sanitize 2.1.1 → 6.0.0

data/lib/sanitize/config/restricted.rb

@@ -1,29 +1,9 @@
-#--
-# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the 'Software'), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#++
+# encoding: utf-8
 
 class Sanitize
   module Config
-    RESTRICTED = {
+    RESTRICTED = freeze_config(
       :elements => %w[b em i strong u]
-    }
+    )
   end
 end

data/lib/sanitize/config.rb

@@ -1,86 +1,60 @@
-#--
-# Copyright (c) 2013 Ryan Grove <ryan@wonko.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the 'Software'), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#++
+# encoding: utf-8
+
+require 'set'
 
 class Sanitize
   module Config
-    DEFAULT = {
-
-      # Whether or not to allow HTML comments. Allowing comments is strongly
-      # discouraged, since IE allows script execution within conditional
-      # comments.
-      :allow_comments => false,
-
-      # HTML attributes to add to specific elements. By default, no attributes
-      # are added.
-      :add_attributes => {},
-
-      # HTML attributes to allow in specific elements. By default, no attributes
-      # are allowed. Use the symbol :data to indicate that arbitrary HTML5
-      # data-* attributes should be allowed.
-      :attributes => {},
-
-      # HTML elements to allow. By default, no elements are allowed (which means
-      # that all HTML will be stripped).
-      :elements => [],
-
-      # Output format. Supported formats are :html and :xhtml. Default is :html.
-      :output => :html,
-
-      # Character encoding to use for HTML output. Default is 'utf-8'.
-      :output_encoding => 'utf-8',
-
-      # URL handling protocols to allow in specific attributes. By default, no
-      # protocols are allowed. Use :relative in place of a protocol if you want
-      # to allow relative URLs sans protocol.
-      :protocols => {},
-
-      # If this is true, Sanitize will remove the contents of any filtered
-      # elements in addition to the elements themselves. By default, Sanitize
-      # leaves the safe parts of an element's contents behind when the element
-      # is removed.
-      #
-      # If this is an Array of element names, then only the contents of the
-      # specified elements (when filtered) will be removed, and the contents of
-      # all other filtered elements will be left behind.
-      :remove_contents => false,
-
-      # Transformers allow you to filter or alter nodes using custom logic. See
-      # README.rdoc for details and examples.
-      :transformers => [],
-
-      # By default, transformers perform depth-first traversal (deepest node
-      # upward). This setting allows you to specify transformers that should
-      # perform breadth-first traversal (top node downward).
-      :transformers_breadth => [],
 
-      # Elements which, when removed, should have their contents surrounded by
-      # space characters to preserve readability. For example,
-      # `foo<div>bar</div>baz` will become 'foo bar baz' when the <div> is
-      # removed.
-      :whitespace_elements => %w[
-        address article aside blockquote br dd div dl dt footer h1 h2 h3 h4 h5
-        h6 header hgroup hr li nav ol p pre section ul
-      ]
+    # Deeply freezes and returns the given configuration Hash.
+    def self.freeze_config(config)
+      if Hash === config
+        config.each_value {|c| freeze_config(c) }
+      elsif Array === config || Set === config
+        config.each {|c| freeze_config(c) }
+      end
+
+      config.freeze
+    end
+
+    # Returns a new Hash containing the result of deeply merging *other_config*
+    # into *config*. Does not modify *config* or *other_config*.
+    #
+    # This is the safest way to use a built-in Sanitize config as the basis for
+    # your own custom config.
+    def self.merge(config, other_config = {})
+      raise ArgumentError, 'config must be a Hash' unless Hash === config
+      raise ArgumentError, 'other_config must be a Hash' unless Hash === other_config
+
+      merged = {}
+      keys   = Set.new(config.keys + other_config.keys)
+
+      keys.each do |key|
+        oldval = config[key]
+
+        if other_config.has_key?(key)
+          newval = other_config[key]
+
+          if Hash === oldval && Hash === newval
+            merged[key] = oldval.empty? ? newval.dup : merge(oldval, newval)
+          elsif Array === newval && key != :transformers
+            merged[key] = Set.new(newval)
+          else
+            merged[key] = can_dupe?(newval) ? newval.dup : newval
+          end
+        else
+          merged[key] = can_dupe?(oldval) ? oldval.dup : oldval
+        end
+      end
+
+      merged
+    end
+
+    # Returns `true` if `dup` may be safely called on _value_, `false`
+    # otherwise.
+    def self.can_dupe?(value)
+      !(true == value || false == value || value.nil? || Method === value || Numeric === value || Symbol === value)
+    end
+    private_class_method :can_dupe?
 
