sanitize 5.2.3 → 6.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/HISTORY.md +80 -0
- data/LICENSE +1 -1
- data/README.md +26 -42
- data/lib/sanitize/config/default.rb +5 -0
- data/lib/sanitize/transformers/clean_css.rb +1 -0
- data/lib/sanitize/transformers/clean_element.rb +45 -0
- data/lib/sanitize/version.rb +1 -3
- data/lib/sanitize.rb +1 -1
- data/test/test_clean_comment.rb +16 -16
- data/test/test_clean_css.rb +5 -5
- data/test/test_clean_doctype.rb +15 -15
- data/test/test_clean_element.rb +99 -92
- data/test/test_config.rb +9 -9
- data/test/test_malicious_css.rb +20 -7
- data/test/test_malicious_html.rb +135 -31
- data/test/test_parser.rb +8 -8
- data/test/test_sanitize.rb +28 -28
- data/test/test_sanitize_css.rb +53 -53
- data/test/test_transformers.rb +37 -37
- metadata +10 -24
data/test/test_sanitize_css.rb
CHANGED
@@ -16,9 +16,9 @@ describe 'Sanitize::CSS' do
|
|
16
16
|
it 'should sanitize CSS properties' do
|
17
17
|
css = 'background: #fff; width: expression(alert("hi"));'
|
18
18
|
|
19
|
-
@default.properties(css).must_equal ' '
|
20
|
-
@relaxed.properties(css).must_equal 'background: #fff; '
|
21
|
-
@custom.properties(css).must_equal 'background: #fff; '
|
19
|
+
_(@default.properties(css)).must_equal ' '
|
20
|
+
_(@relaxed.properties(css)).must_equal 'background: #fff; '
|
21
|
+
_(@custom.properties(css)).must_equal 'background: #fff; '
|
22
22
|
end
|
23
23
|
|
24
24
|
it 'should allow allowlisted URL protocols' do
|
@@ -30,9 +30,9 @@ describe 'Sanitize::CSS' do
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
32
32
|
].each do |css|
|
33
|
-
@default.properties(css).must_equal ''
|
34
|
-
@relaxed.properties(css).must_equal css
|
35
|
-
@custom.properties(css).must_equal ''
|
33
|
+
_(@default.properties(css)).must_equal ''
|
34
|
+
_(@relaxed.properties(css)).must_equal css
|
35
|
+
_(@custom.properties(css)).must_equal ''
|
36
36
|
end
|
37
37
|
end
|
38
38
|
|
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
|
|
46
46
|
"background: url('javas\\\ncript:alert(0)')",
|
47
47
|
"background: url('java\\0script:foo')"
|
48
48
|
].each do |css|
|
49
|
-
@default.properties(css).must_equal ''
|
50
|
-
@relaxed.properties(css).must_equal ''
|
51
|
-
@custom.properties(css).must_equal ''
|
49
|
+
_(@default.properties(css)).must_equal ''
|
50
|
+
_(@relaxed.properties(css)).must_equal ''
|
51
|
+
_(@custom.properties(css)).must_equal ''
|
52
52
|
end
|
53
53
|
end
|
54
54
|
|
55
55
|
it 'should not allow -moz-binding' do
|
56
56
|
css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
|
57
57
|
|
58
|
-
@default.properties(css).must_equal ''
|
59
|
-
@relaxed.properties(css).must_equal ''
|
60
|
-
@custom.properties(css).must_equal ''
|
58
|
+
_(@default.properties(css)).must_equal ''
|
59
|
+
_(@relaxed.properties(css)).must_equal ''
|
60
|
+
_(@custom.properties(css)).must_equal ''
|
61
61
|
end
|
62
62
|
|
63
63
|
it 'should not allow expressions' do
|
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
|
|
69
69
|
"xss:expression(alert(1))",
|
70
70
|
"height: foo(expression(alert(1)));"
|
71
71
|
].each do |css|
|
72
|
-
@default.properties(css).must_equal ''
|
73
|
-
@relaxed.properties(css).must_equal ''
|
74
|
-
@custom.properties(css).must_equal ''
|
72
|
+
_(@default.properties(css)).must_equal ''
|
73
|
+
_(@relaxed.properties(css)).must_equal ''
|
74
|
+
_(@custom.properties(css)).must_equal ''
|
75
75
|
end
|
76
76
|
end
|
77
77
|
|
78
78
|
it 'should not allow behaviors' do
