sanitize 5.2.3 → 6.0.2

@@ -16,9 +16,9 @@ describe 'Sanitize::CSS' do
16
16
  it 'should sanitize CSS properties' do
17
17
  css = 'background: #fff; width: expression(alert("hi"));'
18
18
 
19
- @default.properties(css).must_equal ' '
20
- @relaxed.properties(css).must_equal 'background: #fff; '
21
- @custom.properties(css).must_equal 'background: #fff; '
19
+ _(@default.properties(css)).must_equal ' '
20
+ _(@relaxed.properties(css)).must_equal 'background: #fff; '
21
+ _(@custom.properties(css)).must_equal 'background: #fff; '
22
22
  end
23
23
 
24
24
  it 'should allow allowlisted URL protocols' do
@@ -30,9 +30,9 @@ describe 'Sanitize::CSS' do
30
30
  "background: url(https://example.com/https.jpg)",
31
31
  "background: url('https://example.com/https.jpg')",
32
32
  ].each do |css|
33
- @default.properties(css).must_equal ''
34
- @relaxed.properties(css).must_equal css
35
- @custom.properties(css).must_equal ''
33
+ _(@default.properties(css)).must_equal ''
34
+ _(@relaxed.properties(css)).must_equal css
35
+ _(@custom.properties(css)).must_equal ''
36
36
  end
37
37
  end
38
38
 
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
46
46
  "background: url('javas\\\ncript:alert(0)')",
47
47
  "background: url('java\\0script:foo')"
48
48
  ].each do |css|
49
- @default.properties(css).must_equal ''
50
- @relaxed.properties(css).must_equal ''
51
- @custom.properties(css).must_equal ''
49
+ _(@default.properties(css)).must_equal ''
50
+ _(@relaxed.properties(css)).must_equal ''
51
+ _(@custom.properties(css)).must_equal ''
52
52
  end
53
53
  end
54
54
 
55
55
  it 'should not allow -moz-binding' do
56
56
  css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
57
57
 
58
- @default.properties(css).must_equal ''
59
- @relaxed.properties(css).must_equal ''
60
- @custom.properties(css).must_equal ''
58
+ _(@default.properties(css)).must_equal ''
59
+ _(@relaxed.properties(css)).must_equal ''
60
+ _(@custom.properties(css)).must_equal ''
61
61
  end
62
62
 
63
63
  it 'should not allow expressions' do
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
69
69
  "xss:expression(alert(1))",
70
70
  "height: foo(expression(alert(1)));"
71
71
  ].each do |css|
72
- @default.properties(css).must_equal ''
73
- @relaxed.properties(css).must_equal ''
74
- @custom.properties(css).must_equal ''
72
+ _(@default.properties(css)).must_equal ''
73
+ _(@relaxed.properties(css)).must_equal ''
74
+ _(@custom.properties(css)).must_equal ''
75
75
  end
76
76
  end
77
77
 
78
78
  it 'should not allow behaviors' do
79
79
  css = "behavior: url(xss.htc);"
80
80
 
81
- @default.properties(css).must_equal ''
82
- @relaxed.properties(css).must_equal ''
83
- @custom.properties(css).must_equal ''
81
+ _(@default.properties(css)).must_equal ''
82
+ _(@relaxed.properties(css)).must_equal ''
83
+ _(@custom.properties(css)).must_equal ''
84
84
  end
85
85
 
86
86
  describe 'when :allow_comments is true' do
87
87
  it 'should preserve comments' do
88
- @relaxed.properties('color: #fff; /* comment */ width: 100px;')
88
+ _(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
89
89
  .must_equal 'color: #fff; /* comment */ width: 100px;'
90
90
 
91
- @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
91
+ _(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
92
92
  .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
93
93
  end
94
94
  end
95
95
 
96
96
  describe 'when :allow_comments is false' do
97
97
  it 'should strip comments' do
98
- @custom.properties('color: #fff; /* comment */ width: 100px;')
98
+ _(@custom.properties('color: #fff; /* comment */ width: 100px;'))
99
99
  .must_equal 'color: #fff; width: 100px;'
100
100
 
101
- @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
101
+ _(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
102
102
  .must_equal 'color: #fff; width: 100px;'
103
103
  end
104
104
  end
105
105
 
106
106
  describe 'when :allow_hacks is true' do
107
107
  it 'should allow common CSS hacks' do
108
- @relaxed.properties('_border: 1px solid #fff; *width: 10px')
108
+ _(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
109
109
  .must_equal '_border: 1px solid #fff; *width: 10px'
110
110
  end
111
111
  end
112
112
 
113
113
  describe 'when :allow_hacks is false' do
114
114
  it 'should not allow common CSS hacks' do
115
- @custom.properties('_border: 1px solid #fff; *width: 10px')
115
+ _(@custom.properties('_border: 1px solid #fff; *width: 10px'))
116
116
  .must_equal ' '
117
117
  end
118
118
  end
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
131
131
  }
132
132
  ].strip
133
133
 
134
- @default.stylesheet(css).strip.must_equal %[
134
+ _(@default.stylesheet(css).strip).must_equal %[
135
135
  .foo { }
136
136
  #bar { }
137
137
  ].strip
138
138
 
139
- @relaxed.stylesheet(css).must_equal css
139
+ _(@relaxed.stylesheet(css)).must_equal css
140
140
 
141
- @custom.stylesheet(css).strip.must_equal %[
141
+ _(@custom.stylesheet(css).strip).must_equal %[
142
142
  .foo { color: #fff; }
143
143
  #bar { }
144
144
  ].strip
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
146
146
 
147
147
  describe 'when :allow_comments is true' do
148
148
  it 'should preserve comments' do
149
- @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
149
+ _(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
150
150
  .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
151
151
 
152
- @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
152
+ _(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
153
153
  .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
154
154
  end
155
155
  end
156
156
 
157
157
  describe 'when :allow_comments is false' do
158
158
  it 'should strip comments' do
159
- @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
159
+ _(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
160
160
  .must_equal '.foo { color: #fff; width: 100px; }'
161
161
 
162
- @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
162
+ _(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
163
163
  .must_equal '.foo { color: #fff; width: 100px; }'
164
164
  end
165
165
  end
166
166
 
167
167
  describe 'when :allow_hacks is true' do
168
168
  it 'should allow common CSS hacks' do
169
- @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
169
+ _(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
170
170
  .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
171
171
  end
172
172
  end
173
173
 
174
174
  describe 'when :allow_hacks is false' do
175
175
  it 'should not allow common CSS hacks' do
176
- @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
176
+ _(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
177
177
  .must_equal '.foo { }'
178
178
  end
179
179
  end
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
185
185
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
186
186
  "#bar { top: 125px; background: green; }")
187
187
 
188
- @custom.tree!(tree).must_be_same_as tree
188
+ _(@custom.tree!(tree)).must_be_same_as tree
189
189
 
190
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
190
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
191
191
  ".foo { background: #fff; }\n" <<
192
192
  "#bar { background: green; }"
193
193
  end
@@ -199,9 +199,9 @@ describe 'Sanitize::CSS' do
199
199
  it 'should sanitize CSS properties with the given config' do
200
200
  css = 'background: #fff; width: expression(alert("hi"));'
201
201
 
202
- Sanitize::CSS.properties(css).must_equal ' '
203
- Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
204
- Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
202
+ _(Sanitize::CSS.properties(css)).must_equal ' '
203
+ _(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
204
+ _(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
205
205
  end
206
206
  end
207
207
 
@@ -218,14 +218,14 @@ describe 'Sanitize::CSS' do
218
218
  }
219
219
  ].strip
220
220
 
221
- Sanitize::CSS.stylesheet(css).strip.must_equal %[
221
+ _(Sanitize::CSS.stylesheet(css).strip).must_equal %[
222
222
  .foo { }
223
223
  #bar { }
224
224
  ].strip
225
225
 
226
- Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
226
+ _(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
227
227
 
228
- Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
228
+ _(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
229
229
  .foo { color: #fff; }
230
230
  #bar { }
231
231
  ].strip
@@ -238,9 +238,9 @@ describe 'Sanitize::CSS' do
238
238
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
239
239
  "#bar { top: 125px; background: green; }")
240
240
 
241
- Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
241
+ _(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
242
242
 
243
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
243
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
244
244
  ".foo { background: #fff; }\n" <<
245
245
  "#bar { background: green; }"
246
246
  end
@@ -256,7 +256,7 @@ describe 'Sanitize::CSS' do
256
256
  # https://github.com/rgrove/sanitize/issues/121
257
257
  it 'should parse the contents of @media rules properly' do
258
258
  css = '@media { p[class="center"] { text-align: center; }}'
259
- @relaxed.stylesheet(css).must_equal css
259
+ _(@relaxed.stylesheet(css)).must_equal css
260
260
 
261
261
  css = %[
262
262
  @media (max-width: 720px) {
@@ -269,7 +269,7 @@ describe 'Sanitize::CSS' do
269
269
  }
270
270
  ].strip
271
271
 
272
- @relaxed.stylesheet(css).must_equal %[
272
+ _(@relaxed.stylesheet(css)).must_equal %[
273
273
  @media (max-width: 720px) {
274
274
  p.foo > .bar { float: right; }
275
275
  #baz { color: green; }
@@ -303,7 +303,7 @@ describe 'Sanitize::CSS' do
303
303
  }
304
304
  ].strip
305
305
 
306
- @relaxed.stylesheet(css).must_equal css
306
+ _(@relaxed.stylesheet(css)).must_equal css
307
307
  end
308
308
 
309
309
  describe ":at_rules" do
@@ -314,7 +314,7 @@ describe 'Sanitize::CSS' do
314
314
  .foo { color: green; }
315
315
  ].strip
316
316
 
317
- @relaxed.stylesheet(css).strip.must_equal %[
317
+ _(@relaxed.stylesheet(css).strip).must_equal %[
318
318
  .foo { color: green; }
319
319
  ].strip
320
320
  end
@@ -333,7 +333,7 @@ describe 'Sanitize::CSS' do
333
333
  .foo { color: green; }
334
334
  ].strip
335
335
 
336
- @scss.stylesheet(css).must_equal %[
336
+ _(@scss.stylesheet(css)).must_equal %[
337
337
  @charset 'utf-8';
338
338
  @import url('foo.css');
339
339
  .foo { color: green; }
@@ -347,7 +347,7 @@ describe 'Sanitize::CSS' do
347
347
  .foo { color: green; }
348
348
  ].strip
349
349
 
350
- @scss.stylesheet(css).strip.must_equal %[
350
+ _(@scss.stylesheet(css).strip).must_equal %[
351
351
  .foo { color: green; }
352
352
  ].strip
353
353
  end
@@ -367,7 +367,7 @@ describe 'Sanitize::CSS' do
367
367
  @import url('https://somesite.com/something.css');
368
368
  ].strip
369
369
 
370
- @scss.stylesheet(css).strip.must_equal %[
370
+ _(@scss.stylesheet(css).strip).must_equal %[
371
371
  @import url('https://somesite.com/something.css');
372
372
  ].strip
373
373
  end
@@ -388,7 +388,7 @@ describe 'Sanitize::CSS' do
388
388
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
389
389
  ].strip
390
390
 
391
- @scss.stylesheet(css).strip.must_equal %[
391
+ _(@scss.stylesheet(css).strip).must_equal %[
392
392
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
393
393
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
394
394
  ].strip
@@ -401,7 +401,7 @@ describe 'Sanitize::CSS' do
401
401
  @import url('https://nastysite.com/nasty_hax0r.css');
402
402
  ].strip
403
403
 
404
- @scss.stylesheet(css).strip.must_equal %[
404
+ _(@scss.stylesheet(css).strip).must_equal %[
405
405
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
406
406
  ].strip
407
407
  end
@@ -413,7 +413,7 @@ describe 'Sanitize::CSS' do
413
413
  @import url('');
414
414
  ].strip
415
415
 
416
- @scss.stylesheet(css).strip.must_equal %[
416
+ _(@scss.stylesheet(css).strip).must_equal %[
417
417
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
418
418
  ].strip
419
419
  end
@@ -11,14 +11,14 @@ describe 'Transformers' do
11
11
  :transformers => lambda {|env|
12
12
  return unless env[:node].element?
13
13
 
14
- env[:config][:foo].must_equal :bar
15
- env[:is_allowlisted].must_equal false
16
- env[:is_whitelisted].must_equal env[:is_allowlisted]
17
- env[:node].must_be_kind_of Nokogiri::XML::Node
18
- env[:node_name].must_equal 'span'
19
- env[:node_allowlist].must_be_kind_of Set
20
- env[:node_allowlist].must_be_empty
21
- env[:node_whitelist].must_equal env[:node_allowlist]
14
+ _(env[:config][:foo]).must_equal :bar
15
+ _(env[:is_allowlisted]).must_equal false
16
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
17
+ _(env[:node]).must_be_kind_of Nokogiri::XML::Node
18
+ _(env[:node_name]).must_equal 'span'
19
+ _(env[:node_allowlist]).must_be_kind_of Set
20
+ _(env[:node_allowlist]).must_be_empty
21
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
22
22
  }
23
23
  )
24
24
  end
@@ -30,7 +30,7 @@ describe 'Transformers' do
30
30
  :transformers => proc {|env| nodes << env[:node_name] }
31
31
  )
32
32
 
33
- nodes.must_equal %w[
33
+ _(nodes).must_equal %w[
34
34
  #document-fragment div text text text comment script text
35
35
  ]
36
36
  end
@@ -42,25 +42,25 @@ describe 'Transformers' do
42
42
  :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
43
43
  )
44
44
 
45
- nodes.must_equal %w[div span strong b p]
45
+ _(nodes).must_equal %w[div span strong b p]
46
46
  end
47
47
 
48
48
  it 'should allowlist nodes in the node allowlist' do
49
- Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
49
+ _(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
50
50
  :transformers => [
51
51
  proc {|env|
52
52
  {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
53
53
  },
54
54
 
55
55
  proc {|env|
56
- env[:is_allowlisted].must_equal false unless env[:node_name] == 'div'
57
- env[:is_allowlisted].must_equal true if env[:node_name] == 'div'
58
- env[:node_allowlist].must_include env[:node] if env[:node_name] == 'div'
59
- env[:is_whitelisted].must_equal env[:is_allowlisted]
60
- env[:node_whitelist].must_equal env[:node_allowlist]
56
+ _(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
57
+ _(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
58
+ _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
59
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
60
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
61
61
  }
62
62
  ]
63
- ).must_equal '<div class="foo">foo</div>bar'
63
+ )).must_equal '<div class="foo">foo</div>bar'
64
64
  end
65
65
 
66
66
  it 'should clear the node allowlist after each fragment' do
@@ -73,19 +73,19 @@ describe 'Transformers' do
73
73
  Sanitize.fragment('<div>foo</div>',
74
74
  :transformers => proc {|env|
75
75
  called = true
76
- env[:is_allowlisted].must_equal false
77
- env[:is_whitelisted].must_equal env[:is_allowlisted]
78
- env[:node_allowlist].must_be_empty
79
- env[:node_whitelist].must_equal env[:node_allowlist]
76
+ _(env[:is_allowlisted]).must_equal false
77
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
78
+ _(env[:node_allowlist]).must_be_empty
79
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
80
80
  }
81
81
  )
82
82
 
83
- called.must_equal true
83
+ _(called).must_equal true
84
84
  end
85
85
 
86
86
  it 'should accept a method transformer' do
87
87
  def transformer(env); end
88
- Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
88
+ _(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
89
89
  .must_equal(' foo ')
90
90
  end
91
91
 
@@ -114,32 +114,32 @@ describe 'Transformers' do
114
114
 
115
115
  it 'should allow images with relative URLs' do
116
116
  input = '<img src="/foo/bar.jpg">'
117
- @s.fragment(input).must_equal(input)
117
+ _(@s.fragment(input)).must_equal(input)
118
118
  end
119
119
 
120
120
  it 'should allow images at the example.com domain' do
121
121
  input = '<img src="http://example.com/foo/bar.jpg">'
122
- @s.fragment(input).must_equal(input)
122
+ _(@s.fragment(input)).must_equal(input)
123
123
 
124
124
  input = '<img src="https://example.com/foo/bar.jpg">'
125
- @s.fragment(input).must_equal(input)
125
+ _(@s.fragment(input)).must_equal(input)
126
126
 
127
127
  input = '<img src="//example.com/foo/bar.jpg">'
128
- @s.fragment(input).must_equal(input)
128
+ _(@s.fragment(input)).must_equal(input)
129
129
  end
130
130
 
131
131
  it 'should not allow images at other domains' do
132
132
  input = '<img src="http://evil.com/foo/bar.jpg">'
133
- @s.fragment(input).must_equal('')
133
+ _(@s.fragment(input)).must_equal('')
134
134
 
135
135
  input = '<img src="https://evil.com/foo/bar.jpg">'
136
- @s.fragment(input).must_equal('')
136
+ _(@s.fragment(input)).must_equal('')
137
137
 
138
138
  input = '<img src="//evil.com/foo/bar.jpg">'
139
- @s.fragment(input).must_equal('')
139
+ _(@s.fragment(input)).must_equal('')
140
140
 
141
141
  input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
142
- @s.fragment(input).must_equal('')
142
+ _(@s.fragment(input)).must_equal('')
143
143
  end
144
144
  end
145
145
 
@@ -177,35 +177,35 @@ describe 'Transformers' do
177
177
  it 'should allow HTTP YouTube video embeds' do
178
178
  input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
179
179
 
180
- Sanitize.fragment(input, :transformers => youtube_transformer)
180
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
181
181
  .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
182
182
  end
183
183
 
184
184
  it 'should allow HTTPS YouTube video embeds' do
185
185
  input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
186
186
 
187
- Sanitize.fragment(input, :transformers => youtube_transformer)
187
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
188
188
  .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
189
189
  end
190
190
 
191
191
  it 'should allow protocol-relative YouTube video embeds' do
192
192
  input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
193
193
 
194
- Sanitize.fragment(input, :transformers => youtube_transformer)
194
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
195
195
  .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
196
196
  end
197
197
 
198
198
  it 'should allow privacy-enhanced YouTube video embeds' do
199
199
  input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
200
200
 
201
- Sanitize.fragment(input, :transformers => youtube_transformer)
201
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
202
202
  .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
203
203
  end
204
204
 
205
205
  it 'should not allow non-YouTube video embeds' do
206
206
  input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
207
207
 
208
- Sanitize.fragment(input, :transformers => youtube_transformer)
208
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
209
209
  .must_equal('')
210
210
  end
211
211
  end
@@ -223,7 +223,7 @@ describe 'Transformers' do
223
223
  it 'should allow the <b> tag to be changed to a <strong> tag' do
224
224
  input = '<b>text</b>'
225
225
 
226
- Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
226
+ _(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
227
227
  .must_equal '<strong>text</strong>'
228
228
  end
229
229
  end
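Review bot: In the `@@ -11,14 +11,14 @@` hunk every expectation sits inside the transformer lambda, after `return unless env[:node].element?`, and the visible lines go from the closing `)` straight to `end`, so the test passes without running any assertion if the lambda is never invoked for an element node. The `@@ -73,19 +73,19 @@` hunk already guards against this; the same pattern fits here: set `called = true` inside the lambda and add `_(called).must_equal true` after the call. The enclosing `it` block and the input string start outside the hunk, so whether an element is always present in that input is not visible. In a sanitizer suite, a test that can pass vacuously may hide a regression in the allowlist state handed to transformers.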
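--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: sanitize
  version: !ruby/object:Gem::Version
- version: 5.2.3
+ version: 6.0.2
  platform: ruby
  authors:
  - Ryan Grove
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-01-11 00:00:00.000000000 Z
+ date: 2023-07-06 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: crass
@@ -30,56 +30,42 @@ dependencies:
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- version: 1.8.0
+ version: 1.12.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- version: 1.8.0
- - !ruby/object:Gem::Dependency
- name: nokogumbo
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: '2.0'
- type: :runtime
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: '2.0'
+ version: 1.12.0
  - !ruby/object:Gem::Dependency
  name: minitest
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 5.11.3
+ version: 5.14.4
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 5.11.3
+ version: 5.14.4
  - !ruby/object:Gem::Dependency
  name: rake
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 12.3.1
+ version: 13.0.6
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 12.3.1
+ version: 13.0.6
  description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
  HTML and/or CSS from a string except the elements, attributes, and properties you
  choose to allow.
@@ -128,14 +114,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- version: 2.1.0
+ version: 2.5.0
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
  version: 1.2.0
  requirements: []
- rubygems_version: 3.2.3
+ rubygems_version: 3.4.10
  signing_key:
  specification_version: 4
  summary: Allowlist-based HTML and CSS sanitizer.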
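Review bot: The runtime requirement raised to `>= 1.12.0` in the `@@ -30,56 +30,42 @@` hunk has no upper bound, and the same hunk removes the `nokogumbo ~> 2.0` runtime dependency, so the parsing stack under the sanitizer changes with this upgrade and is not capped by the gem itself. The `name:` line of the `>=` dependency falls outside the hunk, so which gem it constrains is not shown here. Applications taking 6.0.2 should pin that dependency in their own lockfile and re-run their allowlist regression tests, because a parser change can alter what the sanitizer emits for the same input. `required_ruby_version` also moves from 2.1.0 to 2.5.0 in the last hunk, which will block installs on older runtimes. `cert_chain: []` and the empty `signing_key:` show the gem is unsigned, so integrity relies on the registry and on whatever checksum verification the consumer configures.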