From ad7d5986bc1f74a4527955ecd5f124de2ea54893 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Mon, 25 Nov 2019 13:52:54 -0500
Subject: [PATCH] run `rufo` on all lib files

---
 lib/loofah/elements.rb | 146 ++++++++++++------------
 lib/loofah/helpers.rb | 8 +-
 lib/loofah/html/document_fragment.rb | 5 +-
 lib/loofah/html5/libxml2_workarounds.rb | 14 +--
 lib/loofah/html5/scrub.rb | 37 +++---
 lib/loofah/instance_methods.rb | 7 +-
 lib/loofah/metahelpers.rb | 2 +-
 lib/loofah/scrubber.rb | 14 +--
 lib/loofah/scrubbers.rb | 20 ++--
 lib/loofah/xml/document_fragment.rb | 2 +-
 10 files changed, 127 insertions(+), 128 deletions(-)

diff --git a/lib/loofah/elements.rb b/lib/loofah/elements.rb
index abfbe33b..d2ae4bf1 100644
--- a/lib/loofah/elements.rb
+++ b/lib/loofah/elements.rb
@@ -1,90 +1,90 @@ # frozen_string_literal: true -require 'set' +require "set" module Loofah module Elements STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[ - address - blockquote - center - dir - div - dl - fieldset - form - h1 - h2 - h3 - h4 - h5 - h6 - hr - isindex - menu - noframes - noscript - ol - p - pre - table - ul - ] + address + blockquote + center + dir + div + dl + fieldset + form + h1 + h2 + h3 + h4 + h5 + h6 + hr + isindex + menu + noframes + noscript + ol + p + pre + table + ul + ] # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[ - address - article - aside - blockquote - canvas - dd - div - dl - dt - fieldset - figcaption - figure - footer - form - h1 - h2 - h3 - h4 - h5 - h6 - header - hgroup - hr - li - main - nav - noscript - ol - output - p - pre - section - table - tfoot - ul - video - ] + address + article + aside + blockquote + canvas + dd + div + dl + dt + fieldset + figcaption + figure + footer + form + h1 + h2 + h3 + h4 + h5 + h6 + header + hgroup + hr + li + main + nav + noscript + ol + output + p + pre + section + table + tfoot + ul + video + ] STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5 # The following elements may also be considered block-level # elements since they may contain block-level elements LOOSE_BLOCK_LEVEL = Set.new %w[dd - dt - frameset - li - tbody - td - tfoot - th - thead - tr - ] + dt + frameset + li + tbody + td + tfoot + th + thead + tr + ] BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL end diff --git a/lib/loofah/helpers.rb b/lib/loofah/helpers.rb index d8928ded..02f1629d 100644 --- a/lib/loofah/helpers.rb +++ b/lib/loofah/helpers.rb @@ -28,7 +28,7 @@ def sanitize(string_or_io) # # Loofah::Helpers.sanitize_css("display:block;background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg)") # => "display: block;" # - def sanitize_css style_string + def sanitize_css(style_string) ::Loofah::HTML5::Scrub.scrub_css style_string end 
@@ -69,7 +69,7 @@ def white_list_sanitizer # Loofah::Helpers::ActionView.set_as_default_sanitizer # class FullSanitizer - def sanitize html, *args + def sanitize(html, *args) Loofah::Helpers.strip_tags html end end @@ -86,11 +86,11 @@ def sanitize html, *args # Loofah::Helpers::ActionView.set_as_default_sanitizer # class SafeListSanitizer - def sanitize html, *args + def sanitize(html, *args) Loofah::Helpers.sanitize html end - def sanitize_css style_string, *args + def sanitize_css(style_string, *args) Loofah::Helpers.sanitize_css style_string end end diff --git a/lib/loofah/html/document_fragment.rb b/lib/loofah/html/document_fragment.rb index 359dffc8..8c59ce07 100644 --- a/lib/loofah/html/document_fragment.rb +++ b/lib/loofah/html/document_fragment.rb @@ -15,10 +15,10 @@ class << self # constructor. Applications should use Loofah.fragment to # parse a fragment. # - def parse tags, encoding = nil + def parse(tags, encoding = nil) doc = Loofah::HTML::Document.new - encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : 'UTF-8' + encoding ||= tags.respond_to?(:encoding) ? tags.encoding.name : "UTF-8" doc.encoding = encoding new(doc, tags) @@ -31,6 +31,7 @@ def parse tags, encoding = nil def to_s serialize_root.children.to_s end + alias :serialize :to_s def serialize_root diff --git a/lib/loofah/html5/libxml2_workarounds.rb b/lib/loofah/html5/libxml2_workarounds.rb index a867cdd8..71297605 100644 --- a/lib/loofah/html5/libxml2_workarounds.rb +++ b/lib/loofah/html5/libxml2_workarounds.rb @@ -1,6 +1,6 @@ # coding: utf-8 # frozen_string_literal: true -require 'set' +require "set" module Loofah # @@ -17,11 +17,11 @@ module LibxmlWorkarounds # see comments about CVE-2018-8048 within the tests for more information # BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[ - href - action - src - name - ] - BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"} + href + action + src + name + ] + BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = { "name" => "a" } end end 
diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb index aff28009..c014169c 100644 --- a/lib/loofah/html5/scrub.rb +++ b/lib/loofah/html5/scrub.rb @@ -1,23 +1,21 @@ # frozen_string_literal: true -require 'cgi' -require 'crass' +require "cgi" +require "crass" module Loofah module HTML5 # :nodoc: module Scrub - CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/ CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(cm|r?em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ - CRASS_SEMICOLON = {:node => :semicolon, :raw => ";"} + CRASS_SEMICOLON = { :node => :semicolon, :raw => ";" } class << self - - def allowed_element? element_name + def allowed_element?(element_name) ::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include? element_name end # alternative implementation of the html5lib attribute scrubbing algorithm - def scrub_attributes node + def scrub_attributes(node) node.attribute_nodes.each do |attr_node| attr_name = if attr_node.namespace "#{attr_node.namespace.prefix}:#{attr_node.node_name}" 
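Review bot: `CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/` is left without any comment in this hunk, and it is the constant whose exact shape matters most: the next hunk shows `scrub_attributes` stripping it from URI attribute values before the protocol check, so the backtick and the range that runs past U+00FF up to U+0101 are sanitizer decisions rather than style. I would put above it `# Stripped from URI attribute values before the protocol check in scrub_attributes; the backtick and the U+0080..U+0101 range are deliberate (TODO confirm the upper bound)`, since the "lifted from HTML5 sanitization" comment further down suggests the class was copied from html5lib but nothing here says so. `CSS_KEYWORDISH` would benefit from a similar one-liner naming what it admits (hex colours, rgb() triples, numeric lengths). This hunk only opens `scrub_attributes`; its body continues in the following hunks.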
@@ -36,14 +34,14 @@ def scrub_attributes node if SafeList::ATTR_VAL_IS_URI.include?(attr_name) # this block lifted nearly verbatim from HTML5 sanitization - val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase - if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0]) + val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS, "").downcase + if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0]) attr_node.remove next - elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == 'data' + elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data" # permit only allowed data mediatypes mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1] - mediatype, _ = mediatype.split(';')[0..1] if mediatype + mediatype, _ = mediatype.split(";")[0..1] if mediatype if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype) attr_node.remove next @@ -51,9 +49,9 @@ def scrub_attributes node end end if SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name) - attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value + attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, " ") if attr_node.value end - if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m + if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m attr_node.remove next end 
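Review bot: The protocol check `if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ...` is line-anchored, and it only behaves as string-anchored because the `gsub(CONTROL_CHARACTERS, "")` on the line above has already removed CR and LF (U+0000–U+0020 is inside that class); a reader of the regex alone, or anyone who later narrows the stripped set, will not see that dependency. `\A` states the intent and matches `CSS_KEYWORDISH`, which already anchors with `\A…\z`: `if val_unescaped =~ /\A[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])`. Behaviour is unchanged today because no newline survives the strip, and the `^` form could only ever match more inputs, i.e. remove more attributes, so this is a clarity point rather than a bypass. The `data:` branch below it depends on `SafeList::PROTOCOL_SEPARATOR` and `ALLOWED_URI_DATA_MEDIATYPES`, neither of which is visible here. `scrub_attributes` begins and ends outside this hunk.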
@@ -68,12 +66,12 @@ def scrub_attributes node force_correct_attribute_escaping! node end - def scrub_css_attribute node - style = node.attributes['style'] + def scrub_css_attribute(node) + style = node.attributes["style"] style.value = scrub_css(style.value) if style end - def scrub_css style + def scrub_css(style) style_tree = Crass.parse_properties style sanitized_tree = [] @@ -85,7 +83,7 @@ def scrub_css style name = node[:name].downcase if SafeList::ALLOWED_CSS_PROPERTIES.include?(name) || SafeList::ALLOWED_SVG_PROPERTIES.include?(name) sanitized_tree << node << CRASS_SEMICOLON - elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split('-').first) + elsif SafeList::SHORTHAND_CSS_PROPERTIES.include?(name.split("-").first) value = node[:value].split.map do |keyword| if SafeList::ALLOWED_CSS_KEYWORDS.include?(keyword) || keyword =~ CSS_KEYWORDISH keyword @@ -107,7 +105,7 @@ def scrub_css style # # see comments about CVE-2018-8048 within the tests for more information # - def force_correct_attribute_escaping! node + def force_correct_attribute_escaping!(node) return unless Nokogiri::VersionInfo.instance.libxml2? node.attribute_nodes.each do |attr_node| @@ -123,11 +121,10 @@ def force_correct_attribute_escaping! node # encoding = attr_node.value.encoding attr_node.value = attr_node.value.gsub(/[ "]/) do |m| - '%' + m.unpack('H2' * m.bytesize).join('%').upcase + "%" + m.unpack("H2" * m.bytesize).join("%").upcase end.force_encoding(encoding) end end - end end end diff --git a/lib/loofah/instance_methods.rb b/lib/loofah/instance_methods.rb index 1a3249d0..8b49dbb6 100644 --- a/lib/loofah/instance_methods.rb +++ b/lib/loofah/instance_methods.rb @@ -92,7 +92,7 @@ module TextBehavior # # decidedly not ok for browser: # frag.text(:encode_special_chars => false) # => "" # - def text(options={}) + def text(options = {}) result = serialize_root.children.inner_text rescue "" if options[:encode_special_chars] == false result # possibly dangerous if rendered in a browser 
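Review bot: In the CVE-2018-8048 workaround the replacement `"%" + m.unpack("H2" * m.bytesize).join("%").upcase` is written for an arbitrary multi-byte match, but the pattern `/[ "]/` on the line above can only ever yield a single ASCII byte, so `format("%%%02X", m.ord)` produces the same `%20`/`%22` and reads as what it is. Whether space and double-quote are the only characters libxml2 leaves unescaped is not something this hunk can show; the tests the method comment points at are where to confirm that before treating the character class as complete, and a one-line comment naming that source next to the regex would help the next reader. The method `force_correct_attribute_escaping!` starts outside this hunk.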
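Review bot: `result = serialize_root.children.inner_text rescue ""` uses the rescue modifier, which swallows every StandardError raised during serialization; returning empty text is the fail-closed direction for a sanitizer, so the cost is diagnostic rather than security, but the line gives no hint which failure it expects. I would either narrow the rescue to that exception class or say why it is there, e.g. `# presumably guards a missing/empty root — TODO name the exception and narrow the rescue`, with the actual class taken from the tests since it is not visible here. The hunk covers only the head of `text`; its tail and the `alias` lines are in the next hunk.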
@@ -100,8 +100,9 @@ def text(options={}) encode_special_chars result end end + alias :inner_text :text - alias :to_str :text + alias :to_str :text # # Returns a plain-text version of the markup contained by the @@ -113,7 +114,7 @@ def text(options={}) # Loofah.document("

Title

Content
").to_text # # => "\nTitle\n\nContent\n" # - def to_text(options={}) + def to_text(options = {}) Loofah.remove_extraneous_whitespace self.dup.scrub!(:newline_block_elements).text(options) end end diff --git a/lib/loofah/metahelpers.rb b/lib/loofah/metahelpers.rb index 5eac24fe..c31dced0 100644 --- a/lib/loofah/metahelpers.rb +++ b/lib/loofah/metahelpers.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module Loofah module MetaHelpers # :nodoc: - def self.add_downcased_set_members_to_all_set_constants mojule + def self.add_downcased_set_members_to_all_set_constants(mojule) mojule.constants.each do |constant_sym| constant = mojule.const_get constant_sym next unless Set === constant diff --git a/lib/loofah/scrubber.rb b/lib/loofah/scrubber.rb index 962850ca..1569e44e 100644 --- a/lib/loofah/scrubber.rb +++ b/lib/loofah/scrubber.rb @@ -3,7 +3,7 @@ module Loofah # # A RuntimeError raised when Loofah could not find an appropriate scrubber. # - class ScrubberNotFound < RuntimeError ; end + class ScrubberNotFound < RuntimeError; end # # A Scrubber wraps up a block (or method) that is run on an HTML node (element): @@ -37,7 +37,7 @@ class Scrubber CONTINUE = Object.new.freeze # Top-down Scrubbers may return STOP to indicate that the subtree should not be traversed. - STOP = Object.new.freeze + STOP = Object.new.freeze # When a scrubber is initialized, the :direction may be specified # as :top_down (the default) or :bottom_up. @@ -65,7 +65,7 @@ class Scrubber def initialize(options = {}, &block) direction = options[:direction] || :top_down unless [:top_down, :bottom_up].include?(direction) - raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up" + raise ArgumentError, "direction #{direction} must be one of :top_down or :bottom_up" end @direction, @block = direction, block end 
@@ -92,10 +92,10 @@ def scrub(node) # If the attribute is set, don't overwrite the existing value # def append_attribute(node, attribute, value) - current_value = node.get_attribute(attribute) || '' + current_value = node.get_attribute(attribute) || "" current_values = current_value.split(/\s+/) updated_value = current_values | [value] - node.set_attribute(attribute, updated_value.join(' ')) + node.set_attribute(attribute, updated_value.join(" ")) end private @@ -119,11 +119,11 @@ def traverse_conditionally_top_down(node) else return if scrub(node) == STOP end - node.children.each {|j| traverse_conditionally_top_down(j)} + node.children.each { |j| traverse_conditionally_top_down(j) } end def traverse_conditionally_bottom_up(node) - node.children.each {|j| traverse_conditionally_bottom_up(j)} + node.children.each { |j| traverse_conditionally_bottom_up(j) } if block block.call(node) else diff --git a/lib/loofah/scrubbers.rb b/lib/loofah/scrubbers.rb index cce2fa02..14b9786a 100644 --- a/lib/loofah/scrubbers.rb +++ b/lib/loofah/scrubbers.rb @@ -206,8 +206,8 @@ def initialize end def scrub(node) - return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a') - append_attribute(node, 'rel', 'nofollow') + return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a") + append_attribute(node, "rel", "nofollow") return STOP end end @@ -227,8 +227,8 @@ def initialize end def scrub(node) - return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == 'a') - append_attribute(node, 'rel', 'noopener') + return CONTINUE unless (node.type == Nokogiri::XML::Node::ELEMENT_NODE) && (node.name == "a") + append_attribute(node, "rel", "noopener") return STOP end end 
@@ -268,7 +268,7 @@ def initialize def scrub(node) if node.type == Nokogiri::XML::Node::TEXT_NODE || node.type == Nokogiri::XML::Node::CDATA_SECTION_NODE - node.content = node.content.gsub(/\u2028|\u2029/, '') + node.content = node.content.gsub(/\u2028|\u2029/, "") end CONTINUE end @@ -278,14 +278,14 @@ def scrub(node) # A hash that maps a symbol (like +:prune+) to the appropriate Scrubber (Loofah::Scrubbers::Prune). # MAP = { - :escape => Escape, - :prune => Prune, + :escape => Escape, + :prune => Prune, :whitewash => Whitewash, - :strip => Strip, - :nofollow => NoFollow, + :strip => Strip, + :nofollow => NoFollow, :noopener => NoOpener, :newline_block_elements => NewlineBlockElements, - :unprintable => Unprintable + :unprintable => Unprintable, } # diff --git a/lib/loofah/xml/document_fragment.rb b/lib/loofah/xml/document_fragment.rb index 56b76731..f9c630f4 100644 --- a/lib/loofah/xml/document_fragment.rb +++ b/lib/loofah/xml/document_fragment.rb @@ -13,7 +13,7 @@ class << self # constructor. Applications should use Loofah.fragment to # parse a fragment. # - def parse tags + def parse(tags) doc = Loofah::XML::Document.new doc.encoding = tags.encoding.name if tags.respond_to?(:encoding) self.new(doc, tags)