-    }
   end
 end

data/lib/sanitize/css.rb

@@ -0,0 +1,348 @@
+# encoding: utf-8
+
+require 'crass'
+require 'set'
+
+class Sanitize; class CSS
+  attr_reader :config
+
+  # -- Class Methods -----------------------------------------------------------
+
+  # Sanitizes inline CSS style properties.
+  #
+  # This is most useful for sanitizing non-stylesheet fragments of CSS like you
+  # would find in the `style` attribute of an HTML element. To sanitize a full
+  # CSS stylesheet, use {.stylesheet}.
+  #
+  # @example
+  #   Sanitize::CSS.properties("background: url(foo.png); color: #fff;")
+  #
+  # @return [String] Sanitized CSS properties.
+  def self.properties(css, config = {})
+    self.new(config).properties(css)
+  end
+
+  # Sanitizes a full CSS stylesheet.
+  #
+  # A stylesheet may include selectors, at-rules, and comments. To sanitize only
+  # inline style properties such as the contents of an HTML `style` attribute,
+  # use {.properties}.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED)
+  #
+  # @return [String] Sanitized CSS stylesheet.
+  def self.stylesheet(css, config = {})
+    self.new(config).stylesheet(css)
+  end
+
+  # Sanitizes the given Crass CSS parse tree and all its children, modifying it
+  # in place.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   tree = Crass.parse(css)
+  #   Sanitize::CSS.tree!(tree, Sanitize::Config::RELAXED)
+  #
+  # @return [Array] Sanitized Crass CSS parse tree.
+  def self.tree!(tree, config = {})
+    self.new(config).tree!(tree)
+  end
+
+  # -- Instance Methods --------------------------------------------------------
+
+  # Returns a new Sanitize::CSS object initialized with the settings in
+  # _config_.
+  def initialize(config = {})
+    @config = Config.merge(Config::DEFAULT[:css], config[:css] || config)
+
+    @at_rules                 = Set.new(@config[:at_rules])
+    @at_rules_with_properties = Set.new(@config[:at_rules_with_properties])
+    @at_rules_with_styles     = Set.new(@config[:at_rules_with_styles])
+    @import_url_validator     = @config[:import_url_validator]
+  end
+
+  # Sanitizes inline CSS style properties.
+  #
+  # This is most useful for sanitizing non-stylesheet fragments of CSS like you
+  # would find in the `style` attribute of an HTML element. To sanitize a full
+  # CSS stylesheet, use {#stylesheet}.
+  #
+  # @example
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   scss.properties("background: url(foo.png); color: #fff;")
+  #
+  # @return [String] Sanitized CSS properties.
+  def properties(css)
+    tree = Crass.parse_properties(css,
+      :preserve_comments => @config[:allow_comments],
+      :preserve_hacks    => @config[:allow_hacks])
+
+    tree!(tree)
+    Crass::Parser.stringify(tree)
+  end
+
+  # Sanitizes a full CSS stylesheet.
+  #
+  # A stylesheet may include selectors, at-rules, and comments. To sanitize only
+  # inline style properties such as the contents of an HTML `style` attribute,
+  # use {#properties}.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   scss.stylesheet(css)
+  #
+  # @return [String] Sanitized CSS stylesheet.
+  def stylesheet(css)
+    tree = Crass.parse(css,
+      :preserve_comments => @config[:allow_comments],
+      :preserve_hacks    => @config[:allow_hacks])
+
+    tree!(tree)
+    Crass::Parser.stringify(tree)
+  end
+
+  # Sanitizes the given Crass CSS parse tree and all its children, modifying it
+  # in place.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
+  #   tree = Crass.parse(css)
+  #
+  #   scss.tree!(tree)
+  #
+  # @return [Array] Sanitized Crass CSS parse tree.
+  def tree!(tree)
+    preceded_by_property = false
+
+    tree.map! do |node|
+      next nil if node.nil?
+
+      case node[:node]
+      when :at_rule
+        preceded_by_property = false
+        next at_rule!(node)
+
+      when :comment
+        next node if @config[:allow_comments]
+
+      when :property
+        prop = property!(node)
+        preceded_by_property = !prop.nil?
+        next prop
+
+      when :semicolon
+        # Only preserve the semicolon if it was preceded by an allowlisted
+        # property. Otherwise, omit it in order to prevent redundant semicolons.
+        if preceded_by_property
+          preceded_by_property = false
+          next node
+        end
+
+      when :style_rule
+        preceded_by_property = false
