sanitize 6.1.3 → 7.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/{HISTORY.md → CHANGELOG.md} +32 -14
- data/LICENSE +3 -1
- data/README.md +120 -238
- data/lib/sanitize/config/basic.rb +15 -15
- data/lib/sanitize/config/default.rb +45 -45
- data/lib/sanitize/config/relaxed.rb +136 -32
- data/lib/sanitize/config/restricted.rb +2 -2
- data/lib/sanitize/config.rb +12 -14
- data/lib/sanitize/css.rb +308 -308
- data/lib/sanitize/transformers/clean_cdata.rb +9 -9
- data/lib/sanitize/transformers/clean_comment.rb +9 -9
- data/lib/sanitize/transformers/clean_css.rb +59 -55
- data/lib/sanitize/transformers/clean_doctype.rb +15 -15
- data/lib/sanitize/transformers/clean_element.rb +220 -237
- data/lib/sanitize/version.rb +3 -1
- data/lib/sanitize.rb +38 -38
- data/test/common.rb +4 -3
- data/test/test_clean_comment.rb +26 -25
- data/test/test_clean_css.rb +14 -13
- data/test/test_clean_doctype.rb +21 -20
- data/test/test_clean_element.rb +258 -273
- data/test/test_config.rb +22 -21
- data/test/test_malicious_css.rb +20 -19
- data/test/test_malicious_html.rb +100 -99
- data/test/test_parser.rb +26 -25
- data/test/test_sanitize.rb +70 -69
- data/test/test_sanitize_css.rb +149 -114
- data/test/test_transformers.rb +81 -83
- metadata +14 -43
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c7ec07b16780ba818a5fdbb0570fb6c84245c60b2656388cab0b03b0d00bbc6a
|
4
|
+
data.tar.gz: 650c2a0c59fd4af1d305051e5488bcacee3f5a638a96960163f6677b838a9661
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ec33f841766422dda2ee1d889d2e3f42f6b3b479c2cf557cad80de0311969a4e132e02a5a33dda296af2e2a5fec8791aa6ba8eacd6ea370428cc40ff3f08a720
|
7
|
+
data.tar.gz: f4cf669dba8e416c38fb4b9eae30b86e9c7816718e80cc32eac1f536f1e2023c59cb74df7e701af717a157e1fe1ccc902a89b26992488a85400e4dc0c089d07a
|
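Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines under both `SHA256:` and `SHA512:` carry no values in this rendering, so the 6.1.3 checksums cannot be compared against the new ones here; anyone pinning the gem should verify the new SHA256 and SHA512 values for `metadata.gz` and `data.tar.gz` against the registry's published checksums before relying on the config and transformer changes listed for this release.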
data/{HISTORY.md → CHANGELOG.md}
RENAMED
@@ -1,4 +1,24 @@
|
|
1
|
-
# Sanitize
|
1
|
+
# Sanitize Changelog
|
2
|
+
|
3
|
+
All notable changes to Sanitize are documented in this file. The format (since version 7.0.0) is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
4
|
+
|
5
|
+
## 7.0.0 (2024-12-29)
|
6
|
+
|
7
|
+
Sanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!
|
8
|
+
|
9
|
+
### Added
|
10
|
+
|
11
|
+
- Added over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of "Working Draft" or better in the latest [W3C "All Properties" list](https://www.w3.org/Style/CSS/all-properties.en.html).
|
12
|
+
|
13
|
+
- Added the `@container` CSS at-rule to the relaxed config.
|
14
|
+
|
15
|
+
- Added the `-webkit-text-fill-color` CSS property to the relaxed config. [@radar - #244](https://github.com/rgrove/sanitize/pull/244)
|
16
|
+
|
17
|
+
### Changed
|
18
|
+
|
19
|
+
- Ruby 3.1.0 is now the oldest supported Ruby version.
|
20
|
+
|
21
|
+
- Sanitize now requires Nokogiri 1.16.8 or higher.
|
2
22
|
|
3
23
|
## 6.1.3 (2024-08-14)
|
4
24
|
|
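Review bot: the `### Added` entries widen the relaxed config's CSS allowlist by over 100 properties plus the `@container` at-rule, which is a behaviour change for anyone sanitizing with the relaxed config even though the 7.0.0 introduction says there are no breaking API changes; consider stating under `### Changed` that relaxed output will now pass through CSS it previously stripped, and pointing readers at `data/lib/sanitize/config/relaxed.rb` (+136 -32 in this release) so they can review the new list before upgrading. The new Nokogiri 1.16.8 minimum is stated without a reason; a one-line rationale would help downstream maintainers judge how urgently to bump.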
@@ -279,8 +299,6 @@ review the changes below carefully.
|
|
279
299
|
Many thanks to the Shopify Application Security Team for responsibly reporting
|
280
300
|
this issue.
|
281
301
|
|
282
|
-
[176]:https://github.com/rgrove/sanitize/issues/176
|
283
|
-
|
284
302
|
## 4.6.2 (2018-03-19)
|
285
303
|
|
286
304
|
* Reduced string allocations to optimize memory usage. [@janklimo - #175][175]
|
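Review bot: deleting the `[176]:https://github.com/rgrove/sanitize/issues/176` reference definition leaves any `[...][176]` reference-style link in the surrounding entry dangling unless that link was converted to an inline one in a part of the file not shown here; the 4.6.2 entry directly below still uses the reference style (`[@janklimo - #175][175]`), so confirm the `[176]` reference was resolved rather than just removed.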
@@ -618,7 +636,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
618
636
|
## 2.0.4 (2013-06-12)
|
619
637
|
|
620
638
|
* Added `Sanitize.clean_document`, which sanitizes a full HTML document rather
|
621
|
-
than just a fragment. [Ben Anderson]
|
639
|
+
than just a fragment. \[Ben Anderson]
|
622
640
|
|
623
641
|
* Nokogiri dependency bumped to 1.6.x.
|
624
642
|
|
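Review bot: escaping the opening bracket in `than just a fragment. \[Ben Anderson]` stops Markdown from treating `[Ben Anderson]` as a shortcut reference link to a definition that does not exist; the closing `]` needs no escape, so the form used is correct. The same edit is applied to every bracketed credit in the later hunks, which keeps the changelog consistent.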
@@ -641,7 +659,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
641
659
|
## 2.0.1 (2011-03-16)
|
642
660
|
|
643
661
|
* Updated the protocol regex to anchor at the beginning of the string rather
|
644
|
-
than the beginning of a line. [Eaden McKee]
|
662
|
+
than the beginning of a line. \[Eaden McKee]
|
645
663
|
|
646
664
|
|
647
665
|
## 2.0.0 (2011-01-15)
|
@@ -687,7 +705,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
687
705
|
remove the contents of all non-allowlisted elements in addition to the
|
688
706
|
elements themselves. If set to an array of element names, Sanitize will
|
689
707
|
remove the contents of only those elements (when filtered), and leave the
|
690
|
-
contents of other filtered elements. [Thanks to Rafael Souza for the array
|
708
|
+
contents of other filtered elements. \[Thanks to Rafael Souza for the array
|
691
709
|
option]
|
692
710
|
|
693
711
|
* Added an `:output_encoding` config setting to allow the character encoding
|
@@ -712,27 +730,27 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
712
730
|
* Added `Sanitize.clean_node!`, which sanitizes a `Nokogiri::XML::Node` and
|
713
731
|
all its children.
|
714
732
|
|
715
|
-
* Added elements `<h1>` through `<h6>` to the Relaxed allowlist. [Suggested by
|
733
|
+
* Added elements `<h1>` through `<h6>` to the Relaxed allowlist. \[Suggested by
|
716
734
|
David Reese]
|
717
735
|
|
718
736
|
|
719
737
|
## 1.1.0 (2009-10-11)
|
720
738
|
|
721
|
-
* Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 [Adam Hooper]
|
739
|
+
* Migrated from Hpricot to Nokogiri. Requires libxml2 >= 2.7.2 \[Adam Hooper]
|
722
740
|
|
723
741
|
* Added an `:output` config setting to allow the output format to be
|
724
742
|
specified. Supported formats are `:xhtml` (the default) and `:html` (which
|
725
743
|
outputs HTML4).
|
726
744
|
|
727
745
|
* Changed protocol regex to ensure Sanitize doesn't kill URLs with colons in
|
728
|
-
path segments. [Peter Cooper]
|
746
|
+
path segments. \[Peter Cooper]
|
729
747
|
|
730
748
|
|
731
749
|
## 1.0.8 (2009-04-23)
|
732
750
|
|
733
751
|
* Added a workaround for an Hpricot bug that prevents attribute names from
|
734
752
|
being downcased in recent versions of Hpricot. This was exploitable to
|
735
|
-
prevent non-allowlisted protocols from being cleaned. [Reported by Ben
|
753
|
+
prevent non-allowlisted protocols from being cleaned. \[Reported by Ben
|
736
754
|
Wanicur]
|
737
755
|
|
738
756
|
|
@@ -741,7 +759,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
741
759
|
* Requires Hpricot 0.8.1+, which is finally compatible with Ruby 1.9.1.
|
742
760
|
|
743
761
|
* Fixed a bug that caused named character entities containing digits (like
|
744
|
-
`²`) to be escaped when they shouldn't have been. [Reported by
|
762
|
+
`²`) to be escaped when they shouldn't have been. \[Reported by
|
745
763
|
Sebastian Steinmetz]
|
746
764
|
|
747
765
|
|
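Review bot: the entity example in this hunk appears as the decoded character `²` on both the old and new lines, which does not match the sentence's "named character entities containing digits"; that is most likely this rendered view decoding the entity, but check the raw CHANGELOG.md to confirm the backticked text is still the literal entity and was not altered when the brackets were escaped.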
@@ -756,14 +774,14 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
756
774
|
problems in IE6.
|
757
775
|
|
758
776
|
* You can now specify the symbol `:all` in place of an element name in the
|
759
|
-
attributes config hash to allow certain attributes on all elements. [Thanks
|
777
|
+
attributes config hash to allow certain attributes on all elements. \[Thanks
|
760
778
|
to Mutwin Kraus]
|
761
779
|
|
762
780
|
|
763
781
|
## 1.0.5 (2009-02-05)
|
764
782
|
|
765
783
|
* Fixed a bug introduced in version 1.0.3 that prevented non-allowlisted
|
766
|
-
protocols from being cleaned when relative URLs were allowed. [Reported by
|
784
|
+
protocols from being cleaned when relative URLs were allowed. \[Reported by
|
767
785
|
Dev Purkayastha]
|
768
786
|
|
769
787
|
* Fixed "undefined method `parent='" exceptions caused by parser changes in
|
@@ -774,7 +792,7 @@ Sanitize.fragment(html, Sanitize::Config.merge(Sanitize::Config::BASIC,
|
|
774
792
|
|
775
793
|
* Fixed a bug that made it possible to sneak a non-allowlisted element through
|
776
794
|
by repeating it several times in a row. All versions of Sanitize prior to
|
777
|
-
1.0.4 are vulnerable. [Reported by Cristobal]
|
795
|
+
1.0.4 are vulnerable. \[Reported by Cristobal]
|
778
796
|
|
779
797
|
|
780
798
|
## 1.0.3 (2009-01-15)
|
data/LICENSE
CHANGED