sanitize 5.1.0 → 6.0.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of sanitize might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/HISTORY.md +155 -18
- data/LICENSE +1 -1
- data/README.md +67 -74
- data/lib/sanitize/config/default.rb +6 -1
- data/lib/sanitize/config/relaxed.rb +1 -1
- data/lib/sanitize/css.rb +2 -2
- data/lib/sanitize/transformers/clean_comment.rb +1 -1
- data/lib/sanitize/transformers/clean_css.rb +3 -3
- data/lib/sanitize/transformers/clean_doctype.rb +1 -1
- data/lib/sanitize/transformers/clean_element.rb +62 -20
- data/lib/sanitize/version.rb +1 -1
- data/lib/sanitize.rb +17 -13
- data/test/test_clean_comment.rb +16 -16
- data/test/test_clean_css.rb +5 -5
- data/test/test_clean_doctype.rb +15 -15
- data/test/test_clean_element.rb +130 -97
- data/test/test_config.rb +9 -9
- data/test/test_malicious_css.rb +7 -7
- data/test/test_malicious_html.rb +153 -30
- data/test/test_parser.rb +9 -9
- data/test/test_sanitize.rb +29 -29
- data/test/test_sanitize_css.rb +57 -57
- data/test/test_transformers.rb +48 -42
- metadata +17 -31
data/test/test_sanitize_css.rb
CHANGED
@@ -16,12 +16,12 @@ describe 'Sanitize::CSS' do
|
|
16
16
|
it 'should sanitize CSS properties' do
|
17
17
|
css = 'background: #fff; width: expression(alert("hi"));'
|
18
18
|
|
19
|
-
@default.properties(css).must_equal ' '
|
20
|
-
@relaxed.properties(css).must_equal 'background: #fff; '
|
21
|
-
@custom.properties(css).must_equal 'background: #fff; '
|
19
|
+
_(@default.properties(css)).must_equal ' '
|
20
|
+
_(@relaxed.properties(css)).must_equal 'background: #fff; '
|
21
|
+
_(@custom.properties(css)).must_equal 'background: #fff; '
|
22
22
|
end
|
23
23
|
|
24
|
-
it 'should allow
|
24
|
+
it 'should allow allowlisted URL protocols' do
|
25
25
|
[
|
26
26
|
"background: url(relative.jpg)",
|
27
27
|
"background: url('relative.jpg')",
|
@@ -30,13 +30,13 @@ describe 'Sanitize::CSS' do
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
32
32
|
].each do |css|
|
33
|
-
@default.properties(css).must_equal ''
|
34
|
-
@relaxed.properties(css).must_equal css
|
35
|
-
@custom.properties(css).must_equal ''
|
33
|
+
_(@default.properties(css)).must_equal ''
|
34
|
+
_(@relaxed.properties(css)).must_equal css
|
35
|
+
_(@custom.properties(css)).must_equal ''
|
36
36
|
end
|
37
37
|
end
|
38
38
|
|
39
|
-
it 'should not allow non-
|
39
|
+
it 'should not allow non-allowlisted URL protocols' do
|
40
40
|
[
|
41
41
|
"background: url(javascript:alert(0))",
|
42
42
|
"background: url(ja\\56 ascript:alert(0))",
|
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
|
|
46
46
|
"background: url('javas\\\ncript:alert(0)')",
|
47
47
|
"background: url('java\\0script:foo')"
|
48
48
|
].each do |css|
|
49
|
-
@default.properties(css).must_equal ''
|
50
|
-
@relaxed.properties(css).must_equal ''
|
51
|
-
@custom.properties(css).must_equal ''
|
49
|
+
_(@default.properties(css)).must_equal ''
|
50
|
+
_(@relaxed.properties(css)).must_equal ''
|
51
|
+
_(@custom.properties(css)).must_equal ''
|
52
52
|
end
|
53
53
|
end
|
54
54
|
|
55
55
|
it 'should not allow -moz-binding' do
|
56
56
|
css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
|
57
57
|
|
58
|
-
@default.properties(css).must_equal ''
|
59
|
-
@relaxed.properties(css).must_equal ''
|
60
|
-
@custom.properties(css).must_equal ''
|
58
|
+
_(@default.properties(css)).must_equal ''
|
59
|
+
_(@relaxed.properties(css)).must_equal ''
|
60
|
+
_(@custom.properties(css)).must_equal ''
|
61
61
|
end
|
62
62
|
|
63
63
|
it 'should not allow expressions' do
|
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
|
|
69
69
|
"xss:expression(alert(1))",
|
70
70
|
"height: foo(expression(alert(1)));"
|
71
71
|
].each do |css|
|
72
|
-
@default.properties(css).must_equal ''
|
73
|
-
@relaxed.properties(css).must_equal ''
|
74
|
-
@custom.properties(css).must_equal ''
|
72
|
+
_(@default.properties(css)).must_equal ''
|
73
|
+
_(@relaxed.properties(css)).must_equal ''
|
74
|
+
_(@custom.properties(css)).must_equal ''
|
75
75
|
end
|
76
76
|
end
|
77
77
|
|
78
78
|
it 'should not allow behaviors' do
|
79
79
|
css = "behavior: url(xss.htc);"
|
80
80
|
|
81
|
-
@default.properties(css).must_equal ''
|
82
|
-
@relaxed.properties(css).must_equal ''
|
83
|
-
@custom.properties(css).must_equal ''
|
81
|
+
_(@default.properties(css)).must_equal ''
|
82
|
+
_(@relaxed.properties(css)).must_equal ''
|
83
|
+
_(@custom.properties(css)).must_equal ''
|
84
84
|
end
|
85
85
|
|
86
86
|
describe 'when :allow_comments is true' do
|
87
87
|
it 'should preserve comments' do
|
88
|
-
@relaxed.properties('color: #fff; /* comment */ width: 100px;')
|
88
|
+
_(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
|
89
89
|
.must_equal 'color: #fff; /* comment */ width: 100px;'
|
90
90
|
|
91
|
-
@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
|
91
|
+
_(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
|
92
92
|
.must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
96
|
describe 'when :allow_comments is false' do
|
97
97
|
it 'should strip comments' do
|
98
|
-
@custom.properties('color: #fff; /* comment */ width: 100px;')
|
98
|
+
_(@custom.properties('color: #fff; /* comment */ width: 100px;'))
|
99
99
|
.must_equal 'color: #fff; width: 100px;'
|
100
100
|
|
101
|
-
@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
|
101
|
+
_(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
|
102
102
|
.must_equal 'color: #fff; width: 100px;'
|
103
103
|
end
|
104
104
|
end
|
105
105
|
|
106
106
|
describe 'when :allow_hacks is true' do
|
107
107
|
it 'should allow common CSS hacks' do
|
108
|
-
@relaxed.properties('_border: 1px solid #fff; *width: 10px')
|
108
|
+
_(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
|
109
109
|
.must_equal '_border: 1px solid #fff; *width: 10px'
|
110
110
|
end
|
111
111
|
end
|
112
112
|
|
113
113
|
describe 'when :allow_hacks is false' do
|
114
114
|
it 'should not allow common CSS hacks' do
|
115
|
-
@custom.properties('_border: 1px solid #fff; *width: 10px')
|
115
|
+
_(@custom.properties('_border: 1px solid #fff; *width: 10px'))
|
116
116
|
.must_equal ' '
|
117
117
|
end
|
118
118
|
end
|
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
|
|
131
131
|
}
|
132
132
|
].strip
|
133
133
|
|
134
|
-
@default.stylesheet(css).strip.must_equal %[
|
134
|
+
_(@default.stylesheet(css).strip).must_equal %[
|
135
135
|
.foo { }
|
136
136
|
#bar { }
|
137
137
|
].strip
|
138
138
|
|
139
|
-
@relaxed.stylesheet(css).must_equal css
|
139
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
140
140
|
|
141
|
-
@custom.stylesheet(css).strip.must_equal %[
|
141
|
+
_(@custom.stylesheet(css).strip).must_equal %[
|
142
142
|
.foo { color: #fff; }
|
143
143
|
#bar { }
|
144
144
|
].strip
|
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
|
|
146
146
|
|
147
147
|
describe 'when :allow_comments is true' do
|
148
148
|
it 'should preserve comments' do
|
149
|
-
@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
|
149
|
+
_(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
|
150
150
|
.must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
|
151
151
|
|
152
|
-
@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
|
152
|
+
_(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
|
153
153
|
.must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
|
154
154
|
end
|
155
155
|
end
|
156
156
|
|
157
157
|
describe 'when :allow_comments is false' do
|
158
158
|
it 'should strip comments' do
|
159
|
