packages/rubygem-rails-html-sanitizer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!13 [sync] PR-12: Upgrade to 1.4.3

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2023-08-14 07:39:47 +00:00 committed by Gitee
commit cb1e3a4671
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 97 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

266
0001-fix-test-failures.patch
View File

@ -1,266 +0,0 @@
From 4c9638008fdcfb4c71b1ed660f6ab6d120b7f02d Mon Sep 17 00:00:00 2001
From: baizg1107 <preloyalwhite@163.com>
Date: Thu, 14 Jul 2022 15:23:03 +0800
Subject: [PATCH] fix test failures
---
lib/rails/html/sanitizer.rb | 19 +++++-
test/sanitizer_test.rb | 122 +++++++++++++++++++++++++++++++-----
2 files changed, 124 insertions(+), 17 deletions(-)
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index 5633ca1..13fb963 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -141,8 +141,25 @@ module Rails
private
+ def loofah_using_html5?
+ # future-proofing, see https://github.com/flavorjones/loofah/pull/239
+ Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
+ end
+
+ def remove_safelist_tag_combinations(tags)
+ if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
+ warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
+ tags.delete("style")
+ end
+ tags
+ end
+
def allowed_tags(options)
- options[:tags] || self.class.allowed_tags
+ if options[:tags]
+ remove_safelist_tag_combinations(options[:tags])
+ else
+ self.class.allowed_tags
+ end
end
def allowed_attributes(options)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 7938433..c6800a2 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -2,6 +2,8 @@ require "minitest/autorun"
require "rails-html-sanitizer"
require "rails/dom/testing/assertions/dom_assertions"
+puts Nokogiri::VERSION_INFO
+
class SanitizersTest < Minitest::Test
include Rails::Dom::Testing::Assertions::DomAssertions
@@ -12,13 +14,11 @@ class SanitizersTest < Minitest::Test
end
def test_sanitize_nested_script
- sanitizer = Rails::Html::SafeListSanitizer.new
- assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
+ assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
end
def test_sanitize_nested_script_in_style
- sanitizer = Rails::Html::SafeListSanitizer.new
- assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
+ assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
end
class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
@@ -54,7 +54,8 @@ class SanitizersTest < Minitest::Test
def test_strip_tags_with_quote
input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
- assert_equal ' hi', full_sanitize(input)
+ expected = libxml_2_9_14_recovery? ? %{&lt;" hi} : %{ hi}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_invalid_html
@@ -75,15 +76,21 @@ class SanitizersTest < Minitest::Test
end
def test_remove_unclosed_tags
- assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
+ input = "This is <-- not\n a comment here."
+ expected = libxml_2_9_14_recovery? ? %{This is &lt;-- not\n a comment here.} : %{This is }
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_cdata
- assert_equal "This has a ]]&gt; here.", full_sanitize("This has a <![CDATA[<section>]]> here.")
+ input = "This has a <![CDATA[<section>]]> here."
+ expected = libxml_2_9_14_recovery? ? %{This has a &lt;![CDATA[]]&gt; here.} : %{This has a ]]&gt; here.}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_unclosed_cdata
- assert_equal "This has an unclosed ]] here...", full_sanitize("This has an unclosed <![CDATA[<section>]] here...")
+ input = "This has an unclosed <![CDATA[<section>]] here..."
+ expected = libxml_2_9_14_recovery? ? %{This has an unclosed &lt;![CDATA[]] here...} : %{This has an unclosed ]] here...}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_blank_string
@@ -414,8 +421,25 @@ class SanitizersTest < Minitest::Test
end
def test_should_sanitize_div_background_image_unicode_encoded
- raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
