sanitize 4.6.6 → 5.2.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of sanitize might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c5672f967be01303dd78eba5c0a1ab45729d15b604e2f2cbb6108c69864ad5f6
4
- data.tar.gz: 8ff91d1efafb67205b6ba07697d2c9f920e34df5e59f357433e54a6f9f0cca76
3
+ metadata.gz: 3d1290690a9d32db9e06b8fb19c7e285c94a1d91ed51a4eb7e96389e427348d9
4
+ data.tar.gz: 5131063daf1763c83978954bed9ee3a783099e40aa71e50de26d06b8ae0c1054
5
5
  SHA512:
6
- metadata.gz: '0981c67f49e789e6ccb6becb2a5407ac3db48b96823f48bef3a284fcc8b2fe539545ec0db8f0449dc5db5039d35a7a193970e3d72c076f99152c001d87be8659'
7
- data.tar.gz: 25af08d3f6524b70aaee67cab17a5e8568697be138954f1ff1e1bc8da591df5ccb405bc1212c24daeb81a3b2c4e659e56e60bdc76938b9a10e096449ba38b657
6
+ metadata.gz: bfcb7cda6aa70590f642583b41936bc09d8929210046cebdd0d0ff452ccb3213844b4c40d4e205e79c0cd64a2a0d56e16790e38f4c8f247b8abfa32dbec22297
7
+ data.tar.gz: 0ea5a6d6848f9a125f17e4e23145adff4d3c4ccfe30a3407466fae074ed33cbd4b1869eb5a9f0a72b808449b8cf166a3695c2a6d63b16a83b047fd260bfe50bd
data/HISTORY.md CHANGED
@@ -1,5 +1,116 @@
1
1
  # Sanitize History
2
2
 
3
+ ## 5.2.1 (2020-06-16)
4
+
5
+ ### Bug Fixes
6
+
7
+ * Fixed an HTML sanitization bypass that could allow XSS. This issue affects
8
+ Sanitize versions 3.0.0 through 5.2.0.
9
+
10
+ When HTML was sanitized using the "relaxed" config or a custom config that
11
+ allows certain elements, some content in a `<math>` or `<svg>` element may not
12
+ have beeen sanitized correctly even if `math` and `svg` were not in the
13
+ allowlist. This could allow carefully crafted input to sneak arbitrary HTML
14
+ through Sanitize, potentially enabling an XSS (cross-site scripting) attack.
15
+
16
+ You are likely to be vulnerable to this issue if you use Sanitize's relaxed
17
+ config or a custom config that allows one or more of the following HTML
18
+ elements:
19
+
20
+ - `iframe`
21
+ - `math`
22
+ - `noembed`
23
+ - `noframes`
24
+ - `noscript`
25
+ - `plaintext`
26
+ - `script`
27
+ - `style`
28
+ - `svg`
29
+ - `xmp`
30
+
31
+ See the security advisory for more details, including a workaround if you're
32
+ not able to upgrade: [GHSA-p4x4-rw2p-8j8m]
33
+
34
+ Many thanks to Michał Bentkowski of Securitum for reporting this issue and
35
+ helping to verify the fix.
36
+
37
+ [GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
38
+
39
+ ## 5.2.0 (2020-06-06)
40
+
41
+ ### Changes
42
+
43
+ * The term "whitelist" has been replaced with "allowlist" throughout Sanitize's
44
+ source and documentation.
45
+
46
+ While the etymology of "whitelist" may not be explicitly racist in origin or
47
+ intent, there are inherent racial connotations in the implication that white
48
+ is good and black (as in "blacklist") is not.
49
+
50
+ This is a change I should have made long ago, and I apologize for not making
51
+ it sooner.
52
+
53
+ * In transformer input, the `:is_whitelisted` and `:node_whitelist` keys are now
54
+ deprecated. New `:is_allowlisted` and `:node_allowlist` keys have been added.
55
+ The old keys will continue to work in order to avoid breaking existing code,
56
+ but they are no longer documented and may be removed in a future semver major
57
+ release.
58
+
59
+ ## 5.1.0 (2019-09-07)
60
+
61
+ ### Features
62
+
63
+ * Added a `:parser_options` config hash, which makes it possible to pass custom
64
+ parsing options to Nokogumbo. [@austin-wang - #194][194]
65
+
66
+ ### Bug Fixes
67
+
68
+ * Non-characters and non-whitespace control characters are now stripped from
69
+ HTML input before parsing to comply with the HTML Standard's [preprocessing
70
+ guidelines][html-preprocessing]. Prior to this Sanitize had adhered to [older
71
+ W3C guidelines][unicode-xml] that have since been withdrawn. [#179][179]
72
+
73
+ [179]:https://github.com/rgrove/sanitize/issues/179
74
+ [194]:https://github.com/rgrove/sanitize/pull/194
75
+ [html-preprocessing]:https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream
76
+ [unicode-xml]:https://www.w3.org/TR/unicode-xml/
77
+
78
+ ## 5.0.0 (2018-10-14)
79
+
80
+ For most users, upgrading from 4.x shouldn't require any changes. However, the
81
+ minimum required Ruby version has changed, and Sanitize 5.x's HTML output may
82
+ differ in some small ways from 4.x's output. If this matters to you, please
83
+ review the changes below carefully.
84
+
85
+ ### Potentially Breaking Changes
86
+
87
+ * Ruby 2.3.0 is now the oldest officially supported Ruby version. Sanitize may
88
+ work in older 2.x Rubies, but they aren't actively tested. Sanitize definitely
89
+ no longer works in Ruby 1.9.x.
90
+
91
+ * Upgraded to Nokogumbo 2.x, which fixes various bugs and adds
92
+ standard-compliant HTML serialization. [@stevecheckoway - #189][189]
93
+
94
+ * Children of the following elements are now removed by default when these
95
+ elements are removed, rather than being preserved and escaped:
96
+
97
+ - `iframe`
98
+ - `noembed`
99
+ - `noframes`
100
+ - `noscript`
101
+ - `script`
102
+ - `style`
103
+
104
+ * Children of allowlisted `iframe` elements are now always removed. In modern
105
+ HTML, `iframe` elements should never have children. In HTML 4 and earlier
106
+ `iframe` elements were allowed to contain fallback content for legacy
107
+ browsers, but it's been almost two decades since that was useful.
108
+
109
+ * Fixed a bug that caused `:remove_contents` to behave as if it were set to
110
+ `true` when it was actually an Array.
111
+
112
+ [189]:https://github.com/rgrove/sanitize/pull/189
113
+
3
114
  ## 4.6.6 (2018-07-23)
4
115
 
