sanitize 5.2.2 → 5.2.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e67616d2378cfe4e0ea979d76d206630a9edc4ed6d31f97e6801f6022a0ea08b
- data.tar.gz: 8bce2fda8409782d0b25e143eb36912bc32183eff3314033f54e74560c9988d5
+ metadata.gz: 6ca971107ac89b0f3ce8523e5377c9f476d117a954c5a56af4b92dc926fc6ad8
+ data.tar.gz: ce25b03a97cd03958ec2a9698154a01b8b2b6f21e9e9bf3f118ba2bcee414f77
  SHA512:
- metadata.gz: e37c472801a5082c6019fd58f1d47c90c68c4a64a2cba7fc6149ac0c8d9a4c1f3c8c0baa3b659ba8f8bf384a5c6e3a95b30d15553aa3d5bcbc0f5a2dd7aa70fd
- data.tar.gz: cb6db6ed39956a2f02e024d3745908a4c8b9bccf7f7fc3beebbfd2072a3a73948cc8320a1cb4622563ef2a158bcd73d75607adb94b4ce6e924efbabc7fe6a216
+ metadata.gz: 0b6f4f1b6ea5bc243f6246d8490dfae58508058e7f16c3a78c12fd1b6edeee2a468e877f93bc7e2a868f6af151c2cf039ea1cc46e10b3404a7433bca3367b16b
+ data.tar.gz: 1abcace0d5409a63b815330b7e3533ac2e08b09a8a8dfef70d07296a898e51c7f9303d1f5218c55fe93651414f867f1bbc3725f87fbfe0acfa68910fbff7b399
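Review bot: nothing in this diff lets a reviewer reproduce the new SHA256/SHA512 values, so before publishing compare them against a local `gem build` of the tagged 5.2.3 commit and, after upload, against the digest rubygems.org reports for the package; a mismatch would mean the gem was packaged from a tree other than the one reviewed here. Because checksums.yaml ships inside the same artifact it describes, it can only detect corruption, not substitution.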
data/HISTORY.md CHANGED
@@ -1,5 +1,14 @@
  # Sanitize History
 
+ ## 5.2.3 (2021-01-11)
+
+ ### Bug Fixes
+
+ * Ensure protocol sanitization is applied to data attributes.
+ [@ccutrer - #207][207]
+
+ [207]:https://github.com/rgrove/sanitize/pull/207
+
  ## 5.2.2 (2021-01-06)
 
  ### Bug Fixes
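Review bot: the 5.2.3 entry is filed only under Bug Fixes, but what it fixes is a sanitizer bypass: the line itself says protocol sanitization was not being applied to data attributes, and the test added in this release pins a `mailto:` value in `data-url` being stripped under an https-only `:protocols` config with `:attributes => {'a' => [:data]}`. State the impact in the entry and name the affected configuration (arbitrary data attributes enabled together with a `:protocols` restriction on a data attribute), so readers of the changelog can tell whether they need to upgrade, and consider publishing an advisory rather than relying on the Bug Fixes heading.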
data/README.md CHANGED
@@ -17,8 +17,8 @@ exactly the same way modern browsers do. As long as your allowlist config only
  allows safe markup and CSS, even the most malformed or malicious input will be
  transformed into safe output.
 
- [![Build Status](https://travis-ci.org/rgrove/sanitize.svg?branch=master)](https://travis-ci.org/rgrove/sanitize)
  [![Gem Version](https://badge.fury.io/rb/sanitize.svg)](http://badge.fury.io/rb/sanitize)
+ [![Tests](https://github.com/rgrove/sanitize/workflows/Tests/badge.svg)](https://github.com/rgrove/sanitize/actions?query=workflow%3ATests)
 
  [crass]:https://github.com/rgrove/crass
  [gumbo]:https://github.com/google/gumbo-parser
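Review bot: the Gem Version badge link on the unchanged line 20 still points at `http://badge.fury.io/rb/sanitize` while its image and the new Tests badge both use https; while touching this block, switch the link to `https://badge.fury.io/rb/sanitize` so the README does not send readers over plaintext.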
@@ -120,18 +120,15 @@ class Sanitize; module Transformers; class CleanElement
  attr_name = attr.name.downcase
 
  unless attr_allowlist.include?(attr_name)
- # The attribute isn't allowed.
-
- if allow_data_attributes && attr_name.start_with?('data-')
- # Arbitrary data attributes are allowed. If this is a data
- # attribute, continue.
- next if attr_name =~ REGEX_DATA_ATTR
+ # The attribute isn't in the allowlist, but may still be allowed if
+ # it's a data attribute.
+
+ unless allow_data_attributes && attr_name.start_with?('data-') && attr_name =~ REGEX_DATA_ATTR
+ # Either the attribute isn't a data attribute or arbitrary data
+ # attributes aren't allowed. Remove the attribute.
+ attr.unlink
+ next
  end
-
- # Either the attribute isn't a data attribute or arbitrary data
- # attributes aren't allowed. Remove the attribute.
- attr.unlink
- next
  end
 
  # The attribute is allowed.
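Review bot: the new comment at lines 123-124 should say explicitly that an allowed data attribute must fall through to the handling after `# The attribute is allowed.` (which, per the HISTORY entry and the new test, is where the `:protocols` check runs), because that fall-through is the entire fix: the removed `next if attr_name =~ REGEX_DATA_ATTR` skipped the rest of the loop body, so a generically allowed `data-*` attribute was never run through the protocol allowlist. A line such as `# Allowed data attributes fall through so the protocol check below still applies.` would keep a future refactor from reintroducing the early `next`. The combined guard itself is correct; keeping `start_with?('data-')` as a cheap pre-filter ahead of the regex is fine.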
@@ -1,5 +1,5 @@
  # encoding: utf-8
 
  class Sanitize
- VERSION = '5.2.2'
+ VERSION = '5.2.3'
  end
@@ -491,6 +491,22 @@ describe 'Sanitize::Transformers::CleanElement' do
  }).must_equal "<a>Text</a>"
  end
 
+ it 'should sanitize protocols in data attributes even if data attributes are generically allowed' do
+ input = '<a data-url="mailto:someone@example.com">Text</a>'
+
+ Sanitize.fragment(input, {
+ :elements => ['a'],
+ :attributes => {'a' => [:data]},
+ :protocols => {'a' => {'data-url' => ['https']}}
+ }).must_equal "<a>Text</a>"
+
+ Sanitize.fragment(input, {
+ :elements => ['a'],
+ :attributes => {'a' => [:data]},
+ :protocols => {'a' => {'data-url' => ['mailto']}}
+ }).must_equal input
+ end
+
  it 'should prevent `<meta>` tags from being used to set a non-UTF-8 charset' do
  Sanitize.document('<html><head><meta charset="utf-8"></head><body>Howdy!</body></html>',
  :elements => %w[html head meta body],
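Review bot: the new test only exercises a data attribute whose name is listed in `:protocols`; add a case with the same `:attributes => {'a' => [:data]}` config where the attribute is not listed there (for example `data-foo="mailto:someone@example.com"` with `:protocols => {'a' => {'data-url' => ['https']}}`) so the behaviour for unlisted data attributes is pinned down: the clean_element.rb hunk shows they now reach the allowed path, but what the protocol check does with an attribute that has no `:protocols` entry is not covered here. A mixed-case or whitespace-padded scheme in `data-url` would also be worth a case, since those are the variants an attacker will try against a scheme allowlist.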
metadata CHANGED
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: sanitize
  version: !ruby/object:Gem::Version
- version: 5.2.2
+ version: 5.2.3
  platform: ruby
  authors:
  - Ryan Grove
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-01-06 00:00:00.000000000 Z
+ date: 2021-01-11 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: crass
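Review bot: `cert_chain: []` on the unchanged line 10 means this release ships unsigned, so the digests in checksums.yaml are the only integrity record and they travel inside the artifact they describe. Consider signing releases (a `signing_key` and `cert_chain` in the gemspec, built with `gem cert`) so a 5.2.3 package can be verified independently of the registry; until then, consumers should pin by the digest rubygems.org publishes rather than trust the in-package file.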