- assert_equal '', sanitize_css(raw)
+ [
+ convert_to_css_hex("url(javascript:alert(1))", false),
+ convert_to_css_hex("url(javascript:alert(1))", true),
+ convert_to_css_hex("url(https://example.com)", false),
+ convert_to_css_hex("url(https://example.com)", true),
+ ].each do |propval|
+ raw = "background-image:" + propval
+ assert_empty(sanitize_css(raw))
+ end
+ end
+
+ def test_should_allow_div_background_image_unicode_encoded_safe_functions
+ [
+ convert_to_css_hex("rgb(255,0,0)", false),
+ convert_to_css_hex("rgb(255,0,0)", true),
+ ].each do |propval|
+ raw = "background-image:" + propval
+ assert_includes(sanitize_css(raw), "background-image")
+ end
end
def test_should_sanitize_div_style_expression
@@ -433,11 +457,15 @@ class SanitizersTest < Minitest::Test
end
def test_should_sanitize_cdata_section
- assert_sanitized "<![CDATA[<span>section</span>]]>", "section]]&gt;"
+ input = "<![CDATA[<span>section</span>]]>"
+ expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>section</span>]]&gt;} : %{section]]&gt;}
+ assert_sanitized(input, expected)
end
def test_should_sanitize_unterminated_cdata_section
- assert_sanitized "<![CDATA[<span>neverending...", "neverending..."
+ input = "<![CDATA[<span>neverending..."
+ expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>neverending...</span>} : %{neverending...}
+ assert_sanitized(input, expected)
end
def test_should_not_mangle_urls_with_ampersand
@@ -488,7 +516,13 @@ class SanitizersTest < Minitest::Test
text = safe_list_sanitize(html)
- assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a href="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+ # nokogiri w/ system libxml2
+ %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
@@ -498,7 +532,13 @@ class SanitizersTest < Minitest::Test
text = safe_list_sanitize(html)
- assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a src="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
@@ -508,7 +548,13 @@ class SanitizersTest < Minitest::Test
text = safe_list_sanitize(html)
- assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a name="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
@@ -518,7 +564,13 @@ class SanitizersTest < Minitest::Test
text = safe_list_sanitize(html, attributes: ['action'])
- assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a action="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_exclude_node_type_processing_instructions
@@ -529,6 +581,25 @@ class SanitizersTest < Minitest::Test
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
end
+ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
+ input = "<select><style><script>alert(1)</script></style></select>"
+ tags = ["select", "style"]
+ warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from safelist/
+ sanitized = nil
+ invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
+
+ if html5_mode?
+ # if Loofah is using an HTML5 parser,
+ # then "style" should be removed by the parser as an invalid child of "select"
+ assert_silent(&invocation)
+ else
+ # if Loofah is using an HTML4 parser,
+ # then SafeListSanitizer should remove "style" from the safelist
+ assert_output(nil, warning, &invocation)
+ end
+ refute_includes(sanitized, "style")
+ end
+
protected
def xpath_sanitize(input, options = {})
@@ -567,6 +638,25 @@ protected
Rails::Html::SafeListSanitizer.allowed_tags = old_tags
end
+ # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
+ def convert_to_css_hex(string, escape_parens=false)
+ string.chars.map do |c|
+ if !escape_parens && (c == "(" || c == ")")
+ c
+ else
+ format('\00%02X', c.ord)
+ end
+ end.join
+ end
+
+ def libxml_2_9_14_recovery?
+ Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">= 2.9.14")
+ end
+
+ def html5_mode?
+ ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
+ end
+
def scope_allowed_attributes(attributes)
old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
Rails::Html::SafeListSanitizer.allowed_attributes = attributes
--
2.27.0