5
116
  * Improved performance and memory usage by optimizing `Sanitize#transform_node!`
@@ -29,7 +140,7 @@
29
140
 
30
141
  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a
31
142
  specially crafted HTML fragment can cause libxml2 to generate improperly
32
- escaped output, allowing non-whitelisted attributes to be used on whitelisted
143
+ escaped output, allowing non-allowlisted attributes to be used on allowlisted
33
144
  elements.
34
145
 
35
146
  Sanitize now performs additional escaping on affected attributes to prevent
@@ -73,7 +184,7 @@
73
184
 
74
185
  ## 4.4.0 (2016-09-29)
75
186
 
76
- * Added `srcset` to the attribute whitelist for `img` elements in the relaxed
187
+ * Added `srcset` to the attribute allowlist for `img` elements in the relaxed
77
188
  config. [@ejtttje - #156][156]
78
189
 
79
190
  [156]:https://github.com/rgrove/sanitize/pull/156
@@ -194,7 +305,7 @@
194
305
  ## 3.0.4 (2014-12-12)
195
306
 
196
307
  * Fixed: Harmless whitespace preceding a URL protocol (such as " http://")
197
- caused the URL to be removed even when the protocol was whitelisted.
308
+ caused the URL to be removed even when the protocol was allowlisted.
198
309
  [@benubois - #126][126]
199
310
 
200
311
  [126]:https://github.com/rgrove/sanitize/pull/126
@@ -203,7 +314,7 @@
203
314
  ## 3.0.3 (2014-10-29)
204
315
 
205
316
  * Fixed: Some CSS selectors weren't parsed correctly inside the body of a
206
- `@media` block, causing them to be removed even when whitelist rules should
317
+ `@media` block, causing them to be removed even when allowlist rules should
207
318
  have allowed them to remain. [#121][121]
208
319
 
209
320
  [121]:https://github.com/rgrove/sanitize/issues/121
@@ -268,7 +379,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
268
379
  * The `clean_node!` method was renamed to `node!`.
269
380
 
