run rufo on all lib files
flavorjones committed Nov 25, 2019
1 parent 199be72 commit ad7d598
Showing 10 changed files with 127 additions and 128 deletions.
146 changes: 73 additions & 73 deletions lib/loofah/elements.rb
@@ -1,90 +1,90 @@
# frozen_string_literal: true
require 'set'
require "set"

module Loofah
module Elements
STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
address
blockquote
center
dir
div
dl
fieldset
form
h1
h2
h3
h4
h5
h6
hr
isindex
menu
noframes
noscript
ol
p
pre
table
ul
]
address
blockquote
center
dir
div
dl
fieldset
form
h1
h2
h3
h4
h5
h6
hr
isindex
menu
noframes
noscript
ol
p
pre
table
ul
]

# https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
address
article
aside
blockquote
canvas
dd
div
dl
dt
fieldset
figcaption
figure
footer
form
h1
h2
h3
h4
h5
h6
header
hgroup
hr
li
main
nav
noscript
ol
output
p
pre
section
table
tfoot
ul
video
]
address
article
aside
blockquote
canvas
dd
div
dl
dt
fieldset
figcaption
figure
footer
form
h1
h2
h3
h4
h5
h6
header
hgroup
hr
li
main
nav
noscript
ol
output
p
pre
section
table
tfoot
ul
video
]

STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5

# The following elements may also be considered block-level
# elements since they may contain block-level elements
LOOSE_BLOCK_LEVEL = Set.new %w[dd
dt
frameset
li
tbody
td
tfoot
th
thead
tr
]
dt
frameset
li
tbody
td
tfoot
th
thead
tr
]

BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
end
8 changes: 4 additions & 4 deletions lib/loofah/helpers.rb
Expand Up @@ -28,7 +28,7 @@ def sanitize(string_or_io)
#
# Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;"
#
def sanitize_css style_string
def sanitize_css(style_string)
::Loofah::HTML5::Scrub.scrub_css style_string
end

Expand Down Expand Up @@ -69,7 +69,7 @@ def white_list_sanitizer
# Loofah::Helpers::ActionView.set_as_default_sanitizer
#
class FullSanitizer
def sanitize html, *args
def sanitize(html, *args)
Loofah::Helpers.strip_tags html
end
end
Expand All @@ -86,11 +86,11 @@ def sanitize html, *args
# Loofah::Helpers::ActionView.set_as_default_sanitizer
#
class SafeListSanitizer
def sanitize html, *args
def sanitize(html, *args)
Loofah::Helpers.sanitize html
end

def sanitize_css style_string, *args
def sanitize_css(style_string, *args)
Loofah::Helpers.sanitize_css style_string
end
end
5 changes: 3 additions & 2 deletions lib/loofah/html/document_fragment.rb
Expand Up @@ -15,10 +15,10 @@ class << self
# constructor. Applications should use Loofah.fragment to
# parse a fragment.
#
def parse tags, encoding = nil
def parse(tags, encoding = nil)
doc = Loofah::HTML::Document.new

encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8'
encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8"
doc.encoding = encoding

new(doc, tags)
Expand All @@ -31,6 +31,7 @@ def parse tags, encoding = nil
def to_s
serialize_root.children.to_s
end

alias :serialize :to_s

def serialize_root
14 changes: 7 additions & 7 deletions lib/loofah/html5/libxml2_workarounds.rb
@@ -1,6 +1,6 @@
# coding: utf-8
# frozen_string_literal: true
require 'set'
require "set"

module Loofah
#
Expand All @@ -17,11 +17,11 @@ module LibxmlWorkarounds
# see comments about CVE-2018-8048 within the tests for more information
#
BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
href
action
src
name
]
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
href
action
src
name
]
BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }
end
end
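Review bot: `BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }` is left as a mutable Hash constant; the `# frozen_string_literal: true` magic comment freezes only the string keys and values, not the Hash, so a stray assignment at runtime would silently change which attributes the CVE-2018-8048 workaround covers. Since rufo is already touching this line, freeze it: `BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" }.freeze`. I would not freeze the `BROKEN_ESCAPING_ATTRIBUTES` Set in the same pass, because `MetaHelpers.add_downcased_set_members_to_all_set_constants` (metahelpers.rb in this commit) appears to iterate and extend Set constants and may be applied to this module — confirm before freezing it. The enclosing `module LibxmlWorkarounds` opens above this hunk.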
37 changes: 17 additions & 20 deletions lib/loofah/html5/scrub.rb
@@ -1,23 +1,21 @@
# frozen_string_literal: true
require 'cgi'
require 'crass'
require "cgi"
require "crass"

module Loofah
module HTML5 # :nodoc:
module Scrub

CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"}
CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" }

class << self

def allowed_element? element_name
def allowed_element?(element_name)
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name
end

# alternative implementation of the html5lib attribute scrubbing algorithm
def scrub_attributes node
def scrub_attributes(node)
node.attribute_nodes.each do |attr_node|
attr_name = if attr_node.namespace
"#{attr_node.namespace.prefix}:#{attr_node.node_name}"
Expand All @@ -36,24 +34,24 @@ def scrub_attributes node

if SafeList::ATTR_VAL_IS_URI.include?(attr_name)
# this block lifted nearly verbatim from HTML5 sanitization
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS, "").downcase
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
attr_node.remove
next
elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == 'data'
elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data"
# permit only allowed data mediatypes
mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1]
mediatype, _ = mediatype.split(';')[0..1] if mediatype
mediatype, _ = mediatype.split(";")[0..1] if mediatype
if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
attr_node.remove
next
end
end
end
if SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, " ") if attr_node.value
end
if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
attr_node.remove
next
end
Expand All @@ -68,12 +66,12 @@ def scrub_attributes node
force_correct_attribute_escaping! node
end

def scrub_css_attribute node
style = node.attributes['style']
def scrub_css_attribute(node)
style = node.attributes["style"]
style.value = scrub_css(style.value) if style
end

def scrub_css style
def scrub_css(style)
style_tree = Crass.parse_properties style
sanitized_tree = []

Expand All @@ -85,7 +83,7 @@ def scrub_css style
name = node[:name].downcase
if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name)
sanitized_tree << node << CRASS_SEMICOLON
elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split('-').first)
elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first)
value = node[:value].split.map do |keyword|
if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH
keyword
Expand All @@ -107,7 +105,7 @@ def scrub_css style
#
# see comments about CVE-2018-8048 within the tests for more information
#
def force_correct_attribute_escaping! node
def force_correct_attribute_escaping!(node)
return unless Nokogiri::VersionInfo.instance.libxml2?

node.attribute_nodes.each do |attr_node|
Expand All @@ -123,11 +121,10 @@ def force_correct_attribute_escaping! node
#
encoding = attr_node.value.encoding
attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
'%' + m.unpack('H2' * m.bytesize).join('%').upcase
"%" + m.unpack("H2" * m.bytesize).join("%").upcase
end.force_encoding(encoding)
end
end

end
end
end
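Review bot: In the `scrub_attributes` hunk the protocol check evaluates `val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)` up to three times on the same string (in the `!SafeList::ALLOWED_PROTOCOLS.include?(...)` condition, the `elsif ... == "data"` branch and the `mediatype = ...[1]` assignment), which makes the URI-scheme decision harder to read than it needs to be in a sanitizer hot path. Hoist the split once, e.g. `protocol, mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)` before the `if`, then `!SafeList::ALLOWED_PROTOCOLS.include?(protocol)`, `elsif protocol == "data"`, and drop the separate `mediatype = ...split(...)[1]` line; destructuring assigns the same `[0]`/`[1]` elements, so behavior is unchanged. The `=~` on `val_unescaped` uses no captures, so `match?` would avoid allocating MatchData if the project's minimum Ruby allows it (not visible here). The enclosing `def scrub_attributes(node)` starts and ends outside this hunk.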
7 changes: 4 additions & 3 deletions lib/loofah/instance_methods.rb
Expand Up @@ -92,16 +92,17 @@ module TextBehavior
# # decidedly not ok for browser:
# frag.text(:encode_special_chars => false) # => "<script>alert('EVIL');</script>"
#
def text(options={})
def text(options = {})
result = serialize_root.children.inner_text rescue ""
if options[:encode_special_chars] == false
result # possibly dangerous if rendered in a browser
else
encode_special_chars result
end
end

alias :inner_text :text
alias :to_str :text
alias :to_str :text

#
# Returns a plain-text version of the markup contained by the
Expand All @@ -113,7 +114,7 @@ def text(options={})
# Loofah.document("<h1>Title</h1><div>Content</div>").to_text
# # => "\nTitle\n\nContent\n"
#
def to_text(options={})
def to_text(options = {})
Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options)
end
end
2 changes: 1 addition & 1 deletion lib/loofah/metahelpers.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
module Loofah
module MetaHelpers # :nodoc:
def self.add_downcased_set_members_to_all_set_constants mojule
def self.add_downcased_set_members_to_all_set_constants(mojule)
mojule.constants.each do |constant_sym|
constant = mojule.const_get constant_sym
next unless Set === constant