sanitize 6.1.1 → 6.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/HISTORY.md +8 -0
- data/lib/sanitize/css.rb +27 -0
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +6 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 22d5dc60d871deef3c8d6e70a9991369350f730165771eb5a026c5db3c54c706
|
|
4
|
+
data.tar.gz: 1c2e3c02ce6cd4df374675102470203c657188bf70ce8fa344930588d59359b8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4f6213a1274e9f4940aaedee5df9966d4d5ac26db5222fb8f14408b365be3bc6299fab02a275495516c0d9be0a1b2ebaddf622085321625c2773554728459760
|
|
7
|
+
data.tar.gz: b14dc3eeb2215eef2ffed29f4900d279ec6d3a5c32dc2c0d1d0f62e9adbf0b7241bd388064d3eda421819cb30c46b7d52924b182436535050402097945c8e4ca
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Sanitize History
|
|
2
2
|
|
|
3
|
+
## 6.1.2 (2024-07-27)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
|
|
8
|
+
|
|
9
|
+
[240]:https://github.com/rgrove/sanitize/pull/240
|
|
10
|
+
|
|
3
11
|
## 6.1.1 (2024-06-12)
|
|
4
12
|
|
|
5
13
|
### Bug Fixes
|
data/lib/sanitize/css.rb
CHANGED
|
@@ -272,6 +272,10 @@ class Sanitize; class CSS
|
|
|
272
272
|
return nil unless valid_url?(child)
|
|
273
273
|
end
|
|
274
274
|
|
|
275
|
+
if name == 'image-set' || name == 'image'
|
|
276
|
+
return nil unless valid_image?(child)
|
|
277
|
+
end
|
|
278
|
+
|
|
275
279
|
combined_value << name
|
|
276
280
|
return nil if name == 'expression' || combined_value == 'expression'
|
|
277
281
|
end
|
|
@@ -345,4 +349,27 @@ class Sanitize; class CSS
|
|
|
345
349
|
false
|
|
346
350
|
end
|
|
347
351
|
|
|
352
|
+
# Returns `true` if the given node (which is an `image` or `image-set` function) contains only strings
|
|
353
|
+
# using an allowlisted protocol.
|
|
354
|
+
def valid_image?(node)
|
|
355
|
+
return false unless node[:node] == :function
|
|
356
|
+
return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
|
|
357
|
+
return false unless Array === node[:value]
|
|
358
|
+
|
|
359
|
+
node[:value].each do |token|
|
|
360
|
+
return false unless Hash === token
|
|
361
|
+
|
|
362
|
+
case token[:node]
|
|
363
|
+
when :string
|
|
364
|
+
if token[:value] =~ Sanitize::REGEX_PROTOCOL
|
|
365
|
+
return false unless @config[:protocols].include?($1.downcase)
|
|
366
|
+
else
|
|
367
|
+
return false unless @config[:protocols].include?(:relative)
|
|
368
|
+
end
|
|
369
|
+
else
|
|
370
|
+
next
|
|
371
|
+
end
|
|
372
|
+
end
|
|
373
|
+
end
|
|
374
|
+
|
|
348
375
|
end; end
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_sanitize_css.rb
CHANGED
|
@@ -29,6 +29,12 @@ describe 'Sanitize::CSS' do
|
|
|
29
29
|
"background: url('ht\\tp://example.com/http.jpg')",
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
|
32
|
+
"background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
33
|
+
"background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
34
|
+
"background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
|
+
"background: image('relative.jpg');",
|
|
36
|
+
"background: image('https://example.com/https.jpg');",
|
|
37
|
+
"background: image(rtl 'https://example.com/https.jpg');"
|
|
32
38
|
].each do |css|
|
|
33
39
|
_(@default.properties(css)).must_equal ''
|
|
34
40
|
_(@relaxed.properties(css)).must_equal css
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-07-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: crass
|
|
@@ -123,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: 1.2.0
|
|
125
125
|
requirements: []
|
|
126
|
-
rubygems_version: 3.5.
|
|
126
|
+
rubygems_version: 3.5.3
|
|
127
127
|
signing_key:
|
|
128
128
|
specification_version: 4
|
|
129
129
|
summary: Allowlist-based HTML and CSS sanitizer.
|