sanitize 6.1.3 → 7.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/{HISTORY.md → CHANGELOG.md} +32 -14
- data/LICENSE +3 -1
- data/README.md +120 -238
- data/lib/sanitize/config/basic.rb +15 -15
- data/lib/sanitize/config/default.rb +45 -45
- data/lib/sanitize/config/relaxed.rb +136 -32
- data/lib/sanitize/config/restricted.rb +2 -2
- data/lib/sanitize/config.rb +12 -14
- data/lib/sanitize/css.rb +308 -308
- data/lib/sanitize/transformers/clean_cdata.rb +9 -9
- data/lib/sanitize/transformers/clean_comment.rb +9 -9
- data/lib/sanitize/transformers/clean_css.rb +59 -55
- data/lib/sanitize/transformers/clean_doctype.rb +15 -15
- data/lib/sanitize/transformers/clean_element.rb +220 -237
- data/lib/sanitize/version.rb +3 -1
- data/lib/sanitize.rb +38 -38
- data/test/common.rb +4 -3
- data/test/test_clean_comment.rb +26 -25
- data/test/test_clean_css.rb +14 -13
- data/test/test_clean_doctype.rb +21 -20
- data/test/test_clean_element.rb +258 -273
- data/test/test_config.rb +22 -21
- data/test/test_malicious_css.rb +20 -19
- data/test/test_malicious_html.rb +100 -99
- data/test/test_parser.rb +26 -25
- data/test/test_sanitize.rb +70 -69
- data/test/test_sanitize_css.rb +149 -114
- data/test/test_transformers.rb +81 -83
- metadata +14 -43
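--- a/data/lib/sanitize/transformers/clean_cdata.rb
+++ b/data/lib/sanitize/transformers/clean_cdata.rb
@@ -1,13 +1,13 @@
-#
+# frozen_string_literal: true
 
-class Sanitize
+class Sanitize
+module Transformers
+CleanCDATA = lambda do |env|
+node = env[:node]
 
-
-
-
-if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
-node.replace(Nokogiri::XML::Text.new(node.text, node.document))
+if node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE
+node.replace(Nokogiri::XML::Text.new(node.text, node.document))
+end
 end
 end
-
-end; end
+end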
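Review bot: CleanCDATA replaces every CDATA section unconditionally (new lines 8–9), whereas CleanComment in the next file section checks `env[:is_allowlisted]` before unlinking; if that asymmetry is intentional it is worth a sentence on the lambda so the next reader does not "fix" it. The lambda also lacks a purpose comment; something like `# CDATA has no meaning in HTML output; convert it to a text node so the content is serialized as escaped text rather than passed through.` would do, with the serialization behaviour stated as the intent rather than as a guarantee, since it depends on Nokogiri's serializer and not on anything in this file.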
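--- a/data/lib/sanitize/transformers/clean_comment.rb
+++ b/data/lib/sanitize/transformers/clean_comment.rb
@@ -1,13 +1,13 @@
-#
+# frozen_string_literal: true
 
-class Sanitize
+class Sanitize
+module Transformers
+CleanComment = lambda do |env|
+node = env[:node]
 
-
-
-
-if node.type == Nokogiri::XML::Node::COMMENT_NODE
-node.unlink unless env[:is_allowlisted]
+if node.type == Nokogiri::XML::Node::COMMENT_NODE
+node.unlink unless env[:is_allowlisted]
+end
 end
 end
-
-end; end
+end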
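Review bot: The `unless env[:is_allowlisted]` escape at new line 9 is the one way a comment survives this transformer, and nothing in the file says so; a custom transformer that allowlists a comment node keeps it verbatim, which is a deliberate hole in comment stripping and deserves a line of documentation. Suggested comment above the `if`: `# Comments are dropped unless a transformer has explicitly allowlisted this node.` (how `:is_allowlisted` gets set is outside this diff, so keep the wording to "allowlisted").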
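--- a/data/lib/sanitize/transformers/clean_css.rb
+++ b/data/lib/sanitize/transformers/clean_css.rb
@@ -1,58 +1,62 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+# frozen_string_literal: true
+
+class Sanitize
+module Transformers
+module CSS
+# Enforces a CSS allowlist on the contents of `style` attributes.
+class CleanAttribute
+def initialize(sanitizer_or_config)
+@scss = if Sanitize::CSS === sanitizer_or_config
+sanitizer_or_config
+else
+Sanitize::CSS.new(sanitizer_or_config)
+end
+end
+
+def call(env)
+node = env[:node]
+
+return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+node.key?("style") && !env[:is_allowlisted]
+
+attr = node.attribute("style")
+css = @scss.properties(attr.value)
+
+if css.strip.empty?
+attr.unlink
+else
+attr.value = css
+end
+end
+end
+
+# Enforces a CSS allowlist on the contents of `<style>` elements.
+class CleanElement
+def initialize(sanitizer_or_config)
+@scss = if Sanitize::CSS === sanitizer_or_config
+sanitizer_or_config
+else
+Sanitize::CSS.new(sanitizer_or_config)
+end
+end
+
+def call(env)
+node = env[:node]
+
+return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
+env[:node_name] == "style"
+
+css = @scss.stylesheet(node.content)
+
+if css.strip.empty?
+node.unlink
+else
+css.gsub!("</", '<\/')
+node.children.unlink
+node << Nokogiri::XML::Text.new(css, node.document)
+end
+end
+end
 end
 end
 end
-
-# Enforces a CSS allowlist on the contents of `<style>` elements.
-class CleanElement
-def initialize(sanitizer_or_config)
-if Sanitize::CSS === sanitizer_or_config
-@scss = sanitizer_or_config
-else
-@scss = Sanitize::CSS.new(sanitizer_or_config)
-end
-end
-
-def call(env)
-node = env[:node]
-
-return unless node.type == Nokogiri::XML::Node::ELEMENT_NODE &&
-env[:node_name] == 'style'
-
-css = @scss.stylesheet(node.content)
-
-if css.strip.empty?
-node.unlink
-else
-css.gsub!('</', '<\/')
-node.children.unlink
-node << Nokogiri::XML::Text.new(css, node.document)
-end
-end
-end
-
-end; end; end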
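Review bot: `css.gsub!("</", '<\/')` at new line 54 mutates the string returned by `@scss.stylesheet` in a file that now carries `# frozen_string_literal: true`; that is only safe if `Sanitize::CSS#stylesheet` (outside this diff) never hands back a frozen string, and if it ever does the failure is a FrozenError from inside CleanElement#call rather than a sanitization result. The non-mutating form `css = css.gsub("</", '<\/')` removes the dependency at no cost. The replacement is also the line most in need of a why-comment, since it is what stops the cleaned stylesheet text from closing the element early when it is written back as raw text: `# Text inside <style> is serialized raw, not escaped; neutralize "</" so the CSS cannot terminate the element.` Finally, the constructor and the `ELEMENT_NODE` guard are now duplicated verbatim between CleanAttribute and CleanElement, and CleanAttribute#call honours `env[:is_allowlisted]` while CleanElement#call does not — if that difference is intentional, a comment on CleanElement#call should say so.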
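--- a/data/lib/sanitize/transformers/clean_doctype.rb
+++ b/data/lib/sanitize/transformers/clean_doctype.rb
@@ -1,23 +1,23 @@
-#
+# frozen_string_literal: true
 
-class Sanitize
+class Sanitize
+module Transformers
+CleanDoctype = lambda do |env|
+return if env[:is_allowlisted]
 
-
-return if env[:is_allowlisted]
+node = env[:node]
 
-
-
-
-
-
-
+if node.type == Nokogiri::XML::Node::DTD_NODE
+if env[:config][:allow_doctype]
+if node.name != "html"
+document = node.document
+node.unlink
+document.create_internal_subset("html", nil, nil)
+end
+else
 node.unlink
-document.create_internal_subset("html", nil, nil)
 end
-else
-node.unlink
 end
 end
 end
-
-end; end
+end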
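Review bot: The `allow_doctype` branch at new lines 12–16 decides on `node.name` alone, so a doctype whose name is `html` but which carries public or system identifiers is kept as-is, while any other name is swapped for a bare `<!DOCTYPE html>`; whether the identifier-bearing form is meant to survive is not stated anywhere in the hunk, and if only the bare form is intended the check needs to look at the DTD's external and system ids too. Either way the lambda needs a comment capturing the rule, e.g. `# When doctypes are allowed, anything other than a plain "html" name is normalized to <!DOCTYPE html>; otherwise the doctype is removed.` As a point of style, the three nested `if`s read more easily as guard clauses: `return unless node.type == Nokogiri::XML::Node::DTD_NODE` followed by `return node.unlink unless env[:config][:allow_doctype]`, leaving only the name check in the body.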