|
79
79
|
css = "behavior: url(xss.htc);"
|
80
80
|
|
81
|
-
@default.properties(css).must_equal ''
|
82
|
-
@relaxed.properties(css).must_equal ''
|
83
|
-
@custom.properties(css).must_equal ''
|
81
|
+
_(@default.properties(css)).must_equal ''
|
82
|
+
_(@relaxed.properties(css)).must_equal ''
|
83
|
+
_(@custom.properties(css)).must_equal ''
|
84
84
|
end
|
85
85
|
|
86
86
|
describe 'when :allow_comments is true' do
|
87
87
|
it 'should preserve comments' do
|
88
|
-
@relaxed.properties('color: #fff; /* comment */ width: 100px;')
|
88
|
+
_(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
|
89
89
|
.must_equal 'color: #fff; /* comment */ width: 100px;'
|
90
90
|
|
91
|
-
@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
|
91
|
+
_(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
|
92
92
|
.must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
96
|
describe 'when :allow_comments is false' do
|
97
97
|
it 'should strip comments' do
|
98
|
-
@custom.properties('color: #fff; /* comment */ width: 100px;')
|
98
|
+
_(@custom.properties('color: #fff; /* comment */ width: 100px;'))
|
99
99
|
.must_equal 'color: #fff; width: 100px;'
|
100
100
|
|
101
|
-
@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
|
101
|
+
_(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
|
102
102
|
.must_equal 'color: #fff; width: 100px;'
|
103
103
|
end
|
104
104
|
end
|
105
105
|
|
106
106
|
describe 'when :allow_hacks is true' do
|
107
107
|
it 'should allow common CSS hacks' do
|
108
|
-
@relaxed.properties('_border: 1px solid #fff; *width: 10px')
|
108
|
+
_(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
|
109
109
|
.must_equal '_border: 1px solid #fff; *width: 10px'
|
110
110
|
end
|
111
111
|
end
|
112
112
|
|
113
113
|
describe 'when :allow_hacks is false' do
|
114
114
|
it 'should not allow common CSS hacks' do
|
115
|
-
@custom.properties('_border: 1px solid #fff; *width: 10px')
|
115
|
+
_(@custom.properties('_border: 1px solid #fff; *width: 10px'))
|
116
116
|
.must_equal ' '
|
117
117
|
end
|
118
118
|
end
|
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
|
|
131
131
|
}
|
132
132
|
].strip
|
133
133
|
|
134
|
-
@default.stylesheet(css).strip.must_equal %[
|
134
|
+
_(@default.stylesheet(css).strip).must_equal %[
|
135
135
|
.foo { }
|
136
136
|
#bar { }
|
137
137
|
].strip
|
138
138
|
|
139
|
-
@relaxed.stylesheet(css).must_equal css
|
139
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
140
140
|
|
141
|
-
@custom.stylesheet(css).strip.must_equal %[
|
141
|
+
_(@custom.stylesheet(css).strip).must_equal %[
|
142
142
|
.foo { color: #fff; }
|
143
143
|
#bar { }
|
144
144
|
].strip
|
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
|
|
146
146
|
|
147
147
|
describe 'when :allow_comments is true' do
|
148
148
|
it 'should preserve comments' do
|
149
|
-
@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
|
149
|
+
_(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
|
150
150
|
.must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
|
151
151
|
|
152
|
-
@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
|
152
|
+
_(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
|
153
153
|
.must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
|
154
154
|
end
|
155
155
|
end
|
156
156
|
|
157
157
|
describe 'when :allow_comments is false' do
|
158
158
|
it 'should strip comments' do
|
159
|
-
@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
|
159
|
+