270
381
  * The `document` method now raises a `Sanitize::Error` if the `<html>` element
271
- isn't whitelisted, rather than a `RuntimeError`. This error is also now raised
382
+ isn't allowlisted, rather than a `RuntimeError`. This error is also now raised
272
383
  regardless of the `:remove_contents` config setting.
273
384
 
274
385
  * The `:output` config has been removed. Output is now always HTML, not XHTML.
@@ -279,7 +390,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
279
390
 
280
391
  * Added advanced CSS sanitization support using [Crass][crass], which is fully
281
392
  compliant with the CSS Syntax Module Level 3 parsing spec. The contents of
282
- whitelisted `<style>` elements and `style` attributes in HTML will be
393
+ allowlisted `<style>` elements and `style` attributes in HTML will be
283
394
  sanitized as CSS, or you can use the `Sanitize::CSS` class to manually
284
395
  sanitize CSS stylesheets or properties.
285
396
 
@@ -324,9 +435,29 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
324
435
  [n1008]:https://github.com/sparklemotion/nokogiri/issues/1008
325
436
 
326
437
 
438
+ ## 2.1.1 (2018-09-30)
439
+
440
+ * [CVE-2018-3740][176]: Fixed an HTML injection vulnerability that could allow
441
+ XSS (backported from Sanitize 4.6.3). [@dometto - #188][188]
442
+
443
+ When Sanitize <= 2.1.0 is used in combination with libxml2 >= 2.9.2, a
444
+ specially crafted HTML fragment can cause libxml2 to generate improperly
445
+ escaped output, allowing non-allowlisted attributes to be used on allowlisted
446
+ elements.
447
+
448
+ Sanitize now performs additional escaping on affected attributes to prevent
449
+ this.
450
+
451
+ Many thanks to the Shopify Application Security Team for responsibly reporting
452
+ this issue.
453
+
454
+ [176]:https://github.com/rgrove/sanitize/issues/176
455
+ [188]:https://github.com/rgrove/sanitize/pull/188
456
+
457
+
327
458
  ## 2.1.0 (2014-01-13)
328
459
 
329
- * Added support for whitelisting arbitrary HTML5 `data-*` attributes. Use the
460
+ * Added support for allowlisting arbitrary HTML5 `data-*` attributes. Use the
330
461
  symbol `:data` instead of an attribute name in the `:attributes` config to
331
462
  indicate that arbitrary data attributes should be allowed on an element.
332
463
 
@@ -407,12 +538,12 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
407
538
  the default depth-first mode.
408
539
 
409
540
  * Added the `abbr`, `dfn`, `kbd`, `mark`, `s`, `samp`, `time`, and `var`
410
- elements to the whitelists for the basic and relaxed configs.
541
+ elements to the allowlists for the basic and relaxed configs.
411
542
 
412
543
  * Added the `bdo`, `del`, `figcaption`, `figure`, `hgroup`, `ins`, `rp`, `rt`,
413
- `ruby`, and `wbr` elements to the whitelist for the relaxed config.
544
+ `ruby`, and `wbr` elements to the allowlist for the relaxed config.
414
545
 
415
- * The `dir`, `lang`, and `title` attributes are now whitelisted for all
546
+ * The `dir`, `lang`, and `title` attributes are now allowlisted for all
416
547
  elements in the relaxed config.
417
548
 
418
549
  * Bumped minimum Nokogiri version to 1.4.4 to avoid a bug in 1.4.2+
@@ -423,7 +554,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
423
554
  ## 1.2.1 (2010-04-20)
424
555
 
425
556
  * Added a `:remove_contents` config setting. If set to `true`, Sanitize will
426
- remove the contents of all non-whitelisted elements in addition to the
557
+ remove the contents of all non-allowlisted elements in addition to the
427
558
  elements themselves. If set to an array of element names, Sanitize will
428
559
  remove the contents of only those elements (when filtered), and leave the
429
560
  contents of other filtered elements. [Thanks to Rafael Souza for the array
@@ -451,7 +582,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
451
582
  * Added `Sanitize.clean_node!`, which sanitizes a `Nokogiri::XML::Node` and
452
583
  all its children.
453
584
 
454
- * Added elements `<h1>` through `<h6>` to the Relaxed whitelist. [Suggested by
585
+ * Added elements `<h1>` through `<h6>` to the Relaxed allowlist. [Suggested by
455
586
  David Reese]
456
587
 
