sanitize 6.1.3 → 7.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. checksums.yaml +4 -4
  2. data/{HISTORY.md → CHANGELOG.md} +32 -14
  3. data/LICENSE +3 -1
  4. data/README.md +120 -238
  5. data/lib/sanitize/config/basic.rb +15 -15
  6. data/lib/sanitize/config/default.rb +45 -45
  7. data/lib/sanitize/config/relaxed.rb +136 -32
  8. data/lib/sanitize/config/restricted.rb +2 -2
  9. data/lib/sanitize/config.rb +12 -14
  10. data/lib/sanitize/css.rb +308 -308
  11. data/lib/sanitize/transformers/clean_cdata.rb +9 -9
  12. data/lib/sanitize/transformers/clean_comment.rb +9 -9
  13. data/lib/sanitize/transformers/clean_css.rb +59 -55
  14. data/lib/sanitize/transformers/clean_doctype.rb +15 -15
  15. data/lib/sanitize/transformers/clean_element.rb +220 -237
  16. data/lib/sanitize/version.rb +3 -1
  17. data/lib/sanitize.rb +38 -38
  18. data/test/common.rb +4 -3
  19. data/test/test_clean_comment.rb +26 -25
  20. data/test/test_clean_css.rb +14 -13
  21. data/test/test_clean_doctype.rb +21 -20
  22. data/test/test_clean_element.rb +258 -273
  23. data/test/test_config.rb +22 -21
  24. data/test/test_malicious_css.rb +20 -19
  25. data/test/test_malicious_html.rb +100 -99
  26. data/test/test_parser.rb +26 -25
  27. data/test/test_sanitize.rb +70 -69
  28. data/test/test_sanitize_css.rb +149 -114
  29. data/test/test_transformers.rb +81 -83
  30. metadata +14 -43
data/lib/sanitize/transformers/clean_cdata.rb CHANGED
@@ -1,13 +1,13 @@
1
- # encoding: utf-8
1
+ # frozen_string_literal: true
2
2
 
3
- class Sanitize; module Transformers
3
+ class Sanitize
4
+ module Transformers
5
+ CleanCDATA = lambda do |env|
6
+ node = env[:node]
4
7
 
5
- CleanCDATA = lambda do |env|
6
- node = env[:node]
7
-
8
- if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
9
- node.replace(Nokogiri::XML::Text.new(node.text, node.document))
8
+ if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
9
+ node.replace(Nokogiri::XML::Text.new(node.text, node.document))
10
+ end
10
11
  end
11
12
  end
12
-
13
- end; end
13
+ end
data/lib/sanitize/transformers/clean_comment.rb CHANGED
@@ -1,13 +1,13 @@
1
- # encoding: utf-8
1
+ # frozen_string_literal: true
2
2
 
3
- class Sanitize; module Transformers
3
+ class Sanitize
4
+ module Transformers
5
+ CleanComment = lambda do |env|
6
+ node = env[:node]
4
7
 
