!10 [sync] PR-9: support libxml2-2.10.4 backported

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch

@@ -1,83 +0,0 @@
-From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
-From: Mike Dalessio <mike.dalessio@gmail.com>
-Date: Wed, 9 Oct 2019 15:36:32 -0400
-Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
-
-this addresses CVE-2019-15587
-
-see #171 for more information
-
-https://github.com/flavorjones/loofah/issues/171
----
- lib/loofah/html5/safelist.rb    |  3 ---
- test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
- 2 files changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
-index 8abd922..4b2b6dd 100644
---- a/lib/loofah/html5/whitelist.rb
-+++ b/lib/loofah/html5/whitelist.rb
-@@ -88,7 +88,7 @@
- 
-       SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
-        arabic-form ascent attributeName attributeType baseProfile bbox begin
--       by calcMode cap-height class clip-path clip-rule color
-+       calcMode cap-height class clip-path clip-rule color
-        color-interpolation-filters color-rendering content cx cy d dx
-        dy descent display dur end fill fill-opacity fill-rule
-        filterRes filterUnits font-family
-@@ -105,9 +105,9 @@
-        stemv stop-color stop-opacity strikethrough-position
-        strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-        stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
--       stroke-width systemLanguage target text-anchor to transform type u1
-+       stroke-width systemLanguage target text-anchor transform type u1
-        u2 underline-position underline-thickness unicode unicode-range
--       units-per-em values version viewBox visibility width widths x
-+       units-per-em version viewBox visibility width widths x
-        x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-        xmlns:xlink y y1 y2 zoomAndPan]
-diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
-index 16fccbb..cc6fc65 100644
---- a/test/integration/test_ad_hoc.rb
-+++ b/test/integration/test_ad_hoc.rb
-@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
-       end
-     end
- 
--    # see:
--    # - https://github.com/flavorjones/loofah/issues/154
--    # - https://hackerone.com/reports/429267
--    context "xss protection from svg xmlns:xlink animate attribute" do
--      it "sanitizes appropriate attributes" do
--        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
-+    context "xss protection from svg animate attributes" do
-+      # see recommendation from https://html5sec.org/#137
-+      # to sanitize "to", "from", "values", and "by" attributes
-+
-+      it "sanitizes 'from', 'to', and 'by' attributes" do
-+        # for CVE-2018-16468
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/154
-+        # - https://hackerone.com/reports/429267
-+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
-+
-         sanitized = Loofah.scrub_fragment(html, :escape)
-         assert_nil sanitized.at_css("animate")["from"]
-+        assert_nil sanitized.at_css("animate")["to"]
-+        assert_nil sanitized.at_css("animate")["by"]
-+      end
-+
-+      it "sanitizes 'values' attribute" do
-+        # for CVE-2019-15587
-+        # see:
-+        # - https://github.com/flavorjones/loofah/issues/171
-+        # - https://hackerone.com/reports/709009
-+        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
-+
-+        sanitized = Loofah.scrub_fragment(html, :escape)
-+        assert_nil sanitized.at_css("animate")["values"]
-       end
-     end
-   end

rubygem-loofah.spec

@@ -1,14 +1,18 @@
 %global gem_name loofah
+
 Name:                rubygem-%{gem_name}
-Version:             2.2.3
-Release:             1
+Version:             2.18.0
+Release:             2
 Summary:             Manipulate and transform HTML/XML documents and fragments
 License:             MIT
 URL:                 https://github.com/flavorjones/loofah
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Patch0:              rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+# git clone https://github.com/flavorjones/loofah.git && cd loofah
+# git archive -v -o loofah-2.10.0-test.tar.gz v2.10.0 test/
+Source1:             https://github.com/flavorjones/loofah/archive/refs/tags/v2.18.0.tar.gz
+Patch0:             support-libxml2-2.10.4-backported.patch
 BuildRequires:       ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
-BuildRequires:       rubygem(crass)
+BuildRequires:       rubygem(crass) rubygem(rr) ruby
 BuildArch:           noarch
 %description
 Loofah is a general library for manipulating and transforming HTML/XML
@@ -26,7 +30,7 @@ BuildArch:           noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%setup -q -n %{gem_name}-%{version} -b1
 %patch0 -p1
 
 %build
@@ -40,12 +44,12 @@ cp -a .%{gem_dir}/* \
 
 %check
 pushd .%{gem_instdir}
+cp -a %{_builddir}/%{gem_name}-%{version}/test .
 ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 popd
 
 %files
 %dir %{gem_instdir}
-%exclude %{gem_instdir}/.*
 %license %{gem_instdir}/MIT-LICENSE.txt
 %{gem_libdir}
 %exclude %{gem_cache}
@@ -54,14 +58,21 @@ popd
 %files doc
 %doc %{gem_docdir}
 %doc %{gem_instdir}/CHANGELOG.md
-%{gem_instdir}/Gemfile
-%doc %{gem_instdir}/Manifest.txt
 %doc %{gem_instdir}/README.md
-%{gem_instdir}/Rakefile
 %doc %{gem_instdir}/SECURITY.md
-%{gem_instdir}/benchmark
-%{gem_instdir}/test
 