-
@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
|
159
|
+
_(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
|
160
160
|
.must_equal '.foo { color: #fff; width: 100px; }'
|
161
161
|
|
162
|
-
@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
|
162
|
+
_(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
|
163
163
|
.must_equal '.foo { color: #fff; width: 100px; }'
|
164
164
|
end
|
165
165
|
end
|
166
166
|
|
167
167
|
describe 'when :allow_hacks is true' do
|
168
168
|
it 'should allow common CSS hacks' do
|
169
|
-
@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
|
169
|
+
_(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
|
170
170
|
.must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
|
171
171
|
end
|
172
172
|
end
|
173
173
|
|
174
174
|
describe 'when :allow_hacks is false' do
|
175
175
|
it 'should not allow common CSS hacks' do
|
176
|
-
@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
|
176
|
+
_(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
|
177
177
|
.must_equal '.foo { }'
|
178
178
|
end
|
179
179
|
end
|
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
|
|
185
185
|
".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
|
186
186
|
"#bar { top: 125px; background: green; }")
|
187
187
|
|
188
|
-
@custom.tree!(tree).must_be_same_as tree
|
188
|
+
_(@custom.tree!(tree)).must_be_same_as tree
|
189
189
|
|
190
|
-
Crass::Parser.stringify(tree).must_equal String.new("\n") <<
|
190
|
+
_(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
|
191
191
|
".foo { background: #fff; }\n" <<
|
192
192
|
"#bar { background: green; }"
|
193
193
|
end
|
@@ -199,9 +199,9 @@ describe 'Sanitize::CSS' do
|
|
199
199
|
it 'should sanitize CSS properties with the given config' do
|
200
200
|
css = 'background: #fff; width: expression(alert("hi"));'
|
201
201
|
|
202
|
-
Sanitize::CSS.properties(css).must_equal ' '
|
203
|
-
Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
|
204
|
-
Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
|
202
|
+
_(Sanitize::CSS.properties(css)).must_equal ' '
|
203
|
+
_(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
|
204
|
+
_(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
|
205
205
|
end
|
206
206
|
end
|
207
207
|
|
@@ -218,14 +218,14 @@ describe 'Sanitize::CSS' do
|
|
218
218
|
}
|
219
219
|
].strip
|
220
220
|
|
221
|
-
Sanitize::CSS.stylesheet(css).strip.must_equal %[
|
221
|
+
_(Sanitize::CSS.stylesheet(css).strip).must_equal %[
|
222
222
|
.foo { }
|
223
223
|
#bar { }
|
224
224
|
].strip
|
225
225
|
|
226
|
-
Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
|
226
|
+
_(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
|
227
227
|
|
228
|
-
Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
|
228
|
+
_(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
|
229
229
|
.foo { color: #fff; }
|
230
230
|
#bar { }
|
231
231
|
].strip
|
@@ -238,9 +238,9 @@ describe 'Sanitize::CSS' do
|
|
238
238
|
".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
|
239
239
|
"#bar { top: 125px; background: green; }")
|
240
240
|
|
241
|
-
Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
|
241
|
+
_(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
|
242
242
|
|
243
|
-
Crass::Parser.stringify(tree).must_equal String.new("\n") <<
|
243
|
+
_(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
|
244
244
|
".foo { background: #fff; }\n" <<
|
245
245
|
"#bar { background: green; }"
|
246
246
|
end
|
@@ -256,7 +256,7 @@ describe 'Sanitize::CSS' do
|
|
256
256
|
# https://github.com/rgrove/sanitize/issues/121
|
257
257
|
it 'should parse the contents of @media rules properly' do
|
258
258
|
css = '@media { p[class="center"] { text-align: center; }}'
|
259
|
-