_(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
|
160
160
|
.must_equal '.foo { color: #fff; width: 100px; }'
|
161
161
|
|
162
|
-
@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
|
162
|
+
_(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
|
163
163
|
.must_equal '.foo { color: #fff; width: 100px; }'
|
164
164
|
end
|
165
165
|
end
|
166
166
|
|
167
167
|
describe 'when :allow_hacks is true' do
|
168
168
|
it 'should allow common CSS hacks' do
|
169
|
-
@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
|
169
|
+
_(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
|
170
170
|
.must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
|
171
171
|
end
|
172
172
|
end
|
173
173
|
|
174
174
|
describe 'when :allow_hacks is false' do
|
175
175
|
it 'should not allow common CSS hacks' do
|
176
|
-
@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
|
176
|
+
_(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
|
177
177
|
.must_equal '.foo { }'
|
178
178
|
end
|
179
179
|
end
|
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
|
|
185
185
|
".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
|
186
186
|
"#bar { top: 125px; background: green; }")
|
187
187
|
|
188
|
-
@custom.tree!(tree).must_be_same_as tree
|
188
|
+
_(@custom.tree!(tree)).must_be_same_as tree
|
189
189
|
|
190
|
-
Crass::Parser.stringify(tree).must_equal String.new("\n") <<
|
190
|
+
_(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
|
191
191
|
".foo { background: #fff; }\n" <<
|
192
192
|
"#bar { background: green; }"
|
193
193
|
end
|
@@ -199,9 +199,9 @@ describe 'Sanitize::CSS' do
|
|
199
199
|
it 'should sanitize CSS properties with the given config' do
|
200
200
|
css = 'background: #fff; width: expression(alert("hi"));'
|
201
201
|
|
202
|
-
Sanitize::CSS.properties(css).must_equal ' '
|
203
|
-
Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
|
204
|
-
Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
|
202
|
+
_(Sanitize::CSS.properties(css)).must_equal ' '
|
203
|
+
_(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
|
204
|
+
_(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
|
205
205
|
end
|
206
206
|
end
|
207
207
|
|
@@ -218,14 +218,14 @@ describe 'Sanitize::CSS' do
|
|
218
218
|
}
|
219
219
|
].strip
|
220
220
|
|
221
|
-
Sanitize::CSS.stylesheet(css).strip.must_equal %[
|
221
|
+
_(Sanitize::CSS.stylesheet(css).strip).must_equal %[
|
222
222
|
.foo { }
|
223
223
|
#bar { }
|
224
224
|
].strip
|
225
225
|
|
226
|
-
Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
|
226
|
+
_(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
|
227
227
|
|
228
|
-
Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
|
228
|
+
_(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
|
229
229
|
.foo { color: #fff; }
|
230
230
|
#bar { }
|
231
231
|
].strip
|
@@ -238,9 +238,9 @@ describe 'Sanitize::CSS' do
|
|
238
238
|
".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
|
239
239
|
"#bar { top: 125px; background: green; }")
|
240
240
|
|
241
|
-
Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
|
241
|
+
_(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
|
242
242
|
|
243
|
-
Crass::Parser.stringify(tree).must_equal String.new("\n") <<
|
243
|
+
_(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
|
244
244
|
".foo { background: #fff; }\n" <<
|
245
245
|
"#bar { background: green; }"
|
246
246
|
end
|
@@ -256,7 +256,7 @@ describe 'Sanitize::CSS' do
|
|
256
256
|
# https://github.com/rgrove/sanitize/issues/121
|