 %changelog
+* Mon Aug 14 2023 zouzhimin <zouzhimin@kylinos.cn> - 2.18.0-2
+- support libxml2-2.10.4 backported
+
+* Thu Jul 14 2022 Ge Wang <wangge20@h-partners.com> - 2.18.0-1
+- update to 2.18.0
+
+* Thu Mar 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.10.0-1
+- update to 2.10.0
+
+* Sat Sep 5 2020 yanan li <liyanan032@huawei.com> - 2.2.3-2
+- Fix build fail
+
 * Tue Aug 18 2020 geyanan <geyanan2@huawei.com> - 2.2.3-1
 - package init

rubygem-loofah.yaml

@@ -1,4 +1,4 @@
-version_control:github
-src_repo:/flavorjones/loofah
-tag_prefix:"v"
-seperator:"."
+version_control: github
+src_repo: flavorjones/loofah
+tag_prefix: "v"
+seperator: "."

support-libxml2-2.10.4-backported.patch

@@ -0,0 +1,57 @@
+From 5145b0da80cceaf6413e0ede3e0f384e07e3033e Mon Sep 17 00:00:00 2001
+From: zouzhimin <zouzhimin@kylinos.cn>
+Date: Sat, 12 Aug 2023 03:38:46 +0800
+Subject: [PATCH] support libxml2 2.10.4 backported
+
+---
+ test/integration/test_ad_hoc.rb    | 4 ++--
+ test/integration/test_scrubbers.rb | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
+index 9f87187..2efc8fa 100644
+--- a/test/integration/test_ad_hoc.rb
++++ b/test/integration/test_ad_hoc.rb
+@@ -79,7 +79,7 @@ class IntegrationTestAdHoc < Loofah::TestCase
+ 
+     def test_fragment_whitewash_on_microsofty_markup
+       whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
+-      if Nokogiri.uses_libxml?("<2.9.11")
++      if Nokogiri.uses_libxml?("<2.9.11") || Nokogiri.uses_libxml?(">=2.10.4")
+         assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
+       else
+         assert_equal "<p>Foo <b>BOLD<p></p></b></p>", whitewashed.to_s.strip
+@@ -88,7 +88,7 @@ class IntegrationTestAdHoc < Loofah::TestCase
+ 
+     def test_document_whitewash_on_microsofty_markup
+       whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
+-      if Nokogiri.uses_libxml?("<2.9.11")
++      if Nokogiri.uses_libxml?("<2.9.11") || Nokogiri.uses_libxml?(">=2.10.4")
+         assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.xpath("/html/body/*").to_s
+       else
+         assert_equal "<p>Foo <b>BOLD<p></p></b></p>", whitewashed.xpath("/html/body/*").to_s
+diff --git a/test/integration/test_scrubbers.rb b/test/integration/test_scrubbers.rb
+index c8636a3..ed86b1b 100644
+--- a/test/integration/test_scrubbers.rb
++++ b/test/integration/test_scrubbers.rb
+@@ -69,7 +69,7 @@ class IntegrationTestScrubbers < Loofah::TestCase
+           doc = Loofah::HTML::Document.parse "<html><body>#{WHITEWASH_FRAGMENT}</body></html>"
+           result = doc.scrub! :whitewash
+ 
+-          ww_result = Nokogiri.uses_libxml?("<2.9.11") ? WHITEWASH_RESULT : WHITEWASH_RESULT_LIBXML2911
++          ww_result = (Nokogiri.uses_libxml?("<2.9.11") || Nokogiri.uses_libxml?(">=2.10.4")) ? WHITEWASH_RESULT : WHITEWASH_RESULT_LIBXML2911
+           assert_equal ww_result, doc.xpath("/html/body").inner_html
+           assert_equal doc, result
+         end
+@@ -248,7 +248,7 @@ class IntegrationTestScrubbers < Loofah::TestCase
+           doc = Loofah::HTML::DocumentFragment.parse "<div>#{WHITEWASH_FRAGMENT}</div>"
+           result = doc.scrub! :whitewash
+ 
+-          ww_result = Nokogiri.uses_libxml?("<2.9.11") ? WHITEWASH_RESULT : WHITEWASH_RESULT_LIBXML2911
++          ww_result = (Nokogiri.uses_libxml?("<2.9.11") || Nokogiri.uses_libxml?(">=2.10.4")) ? WHITEWASH_RESULT : WHITEWASH_RESULT_LIBXML2911
+           assert_equal ww_result, doc.xpath("./div").inner_html
+           assert_equal doc, result
+         end
+-- 
+2.39.1
+