RubyGems - sanitize - Versions diffs - 6.1.2 → 7.0.0 - Mend

sanitize 6.1.2 → 7.0.0

Files changed (30) hide show

checksums.yaml +4 -4
data/{HISTORY.md → CHANGELOG.md} +40 -14
data/LICENSE +3 -1
data/README.md +120 -238
data/lib/sanitize/config/basic.rb +15 -15
data/lib/sanitize/config/default.rb +45 -45
data/lib/sanitize/config/relaxed.rb +136 -32
data/lib/sanitize/config/restricted.rb +2 -2
data/lib/sanitize/config.rb +12 -14
data/lib/sanitize/css.rb +309 -303
data/lib/sanitize/transformers/clean_cdata.rb +9 -9
data/lib/sanitize/transformers/clean_comment.rb +9 -9
data/lib/sanitize/transformers/clean_css.rb +59 -55
data/lib/sanitize/transformers/clean_doctype.rb +15 -15
data/lib/sanitize/transformers/clean_element.rb +220 -237
data/lib/sanitize/version.rb +3 -1
data/lib/sanitize.rb +38 -38
data/test/common.rb +4 -3
data/test/test_clean_comment.rb +26 -25
data/test/test_clean_css.rb +14 -13
data/test/test_clean_doctype.rb +21 -20
data/test/test_clean_element.rb +258 -273
data/test/test_config.rb +22 -21
data/test/test_malicious_css.rb +20 -19
data/test/test_malicious_html.rb +100 -99
data/test/test_parser.rb +26 -25
data/test/test_sanitize.rb +70 -69
data/test/test_sanitize_css.rb +152 -114
data/test/test_transformers.rb +81 -83
metadata +14 -43

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22d5dc60d871deef3c8d6e70a9991369350f730165771eb5a026c5db3c54c706
-  data.tar.gz: 1c2e3c02ce6cd4df374675102470203c657188bf70ce8fa344930588d59359b8
+  metadata.gz: c7ec07b16780ba818a5fdbb0570fb6c84245c60b2656388cab0b03b0d00bbc6a
+  data.tar.gz: 650c2a0c59fd4af1d305051e5488bcacee3f5a638a96960163f6677b838a9661
 SHA512:
-  metadata.gz: 4f6213a1274e9f4940aaedee5df9966d4d5ac26db5222fb8f14408b365be3bc6299fab02a275495516c0d9be0a1b2ebaddf622085321625c2773554728459760
-  data.tar.gz: b14dc3eeb2215eef2ffed29f4900d279ec6d3a5c32dc2c0d1d0f62e9adbf0b7241bd388064d3eda421819cb30c46b7d52924b182436535050402097945c8e4ca
+  metadata.gz: ec33f841766422dda2ee1d889d2e3f42f6b3b479c2cf557cad80de0311969a4e132e02a5a33dda296af2e2a5fec8791aa6ba8eacd6ea370428cc40ff3f08a720
+  data.tar.gz: f4cf669dba8e416c38fb4b9eae30b86e9c7816718e80cc32eac1f536f1e2023c59cb74df7e701af717a157e1fe1ccc902a89b26992488a85400e4dc0c089d07a

