sanitize 6.1.2 → 7.0.0

data/test/test_transformers.rb

@@ -1,123 +1,121 @@
-# encoding: utf-8
-require_relative 'common'
+# frozen_string_literal: true
 
-describe 'Transformers' do
+require_relative "common"
+
+describe "Transformers" do
   make_my_diffs_pretty!
   parallelize_me!
 
-  it 'should receive a complete env Hash as input' do
-    Sanitize.fragment('<SPAN>foo</SPAN>',
-      :foo => :bar,
-      :transformers => lambda {|env|
+  it "should receive a complete env Hash as input" do
+    Sanitize.fragment("<SPAN>foo</SPAN>",
+      foo: :bar,
+      transformers: lambda { |env|
         return unless env[:node].element?
 
         _(env[:config][:foo]).must_equal :bar
         _(env[:is_allowlisted]).must_equal false
         _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
         _(env[:node]).must_be_kind_of Nokogiri::XML::Node
-        _(env[:node_name]).must_equal 'span'
+        _(env[:node_name]).must_equal "span"
         _(env[:node_allowlist]).must_be_kind_of Set
         _(env[:node_allowlist]).must_be_empty
         _(env[:node_whitelist]).must_equal env[:node_allowlist]
-      }
-    )
+      })
   end
 
-  it 'should traverse all node types, including the fragment itself' do
+  it "should traverse all node types, including the fragment itself" do
     nodes = []
 
-    Sanitize.fragment('<div>foo</div><!--bar--><script>cdata!</script>',
-      :transformers => proc {|env| nodes << env[:node_name] }
-    )
+    Sanitize.fragment("<div>foo</div><!--bar--><script>cdata!</script>",
+      transformers: proc { |env| nodes << env[:node_name] })
 
     _(nodes).must_equal %w[
       #document-fragment div text text text comment script text
     ]
   end
 
-  it 'should perform top-down traversal' do
+  it "should perform top-down traversal" do
     nodes = []
 
-    Sanitize.fragment('<div><span><strong>foo</strong></span><b></b></div><p>bar</p>',
-      :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
-    )
+    Sanitize.fragment("<div><span><strong>foo</strong></span><b></b></div><p>bar</p>",
+      transformers: proc { |env| nodes << env[:node_name] if env[:node].element? })
 
     _(nodes).must_equal %w[div span strong b p]
   end
 
-  it 'should allowlist nodes in the node allowlist' do
+  it "should allowlist nodes in the node allowlist" do
     _(Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
-      :transformers => [
-        proc {|env|
-          {:node_allowlist => [env[:node]]} if env[:node_name] == 'div'
+      transformers: [
+        proc { |env|
+          {node_allowlist: [env[:node]]} if env[:node_name] == "div"
         },
 
-        proc {|env|
-          _(env[:is_allowlisted]).must_equal false unless env[:node_name] == 'div'
-          _(env[:is_allowlisted]).must_equal true if env[:node_name] == 'div'
-          _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == 'div'
+        proc { |env|
+          _(env[:is_allowlisted]).must_equal false unless env[:node_name] == "div"
+          _(env[:is_allowlisted]).must_equal true if env[:node_name] == "div"
+          _(env[:node_allowlist]).must_include env[:node] if env[:node_name] == "div"
           _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
           _(env[:node_whitelist]).must_equal env[:node_allowlist]
         }
-      ]
-    )).must_equal '<div class="foo">foo</div>bar'
+      ])).must_equal '<div class="foo">foo</div>bar'
   end
 
-  it 'should clear the node allowlist after each fragment' do
+  it "should clear the node allowlist after each fragment" do
     called = false
 
-    Sanitize.fragment('<div>foo</div>',
-      :transformers => proc {|env| {:node_allowlist => [env[:node]]}}
-    )
+    Sanitize.fragment("<div>foo</div>",
+      transformers: proc { |env| {node_allowlist: [env[:node]]} })
 
