sanitize 5.1.0 → 6.0.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of sanitize might be problematic. Click here for more details.

@@ -16,12 +16,12 @@ describe 'Sanitize::CSS' do
16
16
  it 'should sanitize CSS properties' do
17
17
  css = 'background: #fff; width: expression(alert("hi"));'
18
18
 
19
- @default.properties(css).must_equal ' '
20
- @relaxed.properties(css).must_equal 'background: #fff; '
21
- @custom.properties(css).must_equal 'background: #fff; '
19
+ _(@default.properties(css)).must_equal ' '
20
+ _(@relaxed.properties(css)).must_equal 'background: #fff; '
21
+ _(@custom.properties(css)).must_equal 'background: #fff; '
22
22
  end
23
23
 
24
- it 'should allow whitelisted URL protocols' do
24
+ it 'should allow allowlisted URL protocols' do
25
25
  [
26
26
  "background: url(relative.jpg)",
27
27
  "background: url('relative.jpg')",
@@ -30,13 +30,13 @@ describe 'Sanitize::CSS' do
30
30
  "background: url(https://example.com/https.jpg)",
31
31
  "background: url('https://example.com/https.jpg')",
32
32
  ].each do |css|
33
- @default.properties(css).must_equal ''
34
- @relaxed.properties(css).must_equal css
35
- @custom.properties(css).must_equal ''
33
+ _(@default.properties(css)).must_equal ''
34
+ _(@relaxed.properties(css)).must_equal css
35
+ _(@custom.properties(css)).must_equal ''
36
36
  end
37
37
  end
38
38
 
39
- it 'should not allow non-whitelisted URL protocols' do
39
+ it 'should not allow non-allowlisted URL protocols' do
40
40
  [
41
41
  "background: url(javascript:alert(0))",
42
42
  "background: url(ja\\56 ascript:alert(0))",
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
46
46
  "background: url('javas\\\ncript:alert(0)')",
47
47
  "background: url('java\\0script:foo')"
48
48
  ].each do |css|
49
- @default.properties(css).must_equal ''
50
- @relaxed.properties(css).must_equal ''
51
- @custom.properties(css).must_equal ''
49
+ _(@default.properties(css)).must_equal ''
50
+ _(@relaxed.properties(css)).must_equal ''
51
+ _(@custom.properties(css)).must_equal ''
52
52
  end
53
53
  end
54
54
 
55
55
  it 'should not allow -moz-binding' do
56
56
  css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
57
57
 
58
- @default.properties(css).must_equal ''
59
- @relaxed.properties(css).must_equal ''
60
- @custom.properties(css).must_equal ''
58
+ _(@default.properties(css)).must_equal ''
59
+ _(@relaxed.properties(css)).must_equal ''
60
+ _(@custom.properties(css)).must_equal ''
61
61
  end
62
62
 
63
63
  it 'should not allow expressions' do
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
69
69
  "xss:expression(alert(1))",
70
70
  "height: foo(expression(alert(1)));"
71
71
  ].each do |css|
72
- @default.properties(css).must_equal ''
73
- @relaxed.properties(css).must_equal ''
74
- @custom.properties(css).must_equal ''
72
+ _(@default.properties(css)).must_equal ''
73
+ _(@relaxed.properties(css)).must_equal ''
74
+ _(@custom.properties(css)).must_equal ''
75
75
  end
76
76
  end
77
77
 
78
78
  it 'should not allow behaviors' do
79
79
  css = "behavior: url(xss.htc);"
80
80
 
81
- @default.properties(css).must_equal ''
82
- @relaxed.properties(css).must_equal ''
83
- @custom.properties(css).must_equal ''
81
+ _(@default.properties(css)).must_equal ''
82
+ _(@relaxed.properties(css)).must_equal ''
83
+ _(@custom.properties(css)).must_equal ''
84
84
  end
85
85
 
86
86
  describe 'when :allow_comments is true' do
87
87
  it 'should preserve comments' do
88
- @relaxed.properties('color: #fff; /* comment */ width: 100px;')
88
+ _(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
89
89
  .must_equal 'color: #fff; /* comment */ width: 100px;'
90
90
 
91
- @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
91
+ _(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
92
92
  .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
93
93
  end
94
94
  end
95
95
 
