sanitize 5.2.1 → 6.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d1290690a9d32db9e06b8fb19c7e285c94a1d91ed51a4eb7e96389e427348d9
-  data.tar.gz: 5131063daf1763c83978954bed9ee3a783099e40aa71e50de26d06b8ae0c1054
+  metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
+  data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
 SHA512:
-  metadata.gz: bfcb7cda6aa70590f642583b41936bc09d8929210046cebdd0d0ff452ccb3213844b4c40d4e205e79c0cd64a2a0d56e16790e38f4c8f247b8abfa32dbec22297
-  data.tar.gz: 0ea5a6d6848f9a125f17e4e23145adff4d3c4ccfe30a3407466fae074ed33cbd4b1869eb5a9f0a72b808449b8cf166a3695c2a6d63b16a83b047fd260bfe50bd
+  metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
+  data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b

data/HISTORY.md

@@ -1,5 +1,135 @@
 # Sanitize History
 
+## 6.1.3 (2024-08-14)
+
+### Bug Fixes
+
+* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
+
+[242]:https://github.com/rgrove/sanitize/pull/242
+
+## 6.1.2 (2024-07-27)
+
+### Bug Fixes
+
+* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
+
+[240]:https://github.com/rgrove/sanitize/pull/240
+
+## 6.1.1 (2024-06-12)
+
+### Bug Fixes
+
+* Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [@flavorjones - #238][238]
+
+[238]:https://github.com/rgrove/sanitize/pull/238
+
+## 6.1.0 (2023-09-14)
+
+### Features
+
+* Added the `text-decoration-skip-ink` and `text-decoration-thickness` CSS properties to the relaxed config. [@martineriksson - #228][228]
+
+[228]:https://github.com/rgrove/sanitize/pull/228
+
+## 6.0.2 (2023-07-06)
+
+### Bug Fixes
+
+* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
+  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
+  6.0.1.
+
+  When using Sanitize's relaxed config or a custom config that allows `<style>`
+  elements and one or more CSS at-rules, carefully crafted input could be used
+  to sneak arbitrary HTML through Sanitize.
+
+  See the following security advisory for additional details:
+  [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
+
+  Thanks to @cure53 for finding this issue.
+
+## 6.0.1 (2023-01-27)
+
+### Bug Fixes
+
+* Sanitize now always removes `<noscript>` elements and their contents, even
+  when `noscript` is in the allowlist.
+
+  This fixes a sanitization bypass that could occur when `noscript` was allowed
+  by a custom allowlist. In this scenario, carefully crafted input could sneak
+  arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site
+  scripting) attack.
+
+  Sanitize's default configs don't allow `<noscript>` elements and are not
+  vulnerable. This issue only affects users who are using a custom config that
+  adds `noscript` to the element allowlist.
+
+  The root cause of this issue is that HTML parsing rules treat the contents of
+  a `<noscript>` element differently depending on whether scripting is enabled
+  in the user agent. Nokogiri doesn't support scripting so it follows the
+  "scripting disabled" rules, but a web browser with scripting enabled will
+  follow the "scripting enabled" rules. This means that Sanitize can't reliably
+  make the contents of a `<noscript>` element safe for scripting enabled
+  browsers, so the safest thing to do is to remove the element and its contents
+  entirely.
+
+  See the following security advisory for additional details:
+  [GHSA-fw3g-2h3j-qmm7](https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7)
+
+  Thanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias)
+  (@leeN) for reporting this issue.
+
+* Fixed an edge case in which the contents of an "unescaped text" element (such
+  as `<noembed>` or `<xmp>`) were not properly escaped if that element was
+  allowlisted and was also inside an allowlisted `<math>` or `<svg>` element.
+
+  The only way to encounter this situation was to ignore multiple warnings in
+  the readme and create a custom config that allowlisted all the elements
+  involved, including `<math>` or `<svg>`. If you're using a default config or
+  if you heeded the warnings about MathML and SVG not being supported, you're
+  not affected by this issue.
+
+  Please let this be a reminder that Sanitize cannot safely sanitize MathML or
+  SVG content and does not support this use case. The default configs don't
+  allow MathML or SVG elements, and allowlisting MathML or SVG elements in a
+  custom config may create a security vulnerability in your application.
+
+  Documentation has been updated to add more warnings and to make the existing
+  warnings about this more prominent.
+
+  Thanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias)
+  (@leeN) for reporting this issue.
+
+## 6.0.0 (2021-08-03)
+
+### Potentially Breaking Changes
+
+* Ruby 2.5.0 is now the oldest officially supported Ruby version.
+
+* Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo.
+  The separate dependency on Nokogumbo has been removed. [@lis2 - #211][211]
+
+[211]:https://github.com/rgrove/sanitize/pull/211
+
+## 5.2.3 (2021-01-11)
+
+### Bug Fixes
+
+* Ensure protocol sanitization is applied to data attributes.
+  [@ccutrer - #207][207]
+
+[207]:https://github.com/rgrove/sanitize/pull/207
+
+## 5.2.2 (2021-01-06)
+
+### Bug Fixes
+
+* Fixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a
+  custom transformer. [@mscrivo - #206][206]
+
+[206]:https://github.com/rgrove/sanitize/pull/206
+
 ## 5.2.1 (2020-06-16)
 