-    Sanitize.fragment('<div>foo</div>',
-      :transformers => proc {|env|
+    Sanitize.fragment("<div>foo</div>",
+      transformers: proc { |env|
         called = true
         _(env[:is_allowlisted]).must_equal false
         _(env[:is_whitelisted]).must_equal env[:is_allowlisted]
         _(env[:node_allowlist]).must_be_empty
         _(env[:node_whitelist]).must_equal env[:node_allowlist]
-      }
-    )
+      })
 
     _(called).must_equal true
   end
 
-  it 'should accept a method transformer' do
-    def transformer(env); end
-    _(Sanitize.fragment('<div>foo</div>', :transformers => method(:transformer)))
-      .must_equal(' foo ')
+  it "should accept a method transformer" do
+    def transformer(env)
+    end
+    _(Sanitize.fragment("<div>foo</div>", transformers: method(:transformer)))
+      .must_equal(" foo ")
   end
 
-  describe 'Image allowlist transformer' do
-    require 'uri'
+  describe "Image allowlist transformer" do
+    require "uri"
 
     image_allowlist_transformer = lambda do |env|
       # Ignore everything except <img> elements.
-      return unless env[:node_name] == 'img'
+      return unless env[:node_name] == "img"
 
-      node      = env[:node]
-      image_uri = URI.parse(node['src'])
+      node = env[:node]
+      image_uri = URI.parse(node["src"])
 
       # Only allow relative URLs or URLs with the example.com domain. The
       # image_uri.host.nil? check ensures that protocol-relative URLs like
-      # "//evil.com/foo.jpg".
-      unless image_uri.host == 'example.com' || (image_uri.host.nil? && image_uri.relative?)
-        node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
+      # "//evil.com/foo.jpg" are not allowed.
+      unless image_uri.host == "example.com"
+        unless image_uri.host.nil? && image_uri.relative?
+          node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
+        end
       end
     end
 
     before do
       @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
-          :transformers => image_allowlist_transformer))
+        transformers: image_allowlist_transformer))
     end
 
-    it 'should allow images with relative URLs' do
+    it "should allow images with relative URLs" do
       input = '<img src="/foo/bar.jpg">'
       _(@s.fragment(input)).must_equal(input)
     end
 
-    it 'should allow images at the example.com domain' do
+    it "should allow images at the example.com domain" do
       input = '<img src="http://example.com/foo/bar.jpg">'
       _(@s.fragment(input)).must_equal(input)
 
@@ -128,103 +126,103 @@ describe 'Transformers' do
       _(@s.fragment(input)).must_equal(input)
     end
 
-    it 'should not allow images at other domains' do
+    it "should not allow images at other domains" do
       input = '<img src="http://evil.com/foo/bar.jpg">'
-      _(@s.fragment(input)).must_equal('')
+      _(@s.fragment(input)).must_equal("")
 
       input = '<img src="https://evil.com/foo/bar.jpg">'
-      _(@s.fragment(input)).must_equal('')
+      _(@s.fragment(input)).must_equal("")
 
       input = '<img src="//evil.com/foo/bar.jpg">'
-      _(@s.fragment(input)).must_equal('')
+      _(@s.fragment(input)).must_equal("")
 
       input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
-      _(@s.fragment(input)).must_equal('')
+      _(@s.fragment(input)).must_equal("")
     end
   end
 
-  describe 'YouTube transformer' do
+  describe "YouTube transformer" do
     youtube_transformer = lambda do |env|
-      node      = env[:node]
+      node = env[:node]
       node_name = env[:node_name]
 
       # Don't continue if this node is already allowlisted or is not an element.
       return if env[:is_allowlisted] || !node.element?
 
