Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rails-html-sanitizer for
openSUSE:Factory checked in at 2023-03-08 14:52:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.31432
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-html-sanitizer"
Wed Mar 8 14:52:17 2023 rev:10 rq:1067311 version:1.5.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer/rubygem-rails-html-sanitizer.changes
2022-06-15 00:32:48.734571703 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.31432/rubygem-rails-html-sanitizer.changes
2023-03-08 14:52:20.734601872 +0100
@@ -1,0 +2,34 @@
+Wed Feb 22 16:23:02 UTC 2023 - Paolo Perego <[email protected]>
+
+- updated to version 1.5.0
+ * SafeListSanitizer, PermitScrubber, and TargetScrubber now all support
pruning of unsafe tags.
+
+ By default, unsafe tags are still stripped, but this behavior can be
+ changed to prune the elementand its children from the document by
passing
+ prune: true to any of these classes' constructors.
+
+ @seyerian
+
+ ## 1.4.4 / 2022-12-13
+
+ * Address inefficient regular expression complexity with certain
configurations of Rails::Html::Sanitizer.
+ Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.
+
+ _Mike Dalessio_
+
+ * Address improper sanitization of data URIs.
+ Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more
information.
+
+ _Mike Dalessio_
+
+ * Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+ Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.
+
+ _Mike Dalessio_
+
+ * Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+ Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.
+
+ _Mike Dalessio_
+
+-------------------------------------------------------------------
@@ -100 +133,0 @@
-
Old:
----
rails-html-sanitizer-1.4.3.gem
New:
----
rails-html-sanitizer-1.5.0.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-html-sanitizer.spec ++++++
--- /var/tmp/diff_new_pack.LmKJpj/_old 2023-03-08 14:52:21.950608493 +0100
+++ /var/tmp/diff_new_pack.LmKJpj/_new 2023-03-08 14:52:21.954608515 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-html-sanitizer
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-rails-html-sanitizer
-Version: 1.4.3
+Version: 1.5.0
Release: 0
%define mod_name rails-html-sanitizer
%define mod_full_name %{mod_name}-%{version}
++++++ rails-html-sanitizer-1.4.3.gem -> rails-html-sanitizer-1.5.0.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2022-06-10 00:23:56.000000000 +0200
+++ new/CHANGELOG.md 2023-01-20 19:52:45.000000000 +0100
@@ -1,3 +1,47 @@
+## 1.5.0 / 2023-01-20
+
+* `SafeListSanitizer`, `PermitScrubber`, and `TargetScrubber` now all support
pruning of unsafe tags.
+
+ By default, unsafe tags are still stripped, but this behavior can be changed
to prune the element
+ and its children from the document by passing `prune: true` to any of these
classes' constructors.
+
+ *seyerian*
+
+## 1.4.4 / 2022-12-13
+
+* Address inefficient regular expression complexity with certain
configurations of Rails::Html::Sanitizer.
+
+ Fixes CVE-2022-23517. See
+
[GHSA-5x79-w82f-gw8w](https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w)
+ for more information.
+
+ *Mike Dalessio*
+
+* Address improper sanitization of data URIs.
+
+ Fixes CVE-2022-23518 and #135. See
+
[GHSA-mcvf-2q2m-x72m](https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m)
+ for more information.
+
+ *Mike Dalessio*
+
+* Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+
+ Fixes CVE-2022-23520. See
+
[GHSA-rrfc-7g8p-99q8](https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8)
+ for more information.
+
+ *Mike Dalessio*
+
+* Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+
+ Fixes CVE-2022-23519. See
+
[GHSA-9h9g-93gc-623h](https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h)
+ for more information.
+
+ *Mike Dalessio*
+
+
## 1.4.3 / 2022-06-09
* Address a possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
@@ -8,7 +52,6 @@
*Mike Dalessio*
-
## 1.4.2 / 2021-08-23
* Slightly improve performance.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2022-06-10 00:23:56.000000000 +0200
+++ new/README.md 2023-01-20 19:52:45.000000000 +0100
@@ -21,6 +21,35 @@
## Usage
+### A note on HTML entities
+
+__Rails::HTML sanitizers are intended to be used by the view layer, at
page-render time. They are *not* intended to sanitize persisted strings that
will sanitized *again* at page-render time.__
+
+Proper HTML sanitization will replace some characters with HTML entities. For
example, `<` will be replaced with `<` to ensure that the markup is
well-formed.
