Hello community,
here is the log from the commit of package rubygem-rails-html-sanitizer for
openSUSE:Factory checked in at 2019-08-16 15:50:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.22127
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-html-sanitizer"
Fri Aug 16 15:50:00 2019 rev:6 rq:723813 version:1.2.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer/rubygem-rails-html-sanitizer.changes
2018-04-05 15:34:56.920982901 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.22127/rubygem-rails-html-sanitizer.changes
2019-08-16 15:50:57.629585363 +0200
@@ -1,0 +2,17 @@
+Thu Aug 15 18:01:28 UTC 2019 - Manuel Schnitzer <[email protected]>
+
+- updated to version 1.2.0
+
+ * Remove needless `white_list_sanitizer` deprecation.
+
+ By deprecating this, we were forcing Rails 5.2 to be updated or spew
+ deprecations that users could do nothing about.
+
+ That's pointless and I'm sorry for adding that!
+
+ Now there's no deprecation warning and Rails 5.2 works out of the box,
while
+ Rails 6 can use the updated naming.
+
+ *Kasper Timm Hansen*
+
+-------------------------------------------------------------------
Old:
----
rails-html-sanitizer-1.0.4.gem
New:
----
rails-html-sanitizer-1.2.0.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-html-sanitizer.spec ++++++
--- /var/tmp/diff_new_pack.xdRaDd/_old 2019-08-16 15:50:58.525585034 +0200
+++ /var/tmp/diff_new_pack.xdRaDd/_new 2019-08-16 15:50:58.529585033 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-html-sanitizer
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -24,7 +24,7 @@
#
Name: rubygem-rails-html-sanitizer
-Version: 1.0.4
+Version: 1.2.0
Release: 0
%define mod_name rails-html-sanitizer
%define mod_full_name %{mod_name}-%{version}
++++++ rails-html-sanitizer-1.0.4.gem -> rails-html-sanitizer-1.2.0.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2018-03-22 20:08:41.000000000 +0100
+++ new/CHANGELOG.md 2019-08-09 00:04:05.000000000 +0200
@@ -1,3 +1,34 @@
+## 1.2.0
+
+* Remove needless `white_list_sanitizer` deprecation.
+
+ By deprecating this, we were forcing Rails 5.2 to be updated or spew
+ deprecations that users could do nothing about.
+
+ That's pointless and I'm sorry for adding that!
+
+ Now there's no deprecation warning and Rails 5.2 works out of the box, while
+ Rails 6 can use the updated naming.
+
+ *Kasper Timm Hansen*
+
+## 1.1.0
+
+* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
+ in 1.2.0. https://github.com/rails/rails-html-sanitizer/pull/87
+
+ *Juanito Fatas*
+
+* Remove `href` from LinkScrubber's `tags` as it's not an element.
+ https://github.com/rails/rails-html-sanitizer/pull/92
+
+ *Juanito Fatas*
+
+* Explain that we don't need to bump Loofah here if there's CVEs.
+
https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b
+
+ *Kasper Timm Hansen*
+
## 1.0.1
* Added support for Rails 4.2.0.beta2 and above
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2018-03-22 20:08:41.000000000 +0100
+++ new/README.md 2019-08-09 00:04:05.000000000 +0200
@@ -41,22 +41,22 @@
# => Only the link text will be kept.
```
-#### WhiteListSanitizer
+#### SafeListSanitizer
```ruby
-white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
+safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
-# sanitize via an extensive white list of allowed elements
-white_list_sanitizer.sanitize(@article.body)
+# sanitize via an extensive safe list of allowed elements
+safe_list_sanitizer.sanitize(@article.body)
-# white list only the supplied tags and attributes
-white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
attributes: %w(id class style))
+# safe list only the supplied tags and attributes
+safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes:
%w(id class style))
-# white list via a custom scrubber
-white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+# safe list via a custom scrubber
+safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
-# white list sanitizer can also sanitize css
-white_list_sanitizer.sanitize_css('background-color: #000;')
+# safe list sanitizer can also sanitize css
+safe_list_sanitizer.sanitize_css('background-color: #000;')
```
### Scrubbers
@@ -127,7 +127,7 @@
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
The `node` argument passed to some methods in a custom scrubber is an instance
of `Nokogiri::XML::Node`.