 ### Bug Fixes

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015 Ryan Grove <ryan@wonko.com>
+Copyright (c) 2021 Ryan Grove <ryan@wonko.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the 'Software'), to deal in

data/README.md

@@ -11,27 +11,26 @@ protocols within attributes that contain URLs. You can also allow specific CSS
 properties, @ rules, and URL protocols in elements or attributes containing CSS.
 Any HTML or CSS that you don't explicitly allow will be removed.
 
-Sanitize is based on [Google's Gumbo HTML5 parser][gumbo], which parses HTML
-exactly the same way modern browsers do, and [Crass][crass], which parses CSS
-exactly the same way modern browsers do. As long as your allowlist config only
-allows safe markup and CSS, even the most malformed or malicious input will be
-transformed into safe output.
+Sanitize is based on the [Nokogiri HTML5 parser][nokogiri], which parses HTML
+the same way modern browsers do, and [Crass][crass], which parses CSS the same
+way modern browsers do. As long as your allowlist config only allows safe markup
+and CSS, even the most malformed or malicious input will be transformed into
+safe output.
 
-[![Build Status](https://travis-ci.org/rgrove/sanitize.svg?branch=master)](https://travis-ci.org/rgrove/sanitize)
 [![Gem Version](https://badge.fury.io/rb/sanitize.svg)](http://badge.fury.io/rb/sanitize)
+[![Tests](https://github.com/rgrove/sanitize/workflows/Tests/badge.svg)](https://github.com/rgrove/sanitize/actions?query=workflow%3ATests)
 
 [crass]:https://github.com/rgrove/crass
-[gumbo]:https://github.com/google/gumbo-parser
+[nokogiri]:https://github.com/sparklemotion/nokogiri
 
 Links
 -----
 
 * [Home](https://github.com/rgrove/sanitize/)
-* [API Docs](http://rubydoc.info/github/rgrove/sanitize/master)
+* [API Docs](https://rubydoc.info/github/rgrove/sanitize/Sanitize)
 * [Issues](https://github.com/rgrove/sanitize/issues)
-* [Release History](https://github.com/rgrove/sanitize/blob/master/HISTORY.md#sanitize-history)
-* [Online Demo](https://sanitize.herokuapp.com/)
-* [Biased comparison of Ruby HTML sanitization libraries](https://github.com/rgrove/sanitize/blob/master/COMPARISON.md)
+* [Release History](https://github.com/rgrove/sanitize/releases)
+* [Online Demo](https://sanitize-web.fly.dev/)
 
 Installation
 -------------
@@ -72,10 +71,11 @@ Sanitize can sanitize the following types of input:
 * Standalone CSS stylesheets
 * Standalone CSS properties
 
-However, please note that Sanitize _cannot_ fully sanitize the contents of
-`<math>` or `<svg>` elements, since these elements don't follow the same parsing
-rules as the rest of HTML. If this is something you need, you may want to look
-for another solution.
+> **Warning**
+>
+> Sanitize cannot fully sanitize the contents of `<math>` or `<svg>` elements. MathML and SVG elements are [foreign elements](https://html.spec.whatwg.org/multipage/syntax.html#foreign-elements) that don't follow normal HTML parsing rules.
+>
+> By default, Sanitize will remove all MathML and SVG elements. If you add MathML or SVG elements to a custom element allowlist, you may create a security vulnerability in your application.
 
