sanitize 6.1.3 → 7.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/{HISTORY.md → CHANGELOG.md} +32 -14
- data/LICENSE +3 -1
- data/README.md +120 -238
- data/lib/sanitize/config/basic.rb +15 -15
- data/lib/sanitize/config/default.rb +45 -45
- data/lib/sanitize/config/relaxed.rb +136 -32
- data/lib/sanitize/config/restricted.rb +2 -2
- data/lib/sanitize/config.rb +12 -14
- data/lib/sanitize/css.rb +308 -308
- data/lib/sanitize/transformers/clean_cdata.rb +9 -9
- data/lib/sanitize/transformers/clean_comment.rb +9 -9
- data/lib/sanitize/transformers/clean_css.rb +59 -55
- data/lib/sanitize/transformers/clean_doctype.rb +15 -15
- data/lib/sanitize/transformers/clean_element.rb +220 -237
- data/lib/sanitize/version.rb +3 -1
- data/lib/sanitize.rb +38 -38
- data/test/common.rb +4 -3
- data/test/test_clean_comment.rb +26 -25
- data/test/test_clean_css.rb +14 -13
- data/test/test_clean_doctype.rb +21 -20
- data/test/test_clean_element.rb +258 -273
- data/test/test_config.rb +22 -21
- data/test/test_malicious_css.rb +20 -19
- data/test/test_malicious_html.rb +100 -99
- data/test/test_parser.rb +26 -25
- data/test/test_sanitize.rb +70 -69
- data/test/test_sanitize_css.rb +149 -114
- data/test/test_transformers.rb +81 -83
- metadata +14 -43
data/test/test_clean_comment.rb
CHANGED
|
@@ -1,47 +1,48 @@
|
|
|
1
|
-
#
|
|
2
|
-
require_relative 'common'
|
|
1
|
+
# frozen_string_literal: true
|
|
3
2
|
|
|
4
|
-
|
|
3
|
+
require_relative "common"
|
|
4
|
+
|
|
5
|
+
describe "Sanitize::Transformers::CleanComment" do
|
|
5
6
|
make_my_diffs_pretty!
|
|
6
7
|
parallelize_me!
|
|
7
8
|
|
|
8
|
-
describe
|
|
9
|
+
describe "when :allow_comments is false" do
|
|
9
10
|
before do
|
|
10
|
-
@s = Sanitize.new(:
|
|
11
|
+
@s = Sanitize.new(allow_comments: false, elements: ["div"])
|
|
11
12
|
end
|
|
12
13
|
|
|
13
|
-
it
|
|
14
|
-
_(@s.fragment(
|
|
15
|
-
_(@s.fragment(
|
|
16
|
-
_(@s.fragment(
|
|
17
|
-
_(@s.fragment("foo <!--\n\n\n\n-->bar")).must_equal
|
|
18
|
-
_(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal
|
|
19
|
-
_(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal
|
|
14
|
+
it "should remove comments" do
|
|
15
|
+
_(@s.fragment("foo <!-- comment --> bar")).must_equal "foo bar"
|
|
16
|
+
_(@s.fragment("foo <!-- ")).must_equal "foo "
|
|
17
|
+
_(@s.fragment("foo <!-- - -> bar")).must_equal "foo "
|
|
18
|
+
_(@s.fragment("foo <!--\n\n\n\n-->bar")).must_equal "foo bar"
|
|
19
|
+
_(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal "foo --> -->bar"
|
|
20
|
+
_(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal "foo <div>>bar</div>"
