sanitize 6.1.1 → 6.1.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/HISTORY.md +8 -0
  3. data/lib/sanitize/css.rb +27 -0
  4. data/lib/sanitize/version.rb +1 -1
  5. data/test/test_sanitize_css.rb +6 -0
  6. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ed64268ea99d49841046ad5977df0d4e622abe58a6374244bc9223631ee0ed95
4
- data.tar.gz: eb614786ac3167798532bdfef07c2abd65d5a72928af487432c775d9c878024d
3
+ metadata.gz: 22d5dc60d871deef3c8d6e70a9991369350f730165771eb5a026c5db3c54c706
4
+ data.tar.gz: 1c2e3c02ce6cd4df374675102470203c657188bf70ce8fa344930588d59359b8
5
5
  SHA512:
6
- metadata.gz: 176c443206f2880a84bca7d84a32a631e4237f5f3de4d69f45a9dcd80ba31999c7c7424c1ace1a09aa4566834a699e7ff149e956383ec91c2c98e7c63c01f3c6
7
- data.tar.gz: f492268ae71a8109b4857f9dced29d3ed4e3897b39fe2cb4d12cd1459395b58197179b2e9cdd32175e281a5aea04a13fa741809040289dbe47391b7367e1397d
6
+ metadata.gz: 4f6213a1274e9f4940aaedee5df9966d4d5ac26db5222fb8f14408b365be3bc6299fab02a275495516c0d9be0a1b2ebaddf622085321625c2773554728459760
7
+ data.tar.gz: b14dc3eeb2215eef2ffed29f4900d279ec6d3a5c32dc2c0d1d0f62e9adbf0b7241bd388064d3eda421819cb30c46b7d52924b182436535050402097945c8e4ca
data/HISTORY.md CHANGED
@@ -1,5 +1,13 @@
1
1
  # Sanitize History
2
2
 
3
+ ## 6.1.2 (2024-07-27)
4
+
5
+ ### Bug Fixes
6
+
7
+ * The CSS URL protocol allowlist is now properly enforced in [CSS Images Module Level 4](https://drafts.csswg.org/css-images-4/) `image` and `image-set` functions. [@ltk - #240][240]
8
+
9
+ [240]:https://github.com/rgrove/sanitize/pull/240
10
+
3
11
  ## 6.1.1 (2024-06-12)
4
12
 
5
13
  ### Bug Fixes
data/lib/sanitize/css.rb CHANGED
@@ -272,6 +272,10 @@ class Sanitize; class CSS
272
272
  return nil unless valid_url?(child)
273
273
  end
274
274
 
275
+ if name == 'image-set' || name == 'image'
276
+ return nil unless valid_image?(child)
277
+ end
278
+
275
279
  combined_value << name
276
280
  return nil if name == 'expression' || combined_value == 'expression'
277
281
  end
@@ -345,4 +349,27 @@ class Sanitize; class CSS
345
349
  false
346
350
  end
347
351
 
352
+ # Returns `true` if the given node (which is an `image` or `image-set` function) contains only strings
353
+ # using an allowlisted protocol.
354
+ def valid_image?(node)
355
+ return false unless node[:node] == :function
356
+ return false unless node.key?(:name) && ['image', 'image-set'].include?(node[:name].downcase)
357
+ return false unless Array === node[:value]
358
+
359
+ node[:value].each do |token|
360
+ return false unless Hash === token
361
+
362
+ case token[:node]
363
+ when :string
364
+ if token[:value] =~ Sanitize::REGEX_PROTOCOL
365
+ return false unless @config[:protocols].include?($1.downcase)
366
+ else
367
+ return false unless @config[:protocols].include?(:relative)
368
+ end
369
+ else
370
+ next
371
+ end
372
+ end
373
+ end
374
+
348
375
  end; end
data/lib/sanitize/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  class Sanitize
2
- VERSION = '6.1.1'
2
+ VERSION = '6.1.2'
3
3
  end
data/test/test_sanitize_css.rb CHANGED
@@ -29,6 +29,12 @@ describe 'Sanitize::CSS' do
29
29
  "background: url('ht\\tp://example.com/http.jpg')",
30
30
  "background: url(https://example.com/https.jpg)",
31
31
  "background: url('https://example.com/https.jpg')",
32
+ "background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
33
+ "background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
34
+ "background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
35
+ "background: image('relative.jpg');",
36
+ "background: image('https://example.com/https.jpg');",
37
+ "background: image(rtl 'https://example.com/https.jpg');"
32
38
  ].each do |css|
33
39
  _(@default.properties(css)).must_equal ''
34
40
  _(@relaxed.properties(css)).must_equal css
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.1
4
+ version: 6.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-13 00:00:00.000000000 Z
11
+ date: 2024-07-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: crass
@@ -123,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
123
123
  - !ruby/object:Gem::Version
124
124
  version: 1.2.0
125
125
  requirements: []
126
- rubygems_version: 3.5.11
126
+ rubygems_version: 3.5.3
127
127
  signing_key:
128
128
  specification_version: 4
129
129
  summary: Allowlist-based HTML and CSS sanitizer.