BIN
rails-html-sanitizer-1.4.2.gem
View File

Binary file not shown.

BIN
rails-html-sanitizer-1.4.3.gem Normal file
View File

Binary file not shown.

85
rubygem-rails-html-sanitizer-1.4.3-tests-libxml2-2_10_0-parsing-comments-change.patch Normal file
View File

@ -0,0 +1,85 @@
From 307ecf22162f58af85d7b4fe571e3d5b8bdf44c7 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 17 Aug 2022 10:54:37 -0400
Subject: [PATCH] tests: handle libxml 2.10.0 incorrectly-opened comment
parsing
Related, see:
- https://github.com/sparklemotion/nokogiri/pull/2625
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
---
test/sanitizer_test.rb | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index e3ce218..e83c54d 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -54,7 +54,7 @@ def test_remove_xpaths_called_with_enumerable_xpaths
def test_strip_tags_with_quote
input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
- expected = libxml_2_9_14_recovery? ? %{&lt;" hi} : %{ hi}
+ expected = libxml_2_9_14_recovery_lt? ? %{&lt;" hi} : %{ hi}
assert_equal(expected, full_sanitize(input))
end
@@ -77,19 +77,19 @@ def test_strip_tags_multiline
def test_remove_unclosed_tags
input = "This is <-- not\n a comment here."
- expected = libxml_2_9_14_recovery? ? %{This is &lt;-- not\n a comment here.} : %{This is }
+ expected = libxml_2_9_14_recovery_lt? ? %{This is &lt;-- not\n a comment here.} : %{This is }
assert_equal(expected, full_sanitize(input))
end
def test_strip_cdata
input = "This has a <![CDATA[<section>]]> here."
- expected = libxml_2_9_14_recovery? ? %{This has a &lt;![CDATA[]]&gt; here.} : %{This has a ]]&gt; here.}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{This has a &lt;![CDATA[]]&gt; here.} : %{This has a ]]&gt; here.}
assert_equal(expected, full_sanitize(input))
end
def test_strip_unclosed_cdata
input = "This has an unclosed <![CDATA[<section>]] here..."
- expected = libxml_2_9_14_recovery? ? %{This has an unclosed &lt;![CDATA[]] here...} : %{This has an unclosed ]] here...}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{This has an unclosed &lt;![CDATA[]] here...} : %{This has an unclosed ]] here...}
assert_equal(expected, full_sanitize(input))
end
@@ -464,13 +464,13 @@ def test_should_sanitize_img_vbscript
def test_should_sanitize_cdata_section
input = "<![CDATA[<span>section</span>]]>"
- expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>section</span>]]&gt;} : %{section]]&gt;}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{&lt;![CDATA[<span>section</span>]]&gt;} : %{section]]&gt;}
assert_sanitized(input, expected)
end
def test_should_sanitize_unterminated_cdata_section
input = "<![CDATA[<span>neverending..."
- expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>neverending...</span>} : %{neverending...}
+ expected = libxml_2_9_14_recovery_lt_bang? ? %{&lt;![CDATA[<span>neverending...</span>} : %{neverending...}
assert_sanitized(input, expected)
end
@@ -663,10 +663,17 @@ def convert_to_css_hex(string, escape_parens=false)
end.join
end
- def libxml_2_9_14_recovery?
+ def libxml_2_9_14_recovery_lt?
+ # changed in 2.9.14, see https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">= 2.9.14")
end
+ def libxml_2_9_14_recovery_lt_bang?
+ # changed in 2.9.14, see https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
+ # then reverted in 2.10.0, see https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
+ Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("= 2.9.14")
+ end
+
def html5_mode?
::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
end

25
rubygem-rails-html-sanitizer.spec
View File

@ -1,15 +1,15 @@
%global gem_name rails-html-sanitizer
Name: rubygem-%{gem_name}
Version: 1.4.2
Release: 2
Version: 1.4.3
Release: 1
Summary: This gem is responsible to sanitize HTML fragments in Rails applications
License: MIT
URL: https://github.com/rails/rails-html-sanitizer
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
#From: https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d
Patch0: 0001-fix-test-failures.patch
# https://github.com/rails/rails-html-sanitizer/pull/143
# libxml2 2.10.x changes incorrectly opened comments parsing
Patch0: %{name}-1.4.3-tests-libxml2-2_10_0-parsing-comments-change.patch
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
BuildRequires: ruby
@ -21,6 +21,7 @@ BuildArch: noarch
%description
HTML sanitization for Rails applications.
%package doc
Summary: Documentation for %{name}
Requires: %{name} = %{version}-%{release}
@ -30,7 +31,8 @@ BuildArch: noarch
Documentation for %{name}.
%prep
%autosetup -n %{gem_name}-%{version} -p1
%setup -q -n %{gem_name}-%{version}
%patch0 -p1
%build
gem build ../%{gem_name}-%{version}.gemspec
@ -43,12 +45,6 @@ cp -a .%{gem_dir}/* \
%check
pushd .%{gem_instdir}
sed -i '/def test_uri_escaping.*_in_a_tag_in_safe_list_sanitizer/,/^ end$/ {
s/&lt;/</g
s/&gt;/>/g
}' \
test/sanitizer_test.rb
ruby -Ilib -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
popd
@ -66,6 +62,9 @@ popd
%{gem_instdir}/test
%changelog
* Mon Aug 14 2023 liqiuyu <liqiuyu@kylinos.cn> - 1.4.3-1
- Upgrade to 1.4.3
* Thu Jul 14 2022 baizhonggui <baizhonggui@h-partners.com> - 1.4.2-2
- Fix test failures
@ -73,4 +72,4 @@ popd
- Upgrade to 1.4.2
* Tue Aug 25 2020 huangyangke <huangyangke@huawei.com> - 1.0.4-1
- package init
- package init