 ### HTML Fragments
 
@@ -118,11 +118,10 @@ Sanitize.document(html,
   :elements      => ['html']
 )
 # => %[
-#   <!DOCTYPE html>
-#   <html>foo
+#      <!DOCTYPE html><html>foo
 #
-#   </html>
-# ]
+#      </html>
+#    ]
 ```
 
 ### CSS in HTML
@@ -420,15 +419,21 @@ elements not in this array will be removed.
 ]
 ```
 
-**Warning:** Sanitize cannot fully sanitize the contents of `<math>` or `<svg>`
-elements, since these elements don't follow the same parsing rules as the rest
-of HTML. If you add `math` or `svg` to the allowlist, you must assume that any
-content inside them will be allowed, even if that content would otherwise be
-removed by Sanitize.
+> **Warning**
+>
+> Sanitize cannot fully sanitize the contents of `<math>` or `<svg>` elements. MathML and SVG elements are [foreign elements](https://html.spec.whatwg.org/multipage/syntax.html#foreign-elements) that don't follow normal HTML parsing rules.
+>
+> By default, Sanitize will remove all MathML and SVG elements. If you add MathML or SVG elements to a custom element allowlist, you must assume that any content inside them will be allowed, even if that content would otherwise be removed or escaped by Sanitize. This may create a security vulnerability in your application.
+
+> **Note**
+>
+> Sanitize always removes `<noscript>` elements and their contents, even if `noscript` is in the allowlist.
+>
+> This is because a `<noscript>` element's content is parsed differently in browsers depending on whether or not scripting is enabled. Since Nokogiri doesn't support scripting, it always parses `<noscript>` elements as if scripting is disabled. This results in edge cases where it's not possible to reliably sanitize the contents of a `<noscript>` element because Nokogiri can't fully replicate the parsing behavior of a scripting-enabled browser.
 
 #### :parser_options (Hash)
 
-[Parsing options](https://github.com/rubys/nokogumbo/tree/v2.0.1#parsing-options) supplied to `nokogumbo`.
+[Parsing options](https://github.com/rubys/nokogumbo/tree/master#parsing-options) to be supplied to `nokogumbo`.
 
 ```ruby
 :parser_options => {
@@ -469,7 +474,7 @@ If this is an Array or Set of element names, then only the contents of the
 specified elements (when filtered) will be removed, and the contents of all
 other filtered elements will be left behind.
 
-The default value is `false`.
+The default value is `%w[iframe math noembed noframes noscript plaintext script style svg xmp]`.
 
 #### :transformers (Array or callable)
 
@@ -667,25 +672,3 @@ html = %[
 Sanitize.fragment(html, :transformers => youtube_transformer)
 # => '<iframe width="420" height="315" src="//www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen=""></iframe>'
 ```
-
-License
--------
-
-Copyright (c) 2015 Ryan Grove (ryan@wonko.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the 'Software'), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/sanitize/config/default.rb

@@ -54,6 +54,11 @@ class Sanitize
 
       # HTML elements to allow. By default, no elements are allowed (which means
       # that all HTML will be stripped).
+      #
+      # Warning: Sanitize cannot safely sanitize the contents of foreign
+      # elements (elements in the MathML or SVG namespaces). Do not add `math`
+      # or `svg` to this list! If you do, you may create a security
+      # vulnerability in your application.
       :elements => [],
 
       # HTML parsing options to pass to Nokogumbo.

data/lib/sanitize/config/relaxed.rb

@@ -6,7 +6,7 @@ class Sanitize
       :elements => BASIC[:elements] + %w[
         address article aside bdi bdo body caption col colgroup data del div
         figcaption figure footer h1 h2 h3 h4 h5 h6 head header hgroup hr html
-        img ins main nav rp rt ruby section span style summary sup table tbody
+        img ins main nav rp rt ruby section span style summary table tbody
         td tfoot th thead title tr wbr
       ],
 
