sanitize 4.6.6 → 6.0.0

data/test/test_sanitize_css.rb

@@ -21,7 +21,7 @@ describe 'Sanitize::CSS' do
         @custom.properties(css).must_equal 'background: #fff; '
       end
 
-      it 'should allow whitelisted URL protocols' do
+      it 'should allow allowlisted URL protocols' do
         [
           "background: url(relative.jpg)",
           "background: url('relative.jpg')",
@@ -36,7 +36,7 @@ describe 'Sanitize::CSS' do
         end
       end
 
-      it 'should not allow non-whitelisted URL protocols' do
+      it 'should not allow non-allowlisted URL protocols' do
         [
           "background: url(javascript:alert(0))",
           "background: url(ja\\56 ascript:alert(0))",
@@ -196,26 +196,53 @@ describe 'Sanitize::CSS' do
 
   describe 'class methods' do
     describe '.properties' do
-      it 'should call #properties' do
-        Sanitize::CSS.stub_instance(:properties, proc {|css| css + 'bar' }) do
-          Sanitize::CSS.properties('foo').must_equal 'foobar'
-        end
+      it 'should sanitize CSS properties with the given config' do
+        css = 'background: #fff; width: expression(alert("hi"));'
+
+        Sanitize::CSS.properties(css).must_equal ' '
+        Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
+        Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
       end
     end
 
     describe '.stylesheet' do
-      it 'should call #stylesheet' do
-        Sanitize::CSS.stub_instance(:stylesheet, proc {|css| css + 'bar' }) do
-          Sanitize::CSS.stylesheet('foo').must_equal 'foobar'
-        end
+      it 'should sanitize a CSS stylesheet with the given config' do
+        css = %[
+          /* Yay CSS! */
+          .foo { color: #fff; }
+          #bar { background: url(yay.jpg); }
+
+          @media screen (max-width:480px) {
+            .foo { width: 400px; }
+            #bar:not(.baz) { height: 100px; }
+          }
+        ].strip
+
+        Sanitize::CSS.stylesheet(css).strip.must_equal %[
+          .foo {  }
+          #bar {  }
+        ].strip
+
+        Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
+
+        Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
+          .foo { color: #fff; }
+          #bar {  }
+        ].strip
       end
     end
 
     describe '.tree!' do
-      it 'should call #tree!' do
-        Sanitize::CSS.stub_instance(:tree!, proc {|tree| tree + 'bar' }) do
-          Sanitize::CSS.tree!('foo').must_equal 'foobar'
-        end
+      it 'should sanitize a Crass CSS parse tree with the given config' do
+        tree = Crass.parse(String.new("@import url(foo.css);\n") <<
+          ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
+          "#bar { top: 125px; background: green; }")
+
+        Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
+
+        Crass::Parser.stringify(tree).must_equal String.new("\n") <<
+            ".foo { background: #fff;  }\n" <<
+            "#bar {  background: green; }"
       end
     end
   end
@@ -280,7 +307,7 @@ describe 'Sanitize::CSS' do
     end
 
     describe ":at_rules" do
-      it "should remove blockless at-rules that aren't whitelisted" do
+      it "should remove blockless at-rules that aren't allowlisted" do
         css = %[
           @charset 'utf-8';
           @import url('foo.css');
@@ -292,7 +319,7 @@ describe 'Sanitize::CSS' do
         ].strip
       end
 
-      describe "when blockless at-rules are whitelisted" do
+      describe "when blockless at-rules are allowlisted" do
         before do
           @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
             :at_rules => ['charset', 'import']

data/test/test_transformers.rb

@@ -12,11 +12,13 @@ describe 'Transformers' do
         return unless env[:node].element?
 
         env[:config][:foo].must_equal :bar
-        env[:is_whitelisted].must_equal false
+        env[:is_allowlisted].must_equal false
+        env[:is_whitelisted].must_equal env[:is_allowlisted]
         env[:node].must_be_kind_of Nokogiri::XML::Node
         env[:node_name].must_equal 'span'
-        env[:node_whitelist].must_be_kind_of Set
-        env[:node_whitelist].must_be_empty
+        env[:node_allowlist].must_be_kind_of Set
+        env[:node_allowlist].must_be_empty
+        env[:node_whitelist].must_equal env[:node_allowlist]
       }
     )
   end
@@ -43,34 +45,38 @@ describe 'Transformers' do
     nodes.must_equal %w[div span strong b p]
   end
 
