Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-loofah for openSUSE:Factory checked in at 2021-01-21 21:55:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old) and /work/SRC/openSUSE:Factory/.rubygem-loofah.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-loofah" Thu Jan 21 21:55:02 2021 rev:16 rq:864570 version:2.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes 2020-12-11 20:16:22.640651231 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new.28504/rubygem-loofah.changes 2021-01-21 21:55:04.169786454 +0100 @@ -1,0 +2,8 @@ +Wed Jan 20 07:36:46 UTC 2021 - Manuel Schnitzer <mschnit...@suse.com> + +- updated to version 2.9.0 + + * Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), + [#200](https://github.com/flavorjones/loofah/issues/200)] + +------------------------------------------------------------------- Old: ---- loofah-2.8.0.gem New: ---- loofah-2.9.0.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-loofah.spec ++++++ --- /var/tmp/diff_new_pack.A0JO1U/_old 2021-01-21 21:55:04.689786650 +0100 +++ /var/tmp/diff_new_pack.A0JO1U/_new 2021-01-21 21:55:04.689786650 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-loofah # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-loofah -Version: 2.8.0 +Version: 2.9.0 Release: 0 %define mod_name loofah %define mod_full_name %{mod_name}-%{version} ++++++ loofah-2.8.0.gem -> loofah-2.9.0.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2020-11-25 22:12:09.000000000 +0100 +++ new/CHANGELOG.md 2021-01-14 22:36:18.000000000 +0100 
@@ -1,5 +1,10 @@ # Changelog +### 2.9.0 / 2021-01-14 + +* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)] + + ### 2.8.0 / 2020-11-25 * Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!) Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/html5/scrub.rb new/lib/loofah/html5/scrub.rb --- old/lib/loofah/html5/scrub.rb 2020-11-25 22:12:09.000000000 +0100 +++ new/lib/loofah/html5/scrub.rb 2021-01-14 22:36:18.000000000 +0100 @@ -7,22 +7,22 @@ module Scrub CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/ - CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } + CRASS_SEMICOLON = { node: :semicolon, raw: ";" } CSS_IMPORTANT = '!important' class << self def allowed_element?(element_name) - ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name + ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name) end # alternative implementation of the html5lib attribute scrubbing algorithm def scrub_attributes(node) node.attribute_nodes.each do |attr_node| attr_name = if attr_node.namespace - "#{attr_node.namespace.prefix}:#{attr_node.node_name}" - else - attr_node.node_name - end + "#{attr_node.namespace.prefix}:#{attr_node.node_name}" + else + attr_node.node_name + end if attr_name =~ /\Adata-[\w-]+\z/ next 
@@ -58,13 +58,13 @@ end end - scrub_css_attribute node + scrub_css_attribute(node) node.attribute_nodes.each do |attr_node| node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/ end - force_correct_attribute_escaping! node + force_correct_attribute_escaping!(node) end def scrub_css_attribute(node) 
@@ -73,33 +73,50 @@ end def scrub_css(style) - style_tree = Crass.parse_properties style + style_tree = Crass.parse_properties(style) sanitized_tree = [] style_tree.each do |node| next unless node[:node] == :property next if node[:children].any? do |child| - [:url, :bad_url].include?(child[:node]) || (child[:node] == :function && !SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase)) + [:url, :bad_url].include?(child[:node]) end + name = node[:name].downcase - if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name) - sanitized_tree << node << CRASS_SEMICOLON - elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) - value = node[:value].split.map do |keyword| - if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH + next unless SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || + SafeList::ALLOWED_SVG_PROPERTIES.include?(name) || + SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) + + value = node[:children].map do |child| + case child[:node] + when :whitespace + nil + when :string + nil + when :function + if SafeList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase) + Crass::Parser.stringify(child) + end + when :ident + keyword = child[:value] + if !SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) || + SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || + (keyword =~ CSS_KEYWORDISH) keyword end - end.compact - unless value.empty? - value << CSS_IMPORTANT if node[:important] - propstring = sprintf "%s:%s", name, value.join(" ") - sanitized_node = Crass.parse_properties(propstring).first - sanitized_tree << sanitized_node << CRASS_SEMICOLON + else + child[:raw] end - end + end.compact + + next if value.empty? 
+ value << CSS_IMPORTANT if node[:important] + propstring = format("%s:%s", name, value.join(" ")) + sanitized_node = Crass.parse_properties(propstring).first + sanitized_tree << sanitized_node << CRASS_SEMICOLON end - Crass::Parser.stringify sanitized_tree + Crass::Parser.stringify(sanitized_tree) end # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/version.rb new/lib/loofah/version.rb --- old/lib/loofah/version.rb 2020-11-25 22:12:09.000000000 +0100 +++ new/lib/loofah/version.rb 2021-01-14 22:36:18.000000000 +0100 @@ -1,5 +1,5 @@ # frozen_string_literal: true module Loofah # The version of Loofah you are using - VERSION = "2.8.0" + VERSION = "2.9.0" end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2020-11-25 22:12:09.000000000 +0100 +++ new/metadata 2021-01-14 22:36:18.000000000 +0100 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: loofah version: !ruby/object:Gem::Version - version: 2.8.0 + version: 2.9.0 platform: ruby authors: - Mike Dalessio @@ -9,7 +9,7 @@ autorequire: bindir: bin cert_chain: [] -date: 2020-11-25 00:00:00.000000000 Z +date: 2021-01-14 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nokogiri
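Review bot: The `else child[:raw]` default in the new `case child[:node]` of `scrub_css` is fail-open: any Crass node type the case does not name is copied into the output unchecked. For shorthand properties only `:ident` children are still tested against `ALLOWED_CSS_KEYWORDS` / `CSS_KEYWORDISH`, where the removed code tested every whitespace-separated piece of the value. A sanitizer is easier to audit when the default is to drop, so I would name the pass-through types and finish with `else nil`, for example `when :number, :dimension, :percentage, :hash, :comma then child[:raw]`; the exact list needs checking against the Crass tokenizer and the existing tests. In the same block, an allowed `:function` is emitted via `Crass::Parser.stringify(child)` without inspecting its arguments, and the `:url`/`:bad_url` guard looks only at direct children, so whether a nested token can reach the output depends on how Crass nests values and deserves a regression test. Separately, `when :string` returns `nil` for every quoted value, so an allowed non-shorthand property whose value is only a quoted string is now removed, which the deleted `sanitized_tree << node << CRASS_SEMICOLON` path kept.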