sanitize 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5d54b7ff5de5e70aa002451d1654015521de8c02
-  data.tar.gz: f326532bce90a02b4ca27664ea97778ffa81f594
+  metadata.gz: 8446f68552c50a6a2145f1e9898a75541099c430
+  data.tar.gz: b7bed4246c97064a0ba6551eeacf9e5a972b5f6d
 SHA512:
-  metadata.gz: 48d4d41b9e4ac666d1c67937e36cdce5ca8e47a4fdf90f478dd7a0f71e01aef03d45294e77fd9676983f20096c31740a5019eb1cb626df608ab20f134143d2cc
-  data.tar.gz: 6b134ba669333ce6715c69207304ca1a73682e8255314933ff78d9d2b8ff08f287c70da23e1d0c707e70c54a2f4833c79271670182f15879452764c3bbeb09ee
+  metadata.gz: 17403cd6e16d7d760e74c9549cde13d3f8c6fca545ae06812810128b561d1a04f58ac432847d58b90daa4231aff97bd5cbd87d03ac6b7c6d3f07b8710d788ebc
+  data.tar.gz: 54b94108167ccfbd31bf502aeb7c3dc270263e4d8d5cf149161f0a18c53324c6d84e4dc7251416f4e91824b8124433d6abc1f203e13c3627ea53cb8a3152533a

data/HISTORY.md

@@ -1,8 +1,18 @@
 Sanitize History
 ================================================================================
 
-Version 3.0.0 (git)
--------------------
+Version 3.0.1 (2014-09-02)
+--------------------------
+
+* Updated Nokogumbo to 1.1.11 to pick up a fix for a Gumbo bug in which certain
+  HTML character entities, such as `Ö`, were parsed incorrectly, leaving
+  the semicolon behind in the output. [#114][114]
+
+[114]:https://github.com/rgrove/sanitize/issues/114
+
+
+Version 3.0.0 (2014-06-21)
+--------------------------
 
 As of this version, Sanitize adheres strictly to the [SemVer 2.0.0][semver]
 versioning standard. This release contains API and output changes that are

data/README.md

@@ -30,6 +30,8 @@ Links
 * [Home](https://github.com/rgrove/sanitize/)
 * [API Docs](http://rubydoc.info/github/rgrove/sanitize/master)
 * [Issues](https://github.com/rgrove/sanitize/issues)
+* [Release History](https://github.com/rgrove/sanitize/blob/master/HISTORY.md#sanitize-history)
+* [Online Demo](https://sanitize.herokuapp.com/)
 * [Biased comparison of Ruby HTML sanitization libraries](https://github.com/rgrove/sanitize/blob/master/COMPARISON.md)
 
 Installation
@@ -541,6 +543,31 @@ Transformers have a tremendous amount of power, including the power to
 completely bypass Sanitize's built-in filtering. Be careful! Your safety is in
 your own hands.
 
+### Example: Transformer to whitelist image URLs by domain
+
+The following example demonstrates how to remove image elements unless they use
+a relative URL or are hosted on a specific domain. It assumes that the `<img>`
+element and its `src` attribute are already whitelisted.
+
+```ruby
+require 'uri'
+
+image_whitelist_transformer = lambda do |env|
+  # Ignore everything except <img> elements.
+  return unless env[:node_name] == 'img'
+
+  node      = env[:node]
+  image_uri = URI.parse(node['src'])
+
+  # Only allow relative URLs or URLs with the example.com domain. The
+  # image_uri.host.nil? check ensures that protocol-relative URLs like
+  # "//evil.com/foo.jpg".
+  unless image_uri.host == 'example.com' || (image_uri.host.nil? && image_uri.relative?)
+    node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
+  end
+end
+```
+
 ### Example: Transformer to whitelist YouTube video embeds
 
 The following example demonstrates how to create a transformer that will safely

data/lib/sanitize/version.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
 
 class Sanitize
-  VERSION = '3.0.0'
+  VERSION = '3.0.1'
 end

data/test/test_transformers.rb

@@ -5,36 +5,6 @@ describe 'Transformers' do
   make_my_diffs_pretty!
   parallelize_me!
 