       # Don't continue unless the node is an iframe.
-      return unless node_name == 'iframe'
+      return unless node_name == "iframe"
 
       # Verify that the video URL is actually a valid YouTube video URL.
-      return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|
+      return unless %r{\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/}.match?(node["src"])
 
       # We're now certain that this is a YouTube embed, but we still need to run
       # it through a special Sanitize step to ensure that no unwanted elements or
       # attributes that don't belong in a YouTube embed can sneak in.
       Sanitize.node!(node, {
-        :elements => %w[iframe],
+        elements: %w[iframe],
 
-        :attributes => {
-          'iframe'  => %w[allowfullscreen frameborder height src width]
+        attributes: {
+          "iframe" => %w[allowfullscreen frameborder height src width]
         }
       })
 
       # Now that we're sure that this is a valid YouTube embed and that there are
       # no unwanted elements or attributes hidden inside it, we can tell Sanitize
       # to allowlist the current node.
-      {:node_allowlist => [node]}
+      {node_allowlist: [node]}
     end
 
-    it 'should allow HTTP YouTube video embeds' do
+    it "should allow HTTP YouTube video embeds" do
       input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+      _(Sanitize.fragment(input, transformers: youtube_transformer))
         .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
-    it 'should allow HTTPS YouTube video embeds' do
+    it "should allow HTTPS YouTube video embeds" do
       input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+      _(Sanitize.fragment(input, transformers: youtube_transformer))
         .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
-    it 'should allow protocol-relative YouTube video embeds' do
+    it "should allow protocol-relative YouTube video embeds" do
       input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+      _(Sanitize.fragment(input, transformers: youtube_transformer))
         .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
-    it 'should allow privacy-enhanced YouTube video embeds' do
+    it "should allow privacy-enhanced YouTube video embeds" do
       input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
 
-      _(Sanitize.fragment(input, :transformers => youtube_transformer))
+      _(Sanitize.fragment(input, transformers: youtube_transformer))
         .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen=""></iframe>'
     end
 
-    it 'should not allow non-YouTube video embeds' do
+    it "should not allow non-YouTube video embeds" do
       input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
 
-      _(Sanitize.fragment(input, :transformers => youtube_transformer))
-        .must_equal('')
+      _(Sanitize.fragment(input, transformers: youtube_transformer))
+        .must_equal("")
     end
   end
 
-  describe 'DOM modification transformer' do
+  describe "DOM modification transformer" do
     b_to_strong_tag_transformer = lambda do |env|
-      node      = env[:node]
+      node = env[:node]
       node_name = env[:node_name]
 
-      if node_name == 'b'
-        node.name = 'strong'
+      if node_name == "b"
+        node.name = "strong"
       end
     end
 
-    it 'should allow the <b> tag to be changed to a <strong> tag' do
-      input = '<b>text</b>'
+    it "should allow the <b> tag to be changed to a <strong> tag" do
+      input = "<b>text</b>"
 
-      _(Sanitize.fragment(input, :elements => ['strong'], :transformers => b_to_strong_tag_transformer))
-        .must_equal '<strong>text</strong>'
+      _(Sanitize.fragment(input, elements: ["strong"], transformers: b_to_strong_tag_transformer))
+        .must_equal "<strong>text</strong>"
     end
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 6.1.2
+  version: 7.0.0
 platform: ruby
 authors:
 - Ryan Grove
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-27 00:00:00.000000000 Z
+date: 2024-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -30,51 +29,24 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.16.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.12.0
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.15'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.15'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 13.0.6
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 13.0.6
-description: Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all
-  HTML and/or CSS from a string except the elements, attributes, and properties you
-  choose to allow.
+        version: 1.16.8
+description: |
+  Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all HTML
+  and/or CSS from a string except the elements, attributes, and properties you
+  choose to allow.'
 email: ryan@wonko.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- HISTORY.md
+- CHANGELOG.md
 - LICENSE
 - README.md
 - lib/sanitize.rb
@@ -106,9 +78,9 @@ homepage: https://github.com/rgrove/sanitize/
 licenses:
 - MIT
 metadata:
-  changelog_uri: https://github.com/rgrove/sanitize/blob/main/HISTORY.md
+  changelog_uri: https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rgrove/sanitize
-post_install_message:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -116,15 +88,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.2.0
+      version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Allowlist-based HTML and CSS sanitizer.
 test_files: []