@relaxed.stylesheet(css).must_equal css
|
259
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
260
260
|
|
261
261
|
css = %[
|
262
262
|
@media (max-width: 720px) {
|
@@ -269,7 +269,7 @@ describe 'Sanitize::CSS' do
|
|
269
269
|
}
|
270
270
|
].strip
|
271
271
|
|
272
|
-
@relaxed.stylesheet(css).must_equal %[
|
272
|
+
_(@relaxed.stylesheet(css)).must_equal %[
|
273
273
|
@media (max-width: 720px) {
|
274
274
|
p.foo > .bar { float: right; }
|
275
275
|
#baz { color: green; }
|
@@ -303,23 +303,23 @@ describe 'Sanitize::CSS' do
|
|
303
303
|
}
|
304
304
|
].strip
|
305
305
|
|
306
|
-
@relaxed.stylesheet(css).must_equal css
|
306
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
307
307
|
end
|
308
308
|
|
309
309
|
describe ":at_rules" do
|
310
|
-
it "should remove blockless at-rules that aren't
|
310
|
+
it "should remove blockless at-rules that aren't allowlisted" do
|
311
311
|
css = %[
|
312
312
|
@charset 'utf-8';
|
313
313
|
@import url('foo.css');
|
314
314
|
.foo { color: green; }
|
315
315
|
].strip
|
316
316
|
|
317
|
-
@relaxed.stylesheet(css).strip.must_equal %[
|
317
|
+
_(@relaxed.stylesheet(css).strip).must_equal %[
|
318
318
|
.foo { color: green; }
|
319
319
|
].strip
|
320
320
|
end
|
321
321
|
|
322
|
-
describe "when blockless at-rules are
|
322
|
+
describe "when blockless at-rules are allowlisted" do
|
323
323
|
before do
|
324
324
|
@scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
|
325
325
|
:at_rules => ['charset', 'import']
|
@@ -333,7 +333,7 @@ describe 'Sanitize::CSS' do
|
|
333
333
|
.foo { color: green; }
|
334
334
|
].strip
|
335
335
|
|
336
|
-
@scss.stylesheet(css).must_equal %[
|
336
|
+
_(@scss.stylesheet(css)).must_equal %[
|
337
337
|
@charset 'utf-8';
|
338
338
|
@import url('foo.css');
|
339
339
|
.foo { color: green; }
|
@@ -347,7 +347,7 @@ describe 'Sanitize::CSS' do
|
|
347
347
|
.foo { color: green; }
|
348
348
|
].strip
|
349
349
|
|
350
|
-
@scss.stylesheet(css).strip.must_equal %[
|
350
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
351
351
|
.foo { color: green; }
|
352
352
|
].strip
|
353
353
|
end
|
@@ -367,7 +367,7 @@ describe 'Sanitize::CSS' do
|
|
367
367
|
@import url('https://somesite.com/something.css');
|
368
368
|
].strip
|
369
369
|
|
370
|
-
@scss.stylesheet(css).strip.must_equal %[
|
370
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
371
371
|
@import url('https://somesite.com/something.css');
|
372
372
|
].strip
|
373
373
|
end
|
@@ -388,7 +388,7 @@ describe 'Sanitize::CSS' do
|
|
388
388
|
@import url('https://fonts.googleapis.com/css?family=Indie+Flower');
|
389
389
|
].strip
|
390
390
|
|
391
|
-
@scss.stylesheet(css).strip.must_equal %[
|
391
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
392
392
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
393
393
|
@import url('https://fonts.googleapis.com/css?family=Indie+Flower');
|
394
394
|
].strip
|
@@ -401,7 +401,7 @@ describe 'Sanitize::CSS' do
|
|
401
401
|
@import url('https://nastysite.com/nasty_hax0r.css');
|
402
402
|
].strip
|
403
403
|
|
404
|
-
@scss.stylesheet(css).strip.must_equal %[
|
404
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
405
405
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
406
406
|
].strip
|
407
407
|
end
|
@@ -413,7 +413,7 @@ describe 'Sanitize::CSS' do
|
|
413
413
|
@import url('');
|
414
414
|
].strip
|
415
415
|
|
416
|
-
@scss.stylesheet(css).strip.must_equal %[
|
416
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
417
417
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
418
418
|
].strip
|
419
419
|
end
|
data/test/test_transformers.rb
CHANGED
@@ -11,12 +11,14 @@ describe 'Transformers' do
|
|
11
11
|
:transformers => lambda {|env|
|
12
12
|
return unless env[:node].element?
