sanitize 6.1.2 → 6.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/HISTORY.md +8 -0
- data/lib/sanitize/css.rb +10 -4
- data/lib/sanitize/version.rb +1 -1
- data/test/test_sanitize_css.rb +3 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8811451060f77afcf698da8e589994af3c5683d08a0032a279f76b3b556b5f33
|
|
4
|
+
data.tar.gz: d2617a785428b5b99717ef1743cc75dc1f8c53bda53fea59050725a1218b5fe8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 33b4b13b4369ba159031a1298bd5965b9dbe15921121b58d55155d3e717dd7cadf3495e10683613cd1439055f6d5a57249e540824fd9f98a11ae62db08167573
|
|
7
|
+
data.tar.gz: 40f149e0e3c51283b72332efb4598a81263fba029ea121ede31bb578634de339ed5c162fd49355601568c5cbc08f617879f058bcdfe5ce35afa6322e155cff8b
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Sanitize History
|
|
2
2
|
|
|
3
|
+
## 6.1.3 (2024-08-14)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* The CSS URL protocol allowlist is now enforced on the nonstandard `-webkit-image-set` CSS function. [@ltk - #242][242]
|
|
8
|
+
|
|
9
|
+
[242]:https://github.com/rgrove/sanitize/pull/242
|
|
10
|
+
|
|
3
11
|
## 6.1.2 (2024-07-27)
|
|
4
12
|
|
|
5
13
|
### Bug Fixes
|
data/lib/sanitize/css.rb
CHANGED
|
@@ -229,6 +229,12 @@ class Sanitize; class CSS
|
|
|
229
229
|
rule
|
|
230
230
|
end
|
|
231
231
|
|
|
232
|
+
# Returns `true` if the given CSS function name is an image-related function
|
|
233
|
+
# that may contain image URLs that need to be validated.
|
|
234
|
+
def image_function?(name)
|
|
235
|
+
['image', 'image-set', '-webkit-image-set'].include?(name)
|
|
236
|
+
end
|
|
237
|
+
|
|
232
238
|
# Passes the URL value of an @import rule to a block to ensure
|
|
233
239
|
# it's an allowed URL
|
|
234
240
|
def import_url_allowed?(rule)
|
|
@@ -272,7 +278,7 @@ class Sanitize; class CSS
|
|
|
272
278
|
return nil unless valid_url?(child)
|
|
273
279
|
end
|
|
274
280
|
|
|
275
|
-
if name
|
|
281
|
+
if image_function?(name)
|
|
276
282
|
return nil unless valid_image?(child)
|
|
277
283
|
end
|
|
278
284
|
|
|
@@ -349,11 +355,11 @@ class Sanitize; class CSS
|
|
|
349
355
|
false
|
|
350
356
|
end
|
|
351
357
|
|
|
352
|
-
# Returns `true` if the given node
|
|
353
|
-
#
|
|
358
|
+
# Returns `true` if the given node is an image-related function and contains
|
|
359
|
+
# only strings that use an allowlisted protocol.
|
|
354
360
|
def valid_image?(node)
|
|
355
361
|
return false unless node[:node] == :function
|
|
356
|
-
return false unless node.key?(:name) &&
|
|
362
|
+
return false unless node.key?(:name) && image_function?(node[:name].downcase)
|
|
357
363
|
return false unless Array === node[:value]
|
|
358
364
|
|
|
359
365
|
node[:value].each do |token|
|
data/lib/sanitize/version.rb
CHANGED
data/test/test_sanitize_css.rb
CHANGED
|
@@ -32,6 +32,9 @@ describe 'Sanitize::CSS' do
|
|
|
32
32
|
"background: image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
33
33
|
"background: image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
34
34
|
"background: image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
|
+
"background: -webkit-image-set('relative.jpg' 1x, 'relative-2x.jpg' 2x)",
|
|
36
|
+
"background: -webkit-image-set('https://example.com/https.jpg' 1x, 'https://example.com/https-2x.jpg' 2x)",
|
|
37
|
+
"background: -webkit-image-set('https://example.com/https.jpg' type('image/jpeg'), 'https://example.com/https.avif' type('image/avif'))",
|
|
35
38
|
"background: image('relative.jpg');",
|
|
36
39
|
"background: image('https://example.com/https.jpg');",
|
|
37
40
|
"background: image(rtl 'https://example.com/https.jpg');"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanitize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Grove
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-08-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: crass
|
|
@@ -123,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: 1.2.0
|
|
125
125
|
requirements: []
|
|
126
|
-
rubygems_version: 3.5.
|
|
126
|
+
rubygems_version: 3.5.11
|
|
127
127
|
signing_key:
|
|
128
128
|
specification_version: 4
|
|
129
129
|
summary: Allowlist-based HTML and CSS sanitizer.
|