-- [`Nokogiri::XML::Node`](http://nokogiri.org/Nokogiri/XML/Node.html)
+- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
- [Nokogiri](http://nokogiri.org)
## Contributing to Rails Html Sanitizers
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer/version.rb
new/lib/rails/html/sanitizer/version.rb
--- old/lib/rails/html/sanitizer/version.rb 2018-03-22 20:08:41.000000000
+0100
+++ new/lib/rails/html/sanitizer/version.rb 2019-08-09 00:04:05.000000000
+0200
@@ -1,7 +1,7 @@
module Rails
module Html
class Sanitizer
- VERSION = "1.0.4"
+ VERSION = "1.2.0"
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer.rb
new/lib/rails/html/sanitizer.rb
--- old/lib/rails/html/sanitizer.rb 2018-03-22 20:08:41.000000000 +0100
+++ new/lib/rails/html/sanitizer.rb 2019-08-09 00:04:05.000000000 +0200
@@ -40,15 +40,16 @@
end
# === Rails::Html::LinkSanitizer
- # Removes a tags and href attributes leaving only the link text
+ # Removes +a+ tags and +href+ attributes leaving only the link text.
#
- # link_sanitizer = Rails::Html::LinkSanitizer.new
- # link_sanitizer.sanitize('<a href="example.com">Only the link text will
be kept.</a>')
- # # => Only the link text will be kept.
+ # link_sanitizer = Rails::Html::LinkSanitizer.new
+ # link_sanitizer.sanitize('<a href="example.com">Only the link text will
be kept.</a>')
+ #
+ # => 'Only the link text will be kept.'
class LinkSanitizer < Sanitizer
def initialize
@link_scrubber = TargetScrubber.new
- @link_scrubber.tags = %w(a href)
+ @link_scrubber.tags = %w(a)
@link_scrubber.attributes = %w(href)
end
@@ -57,8 +58,8 @@
end
end
- # === Rails::Html::WhiteListSanitizer
- # Sanitizes html and css from an extensive white list (see link further
down).
+ # === Rails::Html::SafeListSanitizer
+ # Sanitizes html and css from an extensive safe list (see link further
down).
#
# === Whitespace
# We can't make any guarantees about whitespace being kept or stripped.
@@ -72,34 +73,34 @@
# so automatically.
#
# === Options
- # Sanitizes both html and css via the white lists found here:
+ # Sanitizes both html and css via the safe lists found here:
#
https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
#
- # WhiteListSanitizer also accepts options to configure
- # the white list used when sanitizing html.
+ # SafeListSanitizer also accepts options to configure
+ # the safe list used when sanitizing html.
# There's a class level option:
- # Rails::Html::WhiteListSanitizer.allowed_tags = %w(table tr td)
- # Rails::Html::WhiteListSanitizer.allowed_attributes = %w(id class style)
+ # Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
+ # Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
#
# Tags and attributes can also be passed to +sanitize+.
# Passed options take precedence over the class level options.
#
# === Examples
- # white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
+ # safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
#
# Sanitize css doesn't take options
- # white_list_sanitizer.sanitize_css('background-color: #000;')
+ # safe_list_sanitizer.sanitize_css('background-color: #000;')
#
- # Default: sanitize via a extensive white list of allowed elements
- # white_list_sanitizer.sanitize(@article.body)
+ # Default: sanitize via a extensive safe list of allowed elements
+ # safe_list_sanitizer.sanitize(@article.body)
#
- # White list via the supplied tags and attributes
- # white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
+ # Safe list via the supplied tags and attributes
+ # safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
# attributes: %w(id class style))
#
- # White list via a custom scrubber
- # white_list_sanitizer.sanitize(@article.body, scrubber:
ArticleScrubber.new)
- class WhiteListSanitizer < Sanitizer
+ # Safe list via a custom scrubber
+ # safe_list_sanitizer.sanitize(@article.body, scrubber:
ArticleScrubber.new)
+ class SafeListSanitizer < Sanitizer
class << self
attr_accessor :allowed_tags
attr_accessor :allowed_attributes
@@ -148,5 +149,7 @@
options[:attributes] || self.class.allowed_attributes
end
end
+
+ WhiteListSanitizer = SafeListSanitizer
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/scrubbers.rb
new/lib/rails/html/scrubbers.rb
--- old/lib/rails/html/scrubbers.rb 2018-03-22 20:08:41.000000000 +0100
+++ new/lib/rails/html/scrubbers.rb 2019-08-09 00:04:05.000000000 +0200
@@ -2,9 +2,9 @@
module Html
# === Rails::Html::PermitScrubber
#
- # Rails::Html::PermitScrubber allows you to permit only your own tags
and/or attributes.
