RubyGems - selma - Versions diffs - 0.2.2-x86_64-darwin → 0.4.0-x86_64-darwin - Mend

selma 0.2.2-x86_64-darwin → 0.4.0-x86_64-darwin

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/README.md +122 -24
data/lib/selma/3.1/selma.bundle +0 -0
data/lib/selma/3.2/selma.bundle +0 -0
data/lib/selma/3.3/selma.bundle +0 -0
data/lib/selma/config.rb +12 -0
data/lib/selma/sanitizer/config/default.rb +1 -1
data/lib/selma/sanitizer/config/relaxed.rb +1 -0
data/lib/selma/sanitizer.rb +6 -1
data/lib/selma/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da44321197848529fd6fb90ec2b6265f17441d380efa47fd5836492d9ef616fb
-  data.tar.gz: 17e40218b475fda8e86dc160b04b5259ce2978c92ec4677cbf8b0e4db0f82b36
+  metadata.gz: 0e44202bd34d77e68a8c2c1af2ef9a1650c7b126a0a0617f76b60fb19f437365
+  data.tar.gz: 2b77c9bfaacc1ae7f3af965f187c71ac1661b22205dcddeb6cc27f1a3536db2e
 SHA512:
-  metadata.gz: 6f0174d4954d0e4f22fe0e89239bee643ea24f6c9c05652b2ce79935bf30529b74fcb66ba96eb6b4f4fbc56c1f3a44557d77033ee7fc47952deda885430bc6e3
-  data.tar.gz: eb7c917db6fc9085db53879fac0c5b1cc4843ca37c5931199e1fcf3f8e12da64959cf30fbf276f0bac8cc1da8f665e22c87621a12b15c5c9160f6d5d95867ec7
+  metadata.gz: f6de84a3a8c74ccd7d7bd387a11730ce03abdcfde05676d08b66b03903d9a66008aa4c92d73a90e77dcfc215dc2ab2e6921697cdcb15fa630098f44fbb4305d2
+  data.tar.gz: a0a3e20a2022c2b9dbaae65003ecbf1800d01b7b4569d8a23691a07f065d102570f12b5bb84dd7738cc8a1038b98fce2cf49e1a9f116304ffe98a93f1d5a42e0