5
- CleanComment = lambda do |env|
6
- node = env[:node]
7
-
8
- if node.type == Nokogiri::XML::Node::COMMENT_NODE
9
- node.unlink unless env[:is_allowlisted]
8
+ if node.type == Nokogiri::XML::Node::COMMENT_NODE
9
+ node.unlink unless env[:is_allowlisted]
10
+ end
10
11
  end
11
12
  end
12
-
13
- end; end
13
+ end
data/lib/sanitize/transformers/clean_css.rb CHANGED
@@ -1,58 +1,62 @@
1
- class Sanitize; module Transformers; module CSS
2
-
3
- # Enforces a CSS allowlist on the contents of `style` attributes.
4
- class CleanAttribute
5
- def initialize(sanitizer_or_config)
6
- if Sanitize::CSS === sanitizer_or_config
7
- @scss = sanitizer_or_config
8
- else
9
- @scss = Sanitize::CSS.new(sanitizer_or_config)
10
- end
11
- end
12
-
13
- def call(env)
14
- node = env[:node]
15
-
16
- return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
17
- node.key?('style') && !env[:is_allowlisted]
18
-
19
- attr = node.attribute('style')
20
- css = @scss.properties(attr.value)
21
-
22
- if css.strip.empty?
23
- attr.unlink
24
- else
25
- attr.value = css
1
+ # frozen_string_literal: true
2
+
3
+ class Sanitize
4
+ module Transformers
5
+ module CSS
6
+ # Enforces a CSS allowlist on the contents of `style` attributes.
7
+ class CleanAttribute
8
+ def initialize(sanitizer_or_config)
9
+ @scss = if Sanitize::CSS === sanitizer_or_config
10
+ sanitizer_or_config
11
+ else
12
+ Sanitize::CSS.new(sanitizer_or_config)
13
+ end
14
+ end
15
+
16
+ def call(env)
17
+ node = env[:node]
18
+
19
+ return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
20
+ node.key?("style") && !env[:is_allowlisted]
21
+
22
+ attr = node.attribute("style")
23
+ css = @scss.properties(attr.value)
24
+
25
+ if css.strip.empty?
26
+ attr.unlink
27
+ else
28
+ attr.value = css
29
+ end
30
+ end
31
+ end
32
+
33
+ # Enforces a CSS allowlist on the contents of `<style>` elements.
34
+ class CleanElement
35
+ def initialize(sanitizer_or_config)
36
+ @scss = if Sanitize::CSS === sanitizer_or_config
37
+ sanitizer_or_config
38
+ else
39
+ Sanitize::CSS.new(sanitizer_or_config)
40
+ end
41
+ end
42
+
43
+ def call(env)
44
+ node = env[:node]
45
+
46
+ return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
47
+ env[:node_name] == "style"
48
+
49
+ css = @scss.stylesheet(node.content)
50
+
51
+ if css.strip.empty?
52
+ node.unlink
53
+ else
54
+ css.gsub!("</", '<\/')
55
+ node.children.unlink
56
+ node << Nokogiri::XML::Text.new(css, node.document)
57
+ end
58
+ end
59
+ end
26
60
  end
27
61
  end
28
62
  end
29
-
30
- # Enforces a CSS allowlist on the contents of `<style>` elements.
31
- class CleanElement
32
- def initialize(sanitizer_or_config)
33
- if Sanitize::CSS === sanitizer_or_config
34
- @scss = sanitizer_or_config
35
- else
36
- @scss = Sanitize::CSS.new(sanitizer_or_config)
37
- end
38
- end
39
-
40
- def call(env)
41
- node = env[:node]
42
-
43
- return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
44
- env[:node_name] == 'style'
45
-
46
- css = @scss.stylesheet(node.content)
47
-
48
- if css.strip.empty?
49
- node.unlink
50
- else
51
- css.gsub!('</', '<\/')
52
- node.children.unlink
53
- node << Nokogiri::XML::Text.new(css, node.document)
54
- end
55
- end
56
- end
57
-
58
- end; end; end
data/lib/sanitize/transformers/clean_doctype.rb CHANGED
@@ -1,23 +1,23 @@
1
- # encoding: utf-8
1
+ # frozen_string_literal: true
2
2
 
3
- class Sanitize; module Transformers
3
+ class Sanitize
4
+ module Transformers
5
+ CleanDoctype = lambda do |env|
6
+ return if env[:is_allowlisted]
4
7
 
5
- CleanDoctype = lambda do |env|
6
- return if env[:is_allowlisted]
8
+ node = env[:node]
7
9
 
8
- node = env[:node]
9
-
10
- if node.type == Nokogiri::XML::Node::DTD_NODE
11
- if env[:config][:allow_doctype]
12
- if node.name != "html"
13
- document = node.document
10
+ if node.type == Nokogiri::XML::Node::DTD_NODE
11
+ if env[:config][:allow_doctype]
12
+ if node.name != "html"
13
+ document = node.document
14
+ node.unlink
15
+ document.create_internal_subset("html", nil, nil)
16
+ end
17
+ else
14
18
  node.unlink
15
- document.create_internal_subset("html", nil, nil)
16
19
  end
17
- else
18
- node.unlink
19
20
  end
20
21
  end
21
22
  end
22
-
23
- end; end
23
+ end