Match Loofah's API changes.
Short term, reduces log noise due to deprecated constants.
Long term, necessary just to keep up.
inopinatus committed Sep 29, 2019
1 parent b8ea80d commit 43a87f5
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion lib/rails/html/sanitizer.rb
@@ -74,7 +74,7 @@ def sanitize(html, options = {})
#
# === Options
# Sanitizes both html and css via the safe lists found here:
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
#
# SafeListSanitizer also accepts options to configure
# the safe list used when sanitizing html.
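Review bot: the updated comment still links to the `master` branch of the Loofah repository (`.../blob/master/lib/loofah/html5/safelist.rb`), so the reference will drift or break the next time Loofah moves that file, exactly as it just did from `whitelist.rb`. Pin the link to the Loofah tag this gem now requires (the gemspec hunk in this commit sets `~> 2.3`), or name the constant `Loofah::HTML5::SafeList` instead of a file path so the comment stays correct across Loofah layout changes.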
8 changes: 4 additions & 4 deletions lib/rails/html/scrubbers.rb
@@ -138,17 +138,17 @@ def scrub_attribute(node, attr_node)
attr_node.node_name
end

if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
# this block lifted nearly verbatim from HTML5 sanitization
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
attr_node.remove
end
end
if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
end
if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
attr_node.remove
end
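Review bot: the four renamed references in this hunk make `Loofah::HTML5::SafeList` a hard requirement, so `scrub_attribute` will raise `NameError` on any Loofah release that only ships the old `WhiteList` name; that is safe only because the gemspec hunk in this same commit raises the floor to `~> 2.3`, and the two hunks must travel together if this is ever backported or cherry-picked. Separately, the changed line

if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])

is the scheme allow-list check that keeps `javascript:` and similar URIs out of attributes, and it is hard to audit at this length; pulling `scheme = val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0]` onto its own line would keep the rename mechanical while making the security-relevant condition readable.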

2 changes: 1 addition & 1 deletion rails-html-sanitizer.gemspec
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|

# NOTE: There's no need to update this dependency for Loofah CVEs
# in minor releases when users can simply run `bundle update loofah`.
spec.add_dependency "loofah", "~> 2.2", ">= 2.2.2"
spec.add_dependency "loofah", "~> 2.3"

spec.add_development_dependency "bundler", ">= 1.3"
spec.add_development_dependency "rake"
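Review bot: `"~> 2.3"` replaces the `"~> 2.2", ">= 2.2.2"` pair and raises the minimum Loofah to 2.3.0, which is a breaking change for applications pinned below that; the commit message explains the constant rename but nothing in the diff records the new minimum, so add a CHANGELOG entry and consider whether the release that carries this commit should be a minor rather than a patch bump. The comment above about not bumping for Loofah CVEs still holds, since `~> 2.3` lets users pick up any later 2.x via `bundle update loofah`.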
2 changes: 1 addition & 1 deletion test/sanitizer_test.rb
@@ -181,7 +181,7 @@ def test_sanitize_image_src
assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
end

tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
tags.each do |tag_name|
define_method "test_should_allow_#{tag_name}_tag" do
scope_allowed_tags(tags) do
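Review bot: the test now builds `tags` from `Loofah::HTML5::SafeList::ALLOWED_ELEMENTS`, but nothing asserts that the deprecation noise the commit message sets out to remove is actually gone; a CI step that fails on any remaining `WhiteList` reference under `lib/` and `test/`, or a test run with Ruby warnings enabled that fails on a deprecation message, would stop the old name from creeping back in a later change.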

2 comments on commit 43a87f5

@jpowell

When will this be published as a change to the gem?

@kaspth
Contributor

@kaspth kaspth commented on 43a87f5 Oct 6, 2019


I was going to push a release today, but @georgeclaghorn beat me to it. Check out 1.3.0.
