sanitize 6.1.0 → 6.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/HISTORY.md +16 -0
- data/README.md +3 -4
- data/lib/sanitize/css.rb +27 -0
- data/lib/sanitize/transformers/clean_doctype.rb +5 -1
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +6 -0
- metadata +8 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 22d5dc60d871deef3c8d6e70a9991369350f730165771eb5a026c5db3c54c706
|
|
4
|
+
data.tar.gz: 1c2e3c02ce6cd4df374675102470203c657188bf70ce8fa344930588d59359b8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4f6213a1274e9f4940aaedee5df9966d4d5ac26db5222fb8f14408b365be3bc6299fab02a275495516c0d9be0a1b2ebaddf622085321625c2773554728459760
|
|
7
|
+
data.tar.gz: b14dc3eeb2215eef2ffed29f4900d279ec6d3a5c32dc2c0d1d0f62e9adbf0b7241bd388064d3eda421819cb30c46b7d52924b182436535050402097945c8e4ca
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# Sanitize History
|
|
2
2
|
|
|
3
|
+
## 6.1.2 (2024-07-27)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
|
|
8
|
+
|
|
9
|
+
[240]:https://github.com/rgrove/sanitize/pull/240
|
|
10
|
+
|
|
11
|
+
## 6.1.1 (2024-06-12)
|
|
12
|
+
|
|
13
|
+
### Bug Fixes
|
|
14
|
+
|
|
15
|
+
* Proactively fixed a compatibility issue with libxml >= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [@flavorjones - #238][238]
|
|
16
|
+
|
|
17
|
+
[238]:https://github.com/rgrove/sanitize/pull/238
|
|
18
|
+
|
|
3
19
|
## 6.1.0 (2023-09-14)
|
|
4
20
|
|
|
5
21
|
### Features
|
data/README.md
CHANGED
data/lib/sanitize/css.rb
CHANGED
|
@@ -272,6 +272,10 @@ class Sanitize; class CSS
|
|
|
272
272
|
return nil unless valid_url?(child)
|
|
273
273
|
end
|
|
274
274
|
|
|
275
|
+
if name == 'image-set' || name == 'image'
|
|
276
|
+
return nil unless valid_image?(child)
|
|
277
|
+
end
|
|
278
|
+
|
|
275
279
|
combined_value << name
|
|
276
280
|
return nil if name == 'expression' || combined_value == 'expression'
|
|
277
281
|
end
|
|
@@ -345,4 +349,27 @@ class Sanitize; class CSS
|
|
|
345
349
|
false
|
|
346
350
|
end
|
|
347
351
|
|
|
352
|
+
# Returns `true` if the given node (which is an `image` or `image-set` function) contains only strings
|
|
353
|
+
# using an allowlisted protocol.
|
|
354
|
+
def valid_image?(node)
|
|
355
|
+
return false unless node[:node] == :function
|
|
356
|
+
return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
|
|
357
|
+
return false unless Array === node[:value]
|
|
358
|
+
|
|
359
|
+
node[:value].each do |token|
|
|
360
|
+
return false unless Hash === token
|
|
361
|
+
|
|
362
|
+
case token[:node]
|
|
363
|
+
when :string
|
|
364
|
+
if token[:value] =~ Sanitize::REGEX_PROTOCOL
|
|
365
|
+
return false unless @config[:protocols].include?($1.downcase)
|
|
366
|
+
else
|
|
367
|
+
return false unless @config[:protocols].include?(:relative)
|
|
368
|
+
end
|
|
369
|
+
else
|
|
370
|
+
next
|
|
371
|
+
end
|
|
372
|
+
end
|
|
373
|
+
end
|
|
374
|
+
|
|
348
375
|
end; end
|
|
@@ -9,7 +9,11 @@ class Sanitize; module Transformers
|
|
|
9
9
|
|
|
10
10
|
if node.type == Nokogiri::XML::Node::DTD_NODE
|
|
11
11
|
if env[:config][:allow_doctype]
|
|
12
|
-
node.name
|
|
12
|
+
if node.name != "html"
|
|
13
|
+
document = node.document
|
|
14
|
+
node.unlink
|
|
15
|
+
document.create_internal_subset("html", nil, nil)
|
|
16
|
+
end
|
|
13
17
|
else
|
|
14
18
|
node.unlink
|
|
15
19
|
end
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_sanitize_css.rb
CHANGED
|
@@ -29,6 +29,12 @@ describe 'Sanitize::CSS' do
|
|
|
29
29
|
"background: url('ht\\tp://example.com/http.jpg')",
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
|
32
|
+
"background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
33
|
+
"background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
34
|
+
"background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
|
+
"background: image('relative.jpg');",
|
|
36
|
+
"background: image('https://example.com/https.jpg');",
|
|
37
|
+
"background: image(rtl 'https://example.com/https.jpg');"
|
|
32
38
|
].each do |css|
|
|
33
39
|
_(@default.properties(css)).must_equal ''
|
|
34
40
|
_(@relaxed.properties(css)).must_equal css
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-07-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: crass
|
|
@@ -44,14 +44,14 @@ dependencies:
|
|
|
44
44
|
requirements:
|
|
45
45
|
- - "~>"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: 5.
|
|
47
|
+
version: '5.15'
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: 5.
|
|
54
|
+
version: '5.15'
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: rake
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -105,7 +105,9 @@ files:
|
|
|
105
105
|
homepage: https://github.com/rgrove/sanitize/
|
|
106
106
|
licenses:
|
|
107
107
|
- MIT
|
|
108
|
-
metadata:
|
|
108
|
+
metadata:
|
|
109
|
+
changelog_uri: https://github.com/rgrove/sanitize/blob/main/HISTORY.md
|
|
110
|
+
documentation_uri: https://rubydoc.info/github/rgrove/sanitize
|
|
109
111
|
post_install_message:
|
|
110
112
|
rdoc_options: []
|
|
111
113
|
require_paths:
|
|
@@ -121,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
121
123
|
- !ruby/object:Gem::Version
|
|
122
124
|
version: 1.2.0
|
|
123
125
|
requirements: []
|
|
124
|
-
rubygems_version: 3.
|
|
126
|
+
rubygems_version: 3.5.3
|
|
125
127
|
signing_key:
|
|
126
128
|
specification_version: 4
|
|
127
129
|
summary: Allowlist-based HTML and CSS sanitizer.
|