data/{HISTORY.md → CHANGELOG.md} RENAMED Viewed

@@ -1,4 +1,32 @@
-# Sanitize History
+# Sanitize Changelog
+All notable changes to Sanitize are documented in this file. The format (since version 7.0.0) is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## 7.0.0 (2024-12-29)
+Sanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!
+### Added
+- Added over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of "Working Draft" or better in the latest [W3C "All Properties" list](https://www.w3.org/Style/CSS/all-properties.en.html).
+- Added the `@container` CSS at-rule to the relaxed config.
+- Added the `-webkit-text-fill-color` CSS property to the relaxed config. [@radar - #244](https://github.com/rgrove/sanitize/pull/244)
+### Changed
+- Ruby 3.1.0 is now the oldest supported Ruby version.
+- Sanitize now requires Nokogiri 1.16.8 or higher.
+## 6.1.3 (2024-08-14)
+### Bug Fixes
+* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
+[242]:https://github.com/rgrove/sanitize/pull/242
 ## 6.1.2 (2024-07-27)
@@ -271,8 +299,6 @@ review the changes below carefully.
   Many thanks to the Shopify Application Security Team for responsibly reporting
   this issue.
-[176]:https://github.com/rgrove/sanitize/issues/176
 ## 4.6.2 (2018-03-19)
 * Reduced string allocations to optimize memory usage. [@janklimo - #175][175]
@@ -610,7 +636,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
 ## 2.0.4 (2013-06-12)
 * Added `Sanitize.clean_document`, which sanitizes a full HTML document rather
-  than just a fragment. [Ben Anderson]
+  than just a fragment. \[Ben Anderson]
 * Nokogiri dependency bumped to 1.6.x.
@@ -633,7 +659,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
 ## 2.0.1 (2011-03-16)
 * Updated the protocol regex to anchor at the beginning of the string rather
-  than the beginning of a line. [Eaden McKee]
+  than the beginning of a line. \[Eaden McKee]
 ## 2.0.0 (2011-01-15)
@@ -679,7 +705,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
   remove the contents of all non-allowlisted elements in addition to the
   elements themselves. If set to an array of element names, Sanitize will
   remove the contents of only those elements (when filtered), and leave the
-  contents of other filtered elements. [Thanks to Rafael Souza for the array
+  contents of other filtered elements. \[Thanks to Rafael Souza for the array
   option]
 * Added an `:output_encoding` config setting to allow the character encoding
@@ -704,27 +730,27 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
 * Added `Sanitize.clean_node!`, which sanitizes a `Nokogiri::XML::Node` and
   all its children.
-* Added elements `<h1>` through `<h6>` to the Relaxed allowlist. [Suggested by
+* Added elements `<h1>` through `<h6>` to the Relaxed allowlist. \[Suggested by
   David Reese]
 ## 1.1.0 (2009-10-11)
-* Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 [Adam Hooper]
+* Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 \[Adam Hooper]
 * Added an `:output` config setting to allow the output format to be
   specified. Supported formats are `:xhtml` (the default) and `:html` (which
   outputs HTML4).
 * Changed protocol regex to ensure Sanitize doesn't kill URLs with colons in
-  path segments. [Peter Cooper]
+  path segments. \[Peter Cooper]
 ## 1.0.8 (2009-04-23)
 * Added a workaround for an Hpricot bug that prevents attribute names from
   being downcased in recent versions of Hpricot. This was exploitable to
-  prevent non-allowlisted protocols from being cleaned. [Reported by Ben
+  prevent non-allowlisted protocols from being cleaned. \[Reported by Ben
   Wanicur]
@@ -733,7 +759,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
 * Requires Hpricot 0.8.1+, which is finally compatible with Ruby 1.9.1.
 * Fixed a bug that caused named character entities containing digits (like
-  `&sup2;`) to be escaped when they shouldn't have been. [Reported by
+  `&sup2;`) to be escaped when they shouldn't have been. \[Reported by
   Sebastian Steinmetz]
@@ -748,14 +774,14 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
   problems in IE6.
 * You can now specify the symbol `:all` in place of an element name in the
-  attributes config hash to allow certain attributes on all elements. [Thanks
+  attributes config hash to allow certain attributes on all elements. \[Thanks
   to Mutwin Kraus]
 ## 1.0.5 (2009-02-05)
 * Fixed a bug introduced in version 1.0.3 that prevented non-allowlisted
-  protocols from being cleaned when relative URLs were allowed. [Reported by
+  protocols from being cleaned when relative URLs were allowed. \[Reported by
   Dev Purkayastha]
 * Fixed "undefined method `parent='" exceptions caused by parser changes in
@@ -766,7 +792,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
 * Fixed a bug that made it possible to sneak a non-allowlisted element through
   by repeating it several times in a row. All versions of Sanitize prior to
-  1.0.4 are vulnerable. [Reported by Cristobal]
+  1.0.4 are vulnerable. \[Reported by Cristobal]
 ## 1.0.3 (2009-01-15)

data/LICENSE CHANGED Viewed

@@ -1,4 +1,6 @@
-Copyright (c) 2021 Ryan Grove <ryan@wonko.com>
+MIT License
+Copyright Ryan Grove <ryan@wonko.com>
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the 'Software'), to deal in