+        tree!(node[:children])
+        next node
+
+      when :whitespace
+        next node
+      end
+
+      nil
+    end
+
+    tree
+  end
+
+  # -- Protected Instance Methods ----------------------------------------------
+  protected
+
+  # Sanitizes a CSS at-rule node. Returns the sanitized node, or `nil` if the
+  # current config doesn't allow this at-rule.
+  def at_rule!(rule)
+    name = rule[:name].downcase
+
+    if @at_rules_with_styles.include?(name)
+      styles = Crass::Parser.parse_rules(rule[:block],
+        :preserve_comments => @config[:allow_comments],
+        :preserve_hacks    => @config[:allow_hacks])
+
+      rule[:block] = tree!(styles)
+
+    elsif @at_rules_with_properties.include?(name)
+      props = Crass::Parser.parse_properties(rule[:block],
+        :preserve_comments => @config[:allow_comments],
+        :preserve_hacks    => @config[:allow_hacks])
+
+      rule[:block] = tree!(props)
+
+    elsif @at_rules.include?(name)
+      return nil if name == "import" && !import_url_allowed?(rule)
+      return nil if rule.has_key?(:block)
+    else
+      return nil
+    end
+
+    rule
+  end
+
+  # Passes the URL value of an @import rule to a block to ensure
+  # it's an allowed URL
+  def import_url_allowed?(rule)
+    return true unless @import_url_validator
+
+    url_token = rule[:tokens].detect { |t| t[:node] == :url || t[:node] == :string }
+
+    # don't allow @imports with no URL value
+    return false unless url_token && (import_url = url_token[:value])
+
+    @import_url_validator.call(import_url)
+  end
+
+  # Sanitizes a CSS property node. Returns the sanitized node, or `nil` if the
+  # current config doesn't allow this property.
+  def property!(prop)
+    name = prop[:name].downcase
+
+    # Preserve IE * and _ hacks if desired.
+    if @config[:allow_hacks]
+      name.slice!(0) if name =~ /\A[*_]/
+    end
+
+    return nil unless @config[:properties].include?(name)
+
+    nodes          = prop[:children].dup
+    combined_value = String.new
+
+    nodes.each do |child|
+      value = child[:value]
+
+      case child[:node]
+      when :ident
+        combined_value << value.downcase if String === value
+
+      when :function
+        if child.key?(:name)
+          name = child[:name].downcase
+
+          if name == 'url'
+            return nil unless valid_url?(child)
+          end
+
+          combined_value << name
+          return nil if name == 'expression' || combined_value == 'expression'
+        end
+
+        if Array === value
+          nodes.concat(value)
+        elsif String === value
+          lowercase_value = value.downcase
+          combined_value << lowercase_value
+          return nil if lowercase_value == 'expression' || combined_value == 'expression'
+        end
+
+      when :url
+        return nil unless valid_url?(child)
+
+      when :bad_url
+        return nil
+      end
+    end
+
+    prop
+  end
+
+  # Returns `true` if the given node (which may be of type `:url` or
+  # `:function`, since the CSS syntax can produce both) uses an allowlisted
+  # protocol.
+  def valid_url?(node)
+    type = node[:node]
+
+    if type == :function
+      return false unless node.key?(:name) && node[:name].downcase == 'url'
+      return false unless Array === node[:value]
+
+      # A URL function's `:value` should be an array containing no more than one
+      # `:string` node and any number of `:whitespace` nodes.
+      #
+      # If it contains more than one `:string` node, or if it contains any other
+      # nodes except `:whitespace` nodes, it's not valid.
+      url_string_node = nil
+
+      node[:value].each do |token|
+        return false unless Hash === token
+
+        case token[:node]
+          when :string
+            return false unless url_string_node.nil?
+            url_string_node = token
+
+          when :whitespace
+            next
+
+          else
+            return false
+        end
+      end
+
+      return false if url_string_node.nil?
+      url = url_string_node[:value]
+    elsif type == :url
+      url = node[:value]
+    else
+      return false
+    end
+
+    if url =~ Sanitize::REGEX_PROTOCOL
+      return @config[:protocols].include?($1.downcase)
+    else
+      return @config[:protocols].include?(:relative)
+    end
+
+    false
+  end
+
+end; end

