trust_html 0.1.0 → 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- data/README.rdoc +10 -9
- data/VERSION +1 -1
- data/assets/html-sanitizer.js +1 -2
- data/lib/trust_html/sanitizer.rb +6 -3
- data/trust_html.gemspec +1 -1
- metadata +14 -14
data/README.rdoc
CHANGED
|
@@ -1,16 +1,17 @@
|
|
|
1
1
|
= trust_html
|
|
2
2
|
|
|
3
|
+
== Usage
|
|
4
|
+
Pass HTML to:
|
|
5
|
+
* TrustHtml.sanitize("<div onclick=\"alert('hi';)\">Hello world</div><img src=\"javascript:alert('xss');\"/><SCRIPT>alert(\"xss\");</SCRIPT><body background=\"javascript:alert('xss')\">")
|
|
3
6
|
|
|
7
|
+
== Configuration
|
|
8
|
+
So far you can only customize the methods for processing URL's and DOM ID's that are in the HTML provided. These methods are in JS and are passed local variables 'url' and 'id' respectively for you to decide whether to allow/rewrite/deny the value.
|
|
9
|
+
* TrustHtml::Sanitizer::URL_SANITIZER_METHOD_BODY
|
|
10
|
+
* TrustHtml::Sanitizer::ID_SANITIZER_METHOD_BODY
|
|
4
11
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
*
|
|
8
|
-
* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
|
|
9
|
-
* Fork the project
|
|
10
|
-
* Start a feature/bugfix branch
|
|
11
|
-
* Commit and push until you are happy with your contribution
|
|
12
|
-
* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
|
|
13
|
-
* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
|
|
12
|
+
You can also customize further (rewrite attributes, more complex rules, change whitelists, etc) by customizing html-sanitizer.js and html4-defs.js. If modified you will need to set the following:
|
|
13
|
+
* TrustHtml::Sanitizer::HTML_SANITIZER_PATH
|
|
14
|
+
* TrustHtml::Sanitizer::HTML_DEFS_PATH
|
|
14
15
|
|
|
15
16
|
== Copyright
|
|
16
17
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.1
|
data/assets/html-sanitizer.js
CHANGED
|
@@ -503,8 +503,7 @@ function html_sanitize(htmlText, opt_uriPolicy, opt_nmTokenPolicy) {
|
|
|
503
503
|
value = null;
|
|
504
504
|
break;
|
|
505
505
|
case html4.atype.STYLE:
|
|
506
|
-
|
|
507
|
-
//value = null;
|
|
506
|
+
value = null;
|
|
508
507
|
break;
|
|
509
508
|
case html4.atype.ID:
|
|
510
509
|
case html4.atype.IDREF:
|
data/lib/trust_html/sanitizer.rb
CHANGED
|
@@ -16,7 +16,10 @@ module TrustHtml
|
|
|
16
16
|
# 'id' is local to the method
|
|
17
17
|
ID_SANITIZER_METHOD_BODY = "return id;"
|
|
18
18
|
|
|
19
|
-
|
|
19
|
+
HTML_SANITIZER_PATH = File.expand_path("../../../assets/html-sanitizer.js", __FILE__)
|
|
20
|
+
HTML_DEFS_PATH = File.expand_path("../../../assets/html4-defs.js", __FILE__)
|
|
21
|
+
|
|
22
|
+
def self.sanitize(html_to_sanitize)
|
|
20
23
|
sanitizer_js = "function urlX(url) {#{URL_SANITIZER_METHOD_BODY}};" +
|
|
21
24
|
"function idX(id) {#{ID_SANITIZER_METHOD_BODY}};" +
|
|
22
25
|
# Look at #escape_javascript as well...
|
|
@@ -24,8 +27,8 @@ module TrustHtml
|
|
|
24
27
|
"html_sanitize('#{html_to_sanitize.escape_single_quotes.remove_nonprintable}', urlX, idX);"
|
|
25
28
|
|
|
26
29
|
cxt = V8::Context.new
|
|
27
|
-
cxt.load(
|
|
28
|
-
cxt.load(
|
|
30
|
+
cxt.load(HTML_DEFS_PATH)
|
|
31
|
+
cxt.load(HTML_SANITIZER_PATH)
|
|
29
32
|
cxt.eval(sanitizer_js)
|
|
30
33
|
end
|
|
31
34
|
end
|
data/trust_html.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: trust_html
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -13,7 +13,7 @@ date: 2011-07-15 00:00:00.000000000Z
|
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: better
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &2152272220 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *2152272220
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: therubyracer
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &2152257680 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ! '>='
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: '0'
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *2152257680
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: shoulda
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &2152249880 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ! '>='
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: '0'
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *2152249880
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &2152247140 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ~>
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: 1.0.0
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *2152247140
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: jeweler
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &2152244460 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ~>
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: 1.6.4
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *2152244460
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: rcov
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &2152218160 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,7 +76,7 @@ dependencies:
|
|
|
76
76
|
version: '0'
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *2152218160
|
|
80
80
|
description: Make HTML trustworthy for rendering within your web app via Google HTML
|
|
81
81
|
sanitizers. This is _not_ about stripping HTML but rather about cleaning it of javascript
|
|
82
82
|
(onclicks, etc.) as well as CSS.
|
|
@@ -117,7 +117,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
117
117
|
version: '0'
|
|
118
118
|
segments:
|
|
119
119
|
- 0
|
|
120
|
-
hash:
|
|
120
|
+
hash: -3766334305255440814
|
|
121
121
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
122
122
|
none: false
|
|
123
123
|
requirements:
|