457
588
 
@@ -471,7 +602,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
471
602
 
472
603
  * Added a workaround for an Hpricot bug that prevents attribute names from
473
604
  being downcased in recent versions of Hpricot. This was exploitable to
474
- prevent non-whitelisted protocols from being cleaned. [Reported by Ben
605
+ prevent non-allowlisted protocols from being cleaned. [Reported by Ben
475
606
  Wanicur]
476
607
 
477
608
 
@@ -501,7 +632,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
501
632
 
502
633
  ## 1.0.5 (2009-02-05)
503
634
 
504
- * Fixed a bug introduced in version 1.0.3 that prevented non-whitelisted
635
+ * Fixed a bug introduced in version 1.0.3 that prevented non-allowlisted
505
636
  protocols from being cleaned when relative URLs were allowed. [Reported by
506
637
  Dev Purkayastha]
507
638
 
@@ -511,7 +642,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
511
642
 
512
643
  ## 1.0.4 (2009-01-16)
513
644
 
514
- * Fixed a bug that made it possible to sneak a non-whitelisted element through
645
+ * Fixed a bug that made it possible to sneak a non-allowlisted element through
515
646
  by repeating it several times in a row. All versions of Sanitize prior to
516
647
  1.0.4 are vulnerable. [Reported by Cristobal]
517
648
 
@@ -519,7 +650,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
519
650
  ## 1.0.3 (2009-01-15)
520
651
 
521
652
  * Fixed a bug whereby incomplete Unicode or hex entities could be used to
522
- prevent non-whitelisted protocols from being cleaned. Since IE6 and Opera
653
+ prevent non-allowlisted protocols from being cleaned. Since IE6 and Opera
523
654
  still decode the incomplete entities, users of those browsers may be
524
655
  vulnerable to malicious script injection on websites using versions of
525
656
  Sanitize prior to 1.0.3.
data/README.md CHANGED
@@ -1,20 +1,19 @@
1
1
  Sanitize
2
2
  ========
3
3
 
4
- Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable
5
- elements, attributes, and CSS properties, Sanitize will remove all unacceptable
6
- HTML and/or CSS from a string.
4
+ Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all HTML
5
+ and/or CSS from a string except the elements, attributes, and properties you
6
+ choose to allow.
7
7
 
8
8
  Using a simple configuration syntax, you can tell Sanitize to allow certain HTML
9
9
  elements, certain attributes within those elements, and even certain URL
10
- protocols within attributes that contain URLs. You can also whitelist CSS
11
- properties, @ rules, and URL protocols you wish to allow in elements or
12
- attributes containing CSS. Any HTML or CSS that you don't explicitly allow will
13
- be removed.
10
+ protocols within attributes that contain URLs. You can also allow specific CSS
11
+ properties, @ rules, and URL protocols in elements or attributes containing CSS.
12
+ Any HTML or CSS that you don't explicitly allow will be removed.
14
13
 
15
14
  Sanitize is based on [Google's Gumbo HTML5 parser][gumbo], which parses HTML
16
15
  exactly the same way modern browsers do, and [Crass][crass], which parses CSS
17
- exactly the same way modern browsers do. As long as your whitelist config only
16
+ exactly the same way modern browsers do. As long as your allowlist config only
18
17
  allows safe markup and CSS, even the most malformed or malicious input will be
19
18
  transformed into safe output.
20
19
 
@@ -73,6 +72,11 @@ Sanitize can sanitize the following types of input:
73
72
  * Standalone CSS stylesheets
74
73
  * Standalone CSS properties
75
74
 
75
+ However, please note that Sanitize _cannot_ fully sanitize the contents of
76
+ `<math>` or `<svg>` elements, since these elements don't follow the same parsing
77
+ rules as the rest of HTML. If this is something you need, you may want to look
78
+ for another solution.
79
+
76
80
  ### HTML Fragments
77
81
 
78
82
  A fragment is a snippet of HTML that doesn't contain a root-level `<html>`
@@ -88,7 +92,7 @@ Sanitize.fragment(html)
88
92
  # => 'foo'
89
93
  ```
90
94
 
91
- To keep certain elements, add them to the element whitelist.
95
+ To keep certain elements, add them to the element allowlist.
92
96
 
93
97
  ```ruby
94
98
  Sanitize.fragment(html, :elements => ['b'])
@@ -97,7 +101,7 @@ Sanitize.fragment(html, :elements => ['b'])
97
101
 