@@ -666,7 +666,9 @@ class Sanitize
           text-decoration-color
           text-decoration-line
           text-decoration-skip
+          text-decoration-skip-ink
           text-decoration-style
+          text-decoration-thickness
           text-emphasis
           text-emphasis-color
           text-emphasis-position

data/lib/sanitize/css.rb

@@ -229,6 +229,12 @@ class Sanitize; class CSS
     rule
   end
 
+  # Returns `true` if the given CSS function name is an image-related function
+  # that may contain image URLs that need to be validated.
+  def image_function?(name)
+    ['image', 'image-set', '-webkit-image-set'].include?(name)
+  end
+
   # Passes the URL value of an @import rule to a block to ensure
   # it's an allowed URL
   def import_url_allowed?(rule)
@@ -272,6 +278,10 @@ class Sanitize; class CSS
             return nil unless valid_url?(child)
           end
 
+          if image_function?(name)
+            return nil unless valid_image?(child)
+          end
+
           combined_value << name
           return nil if name == 'expression' || combined_value == 'expression'
         end
@@ -345,4 +355,27 @@ class Sanitize; class CSS
     false
   end
 
+  # Returns `true` if the given node is an image-related function and contains
+  # only strings that use an allowlisted protocol.
+  def valid_image?(node)
+    return false unless node[:node] == :function
+    return false unless node.key?(:name) && image_function?(node[:name].downcase)
+    return false unless Array === node[:value]
+
+    node[:value].each do |token|
+        return false unless Hash === token
+
+        case token[:node]
+          when :string
+            if token[:value] =~ Sanitize::REGEX_PROTOCOL
+              return false unless @config[:protocols].include?($1.downcase)
+            else
+              return false unless @config[:protocols].include?(:relative)
+            end
+          else
+            next
+        end
+      end
+  end
+
 end; end

data/lib/sanitize/transformers/clean_css.rb

@@ -48,6 +48,7 @@ class CleanElement
     if css.strip.empty?
       node.unlink
     else
+      css.gsub!('</', '<\/')
       node.children.unlink
       node << Nokogiri::XML::Text.new(css, node.document)
     end

data/lib/sanitize/transformers/clean_doctype.rb

@@ -9,7 +9,11 @@ class Sanitize; module Transformers
 
     if node.type == Nokogiri::XML::Node::DTD_NODE
       if env[:config][:allow_doctype]
-        node.name = 'html'
+        if node.name != "html"
+          document = node.document
+          node.unlink
+          document.create_internal_subset("html", nil, nil)
+        end
       else
         node.unlink
       end

data/lib/sanitize/transformers/clean_element.rb

@@ -1,5 +1,6 @@
 # encoding: utf-8
 
+require 'cgi'
 require 'set'
 
 class Sanitize; module Transformers; class CleanElement
@@ -18,6 +19,18 @@ class Sanitize; module Transformers; class CleanElement
   # http://www.whatwg.org/specs/web-apps/current-work/multipage/elements.html#embedding-custom-non-visible-data-with-the-data-*-attributes
   REGEX_DATA_ATTR = /\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u
 
+  # Elements whose content is treated as unescaped text by HTML parsers.
+  UNESCAPED_TEXT_ELEMENTS = Set.new(%w[
+    iframe
+    noembed
+    noframes
+    noscript
+    plaintext
+    script
+    style
+    xmp
+  ])
+
   # Attributes that need additional escaping on `<a>` elements due to unsafe
   # libxml2 behavior.
   UNSAFE_LIBXML_ATTRS_A = Set.new(%w[
@@ -120,18 +133,15 @@ class Sanitize; module Transformers; class CleanElement
         attr_name = attr.name.downcase
 
