sanitize 6.1.1 → 6.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/HISTORY.md +16 -0
- data/lib/sanitize/css.rb +33 -0
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +9 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
|
|
4
|
+
data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
|
|
7
|
+
data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# Sanitize History
|
|
2
2
|
|
|
3
|
+
## 6.1.3 (2024-08-14)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
|
|
8
|
+
|
|
9
|
+
[242]:https://github.com/rgrove/sanitize/pull/242
|
|
10
|
+
|
|
11
|
+
## 6.1.2 (2024-07-27)
|
|
12
|
+
|
|
13
|
+
### Bug Fixes
|
|
14
|
+
|
|
15
|
+
* The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
|
|
16
|
+
|
|
17
|
+
[240]:https://github.com/rgrove/sanitize/pull/240
|
|
18
|
+
|
|
3
19
|
## 6.1.1 (2024-06-12)
|
|
4
20
|
|
|
5
21
|
### Bug Fixes
|
data/lib/sanitize/css.rb
CHANGED
|
@@ -229,6 +229,12 @@ class Sanitize; class CSS
|
|
|
229
229
|
rule
|
|
230
230
|
end
|
|
231
231
|
|
|
232
|
+
# Returns `true` if the given CSS function name is an image-related function
|
|
233
|
+
# that may contain image URLs that need to be validated.
|
|
234
|
+
def image_function?(name)
|
|
235
|
+
['image', 'image-set', '-webkit-image-set'].include?(name)
|
|
236
|
+
end
|
|
237
|
+
|
|
232
238
|
# Passes the URL value of an @import rule to a block to ensure
|
|
233
239
|
# it's an allowed URL
|
|
234
240
|
def import_url_allowed?(rule)
|
|
@@ -272,6 +278,10 @@ class Sanitize; class CSS
|
|
|
272
278
|
return nil unless valid_url?(child)
|
|
273
279
|
end
|
|
274
280
|
|
|
281
|
+
if image_function?(name)
|
|
282
|
+
return nil unless valid_image?(child)
|
|
283
|
+
end
|
|
284
|
+
|
|
275
285
|
combined_value << name
|
|
276
286
|
return nil if name == 'expression' || combined_value == 'expression'
|
|
277
287
|
end
|
|
@@ -345,4 +355,27 @@ class Sanitize; class CSS
|
|
|
345
355
|
false
|
|
346
356
|
end
|
|
347
357
|
|
|
358
|
+
# Returns `true` if the given node is an image-related function and contains
|
|
359
|
+
# only strings that use an allowlisted protocol.
|
|
360
|
+
def valid_image?(node)
|
|
361
|
+
return false unless node[:node] == :function
|
|
362
|
+
return false unless node.key?(:name) && image_function?(node[:name].downcase)
|
|
363
|
+
return false unless Array === node[:value]
|
|
364
|
+
|
|
365
|
+
node[:value].each do |token|
|
|
366
|
+
return false unless Hash === token
|
|
367
|
+
|
|
368
|
+
case token[:node]
|
|
369
|
+
when :string
|
|
370
|
+
if token[:value] =~ Sanitize::REGEX_PROTOCOL
|
|
371
|
+
return false unless @config[:protocols].include?($1.downcase)
|
|
372
|
+
else
|
|
373
|
+
return false unless @config[:protocols].include?(:relative)
|
|
374
|
+
end
|
|
375
|
+
else
|
|
376
|
+
next
|
|
377
|
+
end
|
|
378
|
+
end
|
|
379
|
+
end
|
|
380
|
+
|
|
348
381
|
end; end
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_sanitize_css.rb
CHANGED
|
@@ -29,6 +29,15 @@ describe 'Sanitize::CSS' do
|
|
|
29
29
|
"background: url('ht\\tp://example.com/http.jpg')",
|
|
30
30
|
"background: url(https://example.com/https.jpg)",
|
|
31
31
|
"background: url('https://example.com/https.jpg')",
|
|
32
|
+
"background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
33
|
+
"background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
34
|
+
"background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
|
+
"background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
36
|
+
"background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
37
|
+
"background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
38
|
+
"background: image('relative.jpg');",
|
|
39
|
+
"background: image('https://example.com/https.jpg');",
|
|
40
|
+
"background: image(rtl 'https://example.com/https.jpg');"
|
|
32
41
|
].each do |css|
|
|
33
42
|
_(@default.properties(css)).must_equal ''
|
|
34
43
|
_(@relaxed.properties(css)).must_equal css
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-08-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: crass
|