257
257
|
it 'should parse the contents of @media rules properly' do
|
258
258
|
css = '@media { p[class="center"] { text-align: center; }}'
|
259
|
-
@relaxed.stylesheet(css).must_equal css
|
259
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
260
260
|
|
261
261
|
css = %[
|
262
262
|
@media (max-width: 720px) {
|
@@ -269,7 +269,7 @@ describe 'Sanitize::CSS' do
|
|
269
269
|
}
|
270
270
|
].strip
|
271
271
|
|
272
|
-
@relaxed.stylesheet(css).must_equal %[
|
272
|
+
_(@relaxed.stylesheet(css)).must_equal %[
|
273
273
|
@media (max-width: 720px) {
|
274
274
|
p.foo > .bar { float: right; }
|
275
275
|
#baz { color: green; }
|
@@ -303,7 +303,7 @@ describe 'Sanitize::CSS' do
|
|
303
303
|
}
|
304
304
|
].strip
|
305
305
|
|
306
|
-
@relaxed.stylesheet(css).must_equal css
|
306
|
+
_(@relaxed.stylesheet(css)).must_equal css
|
307
307
|
end
|
308
308
|
|
309
309
|
describe ":at_rules" do
|
@@ -314,7 +314,7 @@ describe 'Sanitize::CSS' do
|
|
314
314
|
.foo { color: green; }
|
315
315
|
].strip
|
316
316
|
|
317
|
-
@relaxed.stylesheet(css).strip.must_equal %[
|
317
|
+
_(@relaxed.stylesheet(css).strip).must_equal %[
|
318
318
|
.foo { color: green; }
|
319
319
|
].strip
|
320
320
|
end
|
@@ -333,7 +333,7 @@ describe 'Sanitize::CSS' do
|
|
333
333
|
.foo { color: green; }
|
334
334
|
].strip
|
335
335
|
|
336
|
-
@scss.stylesheet(css).must_equal %[
|
336
|
+
_(@scss.stylesheet(css)).must_equal %[
|
337
337
|
@charset 'utf-8';
|
338
338
|
@import url('foo.css');
|
339
339
|
.foo { color: green; }
|
@@ -347,7 +347,7 @@ describe 'Sanitize::CSS' do
|
|
347
347
|
.foo { color: green; }
|
348
348
|
].strip
|
349
349
|
|
350
|
-
@scss.stylesheet(css).strip.must_equal %[
|
350
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
351
351
|
.foo { color: green; }
|
352
352
|
].strip
|
353
353
|
end
|
@@ -367,7 +367,7 @@ describe 'Sanitize::CSS' do
|
|
367
367
|
@import url('https://somesite.com/something.css');
|
368
368
|
].strip
|
369
369
|
|
370
|
-
@scss.stylesheet(css).strip.must_equal %[
|
370
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
371
371
|
@import url('https://somesite.com/something.css');
|
372
372
|
].strip
|
373
373
|
end
|
@@ -388,7 +388,7 @@ describe 'Sanitize::CSS' do
|
|
388
388
|
@import url('https://fonts.googleapis.com/css?family=Indie+Flower');
|
389
389
|
].strip
|
390
390
|
|
391
|
-
@scss.stylesheet(css).strip.must_equal %[
|
391
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
392
392
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
393
393
|
@import url('https://fonts.googleapis.com/css?family=Indie+Flower');
|
394
394
|
].strip
|
@@ -401,7 +401,7 @@ describe 'Sanitize::CSS' do
|
|
401
401
|
@import url('https://nastysite.com/nasty_hax0r.css');
|
402
402
|
].strip
|
403
403
|
|
404
|
-
@scss.stylesheet(css).strip.must_equal %[
|
404
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
405
405
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
406
406
|
].strip
|
407
407
|
end
|
@@ -413,7 +413,7 @@ describe 'Sanitize::CSS' do
|
|
413
413
|
@import url('');
|
414
414
|
].strip
|
415
415
|
|
416
|
-
@scss.stylesheet(css).strip.must_equal %[
|
416
|
+
_(@scss.stylesheet(css).strip).must_equal %[
|
417
417
|
@import 'https://fonts.googleapis.com/css?family=Indie+Flower';
|
418
418
|
].strip
|
419
419
|
end
|
data/test/test_transformers.rb
CHANGED
@@ -11,14 +11,14 @@ describe 'Transformers' do
|
|
11
11
|
:transformers => lambda {|env|
|
12
12
|
return unless env[:node].element?