         unless attr_allowlist.include?(attr_name)
-          # The attribute isn't allowed.
-
-          if allow_data_attributes && attr_name.start_with?('data-')
-            # Arbitrary data attributes are allowed. If this is a data
-            # attribute, continue.
-            next if attr_name =~ REGEX_DATA_ATTR
+          # The attribute isn't in the allowlist, but may still be allowed if
+          # it's a data attribute.
+
+          unless allow_data_attributes && attr_name.start_with?('data-') && attr_name =~ REGEX_DATA_ATTR
+            # Either the attribute isn't a data attribute or arbitrary data
+            # attributes aren't allowed. Remove the attribute.
+            attr.unlink
+            next
           end
-
-          # Either the attribute isn't a data attribute or arbitrary data
-          # attributes aren't allowed. Remove the attribute.
-          attr.unlink
-          next
         end
 
         # The attribute is allowed.
@@ -188,6 +198,28 @@ class Sanitize; module Transformers; class CleanElement
       @add_attributes[name].each {|key, val| node[key] = val }
     end
 
+    # Make a best effort to ensure that text nodes in invalid "unescaped text"
+    # elements that are inside a math or svg namespace are properly escaped so
+    # that they don't get parsed as HTML.
+    #
+    # Sanitize is explicitly documented as not supporting MathML or SVG, but
+    # people sometimes allow `<math>` and `<svg>` elements in their custom
+    # configs without realizing that it's not safe. This workaround makes it
+    # slightly less unsafe, but you still shouldn't allow `<math>` or `<svg>`
+    # because Nokogiri doesn't parse them the same way browsers do and Sanitize
+    # can't guarantee that their contents are safe.
+    unless node.namespace.nil?
+      prefix = node.namespace.prefix
+
+      if (prefix == 'math' || prefix == 'svg') && UNESCAPED_TEXT_ELEMENTS.include?(name)
+        node.children.each do |child|
+          if child.type == Nokogiri::XML::Node::TEXT_NODE
+            child.content = CGI.escapeHTML(child.content)
+          end
+        end
+      end
+    end
+
     # Element-specific special cases.
     case name
 
@@ -220,6 +252,16 @@ class Sanitize; module Transformers; class CleanElement
 
         node['content'] = node['content'].gsub(/;\s*charset\s*=.+\z/, ';charset=utf-8')
       end
+
+    # A `<noscript>` element's content is parsed differently in browsers
+    # depending on whether or not scripting is enabled. Since Nokogiri doesn't
+    # support scripting, it always parses `<noscript>` elements as if scripting
+    # is disabled. This results in edge cases where it's not possible to
+    # reliably sanitize the contents of a `<noscript>` element because Nokogiri
+    # can't fully replicate the parsing behavior of a scripting-enabled browser.
+    # The safest thing to do is to simply remove all `<noscript>` elements.
+    when 'noscript'
+      node.unlink
     end
   end
 

data/lib/sanitize/version.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 class Sanitize
-  VERSION = '5.2.1'
+  VERSION = '6.1.3'
 end

data/lib/sanitize.rb

@@ -1,6 +1,6 @@
 # encoding: utf-8
 
-require 'nokogumbo'
+require 'nokogiri'
 require 'set'
 
 require_relative 'sanitize/version'
@@ -204,7 +204,7 @@ class Sanitize
       config[:node_name] = node.name.downcase
       config[:node_allowlist] = config[:node_whitelist] = node_allowlist
 
-      result = transformer.call(config)
+      result = transformer.call(**config)
 
       if result.is_a?(Hash)
         result_allowlist = result[:node_allowlist] || result[:node_whitelist]

data/test/test_clean_comment.rb

@@ -11,18 +11,18 @@ describe 'Sanitize::Transformers::CleanComment' do
     end
 
     it 'should remove comments' do
-      @s.fragment('foo <!-- comment --> bar').must_equal 'foo  bar'
-      @s.fragment('foo <!-- ').must_equal 'foo '
-      @s.fragment('foo <!-- - -> bar').must_equal 'foo '
-      @s.fragment("foo <!--\n\n\n\n-->bar").must_equal 'foo bar'
-      @s.fragment("foo <!-- <!-- <!-- --> --> -->bar").must_equal 'foo  --&gt; --&gt;bar'
-      @s.fragment("foo <div <!-- comment -->>bar</div>").must_equal 'foo <div>&gt;bar</div>'
+      _(@s.fragment('foo <!-- comment --> bar')).must_equal 'foo  bar'
+      _(@s.fragment('foo <!-- ')).must_equal 'foo '
+      _(@s.fragment('foo <!-- - -> bar')).must_equal 'foo '
+      _(@s.fragment("foo <!--\n\n\n\n-->bar")).must_equal 'foo bar'
+      _(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal 'foo  --&gt; --&gt;bar'
+      _(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal 'foo <div>&gt;bar</div>'
 
