sanitize 3.0.4 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba375648ad289cc08ce45eafc47ed464ce6e7f9e
-  data.tar.gz: 88022411ca58369ad7f0699f022c67c344891e69
+  metadata.gz: 590de6883d3b0fe07e34fa62416a586e178146ff
+  data.tar.gz: b759297e620f13b37dd322c295c2dbfc974581b8
 SHA512:
-  metadata.gz: 24abf590a86b592353ca6b5602afef29c30b1063a5bb1c907bd9a51d6ee6962a2a733abd7b4ef8923aee0221eb2c3935221615c9f257363a1cc0cae906e34026
-  data.tar.gz: 4b18f5dd27ccb560f96189eb081ab100d33604c87e08f7d24ce183b5cc5c5b58f6848a30d3aad51e9cffd3228c9baa6f4090ea185d6aaee0f2f55fb253069f42
+  metadata.gz: e6844945a3a4de69cb1c8e91ae8134598b9757a39defc27a3390c34569129a2b0adeff04b403f51778fdcca3212e7d4d7f3586e10250f61b1f0894c1e5c8a13c
+  data.tar.gz: ba68e2d5e5145a3610248a16c988aac7e0f129d252c04dc1db8c2b562acac36f1c1bcb6db70516eae2d801d6dba0d110732df72b62a71445ab66deef9e7f80ef

data/HISTORY.md

@@ -1,6 +1,24 @@
 Sanitize History
 ================================================================================
 
+Version 3.1.0 (2013-12-22)
+--------------------------
+
+* Added the following CSS properties to the relaxed config. [@ehudc - #120][120]
+
+    - `-moz-text-size-adjust`
+    - `-ms-text-size-adjust`
+    - `-webkit-text-size-adjust`
+    - `text-size-adjust`
+
+* Updated Nokogumbo to 1.2.0 to pick up a fix for a Gumbo bug where the
+  entity `Æ` left its semicolon behind when it was converted to a
+  character during parsing. [#119][119]
+
+[119]:https://github.com/rgrove/sanitize/issues/119
+[120]:https://github.com/rgrove/sanitize/pull/120
+
+
 Version 3.0.4 (2014-12-12)
 --------------------------
 

data/lib/sanitize/config/relaxed.rb

@@ -62,6 +62,7 @@ class Sanitize
           -moz-text-decoration-color
           -moz-text-decoration-line
           -moz-text-decoration-style
+          -moz-text-size-adjust
           -ms-background-position-x
           -ms-background-position-y
           -ms-block-progression
@@ -132,6 +133,7 @@ class Sanitize
           -ms-text-justify
           -ms-text-kashida-space
           -ms-text-overflow
+          -ms-text-size-adjust
           -ms-text-underline-position
           -ms-touch-action
           -ms-user-select
@@ -300,6 +302,7 @@ class Sanitize
           -webkit-text-decoration-color
           -webkit-text-decoration-line
           -webkit-text-decoration-style
+          -webkit-text-size-adjust
           -webkit-touch-callout
           -webkit-transform
           -webkit-transform-origin
@@ -495,6 +498,7 @@ class Sanitize
           text-overflow
           text-rendering
           text-shadow
+          text-size-adjust
           text-transform
           text-underline-position
           top

data/lib/sanitize/css.rb

@@ -106,20 +106,34 @@ class Sanitize; class CSS
   #
   # @return [Array] Sanitized Crass CSS parse tree.
   def tree!(tree)
+    preceded_by_property = false
+
     tree.map! do |node|
       next nil if node.nil?
 
       case node[:node]
       when :at_rule
+        preceded_by_property = false
         next at_rule!(node)
 
       when :comment
         next node if @config[:allow_comments]
 
       when :property
-        next property!(node)
+        prop = property!(node)
+        preceded_by_property = !prop.nil?
+        next prop
+
+      when :semicolon
+        # Only preserve the semicolon if it was preceded by a whitelisted
+        # property. Otherwise, omit it in order to prevent redundant semicolons.
+        if preceded_by_property
+          preceded_by_property = false
+          next node
+        end
 
       when :style_rule
+        preceded_by_property = false
         tree!(node[:children])
         next node
 
