sanitize 6.1.1 → 6.1.3

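--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: ed64268ea99d49841046ad5977df0d4e622abe58a6374244bc9223631ee0ed95
-data.tar.gz: eb614786ac3167798532bdfef07c2abd65d5a72928af487432c775d9c878024d
+metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
+data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
 SHA512:
-metadata.gz: 176c443206f2880a84bca7d84a32a631e4237f5f3de4d69f45a9dcd80ba31999c7c7424c1ace1a09aa4566834a699e7ff149e956383ec91c2c98e7c63c01f3c6
-data.tar.gz: f492268ae71a8109b4857f9dced29d3ed4e3897b39fe2cb4d12cd1459395b58197179b2e9cdd32175e281a5aea04a13fa741809040289dbe47391b7367e1397d
+metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
+data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b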
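--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,5 +1,21 @@
 # Sanitize History
 
+## 6.1.3 (2024-08-14)
+
+### Bug Fixes
+
+* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
+
+[242]:https://github.com/rgrove/sanitize/pull/242
+
+## 6.1.2 (2024-07-27)
+
+### Bug Fixes
+
+* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
+
+[240]:https://github.com/rgrove/sanitize/pull/240
+
 ## 6.1.1 (2024-06-12)
 
 ### Bug Fixes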
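--- a/data/lib/sanitize/css.rb
+++ b/data/lib/sanitize/css.rb
@@ -229,6 +229,12 @@ class Sanitize; class CSS
 rule
 end
 
+# Returns `true` if the given CSS function name is an image-related function
+# that may contain image URLs that need to be validated.
+def image_function?(name)
+['image', 'image-set', '-webkit-image-set'].include?(name)
+end
+
 # Passes the URL value of an @import rule to a block to ensure
 # it's an allowed URL
 def import_url_allowed?(rule)
@@ -272,6 +278,10 @@ class Sanitize; class CSS
 return nil unless valid_url?(child)
 end
 
+if image_function?(name)
+return nil unless valid_image?(child)
+end
+
 combined_value << name
 return nil if name == 'expression' || combined_value == 'expression'
 end
@@ -345,4 +355,27 @@ class Sanitize; class CSS
 false
 end
 
+# Returns `true` if the given node is an image-related function and contains
+# only strings that use an allowlisted protocol.
+def valid_image?(node)
+return false unless node[:node] == :function
+return false unless node.key?(:name) && image_function?(node[:name].downcase)
+return false unless Array === node[:value]
+
+node[:value].each do |token|
+return false unless Hash === token
+
+case token[:node]
+when :string
+if token[:value] =~ Sanitize::REGEX_PROTOCOL
+return false unless @config[:protocols].include?($1.downcase)
+else
+return false unless @config[:protocols].include?(:relative)
+end
+else
+next
+end
+end
+end
+
 end; end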
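Review bot: `valid_image?` only inspects `:string` tokens and `next`s over every other node kind in `node[:value]`, so if the parser emits a `:url` token or a nested `url(...)` function inside `image-set(...)`/`image(...)`, that value is never passed through the protocol allowlist here, and nothing in this hunk shows the outer property walk descending into function values to catch it. If nested `:url`/`:function` nodes can occur at this level, the `case` should route them through `valid_url?` the same way the top-level walk does for `url`, as in the fence below, with other nested functions such as `type(...)` still passing. The method also returns the `node[:value]` array rather than `true` on success, contrary to its comment; ending the method with `true` after the `each` keeps the predicate boolean. The enclosing `Sanitize::CSS` class and the `valid_url?` it relies on are outside the hunk.
```ruby
def valid_image?(node)
  # … unchanged: :function / :name / Array guards …

  node[:value].each do |token|
    return false unless Hash === token

    case token[:node]
    when :string
      # … unchanged: protocol allowlist check on the string value …
    when :url
      return false unless valid_url?(token)
    when :function
      # a quoted url(...) argument is presumably a nested function node here — confirm against the parser
      return false if token[:name].to_s.downcase == 'url' && !valid_url?(token)
    end
  end

  true
end
```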
@@ -1,3 +1,3 @@
1
1
  class Sanitize
2
- VERSION = '6.1.1'
2
+ VERSION = '6.1.3'
3
3
  end
@@ -29,6 +29,15 @@ describe 'Sanitize::CSS' do
29
29
  "background: url('ht\\tp://example.com/http.jpg')",
30
30
  "background: url(https://example.com/https.jpg)",
31
31
  "background: url('https://example.com/https.jpg')",
32
+ "background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
33
+ "background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
34
+ "background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
35
+ "background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
36
+ "background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
37
+ "background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
38
+ "background: image('relative.jpg');",
39
+ "background: image('https://example.com/https.jpg');",
40
+ "background: image(rtl 'https://example.com/https.jpg');"
32
41
  ].each do |css|
33
42
  _(@default.properties(css)).must_equal ''
34
43
  _(@relaxed.properties(css)).must_equal css
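Review bot: The nine `image-set`/`-webkit-image-set`/`image` cases added at test lines 32–40 only use relative and `https:` URLs that the relaxed config is expected to keep, so this hunk contains no assertion that a string with a non-allowlisted protocol inside these functions is now stripped, which is the behavior the change exists to enforce. If no such case exists elsewhere in the file, add one to the rejection set, asserting `_(@relaxed.properties(css)).must_equal ''` for an `image-set(...)` whose string uses a protocol outside `@relaxed`'s allowlist, and a matching case for `-webkit-image-set`. The enclosing `describe` block and the array being iterated start and end outside the hunk.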
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.1
4
+ version: 6.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-13 00:00:00.000000000 Z
11
+ date: 2024-08-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: crass