sanitize 5.2.2 → 5.2.3
- checksums.yaml +4 -4
- data/HISTORY.md +9 -0
- data/README.md +1 -1
- data/lib/sanitize/transformers/clean_element.rb +8 -11
- data/lib/sanitize/version.rb +1 -1
- data/test/test_clean_element.rb +16 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6ca971107ac89b0f3ce8523e5377c9f476d117a954c5a56af4b92dc926fc6ad8
|
4
|
+
data.tar.gz: ce25b03a97cd03958ec2a9698154a01b8b2b6f21e9e9bf3f118ba2bcee414f77
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0b6f4f1b6ea5bc243f6246d8490dfae58508058e7f16c3a78c12fd1b6edeee2a468e877f93bc7e2a868f6af151c2cf039ea1cc46e10b3404a7433bca3367b16b
|
7
|
+
data.tar.gz: 1abcace0d5409a63b815330b7e3533ac2e08b09a8a8dfef70d07296a898e51c7f9303d1f5218c55fe93651414f867f1bbc3725f87fbfe0acfa68910fbff7b399
|
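--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,5 +1,14 @@
 # Sanitize History
 
+## 5.2.3 (2021-01-11)
+
+### Bug Fixes
+
+* Ensure protocol sanitization is applied to data attributes.
+[@ccutrer - #207][207]
+
+[207]:https://github.com/rgrove/sanitize/pull/207
+
 ## 5.2.2 (2021-01-06)
 
 ### Bug Fixes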
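--- a/data/README.md
+++ b/data/README.md
@@ -17,8 +17,8 @@ exactly the same way modern browsers do. As long as your allowlist config only
 allows safe markup and CSS, even the most malformed or malicious input will be
 transformed into safe output.
 
-[![Build Status](https://travis-ci.org/rgrove/sanitize.svg?branch=master)](https://travis-ci.org/rgrove/sanitize)
 [![Gem Version](https://badge.fury.io/rb/sanitize.svg)](http://badge.fury.io/rb/sanitize)
+[![Tests](https://github.com/rgrove/sanitize/workflows/Tests/badge.svg)](https://github.com/rgrove/sanitize/actions?query=workflow%3ATests)
 
 [crass]:https://github.com/rgrove/crass
 [gumbo]:https://github.com/google/gumbo-parser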
@@ -120,18 +120,15 @@ class Sanitize; module Transformers; class CleanElement
|
|
120
120
|
attr_name = attr.name.downcase
|
121
121
|
|
122
122
|
unless attr_allowlist.include?(attr_name)
|
123
|
-
# The attribute isn't allowed
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
# attribute
|
128
|
-
|
123
|
+
# The attribute isn't in the allowlist, but may still be allowed if
|
124
|
+
# it's a data attribute.
|
125
|
+
|
126
|
+
unless allow_data_attributes && attr_name.start_with?('data-') && attr_name =~ REGEX_DATA_ATTR
|
127
|
+
# Either the attribute isn't a data attribute or arbitrary data
|
128
|
+
# attributes aren't allowed. Remove the attribute.
|
129
|
+
attr.unlink
|
130
|
+
next
|
129
131
|
end
|
130
|
-
|
131
|
-
# Either the attribute isn't a data attribute or arbitrary data
|
132
|
-
# attributes aren't allowed. Remove the attribute.
|
133
|
-
attr.unlink
|
134
|
-
next
|
135
132
|
end
|
136
133
|
|
137
134
|
# The attribute is allowed.
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_clean_element.rb
CHANGED
@@ -491,6 +491,22 @@ describe 'Sanitize::Transformers::CleanElement' do
|
|
491
491
|
}).must_equal "<a>Text</a>"
|
492
492
|
end
|
493
493
|
|
494
|
+
it 'should sanitize protocols in data attributes even if data attributes are generically allowed' do
|
495
|
+
input = '<a data-url="mailto:someone@example.com">Text</a>'
|
496
|
+
|
497
|
+
Sanitize.fragment(input, {
|
498
|
+
:elements => ['a'],
|
499
|
+
:attributes => {'a' => [:data]},
|
500
|
+
:protocols => {'a' => {'data-url' => ['https']}}
|
501
|
+
}).must_equal "<a>Text</a>"
|
502
|
+
|
503
|
+
Sanitize.fragment(input, {
|
504
|
+
:elements => ['a'],
|
505
|
+
:attributes => {'a' => [:data]},
|
506
|
+
:protocols => {'a' => {'data-url' => ['mailto']}}
|
507
|
+
}).must_equal input
|
508
|
+
end
|
509
|
+
|
494
510
|
it 'should prevent `<meta>` tags from being used to set a non-UTF-8 charset' do
|
495
511
|
Sanitize.document('<html><head><meta charset="utf-8"></head><body>Howdy!</body></html>',
|
496
512
|
:elements => %w[html head meta body],
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sanitize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryan Grove
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-01-
|
11
|
+
date: 2021-01-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: crass
|