+ # +Rails::Html::PermitScrubber+ allows you to permit only your own tags
and/or attributes.
#
- # Rails::Html::PermitScrubber can be subclassed to determine:
+ # +Rails::Html::PermitScrubber+ can be subclassed to determine:
# - When a node should be skipped via +skip_node?+.
# - When a node is allowed via +allowed_node?+.
# - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -27,23 +27,23 @@
# If set, attributes excluded will be removed.
# If not, attributes are removed based on Loofahs
+HTML5::Scrub.scrub_attributes+.
#
- # class CommentScrubber < Html::PermitScrubber
- # def initialize
- # super
- # self.tags = %w(form script comment blockquote)
- # end
- #
- # def skip_node?(node)
- # node.text?
- # end
- #
- # def scrub_attribute?(name)
- # name == "style"
- # end
- # end
+ # class CommentScrubber < Html::PermitScrubber
+ # def initialize
+ # super
+ # self.tags = %w(form script comment blockquote)
+ # end
+ #
+ # def skip_node?(node)
+ # node.text?
+ # end
+ #
+ # def scrub_attribute?(name)
+ # name == "style"
+ # end
+ # end
#
- # See the documentation for Nokogiri::XML::Node to understand what's
possible
- # with nodes: http://nokogiri.org/Nokogiri/XML/Node.html
+ # See the documentation for +Nokogiri::XML::Node+ to understand what's
possible
+ # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
class PermitScrubber < Loofah::Scrubber
attr_reader :tags, :attributes
@@ -160,8 +160,8 @@
# === Rails::Html::TargetScrubber
#
- # Where Rails::Html::PermitScrubber picks out tags and attributes to
permit in
- # sanitization, Rails::Html::TargetScrubber targets them for removal.
+ # Where +Rails::Html::PermitScrubber+ picks out tags and attributes to
permit in
+ # sanitization, +Rails::Html::TargetScrubber+ targets them for removal.
#
# +tags=+
# If set, elements included will be stripped.
@@ -180,7 +180,7 @@
# === Rails::Html::TextOnlyScrubber
#
- # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
+ # +Rails::Html::TextOnlyScrubber+ allows you to permit text nodes.
#
# Unallowed elements will be stripped, i.e. element is removed but its
subtree kept.
class TextOnlyScrubber < Loofah::Scrubber
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails-html-sanitizer.rb
new/lib/rails-html-sanitizer.rb
--- old/lib/rails-html-sanitizer.rb 2018-03-22 20:08:41.000000000 +0100
+++ new/lib/rails-html-sanitizer.rb 2019-08-09 00:04:05.000000000 +0200
@@ -15,8 +15,12 @@
Html::LinkSanitizer
end
+ def safe_list_sanitizer
+ Html::SafeListSanitizer
+ end
+
def white_list_sanitizer
- Html::WhiteListSanitizer
+ safe_list_sanitizer
end
end
end
@@ -34,7 +38,7 @@
# end
#
def sanitized_allowed_tags=(tags)
- sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
+ sanitizer_vendor.safe_list_sanitizer.allowed_tags = tags
end
# Replaces the allowed HTML attributes for the +sanitize+ helper.
@@ -44,7 +48,7 @@
# end
#
def sanitized_allowed_attributes=(attributes)
- sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
+ sanitizer_vendor.safe_list_sanitizer.allowed_attributes = attributes
end
[:protocol_separator,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2018-03-22 20:08:41.000000000 +0100
+++ new/metadata 2019-08-09 00:04:05.000000000 +0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rails-html-sanitizer
version: !ruby/object:Gem::Version
- version: 1.0.4
+ version: 1.2.0
platform: ruby
authors:
- Rafael Mendonça França
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2018-03-22 00:00:00.000000000 Z
+date: 2019-08-08 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: loofah
@@ -35,14 +35,14 @@
name: bundler
requirement: !ruby/object:Gem::Requirement
requirements:
- - - "~>"
+ - - ">="
- !ruby/object:Gem::Version
version: '1.3'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - "~>"
+ - - ">="
- !ruby/object:Gem::Version
version: '1.3'
- !ruby/object:Gem::Dependency
@@ -123,8 +123,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.4
signing_key:
specification_version: 4
summary: This gem is responsible to sanitize HTML fragments in Rails
applications.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/sanitizer_test.rb new/test/sanitizer_test.rb
--- old/test/sanitizer_test.rb 2018-03-22 20:08:41.000000000 +0100
+++ new/test/sanitizer_test.rb 2019-08-09 00:04:05.000000000 +0200
@@ -12,12 +12,12 @@
end
def test_sanitize_nested_script
- sanitizer = Rails::Html::WhiteListSanitizer.new
+ sanitizer = Rails::Html::SafeListSanitizer.new
assert_equal '<script>alert("XSS");</script>',
sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>',
tags: %w(em))
end
def test_sanitize_nested_script_in_style
- sanitizer = Rails::Html::WhiteListSanitizer.new
+ sanitizer = Rails::Html::SafeListSanitizer.new
assert_equal '<script>alert("XSS");</script>',
sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>',
tags: %w(em))
end
@@ -154,10 +154,6 @@
assert_equal "Magic", link_sanitize("<a
href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
end
- def test_strip_links_with_a_tag_in_href
- assert_equal "FrrFox", link_sanitize("<href
onlclick='steal()'>FrrFox</a></href>")
- end
-
def test_sanitize_form
assert_sanitized "<form action=\"/foo/bar\"
method=\"post\"><input></form>", ''
end
@@ -255,38 +251,38 @@
def test_should_allow_custom_tags
text = "<u>foo</u>"
- assert_equal text, white_list_sanitize(text, tags: %w(u))
+ assert_equal text, safe_list_sanitize(text, tags: %w(u))
end
def test_should_allow_only_custom_tags
text = "<u>foo</u> with <i>bar</i>"
- assert_equal "<u>foo</u> with bar", white_list_sanitize(text, tags: %w(u))
+ assert_equal "<u>foo</u> with bar", safe_list_sanitize(text, tags: %w(u))
end
def test_should_allow_custom_tags_with_attributes
text = %(<blockquote cite="http://example.com/";>foo</blockquote>)
- assert_equal text, white_list_sanitize(text)
+ assert_equal text, safe_list_sanitize(text)
end
def test_should_allow_custom_tags_with_custom_attributes
text = %(<blockquote foo="bar">Lorem ipsum</blockquote>)
- assert_equal text, white_list_sanitize(text, attributes: ['foo'])
+ assert_equal text, safe_list_sanitize(text, attributes: ['foo'])
end
def test_scrub_style_if_style_attribute_option_is_passed
input = '<p style="color: #000; background-image:
url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
- assert_equal '<p style="color: #000;"></p>', white_list_sanitize(input,
attributes: %w(style))
+ assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input,
attributes: %w(style))
end
def test_should_raise_argument_error_if_tags_is_not_enumerable
assert_raises ArgumentError do
- white_list_sanitize('<a>some html</a>', tags: 'foo')
+ safe_list_sanitize('<a>some html</a>', tags: 'foo')
end
end
def test_should_raise_argument_error_if_attributes_is_not_enumerable
assert_raises ArgumentError do
- white_list_sanitize('<a>some html</a>', attributes: 'foo')
+ safe_list_sanitize('<a>some html</a>', attributes: 'foo')
end
end
@@ -295,7 +291,7 @@
def scrubber.scrub(node); node.name = 'h1'; end
assert_raises Loofah::ScrubberNotFound do
- white_list_sanitize('<a>some html</a>', scrubber: scrubber)
+ safe_list_sanitize('<a>some html</a>', scrubber: scrubber)
end
end
@@ -304,19 +300,19 @@
def scrubber.scrub(node); node.name = 'h1'; end
html = "<script>hello!</script>"
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber:
scrubber)
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber:
scrubber)
end