-  it 'should whitelist nodes in the node whitelist' do
+  it 'should allowlist nodes in the node allowlist' do
     Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
       :transformers => [
         proc {|env|
-          {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
+          {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
         },
 
         proc {|env|
-          env[:is_whitelisted].must_equal false unless env[:node_name] == 'div'
-          env[:is_whitelisted].must_equal true if env[:node_name] == 'div'
-          env[:node_whitelist].must_include env[:node] if env[:node_name] == 'div'
+          env[:is_allowlisted].must_equal false unless env[:node_name] == 'div'
+          env[:is_allowlisted].must_equal true if env[:node_name] == 'div'
+          env[:node_allowlist].must_include env[:node] if env[:node_name] == 'div'
+          env[:is_whitelisted].must_equal env[:is_allowlisted]
+          env[:node_whitelist].must_equal env[:node_allowlist]
         }
       ]
     ).must_equal '<div class="foo">foo</div>bar'
   end
 
-  it 'should clear the node whitelist after each fragment' do
+  it 'should clear the node allowlist after each fragment' do
     called = false
 
     Sanitize.fragment('<div>foo</div>',
-      :transformers => proc {|env| {:node_whitelist => [env[:node]]}}
+      :transformers => proc {|env| {:node_allowlist => [env[:node]]}}
     )
 
     Sanitize.fragment('<div>foo</div>',
       :transformers => proc {|env|
         called = true
-        env[:is_whitelisted].must_equal false
-        env[:node_whitelist].must_be_empty
+        env[:is_allowlisted].must_equal false
+        env[:is_whitelisted].must_equal env[:is_allowlisted]
+        env[:node_allowlist].must_be_empty
+        env[:node_whitelist].must_equal env[:node_allowlist]
       }
     )
 
@@ -83,10 +89,10 @@ describe 'Transformers' do
       .must_equal(' foo ')
   end
 
-  describe 'Image whitelist transformer' do
+  describe 'Image allowlist transformer' do
     require 'uri'
 
-    image_whitelist_transformer = lambda do |env|
+    image_allowlist_transformer = lambda do |env|
       # Ignore everything except <img> elements.
       return unless env[:node_name] == 'img'
 
@@ -103,7 +109,7 @@ describe 'Transformers' do
 
     before do
       @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
-          :transformers => image_whitelist_transformer))
+          :transformers => image_allowlist_transformer))
     end
 
     it 'should allow images with relative URLs' do
@@ -142,8 +148,8 @@ describe 'Transformers' do
       node      = env[:node]
       node_name = env[:node_name]
 
-      # Don't continue if this node is already whitelisted or is not an element.
-      return if env[:is_whitelisted] || !node.element?
+      # Don't continue if this node is already allowlisted or is not an element.
+      return if env[:is_allowlisted] || !node.element?
 
       # Don't continue unless the node is an iframe.
       return unless node_name == 'iframe'
@@ -164,36 +170,36 @@ describe 'Transformers' do
 
       # Now that we're sure that this is a valid YouTube embed and that there are
       # no unwanted elements or attributes hidden inside it, we can tell Sanitize
-      # to whitelist the current node.
-      {:node_whitelist => [node]}
+      # to allowlist the current node.
+      {:node_allowlist => [node]}
     end
 
     it 'should allow HTTP YouTube video embeds' do
       input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
       Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow HTTPS YouTube video embeds' do
       input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
       Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow protocol-relative YouTube video embeds' do
       input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
       Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should allow privacy-enhanced YouTube video embeds' do
       input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
       Sanitize.fragment(input, :transformers => youtube_transformer)
-        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
     it 'should not allow non-YouTube video embeds' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 4.6.6
+  version: 6.0.0
 platform: ruby
 authors:
 - Ryan Grove
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-07-24 00:00:00.000000000 Z
+date: 2021-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -30,59 +30,45 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.4
+        version: 1.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.4
-- !ruby/object:Gem::Dependency
-  name: nokogumbo
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.4'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 1.12.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.10.2
+        version: 5.14.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.10.2
+        version: 5.14.4
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.0.0
+        version: 13.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.0.0
-description: Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of
-  acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable
-  HTML and/or CSS from a string.
+        version: 13.0.6
+description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
+  HTML and/or CSS from a string except the elements, attributes, and properties you
+  choose to allow.
 email: ryan@wonko.com
 executables: []
 extensions: []
@@ -116,12 +102,11 @@ files:
 - test/test_sanitize.rb
 - test/test_sanitize_css.rb
 - test/test_transformers.rb
-- test/test_unicode.rb
 homepage: https://github.com/rgrove/sanitize/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -129,16 +114,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.2
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: 1.2.0
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
-summary: Whitelist-based HTML and CSS sanitizer.
+summary: Allowlist-based HTML and CSS sanitizer.
 test_files: []