+
+This is important to keep in mind because __HTML entities will render
improperly if they are sanitized twice.__
+
+
+#### A concrete example showing the problem that can arise
+
+Imagine the user is asked to enter their employer's name, which will appear on
their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
+
+If you sanitize this before persisting it in the database, the stored string
will be `JPMorgan Chase & Co.`
+
+When the page is rendered, if this string is sanitized a second time by the
view layer, the HTML will contain `JPMorgan Chase &amp; Co.` which will
render as "JPMorgan Chase &amp; Co.".
+
+Another problem that can arise is rendering the sanitized string in a non-HTML
context (for example, if it ends up being part of an SMS message). In this
case, it may contain inappropriate HTML entities.
+
+
+#### Suggested alternatives
+
+You might simply choose to persist the untrusted string as-is (the raw input),
and then ensure that the string will be properly sanitized by the view layer.
+
+That raw string, if rendered in an non-HTML context (like SMS), must also be
sanitized by a method appropriate for that context. You may wish to look into
using [Loofah](https://github.com/flavorjones/loofah) or
[Sanitize](https://github.com/rgrove/sanitize) to customize how this
sanitization works, including omitting HTML entities in the final string.
+
+If you really want to sanitize the string that's stored in your database, you
may wish to look into
[Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord)
rather than use the Rails::HTML sanitizers.
+
+
### Sanitizers
All sanitizers respond to `sanitize`.
@@ -57,6 +86,9 @@
# safe list sanitizer can also sanitize css
safe_list_sanitizer.sanitize_css('background-color: #000;')
+
+# fully prune nodes from the tree instead of stripping tags and leaving inner
content
+safe_list_sanitizer = Rails::Html::SafeListSanitizer.new(prune: true)
```
### Scrubbers
@@ -78,6 +110,24 @@
html_fragment.to_s # => "<a></a>"
```
+By default, inner content is left, but it can be removed as well.
+
+```ruby
+scrubber = Rails::Html::PermitScrubber.new
+scrubber.tags = ['a']
+
+html_fragment = Loofah.fragment('<a><span>text</span></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a>text</a>"
+
+scrubber = Rails::Html::PermitScrubber.new(prune: true)
+scrubber.tags = ['a']
+
+html_fragment = Loofah.fragment('<a><span>text</span></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a></a>"
+```
+
#### `Rails::Html::TargetScrubber`
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
@@ -95,6 +145,23 @@
html_fragment.to_s # => "<a></a>"
```
+Similarly to `PermitScrubber`, nodes can be fully pruned.
+
+```ruby
+scrubber = Rails::Html::TargetScrubber.new
+scrubber.tags = ['span']
+
+html_fragment = Loofah.fragment('<a><span>text</span></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a>text</a>"
+
+scrubber = Rails::Html::TargetScrubber.new(prune: true)
+scrubber.tags = ['span']
+
+html_fragment = Loofah.fragment('<a><span>text</span></a>')
+html_fragment.scrub!(scrubber)
+html_fragment.to_s # => "<a></a>"
+```
#### Custom Scrubbers
You can also create custom scrubbers in your application if you want to.
@@ -138,5 +205,11 @@
See [CONTRIBUTING](CONTRIBUTING.md).
+### Security reports
+
+Trying to report a possible security vulnerability in this project? Please
+check out our [security policy](https://rubyonrails.org/security) for
+guidelines about how to proceed.
+
## License
Rails Html Sanitizers is released under the [MIT License](MIT-LICENSE).
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer/version.rb
new/lib/rails/html/sanitizer/version.rb
--- old/lib/rails/html/sanitizer/version.rb 2022-06-10 00:23:56.000000000
+0200
+++ new/lib/rails/html/sanitizer/version.rb 2023-01-20 19:52:45.000000000
+0100
@@ -1,7 +1,7 @@
module Rails
module Html
class Sanitizer
- VERSION = "1.4.3"
+ VERSION = "1.5.0"
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer.rb
new/lib/rails/html/sanitizer.rb
--- old/lib/rails/html/sanitizer.rb 2022-06-10 00:23:56.000000000 +0200
+++ new/lib/rails/html/sanitizer.rb 2023-01-20 19:52:45.000000000 +0100
@@ -110,8 +110,8 @@
acronym a img blockquote del ins))
self.allowed_attributes = Set.new(%w(href src width height alt cite
datetime title class name xml:lang abbr))
- def initialize
- @permit_scrubber = PermitScrubber.new
+ def initialize(prune: false)
+ @permit_scrubber = PermitScrubber.new(prune: prune)
end
def sanitize(html, options = {})
@@ -141,25 +141,8 @@
private
- def loofah_using_html5?