data/lib/sanitize/transformers/clean_cdata.rb

@@ -1,11 +1,11 @@
+# encoding: utf-8
+
 class Sanitize; module Transformers
 
   CleanCDATA = lambda do |env|
-    return if env[:is_whitelisted]
-
     node = env[:node]
 
-    if node.cdata?
+    if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
       node.replace(Nokogiri::XML::Text.new(node.text, node.document))
     end
   end

data/lib/sanitize/transformers/clean_comment.rb

@@ -1,10 +1,13 @@
+# encoding: utf-8
+
 class Sanitize; module Transformers
 
   CleanComment = lambda do |env|
-    return if env[:is_whitelisted]
-
     node = env[:node]
-    node.unlink if node.comment? && !env[:config][:allow_comments]
+
+    if node.type == Nokogiri::XML::Node::COMMENT_NODE
+      node.unlink unless env[:is_allowlisted]
+    end
   end
 
 end; end

data/lib/sanitize/transformers/clean_css.rb

@@ -0,0 +1,57 @@
+class Sanitize; module Transformers; module CSS
+
+# Enforces a CSS allowlist on the contents of `style` attributes.
+class CleanAttribute
+  def initialize(sanitizer_or_config)
+    if Sanitize::CSS === sanitizer_or_config
+      @scss = sanitizer_or_config
+    else
+      @scss = Sanitize::CSS.new(sanitizer_or_config)
+    end
+  end
+
+  def call(env)
+    node = env[:node]
+
+    return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+        node.key?('style') && !env[:is_allowlisted]
+
+    attr = node.attribute('style')
+    css  = @scss.properties(attr.value)
+
+    if css.strip.empty?
+      attr.unlink
+    else
+      attr.value = css
+    end
+  end
+end
+
+# Enforces a CSS allowlist on the contents of `<style>` elements.
+class CleanElement
+  def initialize(sanitizer_or_config)
+    if Sanitize::CSS === sanitizer_or_config
+      @scss = sanitizer_or_config
+    else
+      @scss = Sanitize::CSS.new(sanitizer_or_config)
+    end
+  end
+
+  def call(env)
+    node = env[:node]
+
+    return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+        env[:node_name] == 'style'
+
+    css = @scss.stylesheet(node.content)
+
+    if css.strip.empty?
+      node.unlink
+    else
+      node.children.unlink
+      node << Nokogiri::XML::Text.new(css, node.document)
+    end
+  end
+end
+
+end; end; end

data/lib/sanitize/transformers/clean_doctype.rb

@@ -0,0 +1,19 @@
+# encoding: utf-8
+
+class Sanitize; module Transformers
+
+  CleanDoctype = lambda do |env|
+    return if env[:is_allowlisted]
+
+    node = env[:node]
+
+    if node.type == Nokogiri::XML::Node::DTD_NODE
+      if env[:config][:allow_doctype]
+        node.name = 'html'
+      else
+        node.unlink
+      end
+    end
+  end
+
+end; end