Control: tags 963808 + patch Control: tags 963808 + pending
Dear maintainer, I've prepared an NMU for ruby-sanitize (versioned as 4.6.6-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru ruby-sanitize-4.6.6/debian/changelog ruby-sanitize-4.6.6/debian/changelog --- ruby-sanitize-4.6.6/debian/changelog 2019-02-07 21:15:34.000000000 +0100 +++ ruby-sanitize-4.6.6/debian/changelog 2020-07-12 15:02:54.000000000 +0200 @@ -1,3 +1,13 @@ +ruby-sanitize (4.6.6-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * fix: Don't treat :remove_contents as `true` when it's an Array + * feat: Remove useless filtered element content by default + * Fix sanitization bypass in HTML foreign content (CVE-2020-4054) + (Closes: #963808) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 12 Jul 2020 15:02:54 +0200 + ruby-sanitize (4.6.6-2) unstable; urgency=medium * Team upload. diff -Nru ruby-sanitize-4.6.6/debian/patches/Fix-sanitization-bypass-in-HTML-foreign-content.patch ruby-sanitize-4.6.6/debian/patches/Fix-sanitization-bypass-in-HTML-foreign-content.patch --- ruby-sanitize-4.6.6/debian/patches/Fix-sanitization-bypass-in-HTML-foreign-content.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-sanitize-4.6.6/debian/patches/Fix-sanitization-bypass-in-HTML-foreign-content.patch 2020-07-12 15:02:31.000000000 +0200 @@ -0,0 +1,134 @@ +From: Ryan Grove <r...@wonko.com> +Date: Mon, 15 Jun 2020 14:27:07 -0700 +Subject: Fix sanitization bypass in HTML foreign content +Origin: https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9 +Bug: https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m +Bug-Debian: https://bugs.debian.org/963808 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-4054 + +https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m + +[Salvatore Bonaccorso: Backport to 4.6.6 for context changes] +--- + README.md | 11 +++++++++++ + lib/sanitize/config/default.rb | 2 +- + test/test_clean_element.rb | 30 ++++++++++++++++++++---------- + test/test_malicious_html.rb | 13 +++++++++++++ + 4 files changed, 45 insertions(+), 11 deletions(-) + +--- a/README.md ++++ b/README.md +@@ -73,6 +73,11 @@ Sanitize can sanitize the following type + * Standalone CSS stylesheets + * Standalone CSS properties + ++However, please note that Sanitize _cannot_ fully sanitize the contents of ++`<math>` or `<svg>` elements, since these elements don't follow the same parsing ++rules as the rest of HTML. If this is something you need, you may want to look ++for another solution. ++ + ### HTML Fragments + + A fragment is a snippet of HTML that doesn't contain a root-level `<html>` +@@ -417,6 +422,12 @@ elements not in this array will be remov + ] + ``` + ++**Warning:** Sanitize cannot fully sanitize the contents of `<math>` or `<svg>` ++elements, since these elements don't follow the same parsing rules as the rest ++of HTML. If you add `math` or `svg` to the allowlist, you must assume that any ++content inside them will be allowed, even if that content would otherwise be ++removed by Sanitize. ++ + #### :protocols (Hash) + + URL protocols to allow in specific attributes. If an attribute is listed here +--- a/lib/sanitize/config/default.rb ++++ b/lib/sanitize/config/default.rb +@@ -70,7 +70,7 @@ class Sanitize + # the specified elements (when filtered) will be removed, and the contents + # of all other filtered elements will be left behind. + :remove_contents => %w[ +- iframe noembed noframes noscript script style ++ iframe math noembed noframes noscript plaintext script style svg xmp + ], + + # Transformers allow you to filter or alter nodes using custom logic. See +--- a/test/test_clean_element.rb ++++ b/test/test_clean_element.rb +@@ -192,21 +192,16 @@ describe 'Sanitize::Transformers::CleanE + .must_equal '' + end + +- it 'should escape the content of removed `plaintext` elements' do +- Sanitize.fragment('<plaintext>hello! <script>alert(0)</script>') +- .must_equal 'hello! <script>alert(0)</script>' +- end +- +- it 'should escape the content of removed `xmp` elements' do +- Sanitize.fragment('<xmp>hello! <script>alert(0)</script></xmp>') +- .must_equal 'hello! <script>alert(0)</script>' +- end +- + it 'should not preserve the content of removed `iframe` elements' do + Sanitize.fragment('<iframe>hello! <script>alert(0)</script></iframe>') + .must_equal '' + end + ++ it 'should not preserve the content of removed `math` elements' do ++ Sanitize.fragment('<math>hello! <script>alert(0)</script></math>') ++ .must_equal '' ++ end ++ + it 'should not preserve the content of removed `noembed` elements' do + Sanitize.fragment('<noembed>hello! <script>alert(0)</script></noembed>') + .must_equal '' +@@ -222,6 +217,11 @@ describe 'Sanitize::Transformers::CleanE + .must_equal '' + end + ++ it 'should not preserve the content of removed `plaintext` elements' do ++ Sanitize.fragment('<plaintext>hello! <script>alert(0)</script>') ++ .must_equal '' ++ end ++ + it 'should not preserve the content of removed `script` elements' do + Sanitize.fragment('<script>hello! <script>alert(0)</script></script>') + .must_equal '' +@@ -232,6 +232,16 @@ describe 'Sanitize::Transformers::CleanE + .must_equal '' + end + ++ it 'should not preserve the content of removed `svg` elements' do ++ Sanitize.fragment('<svg>hello! <script>alert(0)</script></svg>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `xmp` elements' do ++ Sanitize.fragment('<xmp>hello! <script>alert(0)</script></xmp>') ++ .must_equal '' ++ end ++ + strings.each do |name, data| + it "should clean #{name} HTML" do + Sanitize.fragment(data[:html]).must_equal(data[:default]) +--- a/test/test_malicious_html.rb ++++ b/test/test_malicious_html.rb +@@ -189,4 +189,17 @@ describe 'Malicious HTML' do + end + end + end ++ ++ # https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m ++ describe 'foreign content bypass in relaxed config' do ++ it 'prevents a sanitization bypass via carefully crafted foreign content' do ++ %w[iframe noembed noframes noscript plaintext script style xmp].each do |tag_name| ++ @s.fragment(%[<math><#{tag_name}>/*</#{tag_name}><img src onerror=alert(1)>*/]). ++ must_equal '' ++ ++ @s.fragment(%[<svg><#{tag_name}>/*</#{tag_name}><img src onerror=alert(1)>*/]). ++ must_equal '' ++ end ++ end ++ end + end diff -Nru ruby-sanitize-4.6.6/debian/patches/feat-Remove-useless-filtered-element-content-by-defa.patch ruby-sanitize-4.6.6/debian/patches/feat-Remove-useless-filtered-element-content-by-defa.patch --- ruby-sanitize-4.6.6/debian/patches/feat-Remove-useless-filtered-element-content-by-defa.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-sanitize-4.6.6/debian/patches/feat-Remove-useless-filtered-element-content-by-defa.patch 2020-07-12 14:51:40.000000000 +0200 @@ -0,0 +1,238 @@ +From: Ryan Grove <r...@wonko.com> +Date: Sat, 13 Oct 2018 17:47:21 -0700 +Subject: feat: Remove useless filtered element content by default +Origin: https://github.com/rgrove/sanitize/commit/faf9a0f432fda3cef29f0f8aad99d4dedf079d67 + +[Salvatore Bonaccorso: Backport to 4.6.6 for context changes] +--- + lib/sanitize/config/default.rb | 4 +- + lib/sanitize/transformers/clean_element.rb | 6 +- + test/test_clean_comment.rb | 6 +- + test/test_clean_element.rb | 64 +++++++++++++++++----- + test/test_malicious_html.rb | 6 +- + test/test_parser.rb | 4 +- + test/test_sanitize.rb | 6 +- + 7 files changed, 66 insertions(+), 30 deletions(-) + +--- a/lib/sanitize/config/default.rb ++++ b/lib/sanitize/config/default.rb +@@ -69,7 +69,9 @@ class Sanitize + # If this is an Array or Set of element names, then only the contents of + # the specified elements (when filtered) will be removed, and the contents + # of all other filtered elements will be left behind. +- :remove_contents => false, ++ :remove_contents => %w[ ++ iframe noembed noframes noscript script style ++ ], + + # Transformers allow you to filter or alter nodes using custom logic. See + # README.md for details and examples. +--- a/lib/sanitize/transformers/clean_element.rb ++++ b/lib/sanitize/transformers/clean_element.rb +@@ -97,8 +97,10 @@ class Sanitize; module Transformers; cla + end + end + +- unless @remove_all_contents || @remove_element_contents.include?(name) +- node.add_previous_sibling(node.children) ++ unless node.children.empty? ++ unless @remove_all_contents || @remove_element_contents.include?(name) ++ node.add_previous_sibling(node.children) ++ end + end + + node.unlink +--- a/test/test_clean_comment.rb ++++ b/test/test_clean_comment.rb +@@ -20,7 +20,7 @@ describe 'Sanitize::Transformers::CleanC + + # Special case: the comment markup is inside a <script>, which makes it + # text content and not an actual HTML comment. +- @s.fragment("<script><!-- comment --></script>").must_equal '<!-- comment -->' ++ @s.fragment("<script><!-- comment --></script>").must_equal '' + + Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => false, :elements => ['script']) + .must_equal '<script><!-- comment --></script>' +@@ -40,10 +40,6 @@ describe 'Sanitize::Transformers::CleanC + @s.fragment("foo <!-- <!-- <!-- --> --> -->bar").must_equal 'foo <!-- <!-- <!-- --> --> -->bar' + @s.fragment("foo <div <!-- comment -->>bar</div>").must_equal 'foo <div>>bar</div>' + +- # Special case: the comment markup is inside a <script>, which makes it +- # text content and not an actual HTML comment. +- @s.fragment("<script><!-- comment --></script>").must_equal '<!-- comment -->' +- + Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => true, :elements => ['script']) + .must_equal '<script><!-- comment --></script>' + end +--- a/test/test_clean_element.rb ++++ b/test/test_clean_element.rb +@@ -8,25 +8,22 @@ describe 'Sanitize::Transformers::CleanE + strings = { + :basic => { + :html => '<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <style>.foo { color: #fff; }</style> <script>alert("hello world");</script>', +- +- :default => 'Lorem ipsum dolor sit amet .foo { color: #fff; } alert("hello world");', +- :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet .foo { color: #fff; } alert("hello world");', +- :basic => '<b>Lorem</b> <a href="pants" rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet .foo { color: #fff; } alert("hello world");', +- :relaxed => '<b>Lorem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet <style>.foo { color: #fff; }</style> alert("hello world");' ++ :default => 'Lorem ipsum dolor sit amet ', ++ :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet ', ++ :basic => '<b>Lorem</b> <a href="pants" rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet ', ++ :relaxed => '<b>Lorem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet <style>.foo { color: #fff; }</style> ' + }, + + :malformed => { + :html => 'Lo<!