sanitize 6.1.1 → 6.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/HISTORY.md +16 -0
- data/lib/sanitize/css.rb +33 -0
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +9 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
|
|
4
|
+
data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
|
|
7
|
+
data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# Sanitize History
|
|
2
2
|
|
|
3
|
+
## 6.1.3 (2024-08-14)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
|
|
8
|
+
|
|
9
|
+
[242]:https://github.com/rgrove/sanitize/pull/242
|
|
10
|
+
|
|
11
|
+
## 6.1.2 (2024-07-27)
|
|
12
|
+
|
|
13
|
+
### Bug Fixes
|
|
14
|
+
|
|
15
|
+
* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
|
|
16
|
+
|
|
17
|
+
[240]:https://github.com/rgrove/sanitize/pull/240
|
|
18
|
+
|
|
3
19
|
## 6.1.1 (2024-06-12)
|
|
4
20
|
|
|
5
21
|
### Bug Fixes
|
data/lib/sanitize/css.rb
CHANGED
|
@@ -229,6 +229,12 @@ class Sanitize; class CSS
|
|
|
229
229
|
rule
|
|
230
230
|
end
|
|
231
231
|
|
|
232
|
+
# Returns `true` if the given CSS function name is an image-related function
|
|
233
|
+
# that may contain image URLs that need to be validated.
|
|
234
|
+
def image_function?(name)
|
|
235
|
+
['image', 'image-set', '-webkit-image-set'].include?(name)
|
|
236
|
+
end
|
|
237
|
+
|
|
232
238
|
# Passes the URL value of an @import rule to a block to ensure
|
|
233
239
|
# it's an allowed URL
|
|
234
240
|
def import_url_allowed?(rule)
|
|
@@ -272,6 +278,10 @@ class Sanitize; class CSS
|
|
|
272
278
|
return nil unless valid_url?(child)
|
|
273
279
|
end
|
|
274
280
|
|
|
281
|
+
if image_function?(name)
|
|
282
|
+
return nil unless valid_image?(child)
|
|
283
|
+
end
|
|
284
|
+
|
|
275
285
|
combined_value << name
|
|
276
286
|
return nil if name == 'expression' || combined_value == 'expression'
|
|
277
287
|
end
|
|
@@ -345,4 +355,27 @@ class Sanitize; class CSS
|
|
|
345
355
|
false
|
|
346
356
|
end
|
|
347
357
|
|
|
358
|
+
# Returns `true` if the given node is an image-related function and contains
|
|
359
|
+
# only strings that use an allowlisted protocol.
|
|
360
|
+
def valid_image?(node)
|
|
361
|
+
return false unless node[:node] == :function
|
|
362
|
+
return false unless node.key?(:name) && image_function?(node[:name].downcase)
|
|
363
|
+
return false unless Array === node[:value]
|
|
364
|
+
|
|
365
|
+
node[:value].each do |token|
|
|
366
|
+
return false unless Hash === token
|
|
367
|
+
|
|
368
|
+
case token[:node]
|
|
369
|
+
when :string
|
|
370
|
+
if token[:value] =~ Sanitize::REGEX_PROTOCOL
|
|
371
|
+
return false unless @config[:protocols].include?($1.downcase)
|
|
372
|
+
else
|
|
373
|
+
return false unless @config[:protocols].include?(:relative)
|
|
374
|
+
end
|
|
375
|
+
else
|
|
376
|
+
next
|
|
377
|
+
end
|
|
378
|
+
end
|
|
379
|
+
end
|
|
380
|
+
|
|
348
381
|
end; end
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_sanitize_css.rb
CHANGED
|
@@ -29,6 +29,15 @@ describe 'Sanitize::CSS' do
|
|
|
29
29
|
"background: url('ht\\tp://example.com/http.jpg')",
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
|
32
|
+
"background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
33
|
+
"background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
34
|
+
"background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
|
+
"background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
36
|
+
"background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
37
|
+
"background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
38
|
+
"background: image('relative.jpg');",
|
|
39
|
+
"background: image('https://example.com/https.jpg');",
|
|
40
|
+
"background: image(rtl 'https://example.com/https.jpg');"
|
|
32
41
|
].each do |css|
|
|
33
42
|
_(@default.properties(css)).must_equal ''
|
|
34
43
|
_(@relaxed.properties(css)).must_equal css
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-08-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: crass
|