sanitize 2.1.1 → 6.0.0



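--- a/PATH-NOT-ON-PAGE-basic
+++ b/PATH-NOT-ON-PAGE-basic
@@ -1,40 +1,20 @@
-#--
-# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the 'Software'), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#++
+# encoding: utf-8
 
 class Sanitize
 module Config
-BASIC = {
-:elements => %w[
-a abbr b blockquote br cite code dd dfn dl dt em i kbd li mark ol p pre
-q s samp small strike strong sub sup time u ul var
+BASIC = freeze_config(
+:elements => RESTRICTED[:elements] + %w[
+a abbr blockquote br cite code dd dfn dl dt kbd li mark ol p pre q s
+samp small strike sub sup time ul var
 ],
 
 :attributes => {
-'a' => ['href'],
-'abbr' => ['title'],
-'blockquote' => ['cite'],
-'dfn' => ['title'],
-'q' => ['cite'],
-'time' => ['datetime', 'pubdate']
+'a' => %w[href],
+'abbr' => %w[title],
+'blockquote' => %w[cite],
+'dfn' => %w[title],
+'q' => %w[cite],
+'time' => %w[datetime pubdate]
 },
 
 :add_attributes => {
@@ -46,6 +26,6 @@ class Sanitize
 'blockquote' => {'cite' => ['http', 'https', :relative]},
 'q' => {'cite' => ['http', 'https', :relative]}
 }
-}
+)
 end
 end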
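Review bot: `:elements => RESTRICTED[:elements] + %w[...]` in the first hunk makes BASIC's allowlist depend on the `RESTRICTED` constant being defined before this file is evaluated, and neither that constant nor the `freeze_config` helper it is passed to is visible here, so a reader cannot tell from this file which inline elements (the old list's `b`, `em`, `i`, `strong`, `u` no longer appear) are still permitted or that the result is frozen. A comment above the constant would make the contract explicit: `# Extends RESTRICTED (must be loaded first); the merged config is frozen by freeze_config.` The `:add_attributes` and `:protocols` hashes between the two hunks lie outside the visible lines, so the `a`/`href` protocol allowlist could not be reviewed here.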
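--- /dev/null
+++ b/PATH-NOT-ON-PAGE-default
@@ -0,0 +1,118 @@
+# encoding: utf-8
+
+class Sanitize
+module Config
+DEFAULT = freeze_config(
+# HTML attributes to add to specific elements. By default, no attributes
+# are added.
+:add_attributes => {},
+
+# Whether or not to allow HTML comments. Allowing comments is strongly
+# discouraged, since IE allows script execution within conditional
+# comments.
+:allow_comments => false,
+
+# Whether or not to allow well-formed HTML doctype declarations such as
+# "<!DOCTYPE html>" when sanitizing a document. This setting is ignored
+# when sanitizing fragments.
+:allow_doctype => false,
+
+# HTML attributes to allow in specific elements. By default, no attributes
+# are allowed. Use the symbol :data to indicate that arbitrary HTML5
+# data-* attributes should be allowed.
+:attributes => {},
+
+# CSS sanitization settings.
+:css => {
+# Whether or not to allow CSS comments.
+:allow_comments => false,
+
+# Whether or not to allow browser compatibility hacks such as the IE *
+# and _ hacks. These are generally harmless, but technically result in
+# invalid CSS.
+:allow_hacks => false,
+
+# CSS at-rules to allow that may not have associated blocks (e.g.
+# "import").
+#
+# https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule
+:at_rules => [],
+
+# CSS at-rules to allow whose blocks may contain properties (e.g.
+# "font-face").
+:at_rules_with_properties => [],
+
+# CSS at-rules to allow whose blocks may contain styles (e.g. "media").
+:at_rules_with_styles => [],
+
+# CSS properties to allow.
+:properties => [],
+
+# URL protocols to allow in CSS URLs.
+:protocols => []
+},
+
+# HTML elements to allow. By default, no elements are allowed (which means
+# that all HTML will be stripped).
+:elements => [],
+
+# HTML parsing options to pass to Nokogumbo.
+# https://github.com/rubys/nokogumbo/tree/v2.0.1#parsing-options
+:parser_options => {},
+
+# URL handling protocols to allow in specific attributes. By default, no
+# protocols are allowed. Use :relative in place of a protocol if you want
+# to allow relative URLs sans protocol.
+:protocols => {},
+
+# If this is true, Sanitize will remove the contents of any filtered
+# elements in addition to the elements themselves. By default, Sanitize
+# leaves the safe parts of an element's contents behind when the element
+# is removed.
+#
+# If this is an Array or Set of element names, then only the contents of
+# the specified elements (when filtered) will be removed, and the contents
+# of all other filtered elements will be left behind.
+:remove_contents => %w[
+iframe math noembed noframes noscript plaintext script style svg xmp
+],
+
+# Transformers allow you to filter or alter nodes using custom logic. See
+# README.md for details and examples.
+:transformers => [],
+
+# Elements which, when removed, should have their contents surrounded by
+# values specified with `before` and `after` keys to preserve readability.
+# For example, `foo<div>bar</div>baz` will become 'foo bar baz' when the
+# <div> is removed.
+:whitespace_elements => {
+'address' => { :before => ' ', :after => ' ' },
+'article' => { :before => ' ', :after => ' ' },
+'aside' => { :before => ' ', :after => ' ' },
+'blockquote' => { :before => ' ', :after => ' ' },
+'br' => { :before => ' ', :after => ' ' },
+'dd' => { :before => ' ', :after => ' ' },
+'div' => { :before => ' ', :after => ' ' },
+'dl' => { :before => ' ', :after => ' ' },
+'dt' => { :before => ' ', :after => ' ' },
+'footer' => { :before => ' ', :after => ' ' },
+'h1' => { :before => ' ', :after => ' ' },
+'h2' => { :before => ' ', :after => ' ' },
+'h3' => { :before => ' ', :after => ' ' },
+'h4' => { :before => ' ', :after => ' ' },
+'h5' => { :before => ' ', :after => ' ' },
+'h6' => { :before => ' ', :after => ' ' },
+'header' => { :before => ' ', :after => ' ' },
+'hgroup' => { :before => ' ', :after => ' ' },
+'hr' => { :before => ' ', :after => ' ' },
+'li' => { :before => ' ', :after => ' ' },
+'nav' => { :before => ' ', :after => ' ' },
+'ol' => { :before => ' ', :after => ' ' },
+'p' => { :before => ' ', :after => ' ' },
+'pre' => { :before => ' ', :after => ' ' },
+'section' => { :before => ' ', :after => ' ' },
+'ul' => { :before => ' ', :after => ' ' }
+}
+)
+end
+end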
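Review bot: The two `:protocols` keys in this file have different shapes — the one nested under `:css` defaults to an Array (`:protocols => []`) while the top-level one defaults to a Hash (`:protocols => {}`) — and neither comment states the expected type, so a user config that copies the wrong shape into the other slot would only fail when the allowlist is consulted, not when the config is built. Add the shape to each comment, e.g. `# URL protocols to allow in CSS URLs (Array of protocol strings).` and `# ... (Hash of element => attribute => Array of protocols / :relative).`; the exact nesting of the top-level Hash is inferred from the BASIC config's `'blockquote' => {'cite' => [...]}` entries and should be confirmed. It would also help to note above `DEFAULT = freeze_config(` whether `freeze_config` freezes nested values, since the comments elsewhere say the arrays and hashes are meant to be merged rather than mutated; that helper is not visible here.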