       # Special case: the comment markup is inside a <script>, which makes it
       # text content and not an actual HTML comment.
-      @s.fragment("<script><!-- comment --></script>").must_equal ''
+      _(@s.fragment("<script><!-- comment --></script>")).must_equal ''
 
-      Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => false, :elements => ['script'])
+      _(Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => false, :elements => ['script']))
         .must_equal '<script><!-- comment --></script>'
     end
   end
@@ -33,14 +33,14 @@ describe 'Sanitize::Transformers::CleanComment' do
     end
 
     it 'should allow comments' do
-      @s.fragment('foo <!-- comment --> bar').must_equal 'foo <!-- comment --> bar'
-      @s.fragment('foo <!-- ').must_equal 'foo <!-- -->'
-      @s.fragment('foo <!-- - -> bar').must_equal 'foo <!-- - -> bar-->'
-      @s.fragment("foo <!--\n\n\n\n-->bar").must_equal "foo <!--\n\n\n\n-->bar"
-      @s.fragment("foo <!-- <!-- <!-- --> --> -->bar").must_equal 'foo <!-- <!-- <!-- --> --&gt; --&gt;bar'
-      @s.fragment("foo <div <!-- comment -->>bar</div>").must_equal 'foo <div>&gt;bar</div>'
-
-      Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => true, :elements => ['script'])
+      _(@s.fragment('foo <!-- comment --> bar')).must_equal 'foo <!-- comment --> bar'
+      _(@s.fragment('foo <!-- ')).must_equal 'foo <!-- -->'
+      _(@s.fragment('foo <!-- - -> bar')).must_equal 'foo <!-- - -> bar-->'
+      _(@s.fragment("foo <!--\n\n\n\n-->bar")).must_equal "foo <!--\n\n\n\n-->bar"
+      _(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal 'foo <!-- <!-- <!-- --> --&gt; --&gt;bar'
+      _(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal 'foo <div>&gt;bar</div>'
+
+      _(Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => true, :elements => ['script']))
         .must_equal '<script><!-- comment --></script>'
     end
   end

data/test/test_clean_css.rb

@@ -10,15 +10,15 @@ describe 'Sanitize::Transformers::CSS::CleanAttribute' do
   end
 
   it 'should sanitize CSS properties in style attributes' do
-    @s.fragment(%[
+    _(@s.fragment(%[
       <div style="color: #fff; width: expression(alert(1)); /* <-- evil! */"></div>
-    ].strip).must_equal %[
+    ].strip)).must_equal %[
       <div style="color: #fff;  /* <-- evil! */"></div>
     ].strip
   end
 
   it 'should remove the style attribute if the sanitized CSS is empty' do
-    @s.fragment('<div style="width: expression(alert(1))"></div>').
+    _(@s.fragment('<div style="width: expression(alert(1))"></div>')).
       must_equal '<div></div>'
   end
 end
@@ -46,7 +46,7 @@ describe 'Sanitize::Transformers::CSS::CleanElement' do
       </style>
     ].strip
 
-    @s.fragment(html).must_equal %[
+    _(@s.fragment(html)).must_equal %[
       <style>
       /* Yay CSS! */
       .foo { color: #fff; }
@@ -62,6 +62,6 @@ describe 'Sanitize::Transformers::CSS::CleanElement' do
   end
 
   it 'should remove the <style> element if the sanitized CSS is empty' do
-    @s.fragment('<style></style>').must_equal ''
+    _(@s.fragment('<style></style>')).must_equal ''
   end
 end