|
13
13
|
|
14
|
-
env[:config][:foo].must_equal :bar
|
15
|
-
env[:is_allowlisted].must_equal false
|
16
|
-
env[:is_whitelisted].must_equal env[:is_allowlisted]
|
17
|
-
env[:node].must_be_kind_of Nokogiri::XML::Node
|
18
|
-
env[:node_name].must_equal 'span'
|
19
|
-
env[:node_allowlist].must_be_kind_of Set
|
20
|
-
env[:node_allowlist].must_be_empty
|
21
|
-
env[:node_whitelist].must_equal env[:node_allowlist]
|
14
|
+
_(env[:config][:foo]).must_equal :bar
|
15
|
+
_(env[:is_allowlisted]).must_equal false
|
16
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
17
|
+
_(env[:node]).must_be_kind_of Nokogiri::XML::Node
|
18
|
+
_(env[:node_name]).must_equal 'span'
|
19
|
+
_(env[:node_allowlist]).must_be_kind_of Set
|
20
|
+
_(env[:node_allowlist]).must_be_empty
|
21
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
22
22
|
}
|
23
23
|
)
|
24
24
|
end
|
@@ -30,7 +30,7 @@ describe 'Transformers' do
|
|
30
30
|
:transformers => proc {|env| nodes << env[:node_name] }
|
31
31
|
)
|
32
32
|
|
33
|
-
nodes.must_equal %w[
|
33
|
+
_(nodes).must_equal %w[
|
34
34
|
#document-fragment div text text text comment script text
|
35
35
|
]
|
36
36
|
end
|
@@ -42,25 +42,25 @@ describe 'Transformers' do
|
|
42
42
|
:transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
|
43
43
|
)
|
44
44
|
|
45
|
-
nodes.must_equal %w[div span strong b p]
|
45
|
+
_(nodes).must_equal %w[div span strong b p]
|
46
46
|
end
|
47
47
|
|
48
48
|
it 'should allowlist nodes in the node allowlist' do
|
49
|
-
Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
|
49
|
+
_(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
|
50
50
|
:transformers => [
|
51
51
|
proc {|env|
|
52
52
|
{:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
|
53
53
|
},
|
54
54
|
|
55
55
|
proc {|env|
|
56
|
-
env[:is_allowlisted].must_equal false unless env[:node_name] == 'div'
|
57
|
-
env[:is_allowlisted].must_equal true if env[:node_name] == 'div'
|
58
|
-
env[:node_allowlist].must_include env[:node] if env[:node_name] == 'div'
|
59
|
-
env[:is_whitelisted].must_equal env[:is_allowlisted]
|
60
|
-
env[:node_whitelist].must_equal env[:node_allowlist]
|
56
|
+
_(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
|
57
|
+
_(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
|
58
|
+
_(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
|
59
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
60
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
61
61
|
}
|
62
62
|
]
|
63
|
-
).must_equal '<div class="foo">foo</div>bar'
|
63
|
+
)).must_equal '<div class="foo">foo</div>bar'
|
64
64
|
end
|
65
65
|
|
66
66
|
it 'should clear the node allowlist after each fragment' do
|
@@ -73,19 +73,19 @@ describe 'Transformers' do
|
|
73
73
|
Sanitize.fragment('<div>foo</div>',
|
74
74
|
:transformers => proc {|env|
|
75
75
|
called = true
|
76
|
-
env[:is_allowlisted].must_equal false
|
77
|
-
env[:is_whitelisted].must_equal env[:is_allowlisted]
|
78
|
-
env[:node_allowlist].must_be_empty
|
79
|
-
env[:node_whitelist].must_equal env[:node_allowlist]
|
76
|
+
_(env[:is_allowlisted]).must_equal false
|
77
|
+
_(env[:is_whitelisted]).must_equal env[:is_allowlisted]
|
78
|
+
_(env[:node_allowlist]).must_be_empty
|
79
|
+
_(env[:node_whitelist]).must_equal env[:node_allowlist]
|
80
80
|
}
|
81
81
|
)
|
82
82
|
|
83
|
-
called.must_equal true
|
83
|
+
_(called).must_equal true
|
84
84
|
end
|
85
85
|
|
86
86
|
it 'should accept a method transformer' do
|
87
87
|
def transformer(env); end
|
88
|
-
Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
|
88
|
+
_(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
|
89
89
|
.must_equal(' foo ')
|
90
90
|
end
|
91
91
|
|
@@ -114,32 +114,32 @@ describe 'Transformers' do
|
|
114
114
|
|
115
115
|
it 'should allow images with relative URLs' do
|
116
116
|
input = '<img src="/foo/bar.jpg">'
|
117
|
-
@s.fragment(input).must_equal(input)
|
117
|
+
_(@s.fragment(input)).must_equal(input)
|
118
118
|
end
|
