sanitize 4.6.5 → 6.0.1

data/test/test_sanitize_css.rb

@@ -16,12 +16,12 @@ describe 'Sanitize::CSS' do
       it 'should sanitize CSS properties' do
         css = 'background: #fff; width: expression(alert("hi"));'
 
-        @default.properties(css).must_equal ' '
-        @relaxed.properties(css).must_equal 'background: #fff; '
-        @custom.properties(css).must_equal 'background: #fff; '
+        _(@default.properties(css)).must_equal ' '
+        _(@relaxed.properties(css)).must_equal 'background: #fff; '
+        _(@custom.properties(css)).must_equal 'background: #fff; '
       end
 
-      it 'should allow whitelisted URL protocols' do
+      it 'should allow allowlisted URL protocols' do
         [
           "background: url(relative.jpg)",
           "background: url('relative.jpg')",
@@ -30,13 +30,13 @@ describe 'Sanitize::CSS' do
           "background: url(https://example.com/https.jpg)",
           "background: url('https://example.com/https.jpg')",
         ].each do |css|
-          @default.properties(css).must_equal ''
-          @relaxed.properties(css).must_equal css
-          @custom.properties(css).must_equal ''
+          _(@default.properties(css)).must_equal ''
+          _(@relaxed.properties(css)).must_equal css
+          _(@custom.properties(css)).must_equal ''
         end
       end
 
-      it 'should not allow non-whitelisted URL protocols' do
+      it 'should not allow non-allowlisted URL protocols' do
         [
           "background: url(javascript:alert(0))",
           "background: url(ja\\56 ascript:alert(0))",
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
           "background: url('javas\\\ncript:alert(0)')",
           "background: url('java\\0script:foo')"
         ].each do |css|
-          @default.properties(css).must_equal ''
-          @relaxed.properties(css).must_equal ''
-          @custom.properties(css).must_equal ''
+          _(@default.properties(css)).must_equal ''
+          _(@relaxed.properties(css)).must_equal ''
+          _(@custom.properties(css)).must_equal ''
         end
       end
 
       it 'should not allow -moz-binding' do
         css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
 
-        @default.properties(css).must_equal ''
-        @relaxed.properties(css).must_equal ''
-        @custom.properties(css).must_equal ''
+        _(@default.properties(css)).must_equal ''
+        _(@relaxed.properties(css)).must_equal ''
+        _(@custom.properties(css)).must_equal ''
       end
 
       it 'should not allow expressions' do
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
           "xss:expression(alert(1))",
           "height: foo(expression(alert(1)));"
         ].each do |css|
-          @default.properties(css).must_equal ''
-          @relaxed.properties(css).must_equal ''
-          @custom.properties(css).must_equal ''
+          _(@default.properties(css)).must_equal ''
+          _(@relaxed.properties(css)).must_equal ''
+          _(@custom.properties(css)).must_equal ''
         end
       end
 
       it 'should not allow behaviors' do
         css = "behavior: url(xss.htc);"
 
-        @default.properties(css).must_equal ''
-        @relaxed.properties(css).must_equal ''
-        @custom.properties(css).must_equal ''
+        _(@default.properties(css)).must_equal ''
+        _(@relaxed.properties(css)).must_equal ''
+        _(@custom.properties(css)).must_equal ''
       end
 
       describe 'when :allow_comments is true' do
         it 'should preserve comments' do
-          @relaxed.properties('color: #fff; /* comment */ width: 100px;')
+          _(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
             .must_equal 'color: #fff; /* comment */ width: 100px;'
 
-          @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+          _(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
             .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
         end
       end
 
       describe 'when :allow_comments is false' do
         it 'should strip comments' do
-          @custom.properties('color: #fff; /* comment */ width: 100px;')
+          _(@custom.properties('color: #fff; /* comment */ width: 100px;'))
             .must_equal 'color: #fff;  width: 100px;'
 
-          @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+          _(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
             .must_equal 'color: #fff;  width: 100px;'
         end
       end
 
       describe 'when :allow_hacks is true' do
         it 'should allow common CSS hacks' do
-          @relaxed.properties('_border: 1px solid #fff; *width: 10px')
+          _(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
             .must_equal '_border: 1px solid #fff; *width: 10px'
         end
       end
 
       describe 'when :allow_hacks is false' do
         it 'should not allow common CSS hacks' do
-          @custom.properties('_border: 1px solid #fff; *width: 10px')
+          _(@custom.properties('_border: 1px solid #fff; *width: 10px'))
             .must_equal ' '
         end
       end
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
           }
         ].strip
 