|
13
13
|
|
14
|
-
env[:config][:foo].must_equal :bar
|
15
|
-
env[:
|
16
|
-
env[:
|
17
|
-
env[:
|
18
|
-
env[:
|
19
|
-
env[:
|
14
|
+
_(env[:config][:foo]).must_equal :bar
|
15
|
+
_(env[:is_allowlisted]).must_equal false
|
16
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
17
|
+
_(env[:node]).must_be_kind_of Nokogiri::XML::Node
|
18
|
+
_(env[:node_name]).must_equal 'span'
|
19
|
+
_(env[:node_allowlist]).must_be_kind_of Set
|
20
|
+
_(env[:node_allowlist]).must_be_empty
|
21
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
20
22
|
}
|
21
23
|
)
|
22
24
|
end
|
@@ -28,7 +30,7 @@ describe 'Transformers' do
|
|
28
30
|
:transformers => proc {|env| nodes << env[:node_name] }
|
29
31
|
)
|
30
32
|
|
31
|
-
nodes.must_equal %w[
|
33
|
+
_(nodes).must_equal %w[
|
32
34
|
#document-fragment div text text text comment script text
|
33
35
|
]
|
34
36
|
end
|
@@ -40,53 +42,57 @@ describe 'Transformers' do
|
|
40
42
|
:transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
|
41
43
|
)
|
42
44
|
|
43
|
-
nodes.must_equal %w[div span strong b p]
|
45
|
+
_(nodes).must_equal %w[div span strong b p]
|
44
46
|
end
|
45
47
|
|
46
|
-
it 'should
|
47
|
-
Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
|
48
|
+
it 'should allowlist nodes in the node allowlist' do
|
49
|
+
_(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
|
48
50
|
:transformers => [
|
49
51
|
proc {|env|
|
50
|
-
{:
|
52
|
+
{:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
|
51
53
|
},
|
52
54
|
|
53
55
|
proc {|env|
|
54
|
-
env[:
|
55
|
-
env[:
|
56
|
-
env[:
|
56
|
+
_(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
|
57
|
+
_(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
|
58
|
+
_(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
|
59
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
60
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
57
61
|
}
|
58
62
|
]
|
59
|
-
).must_equal '<div class="foo">foo</div>bar'
|
63
|
+
)).must_equal '<div class="foo">foo</div>bar'
|
60
64
|
end
|
61
65
|
|
62
|
-
it 'should clear the node
|
66
|
+
it 'should clear the node allowlist after each fragment' do
|
63
67
|
called = false
|
64
68
|
|
65
69
|
Sanitize.fragment('<div>foo</div>',
|
66
|
-
:transformers => proc {|env| {:
|
70
|
+
:transformers => proc {|env| {:node_allowlist => [env[:node]]}}
|
67
71
|
)
|
68
72
|
|
69
73
|
Sanitize.fragment('<div>foo</div>',
|
70
74
|
:transformers => proc {|env|
|
71
75
|
called = true
|
72
|
-
env[:
|
73
|
-
env[:
|
76
|
+
_(env[:is_allowlisted]).must_equal false
|
77
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
78
|
+
_(env[:node_allowlist]).must_be_empty
|
79
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
74
80
|
}
|
75
81
|
)
|
76
82
|
|
77
|
-
called.must_equal true
|
83
|
+
_(called).must_equal true
|
78
84
|
end
|
79
85
|
|
80
86
|
it 'should accept a method transformer' do
|
81
87
|
def transformer(env); end
|
82
|
-
Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
|
88
|
+
_(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
|
83
89
|
.must_equal(' foo ')
|
84
90
|
end
|
85
91
|
|
86
|
-
describe 'Image
|
92
|
+
describe 'Image allowlist transformer' do
|
87
93
|
require 'uri'
|
88
94
|
|
89
|
-
|
95
|
+
image_allowlist_transformer = lambda do |env|
|
90
96
|
# Ignore everything except <img> elements.
|
91
97
|
return unless env[:node_name] == 'img'
|
92
98
|
|
@@ -103,37 +109,37 @@ describe 'Transformers' do
|
|
103
109
|
|
104
110
|
before do
|
105
111
|
@s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
|
106
|
-
:transformers =>
|
112
|
+
:transformers => image_allowlist_transformer))
|
107
113
|
end
|
108
114
|
|
109
115
|
it 'should allow images with relative URLs' do
|
110
116
|
input = '<img src="/foo/bar.jpg">'
|
111
|
-
@s.fragment(input).must_equal(input)
|
117
|
+
_(@s.fragment(input)).must_equal(input)
|
112
118
|
end
|
113
119
|
|
114
120
|
it 'should allow images at the example.com domain' do
|
115
121
|
input = '<img src="http://example.com/foo/bar.jpg">'
|
116
|
-
@s.fragment(input).must_equal(input)
|
122
|
+
_(@s.fragment(input)).must_equal(input)
|
117
123
|
|
118
124
|
input = '<img src="https://example.com/foo/bar.jpg">'
|
119
|
-
@s.fragment(input).must_equal(input)
|
125
|
+
_(@s.fragment(input)).must_equal(input)
|
120
126
|
|
121
127
|
input = '<img src="//example.com/foo/bar.jpg">'
|
122
|
-
@s.fragment(input).must_equal(input)
|
128
|
+
_(@s.fragment(input)).must_equal(input)
|
123
129
|
end
|
124
130
|
|
125
131
|
it 'should not allow images at other domains' do
|
126
132
|
input = '<img src="http://evil.com/foo/bar.jpg">'
|
127
|
-
@s.fragment(input).must_equal('')
|
133
|
+
_(@s.fragment(input)).must_equal('')
|
128
134
|
|
129
135
|
input = '<img src="https://evil.com/foo/bar.jpg">'
|
130
|
-
@s.fragment(input).must_equal('')
|
136
|
+
_(@s.fragment(input)).must_equal('')
|
131
137
|
|
132
138
|
input = '<img src="//evil.com/foo/bar.jpg">'
|
133
|
-
@s.fragment(input).must_equal('')
|
139
|
+
_(@s.fragment(input)).must_equal('')
|
134
140
|
|
135
141
|
input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
|
136
|
-
@s.fragment(input).must_equal('')
|
142
|
+
_(@s.fragment(input)).must_equal('')
|
137
143
|
end
|
138
144
|
end
|
139
145
|
|
@@ -142,8 +148,8 @@ describe 'Transformers' do
|
|
142
148
|
node = env[:node]
|
143
149
|
node_name = env[:node_name]
|
144
150
|
|
145
|
-
# Don't continue if this node is already
|
146
|
-
return if env[:
|
151
|
+
# Don't continue if this node is already allowlisted or is not an element.
|
152
|
+
return if env[:is_allowlisted] || !node.element?
|
147
153
|
|
148
154
|
# Don't continue unless the node is an iframe.
|
149
155
|
return unless node_name == 'iframe'
|
@@ -164,42 +170,42 @@ describe 'Transformers' do
|
|
164
170
|
|
165
171
|
# Now that we're sure that this is a valid YouTube embed and that there are
|
166
172
|
# no unwanted elements or attributes hidden inside it, we can tell Sanitize
|
167
|
-
# to
|
168
|
-
{:
|
173
|
+
# to allowlist the current node.
|
174
|
+
{:node_allowlist => [node]}
|
169
175
|
end
|
170
176
|
|
171
177
|
it 'should allow HTTP YouTube video embeds' do
|
172
178
|
input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
173
179
|
|
174
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
180
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
175
181
|
.must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
176
182
|
end
|
177
183
|
|
178
184
|
it 'should allow HTTPS YouTube video embeds' do
|
179
185
|
input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
180
186
|
|
181
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
187
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
182
188
|
.must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
183
189
|
end
|
184
190
|
|
185
191
|
it 'should allow protocol-relative YouTube video embeds' do
|
186
192
|
input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
187
193
|
|
188
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
194
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
189
195
|
.must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
190
196
|
end
|
191
197
|
|
192
198
|
it 'should allow privacy-enhanced YouTube video embeds' do
|
193
199
|
input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
194
200
|
|
195
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
201
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
196
202
|
.must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
197
203
|
end
|
198
204
|
|
199
205
|
it 'should not allow non-YouTube video embeds' do
|
200
206
|
input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
|
201
207
|
|
202
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
208
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
203
209
|
.must_equal('')
|
204
210
|
end
|
205
211
|
end
|
@@ -217,7 +223,7 @@ describe 'Transformers' do
|
|
217
223
|
it 'should allow the <b> tag to be changed to a <strong> tag' do
|
218
224
|
input = '<b>text</b>'
|
219
225
|
|
220
|
-
Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
|
226
|
+
_(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
|
221
227
|
.must_equal '<strong>text</strong>'
|
222
228
|
end
|
223
229
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sanitize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 6.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryan Grove
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-27 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: crass
|
@@ -30,59 +30,45 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 1.
|
33
|
+
version: 1.12.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 1.
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
name: nokogumbo
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - "~>"
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '2.0'
|
48
|
-
type: :runtime
|
49
|
-
prerelease: false
|
50
|
-
version_requirements: !ruby/object:Gem::Requirement
|
51
|
-
requirements:
|
52
|
-
- - "~>"
|
53
|
-
- !ruby/object:Gem::Version
|
54
|
-
version: '2.0'
|
40
|
+
version: 1.12.0
|
55
41
|
- !ruby/object:Gem::Dependency
|
56
42
|
name: minitest
|
57
43
|
requirement: !ruby/object:Gem::Requirement
|
58
44
|
requirements:
|
59
45
|
- - "~>"
|
60
46
|
- !ruby/object:Gem::Version
|
61
|
-
version: 5.
|
47
|
+
version: 5.14.4
|
62
48
|
type: :development
|
63
49
|
prerelease: false
|
64
50
|
version_requirements: !ruby/object:Gem::Requirement
|
65
51
|
requirements:
|
66
52
|
- - "~>"
|
67
53
|
- !ruby/object:Gem::Version
|
68
|
-
version: 5.
|
54
|
+
version: 5.14.4
|
69
55
|
- !ruby/object:Gem::Dependency
|
70
56
|
name: rake
|
71
57
|
requirement: !ruby/object:Gem::Requirement
|
72
58
|
requirements:
|
73
59
|
- - "~>"
|
74
60
|
- !ruby/object:Gem::Version
|
75
|
-
version:
|
61
|
+
version: 13.0.6
|
76
62
|
type: :development
|
77
63
|
prerelease: false
|
78
64
|
version_requirements: !ruby/object:Gem::Requirement
|
79
65
|
requirements:
|
80
66
|
- - "~>"
|
81
67
|
- !ruby/object:Gem::Version
|
82
|
-
version:
|
83
|
-
description: Sanitize is
|
84
|
-
|
85
|
-
|
68
|
+
version: 13.0.6
|
69
|
+
description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
|
70
|
+
HTML and/or CSS from a string except the elements, attributes, and properties you
|
71
|
+
choose to allow.
|
86
72
|
email: ryan@wonko.com
|
87
73
|
executables: []
|
88
74
|
extensions: []
|
@@ -120,7 +106,7 @@ homepage: https://github.com/rgrove/sanitize/
|
|
120
106
|
licenses:
|
121
107
|
- MIT
|
122
108
|
metadata: {}
|
123
|
-
post_install_message:
|
109
|
+
post_install_message:
|
124
110
|
rdoc_options: []
|
125
111
|
require_paths:
|
126
112
|
- lib
|
@@ -128,15 +114,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
128
114
|
requirements:
|
129
115
|
- - ">="
|
130
116
|
- !ruby/object:Gem::Version
|
131
|
-
version: 2.
|
117
|
+
version: 2.5.0
|
132
118
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
133
119
|
requirements:
|
134
120
|
- - ">="
|
135
121
|
- !ruby/object:Gem::Version
|
136
122
|
version: 1.2.0
|
137
123
|
requirements: []
|
138
|
-
rubygems_version: 3.
|
139
|
-
signing_key:
|
124
|
+
rubygems_version: 3.4.1
|
125
|
+
signing_key:
|
140
126
|
specification_version: 4
|
141
|
-
summary:
|
127
|
+
summary: Allowlist-based HTML and CSS sanitizer.
|
142
128
|
test_files: []
|