96
96
  describe 'when :allow_comments is false' do
97
97
  it 'should strip comments' do
98
- @custom.properties('color: #fff; /* comment */ width: 100px;')
98
+ _(@custom.properties('color: #fff; /* comment */ width: 100px;'))
99
99
  .must_equal 'color: #fff; width: 100px;'
100
100
 
101
- @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
101
+ _(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
102
102
  .must_equal 'color: #fff; width: 100px;'
103
103
  end
104
104
  end
105
105
 
106
106
  describe 'when :allow_hacks is true' do
107
107
  it 'should allow common CSS hacks' do
108
- @relaxed.properties('_border: 1px solid #fff; *width: 10px')
108
+ _(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
109
109
  .must_equal '_border: 1px solid #fff; *width: 10px'
110
110
  end
111
111
  end
112
112
 
113
113
  describe 'when :allow_hacks is false' do
114
114
  it 'should not allow common CSS hacks' do
115
- @custom.properties('_border: 1px solid #fff; *width: 10px')
115
+ _(@custom.properties('_border: 1px solid #fff; *width: 10px'))
116
116
  .must_equal ' '
117
117
  end
118
118
  end
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
131
131
  }
132
132
  ].strip
133
133
 
134
- @default.stylesheet(css).strip.must_equal %[
134
+ _(@default.stylesheet(css).strip).must_equal %[
135
135
  .foo { }
136
136
  #bar { }
137
137
  ].strip
138
138
 
139
- @relaxed.stylesheet(css).must_equal css
139
+ _(@relaxed.stylesheet(css)).must_equal css
140
140
 
141
- @custom.stylesheet(css).strip.must_equal %[
141
+ _(@custom.stylesheet(css).strip).must_equal %[
142
142
  .foo { color: #fff; }
143
143
  #bar { }
144
144
  ].strip
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
146
146
 
147
147
  describe 'when :allow_comments is true' do
148
148
  it 'should preserve comments' do
149
- @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
149
+ _(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
150
150
  .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
151
151
 
152
- @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
152
+ _(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
153
153
  .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
154
154
  end
155
155
  end
156
156
 
157
157
  describe 'when :allow_comments is false' do
158
158
  it 'should strip comments' do
159
- @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
159
+ _(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
160
160
  .must_equal '.foo { color: #fff; width: 100px; }'
161
161
 
162
- @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
162
+ _(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
163
163
  .must_equal '.foo { color: #fff; width: 100px; }'
164
164
  end
165
165
  end
166
166
 
167
167
  describe 'when :allow_hacks is true' do
168
168
  it 'should allow common CSS hacks' do
169
- @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
169
+ _(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
170
170
  .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
171
171
  end
172
172
  end
173
173
 
174
174
  describe 'when :allow_hacks is false' do
175
175
  it 'should not allow common CSS hacks' do
176
- @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
176
+ _(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
177
177
  .must_equal '.foo { }'
178
178
  end
179
179
  end
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
185
185
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
186
186
  "#bar { top: 125px; background: green; }")
187
187
 
188
- @custom.tree!(tree).must_be_same_as tree
188
+ _(@custom.tree!(tree)).must_be_same_as tree
189
189
 
190
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
190
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
191
191
  ".foo { background: #fff; }\n" <<
192
192
  "#bar { background: green; }"
193
193
  end
@@ -199,9 +199,9 @@ describe 'Sanitize::CSS' do
199
199
  it 'should sanitize CSS properties with the given config' do
200
200
  css = 'background: #fff; width: expression(alert("hi"));'
201
201
 
202
- Sanitize::CSS.properties(css).must_equal ' '
203
- Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
204
- Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
202
+ _(Sanitize::CSS.properties(css)).must_equal ' '
203
+ _(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
204
+ _(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
205
205
  end
206
206
  end
207
207
 
@@ -218,14 +218,14 @@ describe 'Sanitize::CSS' do
218
218
  }
219
219
  ].strip
220
220
 
221
- Sanitize::CSS.stylesheet(css).strip.must_equal %[
221
+ _(Sanitize::CSS.stylesheet(css).strip).must_equal %[
222
222
  .foo { }
223
223
  #bar { }
224
224
  ].strip
225
225
 