- # future-proofing, see https://github.com/flavorjones/loofah/pull/239
- Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
- end
-
- def remove_safelist_tag_combinations(tags)
- if !loofah_using_html5? && tags.include?("select") &&
tags.include?("style")
- warn("WARNING: #{self.class}: removing 'style' from safelist, should
not be combined with 'select'")
- tags.delete("style")
- end
- tags
- end
-
def allowed_tags(options)
- if options[:tags]
- remove_safelist_tag_combinations(options[:tags])
- else
- self.class.allowed_tags
- end
+ options[:tags] || self.class.allowed_tags
end
def allowed_attributes(options)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/scrubbers.rb
new/lib/rails/html/scrubbers.rb
--- old/lib/rails/html/scrubbers.rb 2022-06-10 00:23:56.000000000 +0200
+++ new/lib/rails/html/scrubbers.rb 2023-01-20 19:52:45.000000000 +0100
@@ -45,10 +45,11 @@
# See the documentation for +Nokogiri::XML::Node+ to understand what's
possible
# with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
class PermitScrubber < Loofah::Scrubber
- attr_reader :tags, :attributes
+ attr_reader :tags, :attributes, :prune
- def initialize
- @direction = :bottom_up
+ def initialize(prune: false)
+ @prune = prune
+ @direction = @prune ? :top_down : :bottom_up
@tags, @attributes = nil, nil
end
@@ -61,9 +62,9 @@
end
def scrub(node)
- if node.cdata?
- text = node.document.create_text_node node.text
- node.replace text
+ if Loofah::HTML5::Scrub.cdata_needs_escaping?(node)
+ replacement = Loofah::HTML5::Scrub.cdata_escape(node)
+ node.replace(replacement)
return CONTINUE
end
return CONTINUE if skip_node?(node)
@@ -98,7 +99,7 @@
end
def scrub_node(node)
- node.before(node.children) # strip
+ node.before(node.children) unless prune # strip
node.remove
end
@@ -139,15 +140,13 @@
end
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
- # this block lifted nearly verbatim from HTML5 sanitization
- val_unescaped =
CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
- if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !
Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
- attr_node.remove
- end
+ return if Loofah::HTML5::Scrub.scrub_uri_attribute(attr_node)
end
+
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
- attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m,
' ') if attr_node.value
+ Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
end
+
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name)
&& attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
attr_node.remove
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-06-10 00:23:56.000000000 +0200
+++ new/metadata 2023-01-20 19:52:45.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rails-html-sanitizer
version: !ruby/object:Gem::Version
- version: 1.4.3
+ version: 1.5.0
platform: ruby
authors:
- Rafael Mendonça França
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2022-06-09 00:00:00.000000000 Z
+date: 2023-01-20 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: loofah
@@ -17,14 +17,20 @@
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '2.3'
+ version: '2.19'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.19.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '2.3'
+ version: '2.19'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.19.1
- !ruby/object:Gem::Dependency
name: bundler
requirement: !ruby/object:Gem::Requirement
@@ -103,9 +109,9 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
- changelog_uri:
https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/CHANGELOG.md
- documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.3
- source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.3
+ changelog_uri:
https://github.com/rails/rails-html-sanitizer/blob/v1.5.0/CHANGELOG.md
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.5.0
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.5.0
post_install_message:
rdoc_options: []
require_paths:
@@ -121,7 +127,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.3.5
+rubygems_version: 3.4.2
signing_key:
specification_version: 4
summary: This gem is responsible to sanitize HTML fragments in Rails
applications.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/sanitizer_test.rb new/test/sanitizer_test.rb
--- old/test/sanitizer_test.rb 2022-06-10 00:23:56.000000000 +0200
+++ new/test/sanitizer_test.rb 2023-01-20 19:52:45.000000000 +0100
@@ -54,7 +54,7 @@
def test_strip_tags_with_quote
input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
- expected = libxml_2_9_14_recovery? ? %{<" hi} : %{ hi}
+ expected = libxml_2_9_14_recovery_lt? ? %{<" hi} : %{ hi}
assert_equal(expected, full_sanitize(input))
end
@@ -77,19 +77,19 @@
def test_remove_unclosed_tags
input = "This is <-- not\n a comment here."