-- comment -->rem</b> <a href=pants title="foo>ipsum <a href="http://foo.com/"><strong>dolor</a></strong> sit<br/>amet <script>alert("hello world");', +- +- :default => 'Lorem dolor sit amet alert("hello world");', +- :restricted => 'Lorem <strong>dolor</strong> sit amet alert("hello world");', +- :basic => 'Lorem <a href="pants" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");', +- :relaxed => 'Lorem <a href="pants" title="foo>ipsum <a href="><strong>dolor</strong></a> sit<br>amet alert("hello world");', ++ :default => 'Lorem dolor sit amet ', ++ :restricted => 'Lorem <strong>dolor</strong> sit amet ', ++ :basic => 'Lorem <a href="pants" rel="nofollow"><strong>dolor</strong></a> sit<br>amet ', ++ :relaxed => 'Lorem <a href="pants" title="foo>ipsum <a href="><strong>dolor</strong></a> sit<br>amet ', + }, + + :unclosed => { + :html => '<p>a</p><blockquote>b', +- + :default => ' a b ', + :restricted => ' a b ', + :basic => '<p>a</p><blockquote>b</blockquote>', +@@ -35,7 +32,6 @@ describe 'Sanitize::Transformers::CleanE + + :malicious => { + :html => '<b>Lo<!-- comment -->rem</b> <a href="javascript:pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <<foo>script>alert("hello world");</script>', +- + :default => 'Lorem ipsum dolor sit amet <script>alert("hello world");', + :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet <script>alert("hello world");', + :basic => '<b>Lorem</b> <a rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet <script>alert("hello world");', +@@ -171,10 +167,10 @@ describe 'Sanitize::Transformers::CleanE + .must_equal 'foo bar baz quux' + + Sanitize.fragment('<script>alert("<xss>");</script>') +- .must_equal 'alert("<xss>");' ++ .must_equal '' + + Sanitize.fragment('<<script>script>alert("<xss>");</<script>>') +- .must_equal '<script>alert("<xss>");</<script>>' ++ .must_equal '<' + + Sanitize.fragment('< script <>> alert("<xss>");</script>') + .must_equal '< script <>> alert("");' +@@ -196,6 +192,46 @@ describe 'Sanitize::Transformers::CleanE + .must_equal '' + end + ++ it 'should escape the content of removed `plaintext` elements' do ++ Sanitize.fragment('<plaintext>hello! <script>alert(0)</script>') ++ .must_equal 'hello! <script>alert(0)</script>' ++ end ++ ++ it 'should escape the content of removed `xmp` elements' do ++ Sanitize.fragment('<xmp>hello! <script>alert(0)</script></xmp>') ++ .must_equal 'hello! <script>alert(0)</script>' ++ end ++ ++ it 'should not preserve the content of removed `iframe` elements' do ++ Sanitize.fragment('<iframe>hello! <script>alert(0)</script></iframe>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `noembed` elements' do ++ Sanitize.fragment('<noembed>hello! <script>alert(0)</script></noembed>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `noframes` elements' do ++ Sanitize.fragment('<noframes>hello! <script>alert(0)</script></noframes>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `noscript` elements' do ++ Sanitize.fragment('<noscript>hello! <script>alert(0)</script></noscript>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `script` elements' do ++ Sanitize.fragment('<script>hello! <script>alert(0)</script></script>') ++ .must_equal '' ++ end ++ ++ it 'should not preserve the content of removed `style` elements' do ++ Sanitize.fragment('<style>hello! <script>alert(0)</script></style>') ++ .must_equal '' ++ end ++ + strings.each do |name, data| + it "should clean #{name} HTML" do + Sanitize.fragment(data[:html]).must_equal(data[:default]) +--- a/test/test_malicious_html.rb ++++ b/test/test_malicious_html.rb +@@ -65,7 +65,7 @@ describe 'Malicious HTML' do + + it 'should not be possible to inject <script> via a malformed <img> tag' do + @s.fragment('<img """><script>alert("XSS")</script>">'). +- must_equal '<img>alert("XSS")">' ++ must_equal '<img>">' + end + + it 'should not be possible to inject protocol-based JS' do +@@ -117,12 +117,12 @@ describe 'Malicious HTML' do + describe '<script>' do + it 'should not be possible to inject <script> using a malformed non-alphanumeric tag name' do + @s.fragment(%[<script/xss src="http://ha.ckers.org/xss.js">alert(1)</script>]). +- must_equal 'alert(1)' ++ must_equal '' + end + + it 'should