226
- Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
226
+ _(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
227
227
 
228
- Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
228
+ _(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
229
229
  .foo { color: #fff; }
230
230
  #bar { }
231
231
  ].strip
@@ -238,9 +238,9 @@ describe 'Sanitize::CSS' do
238
238
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
239
239
  "#bar { top: 125px; background: green; }")
240
240
 
241
- Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
241
+ _(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
242
242
 
243
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
243
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
244
244
  ".foo { background: #fff; }\n" <<
245
245
  "#bar { background: green; }"
246
246
  end
@@ -256,7 +256,7 @@ describe 'Sanitize::CSS' do
256
256
  # https://github.com/rgrove/sanitize/issues/121
257
257
  it 'should parse the contents of @media rules properly' do
258
258
  css = '@media { p[class="center"] { text-align: center; }}'
259
- @relaxed.stylesheet(css).must_equal css
259
+ _(@relaxed.stylesheet(css)).must_equal css
260
260
 
261
261
  css = %[
262
262
  @media (max-width: 720px) {
@@ -269,7 +269,7 @@ describe 'Sanitize::CSS' do
269
269
  }
270
270
  ].strip
271
271
 
272
- @relaxed.stylesheet(css).must_equal %[
272
+ _(@relaxed.stylesheet(css)).must_equal %[
273
273
  @media (max-width: 720px) {
274
274
  p.foo > .bar { float: right; }
275
275
  #baz { color: green; }
@@ -303,23 +303,23 @@ describe 'Sanitize::CSS' do
303
303
  }
304
304
  ].strip
305
305
 
306
- @relaxed.stylesheet(css).must_equal css
306
+ _(@relaxed.stylesheet(css)).must_equal css
307
307
  end
308
308
 
309
309
  describe ":at_rules" do
310
- it "should remove blockless at-rules that aren't whitelisted" do
310
+ it "should remove blockless at-rules that aren't allowlisted" do
311
311
  css = %[
312
312
  @charset 'utf-8';
313
313
  @import url('foo.css');
314
314
  .foo { color: green; }
315
315
  ].strip
316
316
 
317
- @relaxed.stylesheet(css).strip.must_equal %[
317
+ _(@relaxed.stylesheet(css).strip).must_equal %[
318
318
  .foo { color: green; }
319
319
  ].strip
320
320
  end
321
321
 
322
- describe "when blockless at-rules are whitelisted" do
322
+ describe "when blockless at-rules are allowlisted" do
323
323
  before do
324
324
  @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
325
325
  :at_rules => ['charset', 'import']
@@ -333,7 +333,7 @@ describe 'Sanitize::CSS' do
333
333
  .foo { color: green; }
334
334
  ].strip
335
335
 
336
- @scss.stylesheet(css).must_equal %[
336
+ _(@scss.stylesheet(css)).must_equal %[
337
337
  @charset 'utf-8';
338
338
  @import url('foo.css');
339
339
  .foo { color: green; }
@@ -347,7 +347,7 @@ describe 'Sanitize::CSS' do
347
347
  .foo { color: green; }
348
348
  ].strip
349
349
 
350
- @scss.stylesheet(css).strip.must_equal %[
350
+ _(@scss.stylesheet(css).strip).must_equal %[
351
351
  .foo { color: green; }
352
352
  ].strip
353
353
  end
@@ -367,7 +367,7 @@ describe 'Sanitize::CSS' do
367
367
  @import url('https://somesite.com/something.css');
368
368
  ].strip
369
369
 
370
- @scss.stylesheet(css).strip.must_equal %[
370
+ _(@scss.stylesheet(css).strip).must_equal %[
371
371
  @import url('https://somesite.com/something.css');
372
372
  ].strip
373
373
  end
@@ -388,7 +388,7 @@ describe 'Sanitize::CSS' do
388
388
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
389
389
  ].strip
390
390
 
391
- @scss.stylesheet(css).strip.must_equal %[
391
+ _(@scss.stylesheet(css).strip).must_equal %[
392
392
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
393
393
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
394
394
  ].strip
@@ -401,7 +401,7 @@ describe 'Sanitize::CSS' do
401
401
  @import url('https://nastysite.com/nasty_hax0r.css');
402
402
  ].strip
403
403
 