- expected = libxml_2_9_14_recovery? ? %{This is <-- not\n a comment
here.} : %{This is }
+ expected = libxml_2_9_14_recovery_lt? ? %{This is <-- not\n a comment
here.} : %{This is }
assert_equal(expected, full_sanitize(input))
end
def test_strip_cdata
input = "This has a <![CDATA[<section>]]> here."
- expected = libxml_2_9_14_recovery? ? %{This has a <![CDATA[]]>
here.} : %{This has a ]]> here.}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{This has a
<![CDATA[]]> here.} : %{This has a ]]> here.}
assert_equal(expected, full_sanitize(input))
end
def test_strip_unclosed_cdata
input = "This has an unclosed <![CDATA[<section>]] here..."
- expected = libxml_2_9_14_recovery? ? %{This has an unclosed <![CDATA[]]
here...} : %{This has an unclosed ]] here...}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{This has an unclosed
<![CDATA[]] here...} : %{This has an unclosed ]] here...}
assert_equal(expected, full_sanitize(input))
end
@@ -256,6 +256,12 @@
end
end
+ def test_should_allow_prune
+ sanitizer = Rails::Html::SafeListSanitizer.new(prune: true)
+ text = '<u>leave me <b>now</b></u>'
+ assert_equal "<u>leave me </u>", sanitizer.sanitize(text, tags: %w(u))
+ end
+
def test_should_allow_custom_tags
text = "<u>foo</u>"
assert_equal text, safe_list_sanitize(text, tags: %w(u))
@@ -458,13 +464,13 @@
def test_should_sanitize_cdata_section
input = "<![CDATA[<span>section</span>]]>"
- expected = libxml_2_9_14_recovery? ?
%{<![CDATA[<span>section</span>]]>} : %{section]]>}
+ expected = libxml_2_9_14_recovery_lt_bang? ?
%{<![CDATA[<span>section</span>]]>} : %{section]]>}
assert_sanitized(input, expected)
end
def test_should_sanitize_unterminated_cdata_section
input = "<![CDATA[<span>neverending..."
- expected = libxml_2_9_14_recovery? ?
%{<![CDATA[<span>neverending...</span>} : %{neverending...}
+ expected = libxml_2_9_14_recovery_lt_bang? ?
%{<![CDATA[<span>neverending...</span>} : %{neverending...}
assert_sanitized(input, expected)
end
@@ -581,23 +587,124 @@
assert_equal("<div>text</div><b>text</b>",
safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
end
- def test_disallow_the_dangerous_safelist_combination_of_select_and_style
- input = "<select><style><script>alert(1)</script></style></select>"
- tags = ["select", "style"]
- warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from
safelist/
- sanitized = nil
- invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
-
- if html5_mode?