not be possible to inject <script> via extraneous open brackets' do + @s.fragment(%[<<script>alert("XSS");//<</script>]). +- must_equal '<alert("XSS");//<' ++ must_equal '<' + end + end + +--- a/test/test_parser.rb ++++ b/test/test_parser.rb +@@ -19,8 +19,8 @@ describe 'Parser' do + end + + it 'should not have the Nokogiri 1.4.2+ unterminated script/style element bug' do +- Sanitize.fragment('foo <script>bar').must_equal 'foo bar' +- Sanitize.fragment('foo <style>bar').must_equal 'foo bar' ++ Sanitize.fragment('foo <script>bar').must_equal 'foo ' ++ Sanitize.fragment('foo <style>bar').must_equal 'foo ' + end + + it 'ambiguous non-tag brackets like "1 > 2 and 2 < 1" should be parsed correctly' do +--- a/test/test_sanitize.rb ++++ b/test/test_sanitize.rb +@@ -25,7 +25,7 @@ describe 'Sanitize' do + + it 'should sanitize an HTML document' do + @s.document('<!doctype html><html><b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script></html>') +- .must_equal "<html>Lorem ipsum dolor sit amet alert(\"hello world\");</html>\n" ++ .must_equal "<html>Lorem ipsum dolor sit amet </html>\n" + end + + it 'should not modify the input string' do +@@ -42,7 +42,7 @@ describe 'Sanitize' do + describe '#fragment' do + it 'should sanitize an HTML fragment' do + @s.fragment('<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <script>alert("hello world");</script>') +- .must_equal 'Lorem ipsum dolor sit amet alert("hello world");' ++ .must_equal 'Lorem ipsum dolor sit amet ' + end + + it 'should not modify the input string' do +@@ -71,7 +71,7 @@ describe 'Sanitize' do + doc.xpath('/html/body/node()').each {|node| frag << node } + + @s.node!(frag) +- frag.to_html.must_equal 'Lorem ipsum dolor sit amet alert("hello world");' ++ frag.to_html.must_equal 'Lorem ipsum dolor sit amet ' + end + + describe "when the given node is a document and <html> isn't whitelisted" do diff -Nru ruby-sanitize-4.6.6/debian/patches/fix-Don-t-treat-remove_contents-as-true-when-it-s-an.patch ruby-sanitize-4.6.6/debian/patches/fix-Don-t-treat-remove_contents-as-true-when-it-s-an.patch --- ruby-sanitize-4.6.6/debian/patches/fix-Don-t-treat-remove_contents-as-true-when-it-s-an.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-sanitize-4.6.6/debian/patches/fix-Don-t-treat-remove_contents-as-true-when-it-s-an.patch 2020-07-12 14:13:31.000000000 +0200 @@ -0,0 +1,102 @@ +From: Ryan Grove <r...@wonko.com> +Date: Sat, 13 Oct 2018 17:38:30 -0700 +Subject: fix: Don't treat :remove_contents as `true` when it's an Array +Origin: https://github.com/rgrove/sanitize/commit/54dcf57ff1c16a861621ccf0089d2da9b6c3e5d7 + +--- + README.md | 8 ++++---- + lib/sanitize/config/default.rb | 6 +++--- + lib/sanitize/transformers/clean_element.rb | 2 +- + test/test_clean_element.rb | 20 ++++++++++++++------ + 4 files changed, 22 insertions(+), 14 deletions(-) + +diff --git a/README.md b/README.md +index 4532a668188d..5cc3c5a19010 100644 +--- a/README.md ++++ b/README.md +@@ -441,13 +441,13 @@ include the symbol `:relative` in the protocol array: + + #### :remove_contents (boolean or Array or Set) + +-If set to `true`, Sanitize will remove the contents of any non-whitelisted ++If this is `true`, Sanitize will remove the contents of any non-whitelisted + elements in addition to the elements themselves. By default, Sanitize leaves the + safe parts of an element's contents behind when the element is removed. + +-If set to an array of element names, then only the contents of the specified +-elements (when filtered) will be removed, and the contents of all other filtered +-elements will be left behind. ++If this is an Array or Set of element names, then only the contents of the ++specified elements (when filtered) will be removed, and