404
- @scss.stylesheet(css).strip.must_equal %[
404
+ _(@scss.stylesheet(css).strip).must_equal %[
405
405
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
406
406
  ].strip
407
407
  end
@@ -413,7 +413,7 @@ describe 'Sanitize::CSS' do
413
413
  @import url('');
414
414
  ].strip
415
415
 
416
- @scss.stylesheet(css).strip.must_equal %[
416
+ _(@scss.stylesheet(css).strip).must_equal %[
417
417
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
418
418
  ].strip
419
419
  end
@@ -11,12 +11,14 @@ describe 'Transformers' do
11
11
  :transformers => lambda {|env|
12
12
  return unless env[:node].element?
13
13
 
14
- env[:config][:foo].must_equal :bar
15
- env[:is_whitelisted].must_equal false
16
- env[:node].must_be_kind_of Nokogiri::XML::Node
17
- env[:node_name].must_equal 'span'
18
- env[:node_whitelist].must_be_kind_of Set
19
- env[:node_whitelist].must_be_empty
14
+ _(env[:config][:foo]).must_equal :bar
15
+ _(env[:is_allowlisted]).must_equal false
16
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
17
+ _(env[:node]).must_be_kind_of Nokogiri::XML::Node
18
+ _(env[:node_name]).must_equal 'span'
19
+ _(env[:node_allowlist]).must_be_kind_of Set
20
+ _(env[:node_allowlist]).must_be_empty
21
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
20
22
  }
21
23
  )
22
24
  end
@@ -28,7 +30,7 @@ describe 'Transformers' do
28
30
  :transformers => proc {|env| nodes << env[:node_name] }
29
31
  )
30
32
 
31
- nodes.must_equal %w[
33
+ _(nodes).must_equal %w[
32
34
  #document-fragment div text text text comment script text
33
35
  ]
34
36
  end
@@ -40,53 +42,57 @@ describe 'Transformers' do
40
42
  :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
41
43
  )
42
44
 
43
- nodes.must_equal %w[div span strong b p]
45
+ _(nodes).must_equal %w[div span strong b p]
44
46
  end
45
47
 
46
- it 'should whitelist nodes in the node whitelist' do
47
- Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
48
+ it 'should allowlist nodes in the node allowlist' do
49
+ _(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
48
50
  :transformers => [
49
51
  proc {|env|
50
- {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
52
+ {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
51
53
  },
52
54
 
53
55
  proc {|env|
54
- env[:is_whitelisted].must_equal false unless env[:node_name] == 'div'
55
- env[:is_whitelisted].must_equal true if env[:node_name] == 'div'
56
- env[:node_whitelist].must_include env[:node] if env[:node_name] == 'div'
56
+ _(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
57
+ _(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
58
+ _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
59
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
60
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
57
61
  }
58
62
  ]
59
- ).must_equal '<div class="foo">foo</div>bar'
63
+ )).must_equal '<div class="foo">foo</div>bar'
60
64
  end
61
65
 
62
- it 'should clear the node whitelist after each fragment' do
66
+ it 'should clear the node allowlist after each fragment' do
63
67
  called = false
64
68
 
65
69
  Sanitize.fragment('<div>foo</div>',
66
- :transformers => proc {|env| {:node_whitelist => [env[:node]]}}
70
+ :transformers => proc {|env| {:node_allowlist => [env[:node]]}}
67
71
  )
68
72
 
69
73
  Sanitize.fragment('<div>foo</div>',
70
74
  :transformers => proc {|env|
71
75
  called = true
72
- env[:is_whitelisted].must_equal false
73
- env[:node_whitelist].must_be_empty
76
+ _(env[:is_allowlisted]).must_equal false
77
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
78
+ _(env[:node_allowlist]).must_be_empty
79
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
74
80
  }
75
81
  )
76
82
 
77
- called.must_equal true
83
+ _(called).must_equal true
78
84
  end
79
85
 
80
86
  it 'should accept a method transformer' do
81
87
  def transformer(env); end
82
- Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
88
+ _(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
83
89
  .must_equal(' foo ')
84
90
  end
85
91
 