@@ -143,21 +157,18 @@ class Sanitize; class CSS
     return nil unless @config[:at_rules].include?(name)
 
     if AT_RULES_WITH_STYLES.include?(name)
-      # Remove the { and } tokens surrounding the @media block.
-      tokens = rule[:block][:tokens][1...-1]
-
-      styles = Crass::Parser.parse_rules(tokens,
+      styles = Crass::Parser.parse_rules(rule[:block],
         :preserve_comments => @config[:allow_comments],
         :preserve_hacks    => @config[:allow_hacks])
 
-      rule[:block][:value] = tree!(styles)
+      rule[:block] = tree!(styles)
 
     elsif AT_RULES_WITH_PROPERTIES.include?(name)
-      props = Crass::Parser.parse_properties(rule[:block][:value],
+      props = Crass::Parser.parse_properties(rule[:block],
         :preserve_comments => @config[:allow_comments],
         :preserve_hacks    => @config[:allow_hacks])
 
-      rule[:block][:value] = tree!(props)
+      rule[:block] = tree!(props)
 
     else
       rule.delete(:block)
@@ -186,29 +197,30 @@ class Sanitize; class CSS
 
       case child[:node]
       when :ident
-        combined_value << value if String === value
+        combined_value << value.downcase if String === value
 
       when :function
         if child.key?(:name)
-          return nil if child[:name].downcase == 'expression'
+          name = child[:name].downcase
+
+          if name == 'url'
+            return nil unless valid_url?(child)
+          end
+
+          combined_value << name
+          return nil if name == 'expression' || combined_value == 'expression'
         end
 
         if Array === value
           nodes.concat(value)
         elsif String === value
-          combined_value << value
-
-          if value.downcase == 'expression' || combined_value.downcase == 'expression'
-            return nil
-          end
+          lowercase_value = value.downcase
+          combined_value << lowercase_value
+          return nil if lowercase_value == 'expression' || combined_value == 'expression'
         end
 
       when :url
-        if value =~ Sanitize::REGEX_PROTOCOL
-          return nil unless @config[:protocols].include?($1.downcase)
-        else
-          return nil unless @config[:protocols].include?(:relative)
-        end
+        return nil unless valid_url?(child)
 
       when :bad_url
         return nil
@@ -218,4 +230,54 @@ class Sanitize; class CSS
     prop
   end
 
+  # Returns `true` if the given node (which may be of type `:url` or
+  # `:function`, since the CSS syntax can produce both) uses a whitelisted
+  # protocol.
+  def valid_url?(node)
+    type = node[:node]
+
+    if type == :function
+      return false unless node.key?(:name) && node[:name].downcase == 'url'
+      return false unless Array === node[:value]
+
+      # A URL function's `:value` should be an array containing no more than one
+      # `:string` node and any number of `:whitespace` nodes.
+      #
+      # If it contains more than one `:string` node, or if it contains any other
+      # nodes except `:whitespace` nodes, it's not valid.
+      url_string_node = nil
+
+      node[:value].each do |token|
+        return false unless Hash === token
+
+        case token[:node]
+          when :string
+            return false unless url_string_node.nil?
+            url_string_node = token
+
+          when :whitespace
+            next
+
+          else
+            return false
+        end
+      end
+
+      return false if url_string_node.nil?
+      url = url_string_node[:value]
+    elsif type == :url
+      url = node[:value]
+    else
+      return false
+    end
+
+    if url =~ Sanitize::REGEX_PROTOCOL
+      return @config[:protocols].include?($1.downcase)
+    else
+      return @config[:protocols].include?(:relative)
+    end
+
+    false
+  end
+
 end; end

data/lib/sanitize/version.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
 
 class Sanitize
-  VERSION = '3.0.4'
+  VERSION = '3.1.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 3.0.4
+  version: 3.1.0
 platform: ruby
 authors:
 - Ryan Grove
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-12 00:00:00.000000000 Z
+date: 2014-12-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 1.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 1.0.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.12
+        version: 1.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.12
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -165,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.2.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Whitelist-based HTML and CSS sanitizer.