-  youtube_transformer = lambda do |env|
-    node      = env[:node]
-    node_name = env[:node_name]
-
-    # Don't continue if this node is already whitelisted or is not an element.
-    return if env[:is_whitelisted] || !node.element?
-
-    # Don't continue unless the node is an iframe.
-    return unless node_name == 'iframe'
-
-    # Verify that the video URL is actually a valid YouTube video URL.
-    return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|
-
-    # We're now certain that this is a YouTube embed, but we still need to run
-    # it through a special Sanitize step to ensure that no unwanted elements or
-    # attributes that don't belong in a YouTube embed can sneak in.
-    Sanitize.node!(node, {
-      :elements => %w[iframe],
-
-      :attributes => {
-        'iframe'  => %w[allowfullscreen frameborder height src width]
-      }
-    })
-
-    # Now that we're sure that this is a valid YouTube embed and that there are
-    # no unwanted elements or attributes hidden inside it, we can tell Sanitize
-    # to whitelist the current node.
-    {:node_whitelist => [node]}
-  end
-
   it 'should receive a complete env Hash as input' do
     Sanitize.fragment('<SPAN>foo</SPAN>',
       :foo => :bar,
@@ -107,38 +77,124 @@ describe 'Transformers' do
     called.must_equal true
   end
 
-  it 'should allow YouTube video embeds via the YouTube transformer' do
-    input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+  describe 'Image whitelist transformer' do
+    require 'uri'
 
-    Sanitize.fragment(input, :transformers => youtube_transformer)
-      .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
-  end
+    image_whitelist_transformer = lambda do |env|
+      # Ignore everything except <img> elements.
+      return unless env[:node_name] == 'img'
 
-  it 'should allow https YouTube video embeds via the YouTube transformer' do
-    input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+      node      = env[:node]
+      image_uri = URI.parse(node['src'])
 
-    Sanitize.fragment(input, :transformers => youtube_transformer)
-      .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
-  end
+      # Only allow relative URLs or URLs with the example.com domain. The
+      # image_uri.host.nil? check ensures that protocol-relative URLs like
+      # "//evil.com/foo.jpg".
+      unless image_uri.host == 'example.com' || (image_uri.host.nil? && image_uri.relative?)
+        node.unlink # `Nokogiri::XML::Node#unlink` removes a node from the document
+      end
+    end
 
-  it 'should allow protocol-relative YouTube video embeds via the YouTube transformer' do
-    input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+    before do
+      @s = Sanitize.new(Sanitize::Config.merge(Sanitize::Config::RELAXED,
+          :transformers => image_whitelist_transformer))
+    end
 
-    Sanitize.fragment(input, :transformers => youtube_transformer)
-      .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
-  end
+    it 'should allow images with relative URLs' do
+      input = '<img src="/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+    end
+
+    it 'should allow images at the example.com domain' do
+      input = '<img src="http://example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+
+      input = '<img src="https://example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+
+      input = '<img src="//example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal(input)
+    end
+
+    it 'should not allow images at other domains' do
+      input = '<img src="http://evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+
+      input = '<img src="https://evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
 
-  it 'should allow privacy-enhanced YouTube video embeds via the YouTube transformer' do
-    input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+      input = '<img src="//evil.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
 
-    Sanitize.fragment(input, :transformers => youtube_transformer)
-      .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+      input = '<img src="http://subdomain.example.com/foo/bar.jpg">'
+      @s.fragment(input).must_equal('')
+    end
   end
 
-  it 'should not allow non-YouTube video embeds via the YouTube transformer' do
-    input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
+  describe 'YouTube transformer' do
+    youtube_transformer = lambda do |env|
+      node      = env[:node]
+      node_name = env[:node_name]
+
+      # Don't continue if this node is already whitelisted or is not an element.
+      return if env[:is_whitelisted] || !node.element?
+
+      # Don't continue unless the node is an iframe.
+      return unless node_name == 'iframe'
+
+      # Verify that the video URL is actually a valid YouTube video URL.
+      return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|
+
+      # We're now certain that this is a YouTube embed, but we still need to run
+      # it through a special Sanitize step to ensure that no unwanted elements or
+      # attributes that don't belong in a YouTube embed can sneak in.
+      Sanitize.node!(node, {
+        :elements => %w[iframe],
+
+        :attributes => {
+          'iframe'  => %w[allowfullscreen frameborder height src width]
+        }
+      })
+
+      # Now that we're sure that this is a valid YouTube embed and that there are
+      # no unwanted elements or attributes hidden inside it, we can tell Sanitize
+      # to whitelist the current node.
+      {:node_whitelist => [node]}
+    end
+
+    it 'should allow HTTP YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+    end
+
+    it 'should allow HTTPS YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+    end
+
+    it 'should allow protocol-relative YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+    end
+
+    it 'should allow privacy-enhanced YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+    end
+
+    it 'should not allow non-YouTube video embeds' do
+      input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
 
-    Sanitize.fragment(input, :transformers => youtube_transformer)
-      .must_equal('')
+      Sanitize.fragment(input, :transformers => youtube_transformer)
+        .must_equal('')
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - Ryan Grove
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-21 00:00:00.000000000 Z
+date: 2014-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.11
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.11
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement