sanitize 3.1.2 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4449bae9ce55a4f01d76a2984b68a6ea79b0d71b
-  data.tar.gz: 85752ade687b9c6d54d9a4c13dac42dcee670853
+  metadata.gz: c091a4cdaf3adfc67749ddc66027e52a2da59f20
+  data.tar.gz: e4452cd3153dff04348fec739f669aa6508ca74b
 SHA512:
-  metadata.gz: 989d449b758fa4c69c5484e50fcc7f72b41888fe86708e2e459789c1187a8d15e7d70dcce6f335e98ef8b9b927d198b6452a4e3955eb728eaee10b9df3169beb
-  data.tar.gz: c8f1100f741d8211c990e34fc2bbdd1e42b013f704c2b56da30e0af984d220e03af9e88a4cfe0fac4025ed467bc6a1406d5da6bdef8280f1ec78f0dc315ef074
+  metadata.gz: c4bef65c744e3a500695f72853ece376e1dee02c4c4743482ffbf9d07e8dc845aff027c877d416caa2fbdf0abc28a4822797e856ad44b3057c877827b5710347
+  data.tar.gz: 9512c6f1b92e06be37d54e0e2bdd0ff5efbc271282a7c742a6c4b8b7e2af90bc76bee9ec10eae7dd1a941224e9b388fc98efb11cb6442e4ab9397cbb4c7075b4

data/HISTORY.md

@@ -1,6 +1,47 @@
 Sanitize History
 ================================================================================
 
+Version 4.0.0 (2015-04-20)
+--------------------------
+
+### Potentially breaking changes
+
+* Added two new CSS config settings, `:at_rules_with_properties` and
+  `:at_rules_with_styles`. These allow you to define which at-rules should be
+  allowed to contain properties and which should be allowed to contain style
+  rules. Previously this was hard-coded internally. [#111][111]
+
+  The previous `:at_rules` setting still exists, and defines at-rules that may
+  not have associated blocks, such as `@import`. If you have a custom config
+  that contains an `:at_rules` setting, you may need to move rules can have
+  blocks to either `:at_rules_with_properties` or `:at_rules_with_styles`.
+
+  See Sanitize's relaxed config for an example.
+
+### Other changes
+
+* Added full support for CSS `@page` rules in the relaxed config, including
+  support for all page-margin box rules (such as `@top-left`, `@bottom-center`,
+  etc.)
+
+* Added the following CSS at-rules to the relaxed config:
+
+    - `@-moz-keyframes`
+    - `@-o-keyframes`
+    - `@-webkit-keyframes`
+    - `@document`
+
+* Added a whole bunch of CSS properties to the relaxed config. View the complete
+  list [here](https://gist.github.com/rgrove/044cc7e9a5b44f583c05).
+
+* Small performance improvements.
+
+* Fixed: Upgraded Crass to 1.0.2 to pick up a fix that affected the parsing of
+  CSS `@page` rules.
+
+[111]:https://github.com/rgrove/sanitize/issues/111
+
+
 Version 3.1.2 (2015-02-22)
 --------------------------
 

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2014 Ryan Grove <ryan@wonko.com>
+Copyright (c) 2015 Ryan Grove <ryan@wonko.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the 'Software'), to deal in

data/README.md

@@ -364,11 +364,23 @@ default is `false`.
 
 ##### :css => :at_rules (Array or Set)
 
-Names of CSS [@ rules][at-rules] to allow. Names should be specified in
-lowercase.
+Names of CSS [at-rules][at-rules] to allow that may not have associated blocks,
+such as `import` or `charset`. Names should be specified in lowercase.
 
 [at-rules]:https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule
 
+##### :css => :at_rules_with_properties (Array or Set)
+
+Names of CSS [at-rules][at-rules] to allow that may have associated blocks
+containing CSS properties. At-rules like `font-face` and `page` fall into this
+category. Names should be specified in lowercase.
+
+##### :css => :at_rules_with_styles (Array or Set)
+
+Names of CSS [at-rules][at-rules] to allow that may have associated blocks
+containing style rules. At-rules like `media` and `keyframes` fall into this
+category. Names should be specified in lowercase.
+
 ##### :css => :properties (Array or Set)
 
 Whitelist of CSS property names to allow. Names should be specified in
@@ -618,7 +630,7 @@ Sanitize.fragment(html, :transformers => youtube_transformer)
 License
 -------
 
-Copyright (c) 2014 Ryan Grove (ryan@wonko.com)
+Copyright (c) 2015 Ryan Grove (ryan@wonko.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the 'Software'), to deal in

data/lib/sanitize.rb

@@ -131,7 +131,7 @@ class Sanitize
     end
 
     frag = doc.fragment
-    doc.xpath(path).each {|node| frag << node }
+    frag << doc.xpath(path)
 
     node!(frag)
     to_html(frag)
@@ -237,7 +237,7 @@ class Sanitize
   # Performs top-down traversal of the given node, operating first on the node
   # itself, then traversing each child (if any) in order.
   def traverse(node, &block)
-    block.call(node)
+    yield node
 
     child = node.child
 
@@ -245,13 +245,13 @@ class Sanitize
       prev = child.previous_sibling
       traverse(child, &block)
 
-      if child.parent != node
+      if child.parent == node
+        child = child.next_sibling
+      else
         # The child was unlinked or reparented, so traverse the previous node's
         # next sibling, or the parent's first child if there is no previous
         # node.
         child = prev ? prev.next_sibling : node.child
-      else
-        child = child.next_sibling
       end
     end
   end

data/lib/sanitize/config/default.rb

@@ -32,11 +32,20 @@ class Sanitize
         # invalid CSS.
         :allow_hacks => false,
 
-        # CSS @ rules to allow.
+        # CSS at-rules to allow that may not have associated blocks (e.g.
+        # "import").
+        #
         # https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule
         :at_rules => [],
 
-        # CSS style properties to allow.
+        # CSS at-rules to allow whose blocks may contain properties (e.g.
+        # "font-face").
+        :at_rules_with_properties => [],
+
+        # CSS at-rules to allow whose blocks may contain styles (e.g. "media").
+        :at_rules_with_styles => [],
+
+        # CSS properties to allow.
         :properties => [],
 
         # URL protocols to allow in CSS URLs.

data/lib/sanitize/config/relaxed.rb

@@ -40,7 +40,37 @@ class Sanitize
         :allow_comments => true,
         :allow_hacks    => true,
 
-        :at_rules  => %w[font-face keyframes media page supports],
+        :at_rules_with_properties => %w[
+          bottom-center
+          bottom-left
+          bottom-left-corner
+          bottom-right
+          bottom-right-corner
+          font-face
+          left-bottom
+          left-middle
+          left-top
+          page
+          right-bottom
+          right-middle
+          right-top
+          top-center
+          top-left
+          top-left-corner
+          top-right
+          top-right-corner
+        ],
+
+        :at_rules_with_styles => %w[
+          -moz-keyframes
+          -o-keyframes
+          -webkit-keyframes
+          document
+          keyframes
+          media
+          supports
+        ],
+
         :protocols => ['http', 'https', :relative],
 
         :properties => %w[
@@ -321,6 +351,10 @@ class Sanitize
           align-content
           align-items
           align-self
+          alignment-adjust
+          alignment-baseline
+          all
+          anchor-point
           animation
           animation-delay
           animation-direction
@@ -330,6 +364,7 @@ class Sanitize
           animation-name
           animation-play-state
           animation-timing-function
+          azimuth
           backface-visibility
           background
           background-attachment
@@ -340,6 +375,12 @@ class Sanitize
           background-position
           background-repeat
           background-size
+          baseline-shift
+          binding
+          bleed
+          bookmark-label
+          bookmark-level
+          bookmark-state
           border
           border-bottom
           border-bottom-color
@@ -377,14 +418,19 @@ class Sanitize
           box-decoration-break
           box-shadow
           box-sizing
+          box-snap
+          box-suppress
           break-after
           break-before
           break-inside
           caption-side
+          chains
           clear
           clip
           clip-path
+          clip-rule
           color
+          color-interpolation-filters
           column-count
           column-fill
           column-gap
@@ -395,12 +441,23 @@ class Sanitize
           column-span
           column-width
           columns
+          contain
           content
           counter-increment
           counter-reset
+          counter-set
+          crop
+          cue
+          cue-after
+          cue-before
           cursor
           direction
           display
+          display-inside
+          display-list
+          display-outside
+          dominant-baseline
+          elevation
           empty-cells
           filter
           flex
@@ -411,6 +468,11 @@ class Sanitize
           flex-shrink
           flex-wrap
           float
+          float-offset
+          flood-color
+          flood-opacity
+          flow-from
+          flow-into
           font
           font-family
           font-feature-settings
@@ -429,6 +491,22 @@ class Sanitize
           font-variant-numeric
           font-variant-position
           font-weight
+          grid
+          grid-area
+          grid-auto-columns
+          grid-auto-flow
+          grid-auto-rows
+          grid-column
+          grid-column-end
+          grid-column-start
+          grid-row
+          grid-row-end
+          grid-row-start
+          grid-template
+          grid-template-areas
+          grid-template-columns
+          grid-template-rows
+          hanging-punctuation
           height
           hyphens
           icon
@@ -436,10 +514,23 @@ class Sanitize
           image-rendering
           image-resolution
           ime-mode
+          initial-letters
+          inline-box-align
           justify-content
+          justify-items
+          justify-self
           left
           letter-spacing
+          lighting-color
+          line-box-contain
+          line-break
+          line-grid
           line-height
+          line-snap
+          line-stacking
+          line-stacking-ruby
+          line-stacking-shift
+          line-stacking-strategy
           list-style
           list-style-image
           list-style-position
@@ -449,13 +540,35 @@ class Sanitize
           margin-left
           margin-right
           margin-top
+          marker-offset
+          marker-side
           marks
           mask
+          mask-box
+          mask-box-outset
+          mask-box-repeat
+          mask-box-slice
+          mask-box-source
+          mask-box-width
+          mask-clip
+          mask-image
+          mask-origin
+          mask-position
+          mask-repeat
+          mask-size
+          mask-source-type
           mask-type
           max-height
+          max-lines
           max-width
           min-height
           min-width
+          move-to
+          nav-down
+          nav-index
+          nav-left
+          nav-right
+          nav-up
           object-fit
           object-position
           opacity
@@ -475,32 +588,73 @@ class Sanitize
           padding-left
           padding-right
           padding-top
+          page
           page-break-after
           page-break-before
           page-break-inside
+          page-policy
+          pause
+          pause-after
+          pause-before
           perspective
           perspective-origin
+          pitch
+          pitch-range
+          play-during
           position
+          presentation-level
           quotes
+          region-fragment
           resize
+          rest
+          rest-after
+          rest-before
+          richness
           right
+          rotation
+          rotation-point
+          ruby-align
+          ruby-merge
+          ruby-position
+          shape-image-threshold
+          shape-margin
+          shape-outside
+          size
+          speak
+          speak-as
+          speak-header
+          speak-numeral
+          speak-punctuation
+          speech-rate
+          stress
+          string-set
           tab-size
           table-layout
           text-align
           text-align-last
           text-combine-horizontal
+          text-combine-upright
           text-decoration
           text-decoration-color
           text-decoration-line
+          text-decoration-skip
           text-decoration-style
+          text-emphasis
+          text-emphasis-color
+          text-emphasis-position
+          text-emphasis-style
+          text-height
           text-indent
+          text-justify
           text-orientation
           text-overflow
           text-rendering
           text-shadow
           text-size-adjust
+          text-space-collapse
           text-transform
           text-underline-position
+          text-wrap
           top
           touch-action
           transform
@@ -515,12 +669,24 @@ class Sanitize
           unicode-range
           vertical-align
           visibility
+          voice-balance
+          voice-duration
+          voice-family
+          voice-pitch
+          voice-range
+          voice-rate
+          voice-stress
+          voice-volume
+          volume
           white-space
           widows
           width
+          will-change
           word-break
           word-spacing
           word-wrap
+          wrap-flow
+          wrap-through
           writing-mode
           z-index
         ]

data/lib/sanitize/css.rb

@@ -6,12 +6,6 @@ require 'set'
 class Sanitize; class CSS
   attr_reader :config
 
-  # Names of CSS at-rules whose blocks may contain properties.
-  AT_RULES_WITH_PROPERTIES = Set.new(%w[font-face page])
-
-  # Names of CSS at-rules whose blocks may contain style rules.
-  AT_RULES_WITH_STYLES = Set.new(%w[document media supports])
-
   # -- Class Methods -----------------------------------------------------------
 
   # Sanitizes inline CSS style properties.
@@ -28,10 +22,50 @@ class Sanitize; class CSS
     self.new(config).properties(css)
   end
 
+  # Sanitizes a full CSS stylesheet.
+  #
+  # A stylesheet may include selectors, at-rules, and comments. To sanitize only
+  # inline style properties such as the contents of an HTML `style` attribute,
+  # use {.properties}.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   Sanitize::CSS.stylesheet(css, Sanitize::Config::RELAXED)
+  #
+  # @return [String] Sanitized CSS stylesheet.
   def self.stylesheet(css, config = {})
     self.new(config).stylesheet(css)
   end
 
+  # Sanitizes the given Crass CSS parse tree and all its children, modifying it
+  # in place.
+  #
+  # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
+  #   tree = Crass.parse(css)
+  #   Sanitize::CSS.tree!(tree, Sanitize::Config::RELAXED)
+  #
+  # @return [Array] Sanitized Crass CSS parse tree.
   def self.tree!(tree, config = {})
     self.new(config).tree!(tree)
   end
@@ -42,6 +76,10 @@ class Sanitize; class CSS
   # _config_.
   def initialize(config = {})
     @config = Config.merge(Config::DEFAULT[:css], config[:css] || config)
+
+    @at_rules                 = Set.new(@config[:at_rules])
+    @at_rules_with_properties = Set.new(@config[:at_rules_with_properties])
+    @at_rules_with_styles     = Set.new(@config[:at_rules_with_styles])
   end
 
   # Sanitizes inline CSS style properties.
@@ -66,7 +104,7 @@ class Sanitize; class CSS
 
   # Sanitizes a full CSS stylesheet.
   #
-  # A stylesheet may include selectors, @ rules, and comments. To sanitize only
+  # A stylesheet may include selectors, at-rules, and comments. To sanitize only
   # inline style properties such as the contents of an HTML `style` attribute,
   # use {#properties}.
   #
@@ -99,6 +137,17 @@ class Sanitize; class CSS
   # in place.
   #
   # @example
+  #   css = %[
+  #     .foo {
+  #       background: url(foo.png);
+  #       color: #fff;
+  #     }
+  #
+  #     #bar {
+  #       font: 42pt 'Comic Sans MS';
+  #     }
+  #   ]
+  #
   #   scss = Sanitize::CSS.new(Sanitize::Config::RELAXED)
   #   tree = Crass.parse(css)
   #
@@ -154,24 +203,25 @@ class Sanitize; class CSS
   # current config doesn't allow this at-rule.
   def at_rule!(rule)
     name = rule[:name].downcase
-    return nil unless @config[:at_rules].include?(name)
 
-    if AT_RULES_WITH_STYLES.include?(name)
+    if @at_rules_with_styles.include?(name)
       styles = Crass::Parser.parse_rules(rule[:block],
         :preserve_comments => @config[:allow_comments],
         :preserve_hacks    => @config[:allow_hacks])
 
       rule[:block] = tree!(styles)
 
-    elsif AT_RULES_WITH_PROPERTIES.include?(name)
+    elsif @at_rules_with_properties.include?(name)
       props = Crass::Parser.parse_properties(rule[:block],
         :preserve_comments => @config[:allow_comments],
         :preserve_hacks    => @config[:allow_hacks])
 
       rule[:block] = tree!(props)
 
+    elsif @at_rules.include?(name)
+      return nil if rule.has_key?(:block)
     else
-      rule.delete(:block)
+      return nil
     end
 
     rule

data/lib/sanitize/transformers/clean_comment.rb

@@ -6,7 +6,7 @@ class Sanitize; module Transformers
     node = env[:node]
 
     if node.type == Nokogiri::XML::Node::COMMENT_NODE
-        node.unlink unless env[:is_whitelisted]
+      node.unlink unless env[:is_whitelisted]
     end
   end
 

data/lib/sanitize/transformers/clean_doctype.rb

@@ -6,7 +6,7 @@ class Sanitize; module Transformers
     node = env[:node]
 
     if node.type == Nokogiri::XML::Node::DTD_NODE
-        node.unlink unless env[:is_whitelisted]
+      node.unlink unless env[:is_whitelisted]
     end
   end
 

data/lib/sanitize/transformers/clean_element.rb

@@ -73,7 +73,7 @@ class Sanitize; module Transformers; class CleanElement
       end
 
       unless @remove_all_contents || @remove_element_contents.include?(name)
-        node.children.each {|n| node.add_previous_sibling(n) }
+        node.add_previous_sibling(node.children)
       end
 
       node.unlink

data/lib/sanitize/version.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
 
 class Sanitize
-  VERSION = '3.1.2'
+  VERSION = '4.0.0'
 end

data/test/test_clean_css.rb

@@ -62,5 +62,6 @@ describe 'Sanitize::Transformers::CSS::CleanElement' do
   end
 
   it 'should remove the <style> element if the sanitized CSS is empty' do
+    @s.fragment('<style></style>').must_equal ''
   end
 end

data/test/test_sanitize_css.rb

@@ -220,7 +220,7 @@ describe 'Sanitize::CSS' do
     end
   end
 
-  describe 'bugs' do
+  describe 'functionality' do
     before do
       @default = Sanitize::CSS.new
       @relaxed = Sanitize::CSS.new(Sanitize::Config::RELAXED[:css])
@@ -235,6 +235,10 @@ describe 'Sanitize::CSS' do
         @media (max-width: 720px) {
           p.foo > .bar { float: right; width: expression(body.scrollLeft + 50 + 'px'); }
           #baz { color: green; }
+
+          @media (orientation: portrait) {
+            #baz { color: red; }
+          }
         }
       ].strip
 
@@ -242,8 +246,85 @@ describe 'Sanitize::CSS' do
         @media (max-width: 720px) {
           p.foo > .bar { float: right;  }
           #baz { color: green; }
+
+          @media (orientation: portrait) {
+            #baz { color: red; }
+          }
+        }
+      ].strip
+    end
+
+    it 'should parse @page rules properly' do
+      css = %[
+        @page { margin: 2cm } /* All margins set to 2cm */
+
+        @page :right {
+          @top-center { content: "Preliminary edition" }
+          @bottom-center { content: counter(page) }
+        }
+
+        @page {
+          size: 8.5in 11in;
+          margin: 10%;
+
+          @top-left {
+            content: "Hamlet";
+          }
+          @top-right {
+            content: "Page " counter(page);
+          }
         }
       ].strip
+
+      @relaxed.stylesheet(css).must_equal css
+    end
+
+    describe ":at_rules" do
+      it "should remove blockless at-rules that aren't whitelisted" do
+        css = %[
+          @charset 'utf-8';
+          @import url('foo.css');
+          .foo { color: green; }
+        ].strip
+
+        @relaxed.stylesheet(css).strip.must_equal %[
+          .foo { color: green; }
+        ].strip
+      end
+
+      describe "when blockless at-rules are whitelisted" do
+        before do
+          @scss = Sanitize::CSS.new(Sanitize::Config.merge(Sanitize::Config::RELAXED[:css], {
+            :at_rules => ['charset', 'import']
+          }))
+        end
+
+        it "should not remove them" do
+          css = %[
+            @charset 'utf-8';
+            @import url('foo.css');
+            .foo { color: green; }
+          ].strip
+
+          @scss.stylesheet(css).must_equal %[
+            @charset 'utf-8';
+            @import url('foo.css');
+            .foo { color: green; }
+          ].strip
+        end
+
+        it "should remove them if they have invalid blocks" do
+          css = %[
+            @charset { color: green }
+            @import { color: green }
+            .foo { color: green; }
+          ].strip
+
+          @scss.stylesheet(css).strip.must_equal %[
+            .foo { color: green; }
+          ].strip
+        end
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanitize
 version: !ruby/object:Gem::Version
-  version: 3.1.2
+  version: 4.0.0
 platform: ruby
 authors:
 - Ryan Grove
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-22 00:00:00.000000000 Z
+date: 2015-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: crass
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: 1.0.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: 1.0.2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -44,56 +44,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.4.1
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.3.4
+        version: 5.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.3.4
+        version: 5.6.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.1'
+        version: 10.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.1'
+        version: 10.4.2
 - !ruby/object:Gem::Dependency
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: 3.2.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: 3.2.3
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement