sanitize 6.1.2 → 6.1.3
- checksums.yaml +4 -4
- data/HISTORY.md +8 -0
- data/lib/sanitize/css.rb +10 -4
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +3 -0
- metadata +3 -3
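--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
+data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
+data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b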
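--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,5 +1,13 @@
 # Sanitize History
 
+## 6.1.3 (2024-08-14)
+
+### Bug Fixes
+
+* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
+
+[242]:https://github.com/rgrove/sanitize/pull/242
+
 ## 6.1.2 (2024-07-27)
 
 ### Bug Fixes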
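--- a/data/lib/sanitize/css.rb
+++ b/data/lib/sanitize/css.rb
@@ -229,6 +229,12 @@ class Sanitize; class CSS
 rule
 end
 
+# Returns `true` if the given CSS function name is an image-related function
+# that may contain image URLs that need to be validated.
+def image_function?(name)
+['image', 'image-set', '-webkit-image-set'].include?(name)
+end
+
 # Passes the URL value of an @import rule to a block to ensure
 # it's an allowed URL
 def import_url_allowed?(rule)
@@ -272,7 +278,7 @@ class Sanitize; class CSS
 return nil unless valid_url?(child)
 end
 
-if name
+if image_function?(name)
 return nil unless valid_image?(child)
 end
 
@@ -349,11 +355,11 @@ class Sanitize; class CSS
 false
 end
 
-# Returns `true` if the given node
-#
+# Returns `true` if the given node is an image-related function and contains
+# only strings that use an allowlisted protocol.
 def valid_image?(node)
 return false unless node[:node] == :function
-return false unless node.key?(:name) &&
+return false unless node.key?(:name) && image_function?(node[:name].downcase)
 return false unless Array === node[:value]
 
 node[:value].each do |token|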
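Review bot: `image_function?` (new line 234) compares the name case-sensitively even though CSS function names are case-insensitive; `valid_image?` downcases before calling it (line 362), but the call at line 281 depends on `name` having been lowercased somewhere above the hunk, which cannot be confirmed from here. Downcasing inside the helper removes that dependency on every caller, and hoisting the literal to a frozen constant avoids allocating the array on each call: `IMAGE_FUNCTIONS = %w[image image-set -webkit-image-set].freeze` with the body `IMAGE_FUNCTIONS.include?(name.downcase)`. If the downcasing is deliberately left to callers, the comment should state that contract, e.g. `# `name` must already be lowercased; the comparison is exact.` The method containing the second hunk (line 281) starts and ends outside the hunk.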
data/lib/sanitize/version.rb
CHANGED
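--- a/data/test/test_sanitize_css.rb
+++ b/data/test/test_sanitize_css.rb
@@ -32,6 +32,9 @@ describe 'Sanitize::CSS' do
 "background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
 "background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
 "background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
+"background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
+"background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
+"background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
 "background: image('relative.jpg');",
 "background: image('https://example.com/https.jpg');",
 "background: image(rtl 'https://example.com/https.jpg');"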
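Review bot: The three added lines (new 35–37) only cover `-webkit-image-set` inputs that should be accepted; the fix's actual purpose is that an `-webkit-image-set` value with a non-allowlisted protocol is now rejected, and nothing in this hunk asserts that. Unless the rejected-input list elsewhere in this file (not visible here) also gained a `-webkit-image-set` case with a non-allowlisted protocol, the regression the changelog describes would still pass these tests if the `image_function?` check were reverted. A single rejected case mirroring the existing `image-set` rejection entry would close that gap. The enclosing `describe` block starts and ends outside the hunk.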
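--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-version: 6.1.
+version: 6.1.3
 platform: ruby
 authors:
 - Ryan Grove
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: crass
@@ -123,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: 1.2.0
 requirements: []
-rubygems_version: 3.5.
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Allowlist-based HTML and CSS sanitizer.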