sanitize 6.0.0 → 6.0.1


Potentially problematic release.


This version of sanitize might be problematic. Click here for more details.

@@ -16,9 +16,9 @@ describe 'Sanitize::CSS' do
16
16
  it 'should sanitize CSS properties' do
17
17
  css = 'background: #fff; width: expression(alert("hi"));'
18
18
 
19
- @default.properties(css).must_equal ' '
20
- @relaxed.properties(css).must_equal 'background: #fff; '
21
- @custom.properties(css).must_equal 'background: #fff; '
19
+ _(@default.properties(css)).must_equal ' '
20
+ _(@relaxed.properties(css)).must_equal 'background: #fff; '
21
+ _(@custom.properties(css)).must_equal 'background: #fff; '
22
22
  end
23
23
 
24
24
  it 'should allow allowlisted URL protocols' do
@@ -30,9 +30,9 @@ describe 'Sanitize::CSS' do
30
30
  "background: url(https://example.com/https.jpg)",
31
31
  "background: url('https://example.com/https.jpg')",
32
32
  ].each do |css|
33
- @default.properties(css).must_equal ''
34
- @relaxed.properties(css).must_equal css
35
- @custom.properties(css).must_equal ''
33
+ _(@default.properties(css)).must_equal ''
34
+ _(@relaxed.properties(css)).must_equal css
35
+ _(@custom.properties(css)).must_equal ''
36
36
  end
37
37
  end
38
38
 
@@ -46,18 +46,18 @@ describe 'Sanitize::CSS' do
46
46
  "background: url('javas\\\ncript:alert(0)')",
47
47
  "background: url('java\\0script:foo')"
48
48
  ].each do |css|
49
- @default.properties(css).must_equal ''
50
- @relaxed.properties(css).must_equal ''
51
- @custom.properties(css).must_equal ''
49
+ _(@default.properties(css)).must_equal ''
50
+ _(@relaxed.properties(css)).must_equal ''
51
+ _(@custom.properties(css)).must_equal ''
52
52
  end
53
53
  end
54
54
 
55
55
  it 'should not allow -moz-binding' do
56
56
  css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
57
57
 
58
- @default.properties(css).must_equal ''
59
- @relaxed.properties(css).must_equal ''
60
- @custom.properties(css).must_equal ''
58
+ _(@default.properties(css)).must_equal ''
59
+ _(@relaxed.properties(css)).must_equal ''
60
+ _(@custom.properties(css)).must_equal ''
61
61
  end
62
62
 
63
63
  it 'should not allow expressions' do
@@ -69,50 +69,50 @@ describe 'Sanitize::CSS' do
69
69
  "xss:expression(alert(1))",
70
70
  "height: foo(expression(alert(1)));"
71
71
  ].each do |css|
72
- @default.properties(css).must_equal ''
73
- @relaxed.properties(css).must_equal ''
74
- @custom.properties(css).must_equal ''
72
+ _(@default.properties(css)).must_equal ''
73
+ _(@relaxed.properties(css)).must_equal ''
74
+ _(@custom.properties(css)).must_equal ''
75
75
  end
76
76
  end
77
77
 
78
78
  it 'should not allow behaviors' do
79
79
  css = "behavior: url(xss.htc);"
80
80
 
81
- @default.properties(css).must_equal ''
82
- @relaxed.properties(css).must_equal ''
83
- @custom.properties(css).must_equal ''
81
+ _(@default.properties(css)).must_equal ''
82
+ _(@relaxed.properties(css)).must_equal ''
83
+ _(@custom.properties(css)).must_equal ''
84
84
  end
85
85
 
86
86
  describe 'when :allow_comments is true' do
87
87
  it 'should preserve comments' do
88
- @relaxed.properties('color: #fff; /* comment */ width: 100px;')
88
+ _(@relaxed.properties('color: #fff; /* comment */ width: 100px;'))
89
89
  .must_equal 'color: #fff; /* comment */ width: 100px;'
90
90
 
91
- @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
91
+ _(@relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
92
92
  .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
93
93
  end
94
94
  end
95
95
 
96
96
  describe 'when :allow_comments is false' do
97
97
  it 'should strip comments' do
98
- @custom.properties('color: #fff; /* comment */ width: 100px;')
98
+ _(@custom.properties('color: #fff; /* comment */ width: 100px;'))
99
99
  .must_equal 'color: #fff; width: 100px;'
100
100
 
101
- @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
101
+ _(@custom.properties("color: #fff; /* \n\ncomment */ width: 100px;"))
102
102
  .must_equal 'color: #fff; width: 100px;'
103
103
  end
104
104
  end
105
105
 
106
106
  describe 'when :allow_hacks is true' do
107
107
  it 'should allow common CSS hacks' do
108
- @relaxed.properties('_border: 1px solid #fff; *width: 10px')
108
+ _(@relaxed.properties('_border: 1px solid #fff; *width: 10px'))
109
109
  .must_equal '_border: 1px solid #fff; *width: 10px'
110
110
  end
111
111
  end
112
112
 
113
113
  describe 'when :allow_hacks is false' do
114
114
  it 'should not allow common CSS hacks' do
115
- @custom.properties('_border: 1px solid #fff; *width: 10px')
115
+ _(@custom.properties('_border: 1px solid #fff; *width: 10px'))
116
116
  .must_equal ' '
117
117
  end
118
118
  end
@@ -131,14 +131,14 @@ describe 'Sanitize::CSS' do
131
131
  }
132
132
  ].strip
133
133
 
134
- @default.stylesheet(css).strip.must_equal %[
134
+ _(@default.stylesheet(css).strip).must_equal %[
135
135
  .foo { }
136
136
  #bar { }
137
137
  ].strip
138
138
 
139
- @relaxed.stylesheet(css).must_equal css
139
+ _(@relaxed.stylesheet(css)).must_equal css
140
140
 
141
- @custom.stylesheet(css).strip.must_equal %[
141
+ _(@custom.stylesheet(css).strip).must_equal %[
142
142
  .foo { color: #fff; }
143
143
  #bar { }
144
144
  ].strip
@@ -146,34 +146,34 @@ describe 'Sanitize::CSS' do
146
146
 
147
147
  describe 'when :allow_comments is true' do
148
148
  it 'should preserve comments' do
149
- @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
149
+ _(@relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
150
150
  .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
151
151
 
152
- @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
152
+ _(@relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
153
153
  .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
154
154
  end
155
155
  end
156
156
 
157
157
  describe 'when :allow_comments is false' do
158
158
  it 'should strip comments' do
159
- @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
159
+ _(@custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }'))
160
160
  .must_equal '.foo { color: #fff; width: 100px; }'
161
161
 
162
- @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
162
+ _(@custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }"))
163
163
  .must_equal '.foo { color: #fff; width: 100px; }'
164
164
  end
165
165
  end
166
166
 
167
167
  describe 'when :allow_hacks is true' do
168
168
  it 'should allow common CSS hacks' do
169
- @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
169
+ _(@relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
170
170
  .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
171
171
  end
172
172
  end
173
173
 
174
174
  describe 'when :allow_hacks is false' do
175
175
  it 'should not allow common CSS hacks' do
176
- @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
176
+ _(@custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }'))
177
177
  .must_equal '.foo { }'
178
178
  end
179
179
  end
@@ -185,9 +185,9 @@ describe 'Sanitize::CSS' do
185
185
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
186
186
  "#bar { top: 125px; background: green; }")
187
187
 
188
- @custom.tree!(tree).must_be_same_as tree
188
+ _(@custom.tree!(tree)).must_be_same_as tree
189
189
 
190
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
190
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
191
191
  ".foo { background: #fff; }\n" <<
192
192
  "#bar { background: green; }"
193
193
  end
@@ -199,9 +199,9 @@ describe 'Sanitize::CSS' do
199
199
  it 'should sanitize CSS properties with the given config' do
200
200
  css = 'background: #fff; width: expression(alert("hi"));'
201
201
 
202
- Sanitize::CSS.properties(css).must_equal ' '
203
- Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css]).must_equal 'background: #fff; '
204
- Sanitize::CSS.properties(css, :properties => %w[background color width]).must_equal 'background: #fff; '
202
+ _(Sanitize::CSS.properties(css)).must_equal ' '
203
+ _(Sanitize::CSS.properties(css, Sanitize::Config::RELAXED[:css])).must_equal 'background: #fff; '
204
+ _(Sanitize::CSS.properties(css, :properties => %w[background color width])).must_equal 'background: #fff; '
205
205
  end
206
206
  end
207
207
 
@@ -218,14 +218,14 @@ describe 'Sanitize::CSS' do
218
218
  }
219
219
  ].strip
220
220
 
221
- Sanitize::CSS.stylesheet(css).strip.must_equal %[
221
+ _(Sanitize::CSS.stylesheet(css).strip).must_equal %[
222
222
  .foo { }
223
223
  #bar { }
224
224
  ].strip
225
225
 
226
- Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css]).must_equal css
226
+ _(Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED[:css])).must_equal css
227
227
 
228
- Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip.must_equal %[
228
+ _(Sanitize::CSS.stylesheet(css, :properties => %w[background color width]).strip).must_equal %[
229
229
  .foo { color: #fff; }
230
230
  #bar { }
231
231
  ].strip
@@ -238,9 +238,9 @@ describe 'Sanitize::CSS' do
238
238
  ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
239
239
  "#bar { top: 125px; background: green; }")
240
240
 
241
- Sanitize::CSS.tree!(tree, :properties => %w[background color width]).must_be_same_as tree
241
+ _(Sanitize::CSS.tree!(tree, :properties => %w[background color width])).must_be_same_as tree
242
242
 
243
- Crass::Parser.stringify(tree).must_equal String.new("\n") <<
243
+ _(Crass::Parser.stringify(tree)).must_equal String.new("\n") <<
244
244
  ".foo { background: #fff; }\n" <<
245
245
  "#bar { background: green; }"
246
246
  end
@@ -256,7 +256,7 @@ describe 'Sanitize::CSS' do
256
256
  # https://github.com/rgrove/sanitize/issues/121
257
257
  it 'should parse the contents of @media rules properly' do
258
258
  css = '@media { p[class="center"] { text-align: center; }}'
259
- @relaxed.stylesheet(css).must_equal css
259
+ _(@relaxed.stylesheet(css)).must_equal css
260
260
 
261
261
  css = %[
262
262
  @media (max-width: 720px) {
@@ -269,7 +269,7 @@ describe 'Sanitize::CSS' do
269
269
  }
270
270
  ].strip
271
271
 
272
- @relaxed.stylesheet(css).must_equal %[
272
+ _(@relaxed.stylesheet(css)).must_equal %[
273
273
  @media (max-width: 720px) {
274
274
  p.foo > .bar { float: right; }
275
275
  #baz { color: green; }
@@ -303,7 +303,7 @@ describe 'Sanitize::CSS' do
303
303
  }
304
304
  ].strip
305
305
 
306
- @relaxed.stylesheet(css).must_equal css
306
+ _(@relaxed.stylesheet(css)).must_equal css
307
307
  end
308
308
 
309
309
  describe ":at_rules" do
@@ -314,7 +314,7 @@ describe 'Sanitize::CSS' do
314
314
  .foo { color: green; }
315
315
  ].strip
316
316
 
317
- @relaxed.stylesheet(css).strip.must_equal %[
317
+ _(@relaxed.stylesheet(css).strip).must_equal %[
318
318
  .foo { color: green; }
319
319
  ].strip
320
320
  end
@@ -333,7 +333,7 @@ describe 'Sanitize::CSS' do
333
333
  .foo { color: green; }
334
334
  ].strip
335
335
 
336
- @scss.stylesheet(css).must_equal %[
336
+ _(@scss.stylesheet(css)).must_equal %[
337
337
  @charset 'utf-8';
338
338
  @import url('foo.css');
339
339
  .foo { color: green; }
@@ -347,7 +347,7 @@ describe 'Sanitize::CSS' do
347
347
  .foo { color: green; }
348
348
  ].strip
349
349
 
350
- @scss.stylesheet(css).strip.must_equal %[
350
+ _(@scss.stylesheet(css).strip).must_equal %[
351
351
  .foo { color: green; }
352
352
  ].strip
353
353
  end
@@ -367,7 +367,7 @@ describe 'Sanitize::CSS' do
367
367
  @import url('https://somesite.com/something.css');
368
368
  ].strip
369
369
 
370
- @scss.stylesheet(css).strip.must_equal %[
370
+ _(@scss.stylesheet(css).strip).must_equal %[
371
371
  @import url('https://somesite.com/something.css');
372
372
  ].strip
373
373
  end
@@ -388,7 +388,7 @@ describe 'Sanitize::CSS' do
388
388
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
389
389
  ].strip
390
390
 
391
- @scss.stylesheet(css).strip.must_equal %[
391
+ _(@scss.stylesheet(css).strip).must_equal %[
392
392
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
393
393
  @import url('https://fonts.googleapis.com/css?family=Indie+Flower');
394
394
  ].strip
@@ -401,7 +401,7 @@ describe 'Sanitize::CSS' do
401
401
  @import url('https://nastysite.com/nasty_hax0r.css');
402
402
  ].strip
403
403
 
404
- @scss.stylesheet(css).strip.must_equal %[
404
+ _(@scss.stylesheet(css).strip).must_equal %[
405
405
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
406
406
  ].strip
407
407
  end
@@ -413,7 +413,7 @@ describe 'Sanitize::CSS' do
413
413
  @import url('');
414
414
  ].strip
415
415
 
416
- @scss.stylesheet(css).strip.must_equal %[
416
+ _(@scss.stylesheet(css).strip).must_equal %[
417
417
  @import 'https://fonts.googleapis.com/css?family=Indie+Flower';
418
418
  ].strip
419
419
  end
@@ -11,14 +11,14 @@ describe 'Transformers' do
11
11
  :transformers => lambda {|env|
12
12
  return unless env[:node].element?
13
13
 
14
- env[:config][:foo].must_equal :bar
15
- env[:is_allowlisted].must_equal false
16
- env[:is_whitelisted].must_equal env[:is_allowlisted]
17
- env[:node].must_be_kind_of Nokogiri::XML::Node
18
- env[:node_name].must_equal 'span'
19
- env[:node_allowlist].must_be_kind_of Set
20
- env[:node_allowlist].must_be_empty
21
- env[:node_whitelist].must_equal env[:node_allowlist]
14
+ _(env[:config][:foo]).must_equal :bar
15
+ _(env[:is_allowlisted]).must_equal false
16
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
17
+ _(env[:node]).must_be_kind_of Nokogiri::XML::Node
18
+ _(env[:node_name]).must_equal 'span'
19
+ _(env[:node_allowlist]).must_be_kind_of Set
20
+ _(env[:node_allowlist]).must_be_empty
21
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
22
22
  }
23
23
  )
24
24
  end
@@ -30,7 +30,7 @@ describe 'Transformers' do
30
30
  :transformers => proc {|env| nodes << env[:node_name] }
31
31
  )
32
32
 
33
- nodes.must_equal %w[
33
+ _(nodes).must_equal %w[
34
34
  #document-fragment div text text text comment script text
35
35
  ]
36
36
  end
@@ -42,25 +42,25 @@ describe 'Transformers' do
42
42
  :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
43
43
  )
44
44
 
45
- nodes.must_equal %w[div span strong b p]
45
+ _(nodes).must_equal %w[div span strong b p]
46
46
  end
47
47
 
48
48
  it 'should allowlist nodes in the node allowlist' do
49
- Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
49
+ _(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
50
50
  :transformers => [
51
51
  proc {|env|
52
52
  {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
53
53
  },
54
54
 
55
55
  proc {|env|
56
- env[:is_allowlisted].must_equal false unless env[:node_name] == 'div'
57
- env[:is_allowlisted].must_equal true if env[:node_name] == 'div'
58
- env[:node_allowlist].must_include env[:node] if env[:node_name] == 'div'
59
- env[:is_whitelisted].must_equal env[:is_allowlisted]
60
- env[:node_whitelist].must_equal env[:node_allowlist]
56
+ _(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
57
+ _(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
58
+ _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
59
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
60
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
61
61
  }
62
62
  ]
63
- ).must_equal '<div class="foo">foo</div>bar'
63
+ )).must_equal '<div class="foo">foo</div>bar'
64
64
  end
65
65
 
66
66
  it 'should clear the node allowlist after each fragment' do
@@ -73,19 +73,19 @@ describe 'Transformers' do
73
73
  Sanitize.fragment('<div>foo</div>',
74
74
  :transformers => proc {|env|
75
75
  called = true
76
- env[:is_allowlisted].must_equal false
77
- env[:is_whitelisted].must_equal env[:is_allowlisted]
78
- env[:node_allowlist].must_be_empty
79
- env[:node_whitelist].must_equal env[:node_allowlist]
76
+ _(env[:is_allowlisted]).must_equal false
77
+ _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
78
+ _(env[:node_allowlist]).must_be_empty
79
+ _(env[:node_whitelist]).must_equal env[:node_allowlist]
80
80
  }
81
81
  )
82
82
 
83
- called.must_equal true
83
+ _(called).must_equal true
84
84
  end
85
85
 
86
86
  it 'should accept a method transformer' do
87
87
  def transformer(env); end
88
- Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer))
88
+ _(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
89
89
  .must_equal(' foo ')
90
90
  end
91
91
 
@@ -114,32 +114,32 @@ describe 'Transformers' do
114
114
 
115
115
  it 'should allow images with relative URLs' do
116
116
  input = '<img src="/foo/bar.jpg">'
117
- @s.fragment(input).must_equal(input)
117
+ _(@s.fragment(input)).must_equal(input)
118
118
  end
119
119
 
120
120
  it 'should allow images at the example.com domain' do
121
121
  input = '<img src="http://example.com/foo/bar.jpg">'
122
- @s.fragment(input).must_equal(input)
122
+ _(@s.fragment(input)).must_equal(input)
123
123
 
124
124
  input = '<img src="https://example.com/foo/bar.jpg">'
125
- @s.fragment(input).must_equal(input)
125
+ _(@s.fragment(input)).must_equal(input)
126
126
 
127
127
  input = '<img src="//example.com/foo/bar.jpg">'
128
- @s.fragment(input).must_equal(input)
128
+ _(@s.fragment(input)).must_equal(input)
129
129
  end
130
130
 
131
131
  it 'should not allow images at other domains' do
132
132
  input = '<img src="http://evil.com/foo/bar.jpg">'
133
- @s.fragment(input).must_equal('')
133
+ _(@s.fragment(input)).must_equal('')
134
134
 
135
135
  input = '<img src="https://evil.com/foo/bar.jpg">'
136
- @s.fragment(input).must_equal('')
136
+ _(@s.fragment(input)).must_equal('')
137
137
 
138
138
  input = '<img src="//evil.com/foo/bar.jpg">'
139
- @s.fragment(input).must_equal('')
139
+ _(@s.fragment(input)).must_equal('')
140
140
 
141
141
  input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
142
- @s.fragment(input).must_equal('')
142
+ _(@s.fragment(input)).must_equal('')
143
143
  end
144
144
  end
145
145
 
@@ -177,35 +177,35 @@ describe 'Transformers' do
177
177
  it 'should allow HTTP YouTube video embeds' do
178
178
  input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
179
179
 
180
- Sanitize.fragment(input, :transformers => youtube_transformer)
180
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
181
181
  .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
182
182
  end
183
183
 
184
184
  it 'should allow HTTPS YouTube video embeds' do
185
185
  input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
186
186
 
187
- Sanitize.fragment(input, :transformers => youtube_transformer)
187
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
188
188
  .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
189
189
  end
190
190
 
191
191
  it 'should allow protocol-relative YouTube video embeds' do
192
192
  input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
193
193
 
194
- Sanitize.fragment(input, :transformers => youtube_transformer)
194
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
195
195
  .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
196
196
  end
197
197
 
198
198
  it 'should allow privacy-enhanced YouTube video embeds' do
199
199
  input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
200
200
 
201
- Sanitize.fragment(input, :transformers => youtube_transformer)
201
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
202
202
  .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
203
203
  end
204
204
 
205
205
  it 'should not allow non-YouTube video embeds' do
206
206
  input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
207
207
 
208
- Sanitize.fragment(input, :transformers => youtube_transformer)
208
+ _(Sanitize.fragment(input, :transformers => youtube_transformer))
209
209
  .must_equal('')
210
210
  end
211
211
  end
@@ -223,7 +223,7 @@ describe 'Transformers' do
223
223
  it 'should allow the <b> tag to be changed to a <strong> tag' do
224
224
  input = '<b>text</b>'
225
225
 
226
- Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer)
226
+ _(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
227
227
  .must_equal '<strong>text</strong>'
228
228
  end
229
229
  end
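Review bot: The expectations in the first hunk (`_(env[:is_allowlisted]).must_equal false` and the lines around it) run only inside the transformer lambda, after `return unless env[:node].element?`, so the test passes without asserting anything if the lambda is never reached for an element. The 'should clear the node allowlist after each fragment' test further down already guards against this with a `called` flag, and the same pattern would fit here: `called = false` before the call, `called = true` after the guard inside the lambda, and `_(called).must_equal true` after `Sanitize.fragment`. The proc in 'should allowlist nodes in the node allowlist' is less exposed, because the sanitized output is also compared with an expected string. The `it` block of the first hunk starts outside the hunk, so the input it sanitizes is not visible here.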
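--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: sanitize
  version: !ruby/object:Gem::Version
- version: 6.0.0
+ version: 6.0.1
  platform: ruby
  authors:
  - Ryan Grove
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-08-04 00:00:00.000000000 Z
+ date: 2023-01-27 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: crass
@@ -121,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: 1.2.0
  requirements: []
- rubygems_version: 3.2.22
+ rubygems_version: 3.4.1
  signing_key:
  specification_version: 4
  summary: Allowlist-based HTML and CSS sanitizer.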