-        @default.stylesheet(css).strip.must_equal %[
+        _(@default.stylesheet(css).strip).must_equal %[
           .foo {  }
           #bar {  }
         ].strip
 
-        @relaxed.stylesheet(css).must_equal css
+        _(@relaxed.stylesheet(css)).must_equal css
 
-        @custom.stylesheet(css).strip.must_equal %[
+        _(@custom.stylesheet(css).strip).must_equal %[
           .foo { color: #fff; }
           #bar {  }
         ].strip
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
 
       describe 'when :allow_comments is true' do
         it 'should preserve comments' do
-          @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+          _(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
             .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
 
-          @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+          _(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
             .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
         end
       end
 
       describe 'when :allow_comments is false' do
         it 'should strip comments' do
-          @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+          _(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
             .must_equal '.foo { color: #fff;  width: 100px; }'
 
-          @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+          _(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
             .must_equal '.foo { color: #fff;  width: 100px; }'
         end
       end
 
       describe 'when :allow_hacks is true' do
         it 'should allow common CSS hacks' do
-          @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+          _(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
             .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
         end
       end
 
       describe 'when :allow_hacks is false' do
         it 'should not allow common CSS hacks' do
-          @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+          _(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
             .must_equal '.foo {  }'
         end
       end
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
           ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
           "#bar { top: 125px; background: green; }")
 
-        @custom.tree!(tree).must_be_same_as tree
+        _(@custom.tree!(tree)).must_be_same_as tree
 
-        Crass::Parser.stringify(tree).must_equal String.new("\n") <<
+        _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
             ".foo { background: #fff;  }\n" <<
             "#bar {  background: green; }"
       end
@@ -196,26 +196,53 @@ describe 'Sanitize::CSS' do
 
   describe 'class methods' do
     describe '.properties' do
-      it 'should call #properties' do
-        Sanitize::CSS.stub_instance(:properties, proc {|css| css + 'bar' }) do
-          Sanitize::CSS.properties('foo').must_equal 'foobar'
-        end
+      it 'should sanitize CSS properties with the given config' do
+        css = 'background: #fff; width: expression(alert("hi"));'
+
+        _(Sanitize::CSS.properties(css)).must_equal ' '
+        _(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
+        _(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
       end
     end
 
     describe '.stylesheet' do
-      it 'should call #stylesheet' do
-        Sanitize::CSS.stub_instance(:stylesheet, proc {|css| css + 'bar' }) do
-          Sanitize::CSS.stylesheet('foo').must_equal 'foobar'
-        end
+      it 'should sanitize a CSS stylesheet with the given config' do
+        css = %[
+          /* Yay CSS! */
+          .foo { color: #fff; }
+          #bar { background: url(yay.jpg); }
+
+          @media screen (max-width:480px) {
+            .foo { width: 400px; }
+            #bar:not(.baz) { height: 100px; }
+          }
+        ].strip
+
+        _(Sanitize::CSS.stylesheet(css).strip).must_equal %[
+          .foo {  }
+          #bar {  }
+        ].strip
+
+        _(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
+
+        _(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
+          .foo { color: #fff; }
+          #bar {  }
+        ].strip
       end
     end
 
     describe '.tree!' do
-      it 'should call #tree!' do
-        Sanitize::CSS.stub_instance(:tree!, proc {|tree| tree + 'bar' }) do
-          Sanitize::CSS.tree!('foo').must_equal 'foobar'
-        end
+      it 'should sanitize a Crass CSS parse tree with the given config' do
+        tree = Crass.parse(String.new("@import url(foo.css);\n") <<
+          ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
+          "#bar { top: 125px; background: green; }")
+
+        _(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
+
+        _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
+            ".foo { background: #fff;  }\n" <<
+            "#bar {  background: green; }"
       end
     end
   end
@@ -229,7 +256,7 @@ describe 'Sanitize::CSS' do
     # https://github.com/rgrove/sanitize/issues/121
     it 'should parse the contents of @media rules properly' do
       css = '@media { p[class="center"] { text-align: center; }}'
-      @relaxed.stylesheet(css).must_equal css
+      _(@relaxed.stylesheet(css)).must_equal css
 
       css = %[
         @media (max-width: 720px) {
@@ -242,7 +269,7 @@ describe 'Sanitize::CSS' do
         }
       ].strip
 
-      @relaxed.stylesheet(css).must_equal %[
+      _(@relaxed.stylesheet(css)).must_equal %[
         @media (max-width: 720px) {
           p.foo > .bar { float: right;  }
           #baz { color: green; }
@@ -276,23 +303,23 @@ describe 'Sanitize::CSS' do
         }
       ].strip
 
