end
+
+  describe 'DOM modification transformer' do
+    b_to_strong_tag_transformer = lambda do |env|
+      node      = env[:node]
+      node_name = env[:node_name]
+
+      if node_name == 'b'
+        node.name = 'strong'
+      end
+    end
+
+    it 'should allow the <b> tag to be changed to a <strong> tag' do
+      input = '<b>text</b>'
+
+      Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
+        .must_equal '<strong>text</strong>'
+    end
+  end
+end