sanitize 5.2.1 → 5.2.3
- checksums.yaml +4 -4
- data/HISTORY.md +18 -0
- data/README.md +2 -2
- data/lib/sanitize/config/relaxed.rb +1 -1
- data/lib/sanitize/transformers/clean_element.rb +8 -11
- data/lib/sanitize/version.rb +1 -1
- data/lib/sanitize.rb +1 -1
- data/test/test_clean_element.rb +16 -0
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6ca971107ac89b0f3ce8523e5377c9f476d117a954c5a56af4b92dc926fc6ad8
|
4
|
+
data.tar.gz: ce25b03a97cd03958ec2a9698154a01b8b2b6f21e9e9bf3f118ba2bcee414f77
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0b6f4f1b6ea5bc243f6246d8490dfae58508058e7f16c3a78c12fd1b6edeee2a468e877f93bc7e2a868f6af151c2cf039ea1cc46e10b3404a7433bca3367b16b
|
7
|
+
data.tar.gz: 1abcace0d5409a63b815330b7e3533ac2e08b09a8a8dfef70d07296a898e51c7f9303d1f5218c55fe93651414f867f1bbc3725f87fbfe0acfa68910fbff7b399
|
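--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,5 +1,23 @@
 # Sanitize History
 
+## 5.2.3 (2021-01-11)
+
+### Bug Fixes
+
+* Ensure protocol sanitization is applied to data attributes.
+[@ccutrer - #207][207]
+
+[207]:https://github.com/rgrove/sanitize/pull/207
+
+## 5.2.2 (2021-01-06)
+
+### Bug Fixes
+
+* Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a
+custom transformer. [@mscrivo - #206][206]
+
+[206]:https://github.com/rgrove/sanitize/pull/206
+
 ## 5.2.1 (2020-06-16)
 
 ### Bug Fixes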
data/README.md
CHANGED
@@ -17,8 +17,8 @@ exactly the same way modern browsers do. As long as your allowlist config only
|
|
17
17
|
allows safe markup and CSS, even the most malformed or malicious input will be
|
18
18
|
transformed into safe output.
|
19
19
|
|
20
|
-
[![Build Status](https://travis-ci.org/rgrove/sanitize.svg?branch=master)](https://travis-ci.org/rgrove/sanitize)
|
21
20
|
[![Gem Version](https://badge.fury.io/rb/sanitize.svg)](http://badge.fury.io/rb/sanitize)
|
21
|
+
[![Tests](https://github.com/rgrove/sanitize/workflows/Tests/badge.svg)](https://github.com/rgrove/sanitize/actions?query=workflow%3ATests)
|
22
22
|
|
23
23
|
[crass]:https://github.com/rgrove/crass
|
24
24
|
[gumbo]:https://github.com/google/gumbo-parser
|
@@ -469,7 +469,7 @@ If this is an Array or Set of element names, then only the contents of the
|
|
469
469
|
specified elements (when filtered) will be removed, and the contents of all
|
470
470
|
other filtered elements will be left behind.
|
471
471
|
|
472
|
-
The default value is
|
472
|
+
The default value is `%w[iframe math noembed noframes noscript plaintext script style svg xmp]`.
|
473
473
|
|
474
474
|
#### :transformers (Array or callable)
|
475
475
|
|
@@ -6,7 +6,7 @@ class Sanitize
|
|
6
6
|
:elements => BASIC[:elements] + %w[
|
7
7
|
address article aside bdi bdo body caption col colgroup data del div
|
8
8
|
figcaption figure footer h1 h2 h3 h4 h5 h6 head header hgroup hr html
|
9
|
-
img ins main nav rp rt ruby section span style summary
|
9
|
+
img ins main nav rp rt ruby section span style summary table tbody
|
10
10
|
td tfoot th thead title tr wbr
|
11
11
|
],
|
12
12
|
|
@@ -120,18 +120,15 @@ class Sanitize; module Transformers; class CleanElement
|
|
120
120
|
attr_name = attr.name.downcase
|
121
121
|
|
122
122
|
unless attr_allowlist.include?(attr_name)
|
123
|
-
# The attribute isn't allowed
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
# attribute
|
128
|
-
|
123
|
+
# The attribute isn't in the allowlist, but may still be allowed if
|
124
|
+
# it's a data attribute.
|
125
|
+
|
126
|
+
unless allow_data_attributes && attr_name.start_with?('data-') && attr_name =~ REGEX_DATA_ATTR
|
127
|
+
# Either the attribute isn't a data attribute or arbitrary data
|
128
|
+
# attributes aren't allowed. Remove the attribute.
|
129
|
+
attr.unlink
|
130
|
+
next
|
129
131
|
end
|
130
|
-
|
131
|
-
# Either the attribute isn't a data attribute or arbitrary data
|
132
|
-
# attributes aren't allowed. Remove the attribute.
|
133
|
-
attr.unlink
|
134
|
-
next
|
135
132
|
end
|
136
133
|
|
137
134
|
# The attribute is allowed.
|
data/lib/sanitize/version.rb
CHANGED
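--- a/data/lib/sanitize.rb
+++ b/data/lib/sanitize.rb
@@ -204,7 +204,7 @@ class Sanitize
 config[:node_name] = node.name.downcase
 config[:node_allowlist] = config[:node_whitelist] = node_allowlist
 
-result = transformer.call(config)
+result = transformer.call(**config)
 
 if result.is_a?(Hash)
 result_allowlist = result[:node_allowlist] || result[:node_whitelist]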
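--- a/data/test/test_clean_element.rb
+++ b/data/test/test_clean_element.rb
@@ -491,6 +491,22 @@ describe 'Sanitize::Transformers::CleanElement' do
 }).must_equal "<a>Text</a>"
 end
 
+it 'should sanitize protocols in data attributes even if data attributes are generically allowed' do
+input = '<a data-url="mailto:someone@example.com">Text</a>'
+
+Sanitize.fragment(input, {
+:elements => ['a'],
+:attributes => {'a' => [:data]},
+:protocols => {'a' => {'data-url' => ['https']}}
+}).must_equal "<a>Text</a>"
+
+Sanitize.fragment(input, {
+:elements => ['a'],
+:attributes => {'a' => [:data]},
+:protocols => {'a' => {'data-url' => ['mailto']}}
+}).must_equal input
+end
+
 it 'should prevent `<meta>` tags from being used to set a non-UTF-8 charset' do
 Sanitize.document('<html><head><meta charset="utf-8"></head><body>Howdy!</body></html>',
 :elements => %w[html head meta body],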
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sanitize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryan Grove
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-01-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: crass
|
@@ -120,7 +120,7 @@ homepage: https://github.com/rgrove/sanitize/
|
|
120
120
|
licenses:
|
121
121
|
- MIT
|
122
122
|
metadata: {}
|
123
|
-
post_install_message:
|
123
|
+
post_install_message:
|
124
124
|
rdoc_options: []
|
125
125
|
require_paths:
|
126
126
|
- lib
|
@@ -135,8 +135,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
135
135
|
- !ruby/object:Gem::Version
|
136
136
|
version: 1.2.0
|
137
137
|
requirements: []
|
138
|
-
rubygems_version: 3.
|
139
|
-
signing_key:
|
138
|
+
rubygems_version: 3.2.3
|
139
|
+
signing_key:
|
140
140
|
specification_version: 4
|
141
141
|
summary: Allowlist-based HTML and CSS sanitizer.
|
142
142
|
test_files: []
|