98
102
  ### HTML Documents
99
103
 
100
- When sanitizing a document, the `<html>` element must be whitelisted. You can
104
+ When sanitizing a document, the `<html>` element must be allowlisted. You can
101
105
  also set `:allow_doctype` to `true` to allow well-formed document type
102
106
  definitions.
103
107
 
@@ -123,8 +127,8 @@ Sanitize.document(html,
123
127
 
124
128
  ### CSS in HTML
125
129
 
126
- To sanitize CSS in an HTML fragment or document, first whitelist the `<style>`
127
- element and/or the `style` attribute. Then whitelist the CSS properties,
130
+ To sanitize CSS in an HTML fragment or document, first allowlist the `<style>`
131
+ element and/or the `style` attribute. Then allowlist the CSS properties,
128
132
  @ rules, and URL protocols you wish to allow. You can also choose whether to
129
133
  allow CSS comments or browser compatibility hacks.
130
134
 
@@ -267,7 +271,7 @@ new copy using `Sanitize::Config.merge()`, like so:
267
271
 
268
272
  ```ruby
269
273
  # Create a customized copy of the Basic config, adding <div> and <table> to the
270
- # existing whitelisted elements.
274
+ # existing allowlisted elements.
271
275
  Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
272
276
  :elements => Sanitize::Config::BASIC[:elements] + ['div', 'table'],
273
277
  :remove_contents => true
@@ -395,8 +399,7 @@ Proc.new { |url| url.start_with?("https://fonts.googleapis.com") }
395
399
 
396
400
  ##### :css => :properties (Array or Set)
397
401
 
398
- Whitelist of CSS property names to allow. Names should be specified in
399
- lowercase.
402
+ List of CSS property names to allow. Names should be specified in lowercase.
400
403
 
401
404
  ##### :css => :protocols (Array or Set)
402
405
 
@@ -417,6 +420,23 @@ elements not in this array will be removed.
417
420
  ]
418
421
  ```
419
422
 
423
+ **Warning:** Sanitize cannot fully sanitize the contents of `<math>` or `<svg>`
424
+ elements, since these elements don't follow the same parsing rules as the rest
425
+ of HTML. If you add `math` or `svg` to the allowlist, you must assume that any
426
+ content inside them will be allowed, even if that content would otherwise be
427
+ removed by Sanitize.
428
+
429
+ #### :parser_options (Hash)
430
+
431
+ [Parsing options](https://github.com/rubys/nokogumbo/tree/v2.0.1#parsing-options) supplied to `nokogumbo`.
432
+
433
+ ```ruby
434
+ :parser_options => {
435
+ max_errors: -1,
436
+ max_tree_depth: -1
437
+ }
438
+ ```
439
+
420
440
  #### :protocols (Hash)
421
441
 
422
442
  URL protocols to allow in specific attributes. If an attribute is listed here
@@ -441,13 +461,13 @@ include the symbol `:relative` in the protocol array:
441
461
 
442
462
  #### :remove_contents (boolean or Array or Set)
443
463
 
444
- If set to `true`, Sanitize will remove the contents of any non-whitelisted
464
+ If this is `true`, Sanitize will remove the contents of any non-allowlisted
445
465
  elements in addition to the elements themselves. By default, Sanitize leaves the
446
466
  safe parts of an element's contents behind when the element is removed.
447
467
 
448
- If set to an array of element names, then only the contents of the specified
449
- elements (when filtered) will be removed, and the contents of all other filtered
450
- elements will be left behind.
468
+ If this is an Array or Set of element names, then only the contents of the
469
+ specified elements (when filtered) will be removed, and the contents of all
470
+ other filtered elements will be left behind.
451
471
 
452
472
  The default value is `false`.
453
473
 
@@ -507,33 +527,33 @@ argument a Hash that contains the following items:
507
527
 
508
528
  * **:config** - The current Sanitize configuration Hash.
509
529
 
510
- * **:is_whitelisted** - `true` if the current node has been whitelisted by a
530
+ * **:is_allowlisted** - `true` if the current node has been allowlisted by a
511
531
  previous transformer, `false` otherwise. It's generally bad form to remove
512
- a node that a previous transformer has whitelisted.
532
+ a node that a previous transformer has allowlisted.
513
533
 
514
534
  * **:node** - A `Nokogiri::XML::Node` object representing an HTML node. The
515
535
  node may be an element, a text node, a comment, a CDATA node, or a document
516
536
  fragment. Use Nokogiri's inspection methods (`element?`, `text?`, etc.) to
517
537
  selectively ignore node types you aren't interested in.
518
538
 