data/test/test_unicode.rb

@@ -1,95 +0,0 @@
-# encoding: utf-8
-require_relative 'common'
-
-describe 'Unicode' do
-  make_my_diffs_pretty!
-  parallelize_me!
-
-  # http://www.w3.org/TR/unicode-xml/#Charlist
-  describe 'Unsuitable characters' do
-    before do
-      @s = Sanitize.new(Sanitize::Config::RELAXED)
-    end
-
-    it 'should not modify the input string' do
-      fragment = "a\u0340b\u0341c"
-      document = "a\u0340b\u0341c"
-
-      @s.document(document)
-      @s.fragment(fragment)
-
-      fragment.must_equal "a\u0340b\u0341c"
-      document.must_equal "a\u0340b\u0341c"
-    end
-
-    it 'should strip deprecated grave and acute clones' do
-      @s.document("a\u0340b\u0341c").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u0340b\u0341c").must_equal 'abc'
-    end
-
-    it 'should strip deprecated Khmer characters' do
-      @s.document("a\u17a3b\u17d3c").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u17a3b\u17d3c").must_equal 'abc'
-    end
-
-    it 'should strip line and paragraph separator punctuation' do
-      @s.document("a\u2028b\u2029c").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u2028b\u2029c").must_equal 'abc'
-    end
-
-    it 'should strip bidi embedding control characters' do
-      @s.document("a\u202ab\u202bc\u202cd\u202de\u202e")
-        .must_equal "<html><head></head><body>abcde</body></html>\n"
-
-      @s.fragment("a\u202ab\u202bc\u202cd\u202de\u202e")
-        .must_equal 'abcde'
-    end
-
-    it 'should strip deprecated symmetric swapping characters' do
-      @s.document("a\u206ab\u206bc").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u206ab\u206bc").must_equal 'abc'
-    end
-
-    it 'should strip deprecated Arabic form shaping characters' do
-      @s.document("a\u206cb\u206dc").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u206cb\u206dc").must_equal 'abc'
-    end
-
-    it 'should strip deprecated National digit shape characters' do
-      @s.document("a\u206eb\u206fc").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\u206eb\u206fc").must_equal 'abc'
-    end
-
-    it 'should strip interlinear annotation characters' do
-      @s.document("a\ufff9b\ufffac\ufffb").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\ufff9b\ufffac\ufffb").must_equal 'abc'
-    end
-
-    it 'should strip BOM/zero-width non-breaking space characters' do
-      @s.document("a\ufeffbc").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\ufeffbc").must_equal 'abc'
-    end
-
-    it 'should strip object replacement characters' do
-      @s.document("a\ufffcbc").must_equal "<html><head></head><body>abc</body></html>\n"
-      @s.fragment("a\ufffcbc").must_equal 'abc'
-    end
-
-    it 'should strip musical notation scoping characters' do
-      @s.document("a\u{1d173}b\u{1d174}c\u{1d175}d\u{1d176}e\u{1d177}f\u{1d178}g\u{1d179}h\u{1d17a}")
-        .must_equal "<html><head></head><body>abcdefgh</body></html>\n"
-
-      @s.fragment("a\u{1d173}b\u{1d174}c\u{1d175}d\u{1d176}e\u{1d177}f\u{1d178}g\u{1d179}h\u{1d17a}")
-        .must_equal 'abcdefgh'
-    end
-
-    it 'should strip language tag code point characters' do
-      str = String.new 'a'
-      (0xE0000..0xE007F).each {|n| str << [n].pack('U') }
-      str << 'b'
-
-      @s.document(str).must_equal "<html><head></head><body>ab</body></html>\n"
-      @s.fragment(str).must_equal 'ab'
-    end
-  end
-end