the contents of all ++other filtered elements will be left behind. + + The default value is `false`. + +diff --git a/lib/sanitize/config/default.rb b/lib/sanitize/config/default.rb +index 09e1348afae4..72c6557081c6 100644 +--- a/lib/sanitize/config/default.rb ++++ b/lib/sanitize/config/default.rb +@@ -66,9 +66,9 @@ class Sanitize + # leaves the safe parts of an element's contents behind when the element + # is removed. + # +- # If this is an Array of element names, then only the contents of the +- # specified elements (when filtered) will be removed, and the contents of +- # all other filtered elements will be left behind. ++ # If this is an Array or Set of element names, then only the contents of ++ # the specified elements (when filtered) will be removed, and the contents ++ # of all other filtered elements will be left behind. + :remove_contents => false, + + # Transformers allow you to filter or alter nodes using custom logic. See +diff --git a/lib/sanitize/transformers/clean_element.rb b/lib/sanitize/transformers/clean_element.rb +index fbbe9c8e8785..124384a9605c 100644 +--- a/lib/sanitize/transformers/clean_element.rb ++++ b/lib/sanitize/transformers/clean_element.rb +@@ -67,7 +67,7 @@ class Sanitize; module Transformers; class CleanElement + @whitespace_elements = config[:whitespace_elements] + end + +- if config[:remove_contents].is_a?(Set) ++ if config[:remove_contents].is_a?(Enumerable) + @remove_element_contents.merge(config[:remove_contents].map(&:to_s)) + else + @remove_all_contents = !!config[:remove_contents] +diff --git a/test/test_clean_element.rb b/test/test_clean_element.rb +index 8113cb67bcab..cf99764e604f 100644 +--- a/test/test_clean_element.rb ++++ b/test/test_clean_element.rb +@@ -344,16 +344,24 @@ describe 'Sanitize::Transformers::CleanElement' do + ).must_equal 'foo bar ' + end + +- it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as strings' do +- Sanitize.fragment('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', ++ it 'should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as strings' do ++ Sanitize.fragment('foo bar <div>baz<span>quux</span> <b>hi</b><script>alert("hello!");</script></div>', + :remove_contents => ['script', 'span'] +- ).must_equal 'foo bar baz ' ++ ).must_equal 'foo bar baz hi ' ++ ++ Sanitize.fragment('foo bar <div>baz<span>quux</span> <b>hi</b><script>alert("hello!");</script></div>', ++ :remove_contents => Set.new(['script', 'span']) ++ ).must_equal 'foo bar baz hi ' + end + +- it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as symbols' do +- Sanitize.fragment('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>', ++ it 'should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as symbols' do ++ Sanitize.fragment('foo bar <div>baz<span>quux</span> <b>hi</b><script>alert("hello!");</script></div>', + :remove_contents => [:script, :span] +- ).must_equal 'foo bar baz ' ++ ).must_equal 'foo bar baz hi ' ++ ++ Sanitize.fragment('foo bar <div>baz<span>quux</span> <b>hi</b><script>alert("hello!");</script></div>', ++ :remove_contents => Set.new([:script, :span]) ++ ).must_equal 'foo bar baz hi ' + end + + it 'should not allow arbitrary HTML5 data attributes by default' do +-- +2.27.0 + diff -Nru ruby-sanitize-4.6.6/debian/patches/series ruby-sanitize-4.6.6/debian/patches/series --- ruby-sanitize-4.6.6/debian/patches/series 2019-02-07 21:15:34.000000000 +0100 +++ ruby-sanitize-4.6.6/debian/patches/series 2020-07-12 14:57:36.000000000 +0200 @@ -1,2 +1,5 @@ no-relative-path.patch Fix-test-against-Nokogiri-1.10.patch +fix-Don-t-treat-remove_contents-as-true-when-it-s-an.patch +feat-Remove-useless-filtered-element-content-by-defa.patch +Fix-sanitization-bypass-in-HTML-foreign-content.patch