539
+ * **:node_allowlist** - Set of `Nokogiri::XML::Node` objects in the current
540
+ document that have been allowlisted by previous transformers, if any. It's
541
+ generally bad form to remove a node that a previous transformer has
542
+ allowlisted.
543
+
519
544
  * **:node_name** - The name of the current HTML node, always lowercase (e.g.
520
545
  "div" or "span"). For non-element nodes, the name will be something like
521
546
  "text", "comment", "#cdata-section", "#document-fragment", etc.
522
547
 
523
- * **:node_whitelist** - Set of `Nokogiri::XML::Node` objects in the current
524
- document that have been whitelisted by previous transformers, if any. It's
525
- generally bad form to remove a node that a previous transformer has
526
- whitelisted.
527
-
528
548
  ### Output
529
549
 
530
550
  A transformer doesn't have to return anything, but may optionally return a Hash,
531
551
  which may contain the following items:
532
552
 
533
- * **:node_whitelist** - Array or Set of specific Nokogiri::XML::Node objects
534
- to add to the document's whitelist, bypassing the current Sanitize config.
535
- These specific nodes and all their attributes will be whitelisted, but
536
- their children will not be.
553
+ * **:node_allowlist** - Array or Set of specific `Nokogiri::XML::Node`
554
+ objects to add to the document's allowlist, bypassing the current Sanitize
555
+ config. These specific nodes and all their attributes will be allowlisted,
556
+ but their children will not be.
537
557
 
538
558
  If a transformer returns anything other than a Hash, the return value will be
539
559
  ignored.
@@ -576,16 +596,16 @@ Transformers have a tremendous amount of power, including the power to
576
596
  completely bypass Sanitize's built-in filtering. Be careful! Your safety is in
577
597
  your own hands.
578
598
 
579
- ### Example: Transformer to whitelist image URLs by domain
599
+ ### Example: Transformer to allow image URLs by domain
580
600
 
581
601
  The following example demonstrates how to remove image elements unless they use
582
602
  a relative URL or are hosted on a specific domain. It assumes that the `<img>`
583
- element and its `src` attribute are already whitelisted.
603
+ element and its `src` attribute are already allowlisted.
584
604
 
585
605
  ```ruby
586
606
  require 'uri'
587
607
 
588
- image_whitelist_transformer = lambda do |env|
608
+ image_allowlist_transformer = lambda do |env|
589
609
  # Ignore everything except <img> elements.
590
610
  return unless env[:node_name] == 'img'
591
611
 
@@ -601,20 +621,20 @@ image_whitelist_transformer = lambda do |env|
601
621
  end
602
622
  ```
603
623
 
604
- ### Example: Transformer to whitelist YouTube video embeds
624
+ ### Example: Transformer to allow YouTube video embeds
605
625
 
606
626
  The following example demonstrates how to create a transformer that will safely
607
- whitelist valid YouTube video embeds without having to blindly allow other kinds
608
- of embedded content, which would be the case if you tried to do this by just
609
- whitelisting all `<iframe>` elements:
627
+ allow valid YouTube video embeds without having to allow other kinds of embedded
628
+ content, which would be the case if you tried to do this by just allowing all
629
+ `<iframe>` elements:
610
630
 
611
631
  ```ruby
612
632
  youtube_transformer = lambda do |env|
613
633
  node = env[:node]
614
634
  node_name = env[:node_name]
615
635
 
616
- # Don't continue if this node is already whitelisted or is not an element.
617
- return if env[:is_whitelisted] || !node.element?
636
+ # Don't continue if this node is already allowlisted or is not an element.
637
+ return if env[:is_allowlisted] || !node.element?
618
638
 
619
639
  # Don't continue unless the node is an iframe.
620
640
  return unless node_name == 'iframe'
@@ -635,8 +655,8 @@ youtube_transformer = lambda do |env|
635
655
 
636
656
  # Now that we're sure that this is a valid YouTube embed and that there are
637
657
  # no unwanted elements or attributes hidden inside it, we can tell Sanitize
638
- # to whitelist the current node.
639
- {:node_whitelist => [node]}
658
+ # to allowlist the current node.
659
+ {:node_allowlist => [node]}
640
660
  end
641
661
 
642
662
  html = %[