-      @relaxed.stylesheet(css).must_equal css
+      _(@relaxed.stylesheet(css)).must_equal css
     end
 
     describe ":at_rules" do
-      it "should remove blockless at-rules that aren't whitelisted" do
+      it "should remove blockless at-rules that aren't allowlisted" do
         css = %[
           @charset 'utf-8';
           @import url('foo.css');
           .foo { color: green; }
         ].strip
 
-        @relaxed.stylesheet(css).strip.must_equal %[
+        _(@relaxed.stylesheet(css).strip).must_equal %[
           .foo { color: green; }
         ].strip
       end
 
-      describe "when blockless at-rules are whitelisted" do
+      describe "when blockless at-rules are allowlisted" do
         before do
           @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
             :at_rules => ['charset', 'import']
@@ -306,7 +333,7 @@ describe 'Sanitize::CSS' do
             .foo { color: green; }
           ].strip
 
-          @scss.stylesheet(css).must_equal %[
+          _(@scss.stylesheet(css)).must_equal %[
             @charset 'utf-8';
             @import url('foo.css');
             .foo { color: green; }
@@ -320,7 +347,7 @@ describe 'Sanitize::CSS' do
             .foo { color: green; }
           ].strip
 
-          @scss.stylesheet(css).strip.must_equal %[
+          _(@scss.stylesheet(css).strip).must_equal %[
             .foo { color: green; }
           ].strip
         end
@@ -340,7 +367,7 @@ describe 'Sanitize::CSS' do
               @import url('https://somesite.com/something.css');
             ].strip
 
-            @scss.stylesheet(css).strip.must_equal %[
+            _(@scss.stylesheet(css).strip).must_equal %[
               @import url('https://somesite.com/something.css');
             ].strip
           end
@@ -361,7 +388,7 @@ describe 'Sanitize::CSS' do
               @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
             ].strip
 
-            @scss.stylesheet(css).strip.must_equal %[
+            _(@scss.stylesheet(css).strip).must_equal %[
               @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
               @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
             ].strip
@@ -374,7 +401,7 @@ describe 'Sanitize::CSS' do
               @import url('https://nastysite.com/nasty_hax0r.css');
             ].strip
 
-            @scss.stylesheet(css).strip.must_equal %[
+            _(@scss.stylesheet(css).strip).must_equal %[
               @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
             ].strip
           end
@@ -386,7 +413,7 @@ describe 'Sanitize::CSS' do
               @import url('');
             ].strip
 
-            @scss.stylesheet(css).strip.must_equal %[
+            _(@scss.stylesheet(css).strip).must_equal %[
               @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
             ].strip
           end

data/test/test_transformers.rb

@@ -11,12 +11,14 @@ describe 'Transformers' do
       :transformers => lambda {|env|
         return unless env[:node].element?
 
-        env[:config][:foo].must_equal :bar
-        env[:is_whitelisted].must_equal false
-        env[:node].must_be_kind_of Nokogiri::XML::Node
-        env[:node_name].must_equal 'span'
-        env[:node_whitelist].must_be_kind_of Set
-        env[:node_whitelist].must_be_empty
+        _(env[:config][:foo]).must_equal :bar
+        _(env[:is_allowlisted]).must_equal false
+        _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
+        _(env[:node]).must_be_kind_of Nokogiri::XML::Node
+        _(env[:node_name]).must_equal 'span'
+        _(env[:node_allowlist]).must_be_kind_of Set
+        _(env[:node_allowlist]).must_be_empty
+        _(env[:node_whitelist]).must_equal env[:node_allowlist]
       }
     )
   end
@@ -28,7 +30,7 @@ describe 'Transformers' do
       :transformers => proc {|env| nodes << env[:node_name] }
     )
 
-    nodes.must_equal %w[
+    _(nodes).must_equal %w[
       #document-fragment div text text text comment script text
     ]
   end
@@ -40,53 +42,57 @@ describe 'Transformers' do
       :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
     )
 
-    nodes.must_equal %w[div span strong b p]
+    _(nodes).must_equal %w[div span strong b p]
   end
 
