whitewash 2.0

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'rspec'
+$LOAD_PATH.unshift(File.expand_path("../lib", File.dirname(__FILE__)))
+require 'whitewash'
+
+class Whitewash
+  remove_const :PATH
+  PATH = [ File.expand_path("../data/whitewash", File.dirname(__FILE__)) ]
+end

data/spec/whitewash_spec.rb

@@ -0,0 +1,99 @@
+require File.expand_path('spec/spec_helper')
+
+describe Whitewash do
+  it "loads default whitelist" do
+    whitelist = Whitewash.default_whitelist
+    whitelist.should be_a_kind_of Hash
+    whitelist.should include '_css'
+  end
+
+  it "drops <html> and <body> elements" do
+    w = Whitewash.new
+    input = '<html><head></head><body><p>test</p></body>'
+    output = w.sanitize(input)
+    output.should == '<p>test</p>'
+  end
+
+  it "understands fragments with multiple root elements" do
+    w = Whitewash.new
+    input = '<p>foo</p><p>bar</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo</p><p>bar</p>'
+  end
+
+  it "removes <script/> element" do
+    w = Whitewash.new
+    input = '<p>foo <script type="text/javascript" src="test.js">bar</script> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <![CDATA[bar]]> buzz</p>'
+  end
+
+  it "removes onclick attribute" do
+    w = Whitewash.new
+    input = '<p>foo <span onlick="test()">bar</span> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <span>bar</span> buzz</p>'
+  end
+
+  it "removes background CSS property" do
+    w = Whitewash.new
+    input = '<p>foo <span style="background: url(//test/t.js)">bar</span> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <span>bar</span> buzz</p>'
+  end
+
+  it "rewrites HTML when supplied with a block" do
+    w = Whitewash.new
+    input = '<p>foo <img src="in.jpg"/> buzz</p>'
+    output = w.sanitize(input) do |xml|
+      if xml.name == 'img'
+        xml['src'] = 'out.jpg'
+      end
+    end
+    output.should == '<p>foo <img src="out.jpg" /> buzz</p>'
+  end
+
+  it "fixes up invalid markup" do
+    w = Whitewash.new
+    input = '<p>foo <strong><em>bar</strong></em> buzz</p>'
+    output = w.sanitize(input)
+    output.should == '<p>foo <strong><em>bar</em></strong> buzz</p>'
+  end
+
+  # http://ha.ckers.org/xss.html
+
+  it "catches javascript: in img/src" do
+    w = Whitewash.new
+    input = %q{<IMG SRC=JaVaScRiPt:alert('XSS')>}
+    output = w.sanitize(input)
+    output.should == %q{<img />}
+  end
+
+  it "handles strings with null in the middle" do
+    w = Whitewash.new
+    input = %q{<IMG SRC=java\0script:alert("XSS")>}
+    output = w.sanitize(input)
+    output.should == %q{<img />}
+  end
+
+  it "handles extra open brackets" do
+    w = Whitewash.new
+    input = %q{<<SCRIPT>alert("XSS");//<</SCRIPT>}
+    output = w.sanitize(input)
+    output.should == '<p>alert("XSS");//</p>'
+  end
+
+  it "removes remote stylesheet link" do
+    w = Whitewash.new
+    input = %q{<P><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></P>}
+    output = w.sanitize(input)
+    output.should == '<p></p>'
+  end
+
+  it "removes XML data island with CDATA obfuscation" do
+    w = Whitewash.new
+    input = %{<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>}
+    output = w.sanitize(input)
+    output.should == ']]&gt; <span></span>'
+  end
+end

data/whitewash.gemspec

@@ -0,0 +1,18 @@
+Gem::Specification.new do |spec|
+  spec.name        = 'whitewash'
+  spec.version     = '2.0'
+  spec.author      = 'Dmitry Borodaenko'
+  spec.email       = 'angdraug@debian.org'
+  spec.homepage    = 'https://github.com/angdraug/whitewash'
+  spec.summary     = 'Whitelist-based HTML filter for Ruby'
+  spec.description = <<-EOF
+This module allows Ruby programs to clean up any HTML document or
+fragment coming from an untrusted source and to remove all dangerous
+constructs that could be used for cross-site scripting or request
+forgery.
+    EOF
+  spec.files       = `git ls-files`.split "\n"
+  spec.license     = 'GPL3+'
+#  spec.add_dependency('nokogiri')
+#  spec.add_development_dependency('rspec')
+end

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification 
+name: whitewash
+version: !ruby/object:Gem::Version 
+  hash: 3
+  prerelease: 
+  segments: 
+  - 2
+  - 0
+  version: "2.0"
+platform: ruby
+authors: 
+- Dmitry Borodaenko
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-02-05 00:00:00 Z
+dependencies: []
+
+description: |
+  This module allows Ruby programs to clean up any HTML document or
+  fragment coming from an untrusted source and to remove all dangerous
+  constructs that could be used for cross-site scripting or request
+  forgery.
+
+email: angdraug@debian.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- COPYING
+- ChangeLog.mtn
+- README.rdoc
+- data/whitewash/html5_whitelist.yaml
+- data/whitewash/whitelist.yaml
+- lib/whitewash.rb
+- setup.rb
+- spec/spec_helper.rb
+- spec/whitewash_spec.rb
+- whitewash.gemspec
+homepage: https://github.com/angdraug/whitewash
+licenses: 
+- GPL3+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Whitelist-based HTML filter for Ruby
+test_files: []
+