119
119
|
|
120
120
|
it 'should allow images at the example.com domain' do
|
121
121
|
input = '<img src="http://example.com/foo/bar.jpg">'
|
122
|
-
@s.fragment(input).must_equal(input)
|
122
|
+
_(@s.fragment(input)).must_equal(input)
|
123
123
|
|
124
124
|
input = '<img src="https://example.com/foo/bar.jpg">'
|
125
|
-
@s.fragment(input).must_equal(input)
|
125
|
+
_(@s.fragment(input)).must_equal(input)
|
126
126
|
|
127
127
|
input = '<img src="//example.com/foo/bar.jpg">'
|
128
|
-
@s.fragment(input).must_equal(input)
|
128
|
+
_(@s.fragment(input)).must_equal(input)
|
129
129
|
end
|
130
130
|
|
131
131
|
it 'should not allow images at other domains' do
|
132
132
|
input = '<img src="http://evil.com/foo/bar.jpg">'
|
133
|
-
@s.fragment(input).must_equal('')
|
133
|
+
_(@s.fragment(input)).must_equal('')
|
134
134
|
|
135
135
|
input = '<img src="https://evil.com/foo/bar.jpg">'
|
136
|
-
@s.fragment(input).must_equal('')
|
136
|
+
_(@s.fragment(input)).must_equal('')
|
137
137
|
|
138
138
|
input = '<img src="//evil.com/foo/bar.jpg">'
|
139
|
-
@s.fragment(input).must_equal('')
|
139
|
+
_(@s.fragment(input)).must_equal('')
|
140
140
|
|
141
141
|
input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
|
142
|
-
@s.fragment(input).must_equal('')
|
142
|
+
_(@s.fragment(input)).must_equal('')
|
143
143
|
end
|
144
144
|
end
|
145
145
|
|
@@ -177,35 +177,35 @@ describe 'Transformers' do
|
|
177
177
|
it 'should allow HTTP YouTube video embeds' do
|
178
178
|
input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
179
179
|
|
180
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
180
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
181
181
|
.must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
182
182
|
end
|
183
183
|
|
184
184
|
it 'should allow HTTPS YouTube video embeds' do
|
185
185
|
input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
186
186
|
|
187
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
187
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
188
188
|
.must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
189
189
|
end
|
190
190
|
|
191
191
|
it 'should allow protocol-relative YouTube video embeds' do
|
192
192
|
input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
193
193
|
|
194
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
194
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
195
195
|
.must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
196
196
|
end
|
197
197
|
|
198
198
|
it 'should allow privacy-enhanced YouTube video embeds' do
|
199
199
|
input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
|
200
200
|
|
201
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
201
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
202
202
|
.must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
|
203
203
|
end
|
204
204
|
|
205
205
|
it 'should not allow non-YouTube video embeds' do
|
206
206
|
input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
|
207
207
|
|
208
|
-
Sanitize.fragment(input, :transformers => youtube_transformer)
|
208
|
+
_(Sanitize.fragment(input, :transformers => youtube_transformer))
|
209
209
|
.must_equal('')
|
210
210
|
end
|
211
211
|
end
|
@@ -223,7 +223,7 @@ describe 'Transformers' do
|
|
223
223
|
it 'should allow the <b> tag to be changed to a <strong> tag' do
|
224
224
|
input = '<b>text</b>'
|
225
225
|
|
226
|
-
Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
|
226
|
+
_(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
|
227
227
|
.must_equal '<strong>text</strong>'
|
228
228
|
end
|
229
229
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sanitize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 6.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryan Grove
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-07-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: crass
|
@@ -30,56 +30,42 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 1.