-  it 'should whitelist nodes in the node whitelist' do
-    Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
+  it 'should allowlist nodes in the node allowlist' do
+    _(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
       :transformers => [
         proc {|env|
-          {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
+          {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
         },
 
         proc {|env|
-          env[:is_whitelisted].must_equal false unless env[:node_name] == 'div'
-          env[:is_whitelisted].must_equal true if env[:node_name] == 'div'
-          env[:node_whitelist].must_include env[:node] if env[:node_name] == 'div'
+          _(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
+          _(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
+          _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
+          _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
+          _(env[:node_whitelist]).must_equal env[:node_allowlist]
         }
       ]
-    ).must_equal '<div class="foo">foo</div>bar'
+    )).must_equal '<div class="foo">foo</div>bar'
   end
 
-  it 'should clear the node whitelist after each fragment' do
+  it 'should clear the node allowlist after each fragment' do
     called = false
 
     Sanitize.fragment('<div>foo</div>',
-      :transformers => proc {|env| {:node_whitelist => [env[:node]]}}
+      :transformers => proc {|env| {:node_allowlist => [env[:node]]}}
     )
 
     Sanitize.fragment('<div>foo</div>',
       :transformers => proc {|env|
         called = true
-        env[:is_whitelisted].must_equal false
-        env[:node_whitelist].must_be_empty
+        _(env[:is_allowlisted]).must_equal false
+        _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
+        _(env[:node_allowlist]).must_be_empty
+        _(env[:node_whitelist]).must_equal env[:node_allowlist]
       }
     )
 
-    called.must_equal true
+    _(called).must_equal true
   end
 
   it 'should accept a method transformer' do
     def transformer(env); end
-    Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
+    _(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
       .must_equal(' foo ')
   end
 
-  describe 'Image whitelist transformer' do
+  describe 'Image allowlist transformer' do
     require 'uri'
 
-    image_whitelist_transformer = lambda do |env|
+    image_allowlist_transformer = lambda do |env|
       # Ignore everything except <img> elements.
       return unless env[:node_name] == 'img'
 
@@ -103,37 +109,37 @@ describe 'Transformers' do
 
     before do
       @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
-          :transformers => image_whitelist_transformer))
+          :transformers => image_allowlist_transformer))
     end
 
     it 'should allow images with relative URLs' do
       input = '<img src="/foo/bar.jpg">'
-      @s.fragment(input).must_equal(input)
+      _(@s.fragment(input)).must_equal(input)
     end
 
     it 'should allow images at the example.com domain' do
       input = '<img src="http://example.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal(input)
+      _(@s.fragment(input)).must_equal(input)
 
       input = '<img src="https://example.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal(input)
+      _(@s.fragment(input)).must_equal(input)
 
       input = '<img src="//example.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal(input)
+      _(@s.fragment(input)).must_equal(input)
     end
 
     it 'should not allow images at other domains' do
       input = '<img src="http://evil.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal('')
+      _(@s.fragment(input)).must_equal('')
 
       input = '<img src="https://evil.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal('')
+      _(@s.fragment(input)).must_equal('')
 
       input = '<img src="//evil.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal('')
+      _(@s.fragment(input)).must_equal('')
 
       input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
-      @s.fragment(input).must_equal('')
+      _(@s.fragment(input)).must_equal('')
     end
   end
 
@@ -142,8 +148,8 @@ describe 'Transformers' do
       node      = env[:node]
       node_name = env[:node_name]
 
-      # Don't continue if this node is already whitelisted or is not an element.
-      return if env[:is_whitelisted] || !node.element?
+      # Don't continue if this node is already allowlisted or is not an element.
+      return if env[:is_allowlisted] || !node.element?
 
       # Don't continue unless the node is an iframe.
       return unless node_name == 'iframe'
@@ -164,42 +170,42 @@ describe 'Transformers' do
 
       # Now that we're sure that this is a valid YouTube embed and that there are
       # no unwanted elements or attributes hidden inside it, we can tell Sanitize
-      # to whitelist the current node.
-      {:node_whitelist => [node]}
+      # to allowlist the current node.
+      {:node_allowlist => [node]}
     end
 
     it 'should allow HTTP YouTube video embeds' do
       input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow HTTPS YouTube video embeds' do
       input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow protocol-relative YouTube video embeds' do
       input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow privacy-enhanced YouTube video embeds' do
       input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should not allow non-YouTube video embeds' do
       input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
 
-      Sanitize.fragment(input, :transformers => youtube_transformer)
+      _(Sanitize.fragment(input, :transformers => youtube_transformer))
         .must_equal('')
     end
   end
@@ -217,7 +223,7 @@ describe 'Transformers' do
     it 'should allow the <b> tag to be changed to a <strong> tag' do
       input = '<b>text</b>'
 
-      Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
+      _(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
         .must_equal '<strong>text</strong>'
     end
   end