def test_should_accept_loofah_scrubber_that_wraps_a_block
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
html = "<script>hello!</script>"
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber:
scrubber)
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber:
scrubber)
end
def test_custom_scrubber_takes_precedence_over_other_options
scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
html = "<script>hello!</script>"
- assert_equal "<h1>hello!</h1>", white_list_sanitize(html, scrubber:
scrubber, tags: ['foo'])
+ assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber:
scrubber, tags: ['foo'])
end
[%w(img src), %w(a href)].each do |(tag, attr)|
@@ -468,7 +464,7 @@
end
def test_sanitize_ascii_8bit_string
- white_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
+ safe_list_sanitize('<a>hello</a>'.encode('ASCII-8BIT')).tap do |sanitized|
assert_equal '<a>hello</a>', sanitized
assert_equal Encoding::UTF_8, sanitized.encoding
end
@@ -481,39 +477,47 @@
def test_allow_data_attribute_if_requested
text = %(<a data-foo="foo">foo</a>)
- assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text,
attributes: ['data-foo'])
+ assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text,
attributes: ['data-foo'])
end
- def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
+ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
+ skip if RUBY_VERSION < "2.3"
+
html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
- text = white_list_sanitize(html)
+ text = safe_list_sanitize(html)
- assert_equal %{<a
href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ assert_equal %{<a
href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
end
- def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
+ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
+ skip if RUBY_VERSION < "2.3"
+
html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
- text = white_list_sanitize(html)
+ text = safe_list_sanitize(html)
- assert_equal %{<a
src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ assert_equal %{<a
src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
end
- def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
+ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
+ skip if RUBY_VERSION < "2.3"
+
html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
- text = white_list_sanitize(html)
+ text = safe_list_sanitize(html)
- assert_equal %{<a
name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ assert_equal %{<a
name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
end
- def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
+ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
+ skip if RUBY_VERSION < "2.3"
+
html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
- text = white_list_sanitize(html, attributes: ['action'])
+ text = safe_list_sanitize(html, attributes: ['action'])
- assert_equal %{<a
action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
+ assert_equal %{<a
action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
end
protected
@@ -530,35 +534,35 @@
Rails::Html::LinkSanitizer.new.sanitize(input, options)
end
- def white_list_sanitize(input, options = {})
- Rails::Html::WhiteListSanitizer.new.sanitize(input, options)
+ def safe_list_sanitize(input, options = {})
+ Rails::Html::SafeListSanitizer.new.sanitize(input, options)
end
def assert_sanitized(input, expected = nil)
if input
- assert_dom_equal expected || input, white_list_sanitize(input)
+ assert_dom_equal expected || input, safe_list_sanitize(input)
else
- assert_nil white_list_sanitize(input)
+ assert_nil safe_list_sanitize(input)
end
end
def sanitize_css(input)
- Rails::Html::WhiteListSanitizer.new.sanitize_css(input)
+ Rails::Html::SafeListSanitizer.new.sanitize_css(input)
end
def scope_allowed_tags(tags)
- old_tags = Rails::Html::WhiteListSanitizer.allowed_tags
- Rails::Html::WhiteListSanitizer.allowed_tags = tags
- yield Rails::Html::WhiteListSanitizer.new
+ old_tags = Rails::Html::SafeListSanitizer.allowed_tags
+ Rails::Html::SafeListSanitizer.allowed_tags = tags
+ yield Rails::Html::SafeListSanitizer.new
ensure
- Rails::Html::WhiteListSanitizer.allowed_tags = old_tags
+ Rails::Html::SafeListSanitizer.allowed_tags = old_tags
end
def scope_allowed_attributes(attributes)
- old_attributes = Rails::Html::WhiteListSanitizer.allowed_attributes
- Rails::Html::WhiteListSanitizer.allowed_attributes = attributes
- yield Rails::Html::WhiteListSanitizer.new
+ old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
+ Rails::Html::SafeListSanitizer.allowed_attributes = attributes
+ yield Rails::Html::SafeListSanitizer.new
ensure
- Rails::Html::WhiteListSanitizer.allowed_attributes = old_attributes
+ Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
end
end