|
33
|
+
version: 1.12.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 1.
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
name: nokogumbo
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - "~>"
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '2.0'
|
48
|
-
type: :runtime
|
49
|
-
prerelease: false
|
50
|
-
version_requirements: !ruby/object:Gem::Requirement
|
51
|
-
requirements:
|
52
|
-
- - "~>"
|
53
|
-
- !ruby/object:Gem::Version
|
54
|
-
version: '2.0'
|
40
|
+
version: 1.12.0
|
55
41
|
- !ruby/object:Gem::Dependency
|
56
42
|
name: minitest
|
57
43
|
requirement: !ruby/object:Gem::Requirement
|
58
44
|
requirements:
|
59
45
|
- - "~>"
|
60
46
|
- !ruby/object:Gem::Version
|
61
|
-
version: 5.
|
47
|
+
version: 5.14.4
|
62
48
|
type: :development
|
63
49
|
prerelease: false
|
64
50
|
version_requirements: !ruby/object:Gem::Requirement
|
65
51
|
requirements:
|
66
52
|
- - "~>"
|
67
53
|
- !ruby/object:Gem::Version
|
68
|
-
version: 5.
|
54
|
+
version: 5.14.4
|
69
55
|
- !ruby/object:Gem::Dependency
|
70
56
|
name: rake
|
71
57
|
requirement: !ruby/object:Gem::Requirement
|
72
58
|
requirements:
|
73
59
|
- - "~>"
|
74
60
|
- !ruby/object:Gem::Version
|
75
|
-
version:
|
61
|
+
version: 13.0.6
|
76
62
|
type: :development
|
77
63
|
prerelease: false
|
78
64
|
version_requirements: !ruby/object:Gem::Requirement
|
79
65
|
requirements:
|
80
66
|
- - "~>"
|
81
67
|
- !ruby/object:Gem::Version
|
82
|
-
version:
|
68
|
+
version: 13.0.6
|
83
69
|
description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
|
84
70
|
HTML and/or CSS from a string except the elements, attributes, and properties you
|
85
71
|
choose to allow.
|
@@ -128,14 +114,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
128
114
|
requirements:
|
129
115
|
- - ">="
|
130
116
|
- !ruby/object:Gem::Version
|
131
|
-
version: 2.
|
117
|
+
version: 2.5.0
|
132
118
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
133
119
|
requirements:
|
134
120
|
- - ">="
|
135
121
|
- !ruby/object:Gem::Version
|
136
122
|
version: 1.2.0
|
137
123
|
requirements: []
|
138
|
-
rubygems_version: 3.
|
124
|
+
rubygems_version: 3.4.10
|
139
125
|
signing_key:
|
140
126
|
specification_version: 4
|
141
127
|
summary: Allowlist-based HTML and CSS sanitizer.
|