- # if Loofah is using an HTML5 parser,
- # then "style" should be removed by the parser as an invalid child of
"select"
- assert_silent(&invocation)
- else
- # if Loofah is using an HTML4 parser,
- # then SafeListSanitizer should remove "style" from the safelist
- assert_output(nil, warning, &invocation)
+ %w[text/plain text/css image/png image/gif image/jpeg].each do |mediatype|
+ define_method "test_mediatype_#{mediatype}_allowed" do
+ input = %Q(<img
src="data:#{mediatype};base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = input
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+
+ input = %Q(<img
src="DATA:#{mediatype};base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = input
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+ end
+ end
+
+ def test_mediatype_text_html_disallowed
+ input = %q(<img
src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = %q(<img>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+
+ input = %q(<img
src="DATA:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = %q(<img>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+ end
+
+ def test_mediatype_image_svg_xml_disallowed
+ input = %q(<img
src="data:image/svg+xml;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = %q(<img>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+
+ input = %q(<img
src="DATA:image/svg+xml;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
+ expected = %q(<img>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+ end
+
+ def test_mediatype_other_disallowed
+ input = %q(<a
href="data:foo;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">foo</a>)
+ expected = %q(<a>foo</a>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+
+ input = %q(<a
href="DATA:foo;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">foo</a>)
+ expected = %q(<a>foo</a>)
+ actual = safe_list_sanitize(input)
+ assert_equal(expected, actual)
+ end
+
+ def test_scrubbing_svg_attr_values_that_allow_ref
+ input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>)
+ expected = %Q(<div fill="yellow #fff">hey</div>)
+ actual = scope_allowed_attributes %w(fill) do
+ safe_list_sanitize(input)
end
- refute_includes(sanitized, "style")
+
+ assert_equal(expected, actual)
+ end
+
+ def test_style_with_css_payload
+ input, tags = "<style>div > span { background: \"red\"; }</style>",
["style"]
+ expected = "<style>div > span { background: \"red\"; }</style>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+ end
+
+ def test_combination_of_select_and_style_with_css_payload
+ input, tags = "<select><style>div > span { background: \"red\";
}</style></select>", ["select", "style"]
+ expected = "<select><style>div > span { background: \"red\";
}</style></select>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+ end
+
+ def test_combination_of_select_and_style_with_script_payload
+ input, tags = "<select><style><script>alert(1)</script></style></select>",
["select", "style"]
+ expected =
"<select><style><script>alert(1)</script></style></select>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+ end
+
+ def test_combination_of_svg_and_style_with_script_payload
+ input, tags = "<svg><style><script>alert(1)</script></style></svg>",
["svg", "style"]
+ expected =
"<svg><style><script>alert(1)</script></style></svg>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+ end
+
+ def test_combination_of_math_and_style_with_img_payload
+ input, tags = "<math><style><img src=x onerror=alert(1)></style></math>",
["math", "style"]
+ expected = "<math><style><img src=x onerror=alert(1)></style></math>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+
+ input, tags = "<math><style><img src=x onerror=alert(1)></style></math>",
["math", "style", "img"]
+ expected = "<math><style><img src=x onerror=alert(1)></style></math>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+ end
+
+ def test_combination_of_svg_and_style_with_img_payload
+ input, tags = "<svg><style><img src=x onerror=alert(1)></style></svg>",
["svg", "style"]
+ expected = "<svg><style><img src=x onerror=alert(1)></style></svg>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
+
+ input, tags = "<svg><style><img src=x onerror=alert(1)></style></svg>",
["svg", "style", "img"]
+ expected = "<svg><style><img src=x onerror=alert(1)></style></svg>"
+ actual = safe_list_sanitize(input, tags: tags)
+
+ assert_equal(expected, actual)
end
protected
@@ -657,11 +764,14 @@
end.join
end
- def libxml_2_9_14_recovery?
+ def libxml_2_9_14_recovery_lt?
+ # changed in 2.9.14, see
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">=
2.9.14")
end
- def html5_mode?
- ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
+ def libxml_2_9_14_recovery_lt_bang?
+ # changed in 2.9.14, see
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
+ # then reverted in 2.10.0, see
https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
+ Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("=
2.9.14")
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/scrubbers_test.rb new/test/scrubbers_test.rb
--- old/test/scrubbers_test.rb 2022-06-10 00:23:56.000000000 +0200
+++ new/test/scrubbers_test.rb 2023-01-20 19:52:45.000000000 +0100
@@ -66,6 +66,13 @@
assert_scrubbed html, '<tag>leave me now</tag>'
end
+ def test_prunes_tags
+ @scrubber = Rails::Html::PermitScrubber.new(prune: true)
+ @scrubber.tags = %w(tag)
+ html = '<tag>leave me <span>now</span></tag>'
+ assert_scrubbed html, '<tag>leave me </tag>'
+ end
+
def test_leaves_comments_when_supplied_as_tag
@scrubber.tags = %w(div comment)
assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
@@ -157,6 +164,13 @@
html = '<tag remove="" other=""></tag><a remove="" other=""></a>'
assert_scrubbed html, '<a other=""></a>'
end
+
+ def test_prunes_tags
+ @scrubber = Rails::Html::TargetScrubber.new(prune: true)
+ @scrubber.tags = %w(span)
+ html = '<tag>leave me <span>now</span></tag>'
+ assert_scrubbed html, '<tag>leave me </tag>'
+ end
end
class TextOnlyScrubberTest < ScrubberTest