|
|
20
21
|
|
|
21
22
|
# Special case: the comment markup is inside a <script>, which makes it
|
|
22
23
|
# text content and not an actual HTML comment.
|
|
23
|
-
_(@s.fragment("<script><!-- comment --></script>")).must_equal
|
|
24
|
+
_(@s.fragment("<script><!-- comment --></script>")).must_equal ""
|
|
24
25
|
|
|
25
|
-
_(Sanitize.fragment("<script><!-- comment --></script>", :
|
|
26
|
-
.must_equal
|
|
26
|
+
_(Sanitize.fragment("<script><!-- comment --></script>", allow_comments: false, elements: ["script"]))
|
|
27
|
+
.must_equal "<script><!-- comment --></script>"
|
|
27
28
|
end
|
|
28
29
|
end
|
|
29
30
|
|
|
30
|
-
describe
|
|
31
|
+
describe "when :allow_comments is true" do
|
|
31
32
|
before do
|
|
32
|
-
@s = Sanitize.new(:
|
|
33
|
+
@s = Sanitize.new(allow_comments: true, elements: ["div"])
|
|
33
34
|
end
|
|
34
35
|
|
|
35
|
-
it
|
|
36
|
-
_(@s.fragment(
|
|
37
|
-
_(@s.fragment(
|
|
38
|
-
_(@s.fragment(
|
|
36
|
+
it "should allow comments" do
|
|
37
|
+
_(@s.fragment("foo <!-- comment --> bar")).must_equal "foo <!-- comment --> bar"
|
|
38
|
+
_(@s.fragment("foo <!-- ")).must_equal "foo <!-- -->"
|
|
39
|
+
_(@s.fragment("foo <!-- - -> bar")).must_equal "foo <!-- - -> bar-->"
|
|
39
40
|
_(@s.fragment("foo <!--\n\n\n\n-->bar")).must_equal "foo <!--\n\n\n\n-->bar"
|
|
40
|
-
_(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal
|
|
41
|
-
_(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal
|
|
41
|
+
_(@s.fragment("foo <!-- <!-- <!-- --> --> -->bar")).must_equal "foo <!-- <!-- <!-- --> --> -->bar"
|
|
42
|
+
_(@s.fragment("foo <div <!-- comment -->>bar</div>")).must_equal "foo <div>>bar</div>"
|
|
42
43
|
|
|
43
|
-
_(Sanitize.fragment("<script><!-- comment --></script>", :
|
|
44
|
-
.must_equal
|
|
44
|
+
_(Sanitize.fragment("<script><!-- comment --></script>", allow_comments: true, elements: ["script"]))
|
|
45
|
+
.must_equal "<script><!-- comment --></script>"
|
|
45
46
|
end
|
|
46
47
|
end
|
|
47
48
|
end
|
data/test/test_clean_css.rb
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
#
|
|
2
|
-
require_relative 'common'
|
|
1
|
+
# frozen_string_literal: true
|
|
3
2
|
|
|
4
|
-
|
|
3
|
+
require_relative "common"
|
|
4
|
+
|
|
5
|
+
describe "Sanitize::Transformers::CSS::CleanAttribute" do
|
|
5
6
|
make_my_diffs_pretty!
|
|
6
7
|
parallelize_me!
|
|
7
8
|
|
|
@@ -9,21 +10,21 @@ describe 'Sanitize::Transformers::CSS::CleanAttribute' do
|
|
|
9
10
|
@s = Sanitize.new(Sanitize::Config::RELAXED)
|
|
10
11
|
end
|
|
11
12
|
|
|
12
|
-
it
|
|
13
|
+
it "should sanitize CSS properties in style attributes" do
|
|
13
14
|
_(@s.fragment(%[
|
|
14
15
|
<div style="color: #fff; width: expression(alert(1)); /* <-- evil! */"></div>
|
|
15
|
-
].strip)).must_equal %
|
|
16
|
+
].strip)).must_equal %(
|
|
16
17
|
<div style="color: #fff; /* <-- evil! */"></div>
|
|
17
|
-
|
|
18
|
+
).strip
|
|
18
19
|
end
|
|
19
20
|
|
|
20
|
-
it
|
|
21
|
-
_(@s.fragment('<div style="width: expression(alert(1))"></div>'))
|
|
22
|
-
must_equal
|
|
21
|
+
it "should remove the style attribute if the sanitized CSS is empty" do
|
|
22
|
+
_(@s.fragment('<div style="width: expression(alert(1))"></div>'))
|
|
23
|
+
.must_equal "<div></div>"
|
|
23
24
|
end
|
|
24
25
|
end
|
|
25
26
|
|
|
26
|
-
describe
|
|
27
|
+
describe "Sanitize::Transformers::CSS::CleanElement" do
|
|
27
28
|
make_my_diffs_pretty!
|
|
28
29
|
parallelize_me!
|
|
29
30
|
|
|
@@ -31,7 +32,7 @@ describe 'Sanitize::Transformers::CSS::CleanElement' do
|
|
|
31
32
|
@s = Sanitize.new(Sanitize::Config::RELAXED)
|
|
32
33
|
end
|
|
33
34
|
|
|
34
|
-
it
|
|
35
|
+
it "should sanitize CSS stylesheets in <style> elements" do
|
|
35
36
|
html = %[
|
|
36
37
|
<style>@import url(evil.css);
|
|
37
38
|
/* Yay CSS! */
|
|
@@ -61,7 +62,7 @@ describe 'Sanitize::Transformers::CSS::CleanElement' do
|
|
|
61
62
|
].strip
|
|
62
63
|
end
|
|
63
64
|
|
|
64
|
-
it
|
|
65
|
-
_(@s.fragment(
|
|
65
|
+
it "should remove the <style> element if the sanitized CSS is empty" do
|
|
66
|
+
_(@s.fragment("<style></style>")).must_equal ""
|
|
66
67
|
end
|
|
67
68
|
end
|
data/test/test_clean_doctype.rb
CHANGED
|
@@ -1,22 +1,23 @@
|
|
|
1
|
-
#
|
|
2
|
-
require_relative 'common'
|
|
1
|
+
# frozen_string_literal: true
|
|
3
2
|
|
|
4
|
-
|
|
3
|
+
require_relative "common"
|
|
4
|
+
|
|
5
|
+
describe "Sanitize::Transformers::CleanDoctype" do
|
|
5
6
|
make_my_diffs_pretty!
|
|
6
7
|
parallelize_me!
|
|
7
8
|
|
|
8
|
-
describe
|
|
9
|
+
describe "when :allow_doctype is false" do
|
|
9
10
|
before do
|
|
10
|
-
@s = Sanitize.new(:
|
|
11
|
+
@s = Sanitize.new(allow_doctype: false, elements: ["html"])
|
|
11
12
|
end
|
|
12
13
|
|
|
13
|
-
it
|
|
14
|
-
_(@s.document(
|
|
15
|
-
_(@s.fragment(
|
|
14
|
+
it "should remove doctype declarations" do
|
|
15
|
+
_(@s.document("<!DOCTYPE html><html>foo</html>")).must_equal "<html>foo</html>"
|
|
16
|
+
_(@s.fragment("<!DOCTYPE html>foo")).must_equal "foo"
|
|
16
17
|
end
|
|
17
18
|
|
|
18
|
-
it
|
|
19
|
-
_(@s.fragment(
|
|
19
|
+
it "should not allow doctype definitions in fragments" do
|
|
20
|
+
_(@s.fragment("<!DOCTYPE html><html>foo</html>"))
|
|
20
21
|
.must_equal "foo"
|
|
21
22
|
|
|
22
23
|
_(@s.fragment('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>'))
|
|
@@ -27,13 +28,13 @@ describe 'Sanitize::Transformers::CleanDoctype' do
|
|
|
27
28
|
end
|
|
28
29
|
end
|
|
29
30
|
|
|
30
|
-
describe
|
|
31
|
+
describe "when :allow_doctype is true" do
|
|
31
32
|
before do
|
|
32
|
-
@s = Sanitize.new(:
|
|
33
|
+
@s = Sanitize.new(allow_doctype: true, elements: ["html"])
|
|
33
34
|
end
|
|
34
35
|
|
|
35
|
-
it
|
|
36
|
-
_(@s.document(
|
|
36
|
+
it "should allow doctype declarations in documents" do
|
|
37
|
+
_(@s.document("<!DOCTYPE html><html>foo</html>"))
|
|
37
38
|
.must_equal "<!DOCTYPE html><html>foo</html>"
|
|
38
39
|
|
|
39
40
|
_(@s.document('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>'))
|
|
@@ -43,22 +44,22 @@ describe 'Sanitize::Transformers::CleanDoctype' do
|
|
|
43
44
|
.must_equal "<!DOCTYPE html><html>foo</html>"
|
|
44
45
|
end
|
|
45
46
|
|
|
46
|
-
it
|
|
47
|
-
_(@s.document(
|
|
47
|
+
it "should not allow obviously invalid doctype declarations in documents" do
|
|
48
|
+
_(@s.document("<!DOCTYPE blah blah blah><html>foo</html>"))
|
|
48
49
|
.must_equal "<!DOCTYPE html><html>foo</html>"
|
|
49
50
|
|
|
50
|
-
_(@s.document(
|
|
51
|
+
_(@s.document("<!DOCTYPE blah><html>foo</html>"))
|
|
51
52
|
.must_equal "<!DOCTYPE html><html>foo</html>"
|
|
52
53
|
|
|
53
54
|
_(@s.document('<!DOCTYPE html BLAH "-//W3C//DTD HTML 4.01//EN"><html>foo</html>'))
|
|
54
55
|
.must_equal "<!DOCTYPE html><html>foo</html>"
|
|
55
56
|
|
|
56
|
-
_(@s.document(
|
|
57
|
+
_(@s.document("<!whatever><html>foo</html>"))
|
|
57
58
|
.must_equal "<html>foo</html>"
|
|
58
59
|
end
|
|
59
60
|
|
|
60
|
-
it
|
|
61
|
-
_(@s.fragment(
|
|
61
|
+
it "should not allow doctype definitions in fragments" do
|
|
62
|
+
_(@s.fragment("<!DOCTYPE html><html>foo</html>"))
|
|
62
63
|
.must_equal "foo"
|
|
63
64
|
|
|
64
65
|
_(@s.fragment('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>'))
|