data/README.md CHANGED Viewed

@@ -76,7 +76,7 @@ attributes: {
 # URL handling protocols to allow in specific attributes. By default, no
 # protocols are allowed. Use :relative in place of a protocol if you want
-# to allow relative URLs sans protocol.
+# to allow relative URLs sans protocol. Set to `:all` to allow any protocol.
 protocols: {
     "a" => { "href" => ["http", "https", "mailto", :relative] },
     "img" => { "href" => ["http", "https"] },
@@ -103,7 +103,11 @@ Here's an example which rewrites the `href` attribute on `a` and the `src` attri
 ```ruby
 class MatchAttribute
-  SELECTOR = Selma::Selector(match_element: %(a[href^="http:"], img[src^="http:"]"))
+  SELECTOR = Selma::Selector.new(match_element: %(a[href^="http:"], img[src^="http:"]"))
+  def selector
+    SELECTOR
+  end
   def handle_element(element)
     if element.tag_name == "a"
@@ -176,40 +180,134 @@ The `element` argument in `handle_element` has the following methods:
 - `after(content, as: content_type)`: Inserts `content` after the text. `content_type` is either `:text` or `:html` and determines how the content will be applied.
 - `replace(content, as: content_type)`: Replaces the text node with `content`. `content_type` is either `:text` or `:html` and determines how the content will be applied.
+## Security
+Theoretically, a malicious user can provide a very large document for processing, which can exhaust the memory of the host machine. To set a limit on how much string content is processed at once, you can provide two options into the `memory` namespace:
+```ruby
+memory: {
+  max_allowed_memory_usage: 1000,
+  preallocated_parsing_buffer_size: 100,
+},
+```
+Note that `preallocated_parsing_buffer_size` must always be less than `max_allowed_memory_usage`. See [the`lol_html` project documentation](https://docs.rs/lol_html/1.2.1/lol_html/struct.MemorySettings.html) to learn more about the default values.
 ## Benchmarks
+When `bundle exec rake benchmark`, two different benchmarks are calculated. Here are those results on my machine.
+### Benchmarks for just the sanitization process
+Comparing Selma against popular Ruby sanitization gems:
+<!-- prettier-ignore-start -->
 <details>
 <pre>
-ruby test/benchmark.rb
-ruby test/benchmark.rb
+input size = 25309 bytes, 0.03 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-huge
-                         1.000  i/100ms
- selma-document-huge     1.000  i/100ms
+         sanitize-sm    16.000 i/100ms
+            selma-sm   214.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-huge
-                          0.257  (± 0.0%) i/s -      2.000  in   7.783398s
- selma-document-huge      4.602  (± 0.0%) i/s -     23.000  in   5.002870s
+         sanitize-sm    171.670 (± 1.2%) i/s -      5.152k in  30.017081s
+            selma-sm      2.146k (± 3.0%) i/s -     64.414k in  30.058470s
+Comparison:
+            selma-sm:     2145.8 i/s
+         sanitize-sm:      171.7 i/s - 12.50x  slower
+input size = 86686 bytes, 0.09 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-medium
-                         2.000  i/100ms
-selma-document-medium
-                        22.000  i/100ms
+         sanitize-md     4.000 i/100ms
+            selma-md    56.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-medium
-                         28.676  (± 3.5%) i/s -    144.000  in   5.024669s
-selma-document-medium
-                        121.500  (±22.2%) i/s -    594.000  in   5.135410s
+         sanitize-md     44.397 (± 2.3%) i/s -      1.332k in  30.022430s
+            selma-md    558.448 (± 1.4%) i/s -     16.800k in  30.089196s
+Comparison:
+            selma-md:      558.4 i/s
+         sanitize-md:       44.4 i/s - 12.58x  slower
+input size = 7172510 bytes, 7.17 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         sanitize-lg     1.000 i/100ms
+            selma-lg     1.000 i/100ms
+Calculating -------------------------------------
+         sanitize-lg      0.163 (± 0.0%) i/s -      6.000 in  37.375628s
+            selma-lg      6.750 (± 0.0%) i/s -    203.000 in  30.080976s
+Comparison:
+            selma-lg:        6.7 i/s
+         sanitize-lg:        0.2 i/s - 41.32x  slower
+</pre>
+</details>
+<!-- prettier-ignore-end -->
+### Benchmarks for just the rewriting process
+Comparing Selma against popular Ruby HTML parsing gems:
+<!-- prettier-ignore-start -->
+<details>
+<pre>input size = 25309 bytes, 0.03 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         nokogiri-sm   107.000 i/100ms
+       nokolexbor-sm   340.000 i/100ms
+            selma-sm   380.000 i/100ms
+Calculating -------------------------------------
+         nokogiri-sm      1.073k (± 2.1%) i/s -     32.207k in  30.025474s
+       nokolexbor-sm      3.300k (±13.2%) i/s -     27.540k in  36.788212s
+            selma-sm      3.779k (± 3.4%) i/s -    113.240k in  30.013908s
+Comparison:
+            selma-sm:     3779.4 i/s
+       nokolexbor-sm:     3300.1 i/s - same-ish: difference falls within error
+         nokogiri-sm:     1073.1 i/s - 3.52x  slower
+input size = 86686 bytes, 0.09 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         nokogiri-md    11.000 i/100ms
+       nokolexbor-md    48.000 i/100ms
+            selma-md    53.000 i/100ms
+Calculating -------------------------------------
+         nokogiri-md    103.998 (± 5.8%) i/s -      3.113k in  30.029932s
+       nokolexbor-md    428.928 (± 7.9%) i/s -     12.816k in  30.066662s
+            selma-md    492.190 (± 6.9%) i/s -     14.734k in  30.082943s
+Comparison:
+            selma-md:      492.2 i/s
+       nokolexbor-md:      428.9 i/s - same-ish: difference falls within error
+         nokogiri-md:      104.0 i/s - 4.73x  slower
+input size = 7172510 bytes, 7.17 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-small
-                        10.000  i/100ms
-selma-document-small    20.000  i/100ms
+         nokogiri-lg     1.000 i/100ms
+       nokolexbor-lg     1.000 i/100ms
+            selma-lg     1.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-small
-                        107.280  (± 0.9%) i/s -    540.000  in   5.033850s
-selma-document-small    118.867  (±31.1%) i/s -    540.000  in   5.080726s
+         nokogiri-lg      0.874 (± 0.0%) i/s -     27.000 in  30.921090s
+       nokolexbor-lg      2.227 (± 0.0%) i/s -     67.000 in  30.137903s
+            selma-lg      8.354 (± 0.0%) i/s -    251.000 in  30.075227s
+Comparison:
+            selma-lg:        8.4 i/s
+       nokolexbor-lg:        2.2 i/s - 3.75x  slower
+         nokogiri-lg:        0.9 i/s - 9.56x  slower
 </pre>
 </details>
+<!-- prettier-ignore-end -->
 ## Contributing

data/lib/selma/3.1/selma.bundle CHANGED Viewed

Binary file

data/lib/selma/3.2/selma.bundle CHANGED Viewed

Binary file

data/lib/selma/3.3/selma.bundle CHANGED Viewed

Binary file

data/lib/selma/config.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+module Selma
+  module Config
+    OPTIONS = {
+      memory: {
+        max_allowed_memory_usage: nil,
+        preallocated_parsing_buffer_size: nil,
+      },
+    }
+  end
+end

data/lib/selma/sanitizer/config/default.rb CHANGED Viewed

@@ -28,7 +28,7 @@ module Selma
         # URL handling protocols to allow in specific attributes. By default, no
         # protocols are allowed. Use :relative in place of a protocol if you want
-        # to allow relative URLs sans protocol.
+        # to allow relative URLs sans protocol. Set to `:all` to allow any protocol.
         protocols: {},
         # An Array of element names whose contents will be removed. The contents

data/lib/selma/sanitizer/config/relaxed.rb CHANGED Viewed

@@ -16,6 +16,7 @@ module Selma
           "colgroup",
           "data",
           "del",
+          "details",
           "div",
           "figcaption",
           "figure",

data/lib/selma/sanitizer.rb CHANGED Viewed

@@ -66,7 +66,12 @@ module Selma
     end
     def allow_protocol(element, attr, protos)
-      protos = [protos] unless protos.is_a?(Array)
+      if protos.is_a?(Array)
+        raise ArgumentError, "`:all` must be passed outside of an array" if protos.include?(:all)
+      else
+        protos = [protos]
+      end
       set_allowed_protocols(element, attr, protos)
     end

data/lib/selma/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Selma
-  VERSION = "0.2.2"
+  VERSION = "0.4.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: selma
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.4.0
 platform: x86_64-darwin
 authors:
 - Garen J. Torikian
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-01-03 00:00:00.000000000 Z
+date: 2024-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -51,6 +51,7 @@ files:
 - lib/selma/3.1/selma.bundle
 - lib/selma/3.2/selma.bundle
 - lib/selma/3.3/selma.bundle
+- lib/selma/config.rb
 - lib/selma/extension.rb
 - lib/selma/html.rb
 - lib/selma/rewriter.rb