86
- describe 'Image whitelist transformer' do
92
+ describe 'Image allowlist transformer' do
87
93
  require 'uri'
88
94
 
89
- image_whitelist_transformer = lambda do |env|
95
+ image_allowlist_transformer = lambda do |env|
90
96
  # Ignore everything except <img> elements.
91
97
  return unless env[:node_name] == 'img'
92
98
 
@@ -103,37 +109,37 @@ describe 'Transformers' do
103
109
 
104
110
  before do
105
111
  @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
106
- :transformers => image_whitelist_transformer))
112
+ :transformers => image_allowlist_transformer))
107
113
  end
108
114
 
109
115
  it 'should allow images with relative URLs' do
110
116
  input = '<img src="/foo/bar.jpg">'
111
- @s.fragment(input).must_equal(input)
117
+ _(@s.fragment(input)).must_equal(input)
112
118
  end
113
119
 
114
120
  it 'should allow images at the example.com domain' do
115
121
  input = '<img src="http://example.com/foo/bar.jpg">'
116
- @s.fragment(input).must_equal(input)
122
+ _(@s.fragment(input)).must_equal(input)
117
123
 
118
124
  input = '<img src="https://example.com/foo/bar.jpg">'
119
- @s.fragment(input).must_equal(input)
125
+ _(@s.fragment(input)).must_equal(input)
120
126
 
121
127
  input = '<img src="//example.com/foo/bar.jpg">'
122
- @s.fragment(input).must_equal(input)
128
+ _(@s.fragment(input)).must_equal(input)
123
129
  end
124
130
 
125
131
  it 'should not allow images at other domains' do
126
132
  input = '<img src="http://evil.com/foo/bar.jpg">'
127
- @s.fragment(input).must_equal('')
133
+ _(@s.fragment(input)).must_equal('')
128
134
 
129
135
  input = '<img src="https://evil.com/foo/bar.jpg">'
130
- @s.fragment(input).must_equal('')
136
+ _(@s.fragment(input)).must_equal('')
131
137
 
132
138
  input = '<img src="//evil.com/foo/bar.jpg">'
133
- @s.fragment(input).must_equal('')
139
+ _(@s.fragment(input)).must_equal('')
134
140
 
135
141
  input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
136
- @s.fragment(input).must_equal('')
142
+ _(@s.fragment(input)).must_equal('')
137
143
  end
138
144
  end
139
145
 
@@ -142,8 +148,8 @@ describe 'Transformers' do
142
148
  node = env[:node]
143
149
  node_name = env[:node_name]
144
150
 
145
- # Don't continue if this node is already whitelisted or is not an element.
146
- return if env[:is_whitelisted] || !node.element?
151
+ # Don't continue if this node is already allowlisted or is not an element.
152
+ return if env[:is_allowlisted] || !node.element?
147
153
 
148
154
  # Don't continue unless the node is an iframe.
149
155
  return unless node_name == 'iframe'
@@ -164,42 +170,42 @@ describe 'Transformers' do
164
170
 
165
171
  # Now that we're sure that this is a valid YouTube embed and that there are
166
172
  # no unwanted elements or attributes hidden inside it, we can tell Sanitize
167
- # to whitelist the current node.
168
- {:node_whitelist => [node]}
173
+ # to allowlist the current node.
174
+ {:node_allowlist => [node]}
169
175
  end
170
176
 
171
177
  it 'should allow HTTP YouTube video embeds' do
172
178
  input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
173
179
 
174
- Sanitize.fragment(input, :transformers => youtube_transformer)
180
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
175
181
  .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
176
182
  end
177
183
 
178
184
  it 'should allow HTTPS YouTube video embeds' do
179
185
  input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
180
186
 
181
- Sanitize.fragment(input, :transformers => youtube_transformer)
187
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
182
188
  .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
183
189
  end
184
190
 
185
191
  it 'should allow protocol-relative YouTube video embeds' do
186
192
  input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
187
193
 
188
- Sanitize.fragment(input, :transformers => youtube_transformer)
194
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
189
195
  .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
190
196
  end
191
197
 
192
198
  it 'should allow privacy-enhanced YouTube video embeds' do
193
199
  input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
194
200
 
195
- Sanitize.fragment(input, :transformers => youtube_transformer)
201
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
196
202
  .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
197
203
  end
198
204
 
199
205
  it 'should not allow non-YouTube video embeds' do
200
206
  input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
201
207
 
202
- Sanitize.fragment(input, :transformers => youtube_transformer)
208
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
203
209
  .must_equal('')
204
210
  end
205
211
  end
@@ -217,7 +223,7 @@ describe 'Transformers' do
217
223
  it 'should allow the <b> tag to be changed to a <strong> tag' do
218
224
  input = '<b>text</b>'
219
225
 
220
- Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
226
+ _(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
221
227
  .must_equal '<strong>text</strong>'
222
228
  end
223
229
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.1.0
4
+ version: 6.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-09-08 00:00:00.000000000 Z
11
+ date: 2023-01-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: crass
@@ -30,59 +30,45 @@ dependencies:
30
30
  requirements:
31
31
  - - ">="
32
32
  - !ruby/object:Gem::Version
33
- version: 1.8.0
33
+ version: 1.12.0
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
- version: 1.8.0
41
- - !ruby/object:Gem::Dependency
42
- name: nokogumbo
43
- requirement: !ruby/object:Gem::Requirement
44
- requirements:
45
- - - "~>"
46
- - !ruby/object:Gem::Version
47
- version: '2.0'
48
- type: :runtime
49
- prerelease: false
50
- version_requirements: !ruby/object:Gem::Requirement
51
- requirements:
52
- - - "~>"
53
- - !ruby/object:Gem::Version
54
- version: '2.0'
40
+ version: 1.12.0
55
41
  - !ruby/object:Gem::Dependency
56
42
  name: minitest
57
43
  requirement: !ruby/object:Gem::Requirement
58
44
  requirements:
59
45
  - - "~>"
60
46
  - !ruby/object:Gem::Version
61
- version: 5.11.3
47
+ version: 5.14.4
62
48
  type: :development
63
49
  prerelease: false
64
50
  version_requirements: !ruby/object:Gem::Requirement
65
51
  requirements:
66
52
  - - "~>"
67
53
  - !ruby/object:Gem::Version
68
- version: 5.11.3
54
+ version: 5.14.4
69
55
  - !ruby/object:Gem::Dependency
70
56
  name: rake
71
57
  requirement: !ruby/object:Gem::Requirement
72
58
  requirements:
73
59
  - - "~>"
74
60
  - !ruby/object:Gem::Version
75
- version: 12.3.1
61
+ version: 13.0.6
76
62
  type: :development
77
63
  prerelease: false
78
64
  version_requirements: !ruby/object:Gem::Requirement
79
65
  requirements:
80
66
  - - "~>"
81
67
  - !ruby/object:Gem::Version
82
- version: 12.3.1
83
- description: Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of
84
- acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable
85
- HTML and/or CSS from a string.
68
+ version: 13.0.6
69
+ description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
70
+ HTML and/or CSS from a string except the elements, attributes, and properties you
71
+ choose to allow.
86
72
  email: ryan@wonko.com
87
73
  executables: []
88
74
  extensions: []
@@ -120,7 +106,7 @@ homepage: https://github.com/rgrove/sanitize/
120
106
  licenses:
121
107
  - MIT
122
108
  metadata: {}
123
- post_install_message:
109
+ post_install_message:
124
110
  rdoc_options: []
125
111
  require_paths:
126
112
  - lib
@@ -128,15 +114,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
128
114
  requirements:
129
115
  - - ">="
130
116
  - !ruby/object:Gem::Version
131
- version: 2.1.0
117
+ version: 2.5.0
132
118
  required_rubygems_version: !ruby/object:Gem::Requirement
133
119
  requirements:
134
120
  - - ">="
135
121
  - !ruby/object:Gem::Version
136
122
  version: 1.2.0
137
123
  requirements: []
138
- rubygems_version: 3.0.3
139
- signing_key:
124
+ rubygems_version: 3.4.1
125
+ signing_key:
140
126
  specification_version: 4
141
- summary: Whitelist-based HTML and CSS sanitizer.
127
+ summary: Allowlist-based HTML and CSS sanitizer.
142
128
  test_files: []