From 63787ef0a8bcb9633196094d725ccc240220706c Mon Sep 17 00:00:00 2001 From: Tung Nguyen Date: Fri, 20 Oct 2023 04:05:31 +0000 Subject: [PATCH 1/2] rename rails-html-sanitizer to actionview-html-sanitizer --- .rubocop.yml | 8 +- CHANGELOG.md | 4 + CONTRIBUTING.md | 22 ++--- README.md | 84 +++++++++---------- ...mspec => actionview-html-sanitizer.gemspec | 20 ++--- lib/{rails => action_view}/html/sanitizer.rb | 72 ++++++++-------- .../html/sanitizer/version.rb | 2 +- lib/{rails => action_view}/html/scrubbers.rb | 20 ++--- ...itizer.rb => actionview-html-sanitizer.rb} | 16 ++-- test/rails_api_test.rb | 72 ++++++++-------- test/sanitizer_test.rb | 20 ++--- test/scrubbers_test.rb | 14 ++-- 12 files changed, 179 insertions(+), 175 deletions(-) rename rails-html-sanitizer.gemspec => actionview-html-sanitizer.gemspec (51%) rename lib/{rails => action_view}/html/sanitizer.rb (86%) rename lib/{rails => action_view}/html/sanitizer/version.rb (85%) rename lib/{rails => action_view}/html/scrubbers.rb (89%) rename lib/{rails-html-sanitizer.rb => actionview-html-sanitizer.rb} (76%) diff --git a/.rubocop.yml b/.rubocop.yml index b96841e..f8f939a 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -24,19 +24,19 @@ Performance: - '**/test/**/*' # Prefer assert_not over assert ! -Rails/AssertNot: +ActionView/AssertNot: Include: - '**/test/**/*' # Prefer assert_not_x over refute_x -Rails/RefuteMethods: +ActionView/RefuteMethods: Include: - '**/test/**/*' -Rails/IndexBy: +ActionView/IndexBy: Enabled: true -Rails/IndexWith: +ActionView/IndexWith: Enabled: true # Prefer &&/|| over and/or. diff --git a/CHANGELOG.md b/CHANGELOG.md index fc3e49c..cf6400b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## Unreleased + +* Rename actionview-html-sanitizer. Related: https://github.com/rails/rails/pull/49643 + ## 1.6.0 / 2023-05-26 * Dependencies have been updated: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b8ece07..ca04ddf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
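Review bot: The four cop keys renamed in the `.rubocop.yml` hunk (`Rails/AssertNot`, `Rails/RefuteMethods`, `Rails/IndexBy`, `Rails/IndexWith`) are, as far as I can tell, departments of the rubocop-rails plugin, and that plugin has no `ActionView/` department, so after this change RuboCop will most likely report them as unrecognized cops and the `Include`/`Enabled` settings will silently stop applying. Renaming the gem does not change which plugin supplies these cops, so the keys should keep their original names: `Rails/AssertNot:`, `Rails/RefuteMethods:`, `Rails/IndexBy:` (and `Rails/IndexWith:`). A comment such as `# Cop departments below belong to rubocop-rails, not to this gem's namespace` would stop the next mechanical rename from repeating this.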
@@ -1,20 +1,20 @@ -Contributing to Rails Html Sanitizers +Contributing to ActionView Html Sanitizers ===================== -[![Build Status](https://github.com/rails/rails-html-sanitizer/actions/workflows/ci.yml/badge.svg)](https://github.com/rails/rails-html-sanitizer/actions/workflows/ci.yml) +[![Build Status](https://github.com/rails/actionview-html-sanitizer/actions/workflows/ci.yml/badge.svg)](https://github.com/rails/actionview-html-sanitizer/actions/workflows/ci.yml) -Rails Html Sanitizers is work of [many contributors](https://github.com/rails/rails-html-sanitizer/graphs/contributors). You're encouraged to submit [pull requests](https://github.com/rails/rails-html-sanitizer/pulls), [propose features and discuss issues](https://github.com/rails/rails-html-sanitizer/issues). +ActionView Html Sanitizers is work of [many contributors](https://github.com/rails/actionview-html-sanitizer/graphs/contributors). You're encouraged to submit [pull requests](https://github.com/rails/actionview-html-sanitizer/pulls), [propose features and discuss issues](https://github.com/rails/actionview-html-sanitizer/issues). ### How to submit a pull request #### Fork the Project -Fork the [project on Github](https://github.com/rails/rails-html-sanitizer) and check out your copy. +Fork the [project on Github](https://github.com/rails/actionview-html-sanitizer) and check out your copy. ``` -git clone https://github.com/contributor/rails-html-sanitizer.git -cd rails-html-sanitizer -git remote add upstream https://github.com/rails/rails-html-sanitizer.git +git clone https://github.com/contributor/actionview-html-sanitizer.git +cd actionview-html-sanitizer +git remote add upstream https://github.com/rails/actionview-html-sanitizer.git ``` #### Create a Topic Branch 
@@ -76,7 +76,7 @@ git push origin my-feature-branch #### Make a Pull Request -Go to https://github.com/contributor/rails-html-sanitizer and select your feature branch. Click the 'Pull Request' button and fill out the form. Pull requests are usually reviewed within a few days. +Go to https://github.com/contributor/actionview-html-sanitizer and select your feature branch. Click the 'Pull Request' button and fill out the form. Pull requests are usually reviewed within a few days. #### Rebase @@ -104,13 +104,13 @@ Please do know that we really appreciate and value your time and work. We love y A quick checklist: -- [ ] make sure CI is green! https://github.com/rails/rails-html-sanitizer/actions/workflows/ci.yml -- [ ] update `CHANGELOG.md` and `lib/rails/html/sanitizer/version.rb` +- [ ] make sure CI is green! https://github.com/rails/actionview-html-sanitizer/actions/workflows/ci.yml +- [ ] update `CHANGELOG.md` and `lib/action_view/html/sanitizer/version.rb` - [ ] run `bundle exec rake build` - [ ] create a git tag - [ ] `git push && git push --tags` - [ ] `gem push pkg/*.gem` -- [ ] create a release at https://github.com/rails/rails-html-sanitizer/releases +- [ ] create a release at https://github.com/rails/actionview-html-sanitizer/releases - if security-related, - [ ] publish the CVE - [ ] post to https://discuss.rubyonrails.org/c/security-announcements diff --git a/README.md b/README.md index 8cde5c1..de88399 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,23 @@ -# Rails HTML Sanitizers +# ActionView HTML Sanitizers -This gem is responsible for sanitizing HTML fragments in Rails applications. Specifically, this is the set of sanitizers used to implement the Action View `SanitizerHelper` methods `sanitize`, `sanitize_css`, `strip_tags` and `strip_links`. +This gem is responsible for sanitizing HTML fragments in ActionView applications. Specifically, this is the set of sanitizers used to implement the Action View `SanitizerHelper` methods `sanitize`, `sanitize_css`, `strip_tags` and `strip_links`. -Rails HTML Sanitizer is only intended to be used with Rails applications. If you need similar functionality but aren't using Rails, consider using the underlying sanitization library [Loofah](https://github.com/flavorjones/loofah) directly. +ActionView HTML Sanitizer is only intended to be used with ActionView applications. If you need similar functionality but aren't using ActionView, consider using the underlying sanitization library [Loofah](https://github.com/flavorjones/loofah) directly. ## Usage ### Sanitizers -All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively. +All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `ActionView::HTML4` and `ActionView::HTML5` namespaces, respectively. -NOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling `Rails::HTML::Sanitizer.html5_support?`. +NOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling `ActionView::HTML::Sanitizer.html5_support?`. #### FullSanitizer ```ruby -full_sanitizer = Rails::HTML5::FullSanitizer.new +full_sanitizer = ActionView::HTML5::FullSanitizer.new full_sanitizer.sanitize("Bold no more! See more here...") # => Bold no more! See more here... ``` 
@@ -25,7 +25,7 @@ full_sanitizer.sanitize("Bold no more! See more here or, if you insist on parsing the content as HTML4: ```ruby -full_sanitizer = Rails::HTML4::FullSanitizer.new +full_sanitizer = ActionView::HTML4::FullSanitizer.new full_sanitizer.sanitize("Bold no more! See more here...") # => Bold no more! See more here... ``` @@ -37,7 +37,7 @@ HTML5 version: #### LinkSanitizer ```ruby -link_sanitizer = Rails::HTML5::LinkSanitizer.new +link_sanitizer = ActionView::HTML5::LinkSanitizer.new link_sanitizer.sanitize('Only the link text will be kept.') # => Only the link text will be kept. ``` @@ -45,7 +45,7 @@ link_sanitizer.sanitize('Only the link text will be kept.< or, if you insist on parsing the content as HTML4: ```ruby -link_sanitizer = Rails::HTML4::LinkSanitizer.new +link_sanitizer = ActionView::HTML4::LinkSanitizer.new link_sanitizer.sanitize('Only the link text will be kept.') # => Only the link text will be kept. ``` @@ -56,7 +56,7 @@ link_sanitizer.sanitize('Only the link text will be kept.< This sanitizer is also available as an HTML4 variant, but for simplicity we'll document only the HTML5 variant below. ```ruby -safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new +safe_list_sanitizer = ActionView::HTML5::SafeListSanitizer.new # sanitize via an extensive safe list of allowed elements safe_list_sanitizer.sanitize(@article.body) @@ -68,7 +68,7 @@ safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: % safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new) # prune nodes from the tree instead of stripping tags and leaving inner content -safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true) +safe_list_sanitizer = ActionView::HTML5::SafeListSanitizer.new(prune: true) # the sanitizer can also sanitize css safe_list_sanitizer.sanitize_css('background-color: #000;') 
@@ -78,14 +78,14 @@ safe_list_sanitizer.sanitize_css('background-color: #000;') Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document. -This gem includes two scrubbers `Rails::HTML::PermitScrubber` and `Rails::HTML::TargetScrubber`. +This gem includes two scrubbers `ActionView::HTML::PermitScrubber` and `ActionView::HTML::TargetScrubber`. -#### `Rails::HTML::PermitScrubber` +#### `ActionView::HTML::PermitScrubber` This scrubber allows you to permit only the tags and attributes you want. ```ruby -scrubber = Rails::HTML::PermitScrubber.new +scrubber = ActionView::HTML::PermitScrubber.new scrubber.tags = ['a'] html_fragment = Loofah.fragment('') @@ -96,14 +96,14 @@ html_fragment.to_s # => "" By default, inner content is left, but it can be removed as well. ```ruby -scrubber = Rails::HTML::PermitScrubber.new +scrubber = ActionView::HTML::PermitScrubber.new scrubber.tags = ['a'] html_fragment = Loofah.fragment('text') html_fragment.scrub!(scrubber) html_fragment.to_s # => "text" -scrubber = Rails::HTML::PermitScrubber.new(prune: true) +scrubber = ActionView::HTML::PermitScrubber.new(prune: true) scrubber.tags = ['a'] html_fragment = Loofah.fragment('text') 
@@ -111,16 +111,16 @@ html_fragment.scrub!(scrubber) html_fragment.to_s # => "" ``` -#### `Rails::HTML::TargetScrubber` +#### `ActionView::HTML::TargetScrubber` Where `PermitScrubber` picks out tags and attributes to permit in sanitization, -`Rails::HTML::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list. +`ActionView::HTML::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list. **Note:** by default, it will scrub anything that is not part of the permitted tags from loofah `HTML5::Scrub.allowed_element?`. ```ruby -scrubber = Rails::HTML::TargetScrubber.new +scrubber = ActionView::HTML::TargetScrubber.new scrubber.tags = ['img'] html_fragment = Loofah.fragment('') @@ -131,14 +131,14 @@ html_fragment.to_s # => "" Similarly to `PermitScrubber`, nodes can be fully pruned. ```ruby -scrubber = Rails::HTML::TargetScrubber.new +scrubber = ActionView::HTML::TargetScrubber.new scrubber.tags = ['span'] html_fragment = Loofah.fragment('text') html_fragment.scrub!(scrubber) html_fragment.to_s # => "text" -scrubber = Rails::HTML::TargetScrubber.new(prune: true) +scrubber = ActionView::HTML::TargetScrubber.new(prune: true) scrubber.tags = ['span'] html_fragment = Loofah.fragment('text') @@ -151,7 +151,7 @@ html_fragment.to_s # => "" You can also create custom scrubbers in your application if you want to. ```ruby -class CommentScrubber < Rails::HTML::PermitScrubber +class CommentScrubber < ActionView::HTML::PermitScrubber def initialize super self.tags = %w( form script comment blockquote ) 
@@ -164,11 +164,11 @@ class CommentScrubber < Rails::HTML::PermitScrubber end ``` -See `Rails::HTML::PermitScrubber` documentation to learn more about which methods can be overridden. +See `ActionView::HTML::PermitScrubber` documentation to learn more about which methods can be overridden. -#### Custom Scrubber in a Rails app +#### Custom Scrubber in a ActionView app -Using the `CommentScrubber` from above, you can use this in a Rails view like so: +Using the `CommentScrubber` from above, you can use this in a ActionView view like so: ```ruby <%= sanitize @comment, scrubber: CommentScrubber.new %> @@ -176,7 +176,7 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so ### A note on HTML entities -__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__ +__ActionView HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__ Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `<` to ensure that the markup is well-formed. 
@@ -200,30 +200,30 @@ You might simply choose to persist the untrusted string as-is (the raw input), a That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string. -If you really want to sanitize the string that's stored in your database, you may wish to look into [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers. +If you really want to sanitize the string that's stored in your database, you may wish to look into [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the ActionView HTML sanitizers. ### A note on module names -In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules: +In versions < 1.6, the only module defined by this library was `ActionView::Html`. 
Starting in 1.6, we define three additional modules: -- `Rails::HTML` for general functionality (replacing `Rails::Html`) -- `Rails::HTML4` containing sanitizers that parse content as HTML4 -- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported) +- `ActionView::HTML` for general functionality (replacing `ActionView::Html`) +- `ActionView::HTML4` containing sanitizers that parse content as HTML4 +- `ActionView::HTML5` containing sanitizers that parse content as HTML5 (if supported) The following aliases are maintained for backwards compatibility: -- `Rails::Html` points to `Rails::HTML` -- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer` -- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer` -- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer` +- `ActionView::Html` points to `ActionView::HTML` +- `ActionView::HTML::FullSanitizer` points to `ActionView::HTML4::FullSanitizer` +- `ActionView::HTML::LinkSanitizer` points to `ActionView::HTML4::LinkSanitizer` +- `ActionView::HTML::SafeListSanitizer` points to `ActionView::HTML4::SafeListSanitizer` ## Installation Add this line to your application's Gemfile: - gem 'rails-html-sanitizer' + gem 'actionview-html-sanitizer' And then execute: @@ -231,7 +231,7 @@ And then execute: Or install it yourself as: - $ gem install rails-html-sanitizer + $ gem install actionview-html-sanitizer ## Support matrix @@ -245,7 +245,7 @@ Or install it yourself as: ## Read more -Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer. +Loofah is what underlies the sanitizers and scrubbers of actionview-html-sanitizer. - [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah) 
@@ -255,17 +255,17 @@ The `node` argument passed to some methods in a custom scrubber is an instance o
 - [Nokogiri](http://nokogiri.org)
-## Contributing to Rails HTML Sanitizers
+## Contributing to ActionView HTML Sanitizers
-Rails HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
+ActionView HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
 See [CONTRIBUTING](CONTRIBUTING.md).
 ### Security reports
-Trying to report a possible security vulnerability in this project? Please check out the [Rails project's security policy](https://rubyonrails.org/security) for instructions.
+Trying to report a possible security vulnerability in this project? Please check out the [ActionView project's security policy](https://rubyonrails.org/security) for instructions.
 ## License
-Rails HTML Sanitizers is released under the [MIT License](MIT-LICENSE).
+ActionView HTML Sanitizers is released under the [MIT License](MIT-LICENSE).
diff --git a/rails-html-sanitizer.gemspec b/actionview-html-sanitizer.gemspec
similarity index 51%
rename from rails-html-sanitizer.gemspec
rename to actionview-html-sanitizer.gemspec
index 8bed712..e5d4287 100644
--- a/rails-html-sanitizer.gemspec
+++ b/actionview-html-sanitizer.gemspec
@@ -1,25 +1,25 @@
 # coding: utf-8
 # frozen_string_literal: true
-require_relative "lib/rails/html/sanitizer/version"
+require_relative "lib/action_view/html/sanitizer/version"
 Gem::Specification.new do |spec|
- spec.name = "rails-html-sanitizer"
- spec.version = Rails::HTML::Sanitizer::VERSION
+ spec.name = "actionview-html-sanitizer"
+ spec.version = ActionView::HTML::Sanitizer::VERSION
 spec.authors = ["Rafael Mendonça França", "Kasper Timm Hansen", "Mike Dalessio"]
 spec.email = ["rafaelmfranca@gmail.com", "kaspth@gmail.com", "mike.dalessio@gmail.com"]
- spec.description = "HTML sanitization for Rails applications"
- spec.summary = "This gem is responsible to sanitize HTML fragments in Rails applications."
- spec.homepage = "https://github.com/rails/rails-html-sanitizer"
+ spec.description = "HTML sanitization for ActionView applications"
+ spec.summary = "This gem is responsible to sanitize HTML fragments in ActionView applications."
+ spec.homepage = "https://github.com/rails/actionview-html-sanitizer"
 spec.license = "MIT"
 spec.required_ruby_version = ">= 2.7.0"
 spec.metadata = {
- "bug_tracker_uri" => "https://github.com/rails/rails-html-sanitizer/issues",
- "changelog_uri" => "https://github.com/rails/rails-html-sanitizer/blob/v#{spec.version}/CHANGELOG.md",
- "documentation_uri" => "https://www.rubydoc.info/gems/rails-html-sanitizer/#{spec.version}",
- "source_code_uri" => "https://github.com/rails/rails-html-sanitizer/tree/v#{spec.version}",
+ "bug_tracker_uri" => "https://github.com/rails/actionview-html-sanitizer/issues",
+ "changelog_uri" => "https://github.com/rails/actionview-html-sanitizer/blob/v#{spec.version}/CHANGELOG.md",
+ "documentation_uri" => "https://www.rubydoc.info/gems/actionview-html-sanitizer/#{spec.version}",
+ "source_code_uri" => "https://github.com/rails/actionview-html-sanitizer/tree/v#{spec.version}",
 }
 spec.files = Dir["lib/**/*", "README.md", "MIT-LICENSE", "CHANGELOG.md"]
diff --git a/lib/rails/html/sanitizer.rb b/lib/action_view/html/sanitizer.rb
similarity index 86%
rename from lib/rails/html/sanitizer.rb
rename to lib/action_view/html/sanitizer.rb
index b3712a7..8e25ee9 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/action_view/html/sanitizer.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-module Rails
+module ActionView
 module HTML
 class Sanitizer
 class << self
@@ -11,7 +11,7 @@ def html5_support?
 end
 def best_supported_vendor
- html5_support? ? Rails::HTML5::Sanitizer : Rails::HTML4::Sanitizer
+ html5_support? ? ActionView::HTML5::Sanitizer : ActionView::HTML4::Sanitizer
 end
 end
@@ -51,7 +51,7 @@ module HTML5
 def parse_fragment(html)
 Loofah.html5_fragment(html)
 end
- end if Rails::HTML::Sanitizer.html5_support?
+ end if ActionView::HTML::Sanitizer.html5_support?
 end
 module Scrubber
@@ -194,15 +194,15 @@ module HTML4
 module Sanitizer
 module VendorMethods
 def full_sanitizer
- Rails::HTML4::FullSanitizer
+ ActionView::HTML4::FullSanitizer
 end
 def link_sanitizer
- Rails::HTML4::LinkSanitizer
+ ActionView::HTML4::LinkSanitizer
 end
 def safe_list_sanitizer
- Rails::HTML4::SafeListSanitizer
+ ActionView::HTML4::SafeListSanitizer
 end
 def white_list_sanitizer # :nodoc:
@@ -213,37 +213,37 @@ def white_list_sanitizer # :nodoc:
 extend VendorMethods
 end
- # == Rails::HTML4::FullSanitizer
+ # == ActionView::HTML4::FullSanitizer
 #
 # Removes all tags from HTML4 but strips out scripts, forms and comments.
 #
- # full_sanitizer = Rails::HTML4::FullSanitizer.new
+ # full_sanitizer = ActionView::HTML4::FullSanitizer.new
 # full_sanitizer.sanitize("Bold no more! See more here...")
 # # => "Bold no more! See more here..."
 #
- class FullSanitizer < Rails::HTML::Sanitizer
+ class FullSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML4
 include HTML::Concern::Scrubber::Full
 include HTML::Concern::Serializer::UTF8Encode
 end
- # == Rails::HTML4::LinkSanitizer
+ # == ActionView::HTML4::LinkSanitizer
 #
 # Removes +a+ tags and +href+ attributes from HTML4 leaving only the link text.
 #
- # link_sanitizer = Rails::HTML4::LinkSanitizer.new
+ # link_sanitizer = ActionView::HTML4::LinkSanitizer.new
 # link_sanitizer.sanitize('Only the link text will be kept.')
 # # => "Only the link text will be kept."
 #
- class LinkSanitizer < Rails::HTML::Sanitizer
+ class LinkSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML4
 include HTML::Concern::Scrubber::Link
 include HTML::Concern::Serializer::UTF8Encode
 end
- # == Rails::HTML4::SafeListSanitizer
+ # == ActionView::HTML4::SafeListSanitizer
 #
 # Sanitizes HTML4 and CSS from an extensive safe list.
 #
@@ -260,20 +260,20 @@ class LinkSanitizer < Rails::HTML::Sanitizer
 # === Options
 #
 # Sanitizes both html and css via the safe lists found in
- # Rails::HTML::Concern::Scrubber::SafeList
+ # ActionView::HTML::Concern::Scrubber::SafeList
 #
 # SafeListSanitizer also accepts options to configure the safe list used when sanitizing html.
 # There's a class level option:
 #
- # Rails::HTML4::SafeListSanitizer.allowed_tags = %w(table tr td)
- # Rails::HTML4::SafeListSanitizer.allowed_attributes = %w(id class style)
+ # ActionView::HTML4::SafeListSanitizer.allowed_tags = %w(table tr td)
+ # ActionView::HTML4::SafeListSanitizer.allowed_attributes = %w(id class style)
 #
 # Tags and attributes can also be passed to +sanitize+. Passed options take precedence over the
 # class level options.
 #
 # === Examples
 #
- # safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new
+ # safe_list_sanitizer = ActionView::HTML4::SafeListSanitizer.new
 #
 # # default: sanitize via a extensive safe list of allowed elements
 # safe_list_sanitizer.sanitize(@article.body)
@@ -289,12 +289,12 @@ class LinkSanitizer < Rails::HTML::Sanitizer
 # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
 #
 # # prune nodes from the tree instead of stripping tags and leaving inner content
- # safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new(prune: true)
+ # safe_list_sanitizer = ActionView::HTML4::SafeListSanitizer.new(prune: true)
 #
 # # the sanitizer can also sanitize CSS
 # safe_list_sanitizer.sanitize_css('background-color: #000;')
 #
- class SafeListSanitizer < Rails::HTML::Sanitizer
+ class SafeListSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML4
 include HTML::Concern::Scrubber::SafeList
@@ -306,15 +306,15 @@ module HTML5
 class Sanitizer
 class << self
 def full_sanitizer
- Rails::HTML5::FullSanitizer
+ ActionView::HTML5::FullSanitizer
 end
 def link_sanitizer
- Rails::HTML5::LinkSanitizer
+ ActionView::HTML5::LinkSanitizer
 end
 def safe_list_sanitizer
- Rails::HTML5::SafeListSanitizer
+ ActionView::HTML5::SafeListSanitizer
 end
 def white_list_sanitizer # :nodoc:
@@ -323,37 +323,37 @@ def white_list_sanitizer # :nodoc:
 end
 end
- # == Rails::HTML5::FullSanitizer
+ # == ActionView::HTML5::FullSanitizer
 #
 # Removes all tags from HTML5 but strips out scripts, forms and comments.
 #
- # full_sanitizer = Rails::HTML5::FullSanitizer.new
+ # full_sanitizer = ActionView::HTML5::FullSanitizer.new
 # full_sanitizer.sanitize("Bold no more! See more here...")
 # # => "Bold no more! See more here..."
 #
- class FullSanitizer < Rails::HTML::Sanitizer
+ class FullSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML5
 include HTML::Concern::Scrubber::Full
 include HTML::Concern::Serializer::UTF8Encode
 end
- # == Rails::HTML5::LinkSanitizer
+ # == ActionView::HTML5::LinkSanitizer
 #
 # Removes +a+ tags and +href+ attributes from HTML5 leaving only the link text.
 #
- # link_sanitizer = Rails::HTML5::LinkSanitizer.new
+ # link_sanitizer = ActionView::HTML5::LinkSanitizer.new
 # link_sanitizer.sanitize('Only the link text will be kept.')
 # # => "Only the link text will be kept."
 #
- class LinkSanitizer < Rails::HTML::Sanitizer
+ class LinkSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML5
 include HTML::Concern::Scrubber::Link
 include HTML::Concern::Serializer::UTF8Encode
 end
- # == Rails::HTML5::SafeListSanitizer
+ # == ActionView::HTML5::SafeListSanitizer
 #
 # Sanitizes HTML5 and CSS from an extensive safe list.
 #
@@ -370,20 +370,20 @@ class LinkSanitizer < Rails::HTML::Sanitizer
 # === Options
 #
 # Sanitizes both html and css via the safe lists found in
- # Rails::HTML::Concern::Scrubber::SafeList
+ # ActionView::HTML::Concern::Scrubber::SafeList
 #
 # SafeListSanitizer also accepts options to configure the safe list used when sanitizing html.
 # There's a class level option:
 #
- # Rails::HTML5::SafeListSanitizer.allowed_tags = %w(table tr td)
- # Rails::HTML5::SafeListSanitizer.allowed_attributes = %w(id class style)
+ # ActionView::HTML5::SafeListSanitizer.allowed_tags = %w(table tr td)
+ # ActionView::HTML5::SafeListSanitizer.allowed_attributes = %w(id class style)
 #
 # Tags and attributes can also be passed to +sanitize+. Passed options take precedence over the
 # class level options.
 #
 # === Examples
 #
- # safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new
+ # safe_list_sanitizer = ActionView::HTML5::SafeListSanitizer.new
 #
 # # default: sanitize via a extensive safe list of allowed elements
 # safe_list_sanitizer.sanitize(@article.body)
@@ -399,18 +399,18 @@ class LinkSanitizer < Rails::HTML::Sanitizer
 # safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
 #
 # # prune nodes from the tree instead of stripping tags and leaving inner content
- # safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)
+ # safe_list_sanitizer = ActionView::HTML5::SafeListSanitizer.new(prune: true)
 #
 # # the sanitizer can also sanitize CSS
 # safe_list_sanitizer.sanitize_css('background-color: #000;')
 #
- class SafeListSanitizer < Rails::HTML::Sanitizer
+ class SafeListSanitizer < ActionView::HTML::Sanitizer
 include HTML::Concern::ComposedSanitize
 include HTML::Concern::Parser::HTML5
 include HTML::Concern::Scrubber::SafeList
 include HTML::Concern::Serializer::UTF8Encode
 end
- end if Rails::HTML::Sanitizer.html5_support?
+ end if ActionView::HTML::Sanitizer.html5_support?
 module HTML
 Sanitizer.extend(HTML4::Sanitizer::VendorMethods) # :nodoc:
diff --git a/lib/rails/html/sanitizer/version.rb b/lib/action_view/html/sanitizer/version.rb
similarity index 85%
rename from lib/rails/html/sanitizer/version.rb
rename to lib/action_view/html/sanitizer/version.rb
index e478448..84b6b11 100644
--- a/lib/rails/html/sanitizer/version.rb
+++ b/lib/action_view/html/sanitizer/version.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-module Rails
+module ActionView
 module HTML
 class Sanitizer
 VERSION = "1.6.0"
diff --git a/lib/rails/html/scrubbers.rb b/lib/action_view/html/scrubbers.rb
similarity index 89%
rename from lib/rails/html/scrubbers.rb
rename to lib/action_view/html/scrubbers.rb
index af53db4..4f36ed1 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/action_view/html/scrubbers.rb
@@ -1,12 +1,12 @@
 # frozen_string_literal: true
-module Rails
+module ActionView
 module HTML
- # === Rails::HTML::PermitScrubber
+ # === ActionView::HTML::PermitScrubber
 #
- # +Rails::HTML::PermitScrubber+ allows you to permit only your own tags and/or attributes.
+ # +ActionView::HTML::PermitScrubber+ allows you to permit only your own tags and/or attributes.
 #
- # +Rails::HTML::PermitScrubber+ can be subclassed to determine:
+ # +ActionView::HTML::PermitScrubber+ can be subclassed to determine:
 # - When a node should be skipped via +skip_node?+.
 # - When a node is allowed via +allowed_node?+.
 # - When an attribute should be scrubbed via +scrub_attribute?+.
@@ -29,7 +29,7 @@ module HTML
 # If set, attributes excluded will be removed.
 # If not, attributes are removed based on Loofahs +HTML5::Scrub.scrub_attributes+.
 #
- # class CommentScrubber < Rails::HTML::PermitScrubber
+ # class CommentScrubber < ActionView::HTML::PermitScrubber
 # def initialize
 # super
 # self.tags = %w(form script comment blockquote)
@@ -158,10 +158,10 @@ def scrub_attribute(node, attr_node)
 end
 end
- # === Rails::HTML::TargetScrubber
+ # === ActionView::HTML::TargetScrubber
 #
- # Where +Rails::HTML::PermitScrubber+ picks out tags and attributes to permit in
- # sanitization, +Rails::HTML::TargetScrubber+ targets them for removal.
+ # Where +ActionView::HTML::PermitScrubber+ picks out tags and attributes to permit in
+ # sanitization, +ActionView::HTML::TargetScrubber+ targets them for removal.
 #
 # +tags=+
 # If set, elements included will be stripped.
@@ -178,9 +178,9 @@ def scrub_attribute?(name)
 end
 end
- # === Rails::HTML::TextOnlyScrubber
+ # === ActionView::HTML::TextOnlyScrubber
 #
- # +Rails::HTML::TextOnlyScrubber+ allows you to permit text nodes.
+ # +ActionView::HTML::TextOnlyScrubber+ allows you to permit text nodes.
 #
 # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
 class TextOnlyScrubber < Loofah::Scrubber
diff --git a/lib/rails-html-sanitizer.rb b/lib/actionview-html-sanitizer.rb
similarity index 76%
rename from lib/rails-html-sanitizer.rb
rename to lib/actionview-html-sanitizer.rb
index 0c48f7f..953d6eb 100644
--- a/lib/rails-html-sanitizer.rb
+++ b/lib/actionview-html-sanitizer.rb
@@ -1,13 +1,13 @@
 # frozen_string_literal: true
-require_relative "rails/html/sanitizer/version"
+require_relative "action_view/html/sanitizer/version"
 require "loofah"
-require_relative "rails/html/scrubbers"
-require_relative "rails/html/sanitizer"
+require_relative "action_view/html/scrubbers"
+require_relative "action_view/html/sanitizer"
-module Rails
+module ActionView
 Html = HTML # :nodoc:
 end
@@ -17,7 +17,7 @@ module SanitizeHelper
 module ClassMethods
 # Replaces the allowed tags for the +sanitize+ helper.
 #
- # class Application < Rails::Application
+ # class Application < ActionView::Application
 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
 # end
 #
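Review bot: The `@@ -1,13` hunk of lib/actionview-html-sanitizer.rb keeps only `ActionView::Html = ActionView::HTML` as a compatibility alias, while the old public constants `Rails::HTML`, `Rails::Html`, `Rails::HTML4` and `Rails::HTML5` (the names the README in this same patch lists as "maintained for backwards compatibility") are no longer defined anywhere in the diff, so any application or library that calls e.g. `Rails::HTML5::SafeListSanitizer.new` will raise `NameError` on upgrade. Unless the linked rails/rails change ships that shim, this file should define the old names, e.g. `module Rails; HTML = ActionView::HTML; Html = HTML; HTML4 = ActionView::HTML4; end` guarded so `HTML5` is only aliased when `ActionView::HTML::Sanitizer.html5_support?` is true (the `ActionView::HTML5` module is itself conditional on that, per the sanitizer.rb hunk), and ideally a deprecation warning on the old names. A one-line comment `# Back-compat aliases for the pre-rename Rails::* namespace; remove in the next major` would document the intent.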
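Review bot: The `sanitized_allowed_tags=` doc example in the `@@ -17,7` hunk now reads `# class Application < ActionView::Application`, which names a class that does not exist; the application base class referenced by the `config.action_view.sanitized_allowed_tags = ...` line directly below it is `Rails::Application`, so this mechanical substitution turns a correct example into a wrong one. Revert that line to `# class Application < Rails::Application`. The identical substitution is made in the `sanitized_allowed_attributes=` example in the next hunk and needs the same revert. The enclosing `ClassMethods` module starts before this hunk and continues after it.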
@@ -27,7 +27,7 @@ def sanitized_allowed_tags=(tags)
 # Replaces the allowed HTML attributes for the +sanitize+ helper.
 #
- # class Application < Rails::Application
+ # class Application < ActionView::Application
 # config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
 # end
 #
@@ -51,9 +51,9 @@ def sanitized_allowed_attributes=(attributes)
 private
 def deprecate_option(name)
 ActiveSupport::Deprecation.warn "The #{name} option is deprecated " \
- "and has no effect. Until Rails 5 the old behavior can still be " \
+ "and has no effect. Until ActionView 5 the old behavior can still be " \
 "installed. To do this add the `rails-deprecated-sanitizer` to " \
- "your Gemfile. Consult the Rails 4.2 upgrade guide for more information."
+ "your Gemfile. Consult the ActionView 4.2 upgrade guide for more information."
 end
 end
 end
diff --git a/test/rails_api_test.rb b/test/rails_api_test.rb
index 9bc1107..c94f1a1 100644
--- a/test/rails_api_test.rb
+++ b/test/rails_api_test.rb
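Review bot: The runtime deprecation message built in `deprecate_option` (the `@@ -51,9` hunk) now tells users "Until ActionView 5 the old behavior can still be installed" and to "Consult the ActionView 4.2 upgrade guide", but those are Rails release numbers and the Rails 4.2 upgrade guide; this is user-facing string data, not a namespace, and the rename should not have touched it. Restore the two lines to `"and has no effect. Until Rails 5 the old behavior can still be " \` and `"your Gemfile. Consult the Rails 4.2 upgrade guide for more information."`. The `rails-deprecated-sanitizer` gem name in the same message was correctly left unchanged, which is a hint that the replacement was done by pattern rather than by meaning; a short comment such as `# Message refers to Rails versions, not to this gem's namespace` would protect it from the next sweep.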
@@ -1,88 +1,88 @@ # frozen_string_literal: true require "minitest/autorun" -require "rails-html-sanitizer" +require "actionview-html-sanitizer" -class RailsApiTest < Minitest::Test +class ActionViewApiTest < Minitest::Test def test_html_module_name_alias - assert_equal(Rails::Html, Rails::HTML) - assert_equal("Rails::HTML", Rails::Html.name) - assert_equal("Rails::HTML", Rails::HTML.name) + assert_equal(ActionView::Html, ActionView::HTML) + assert_equal("ActionView::HTML", ActionView::Html.name) + assert_equal("ActionView::HTML", ActionView::HTML.name) end def test_html_scrubber_class_names - assert(Rails::Html::PermitScrubber) - assert(Rails::Html::TargetScrubber) - assert(Rails::Html::TextOnlyScrubber) - assert(Rails::Html::Sanitizer) + assert(ActionView::Html::PermitScrubber) + assert(ActionView::Html::TargetScrubber) + assert(ActionView::Html::TextOnlyScrubber) + assert(ActionView::Html::Sanitizer) end def test_best_supported_vendor_when_html5_is_not_supported_returns_html4 - Rails::HTML::Sanitizer.stub(:html5_support?, false) do - assert_equal(Rails::HTML4::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor) + ActionView::HTML::Sanitizer.stub(:html5_support?, false) do + assert_equal(ActionView::HTML4::Sanitizer, ActionView::HTML::Sanitizer.best_supported_vendor) end end def test_best_supported_vendor_when_html5_is_supported_returns_html5 - skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support? + skip("no HTML5 support on this platform") unless ActionView::HTML::Sanitizer.html5_support? 
- Rails::HTML::Sanitizer.stub(:html5_support?, true) do - assert_equal(Rails::HTML5::Sanitizer, Rails::HTML::Sanitizer.best_supported_vendor) + ActionView::HTML::Sanitizer.stub(:html5_support?, true) do + assert_equal(ActionView::HTML5::Sanitizer, ActionView::HTML::Sanitizer.best_supported_vendor) end end def test_html4_sanitizer_alias_full - assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::FullSanitizer) - assert_equal("Rails::HTML4::FullSanitizer", Rails::HTML::FullSanitizer.name) + assert_equal(ActionView::HTML4::FullSanitizer, ActionView::HTML::FullSanitizer) + assert_equal("ActionView::HTML4::FullSanitizer", ActionView::HTML::FullSanitizer.name) end def test_html4_sanitizer_alias_link - assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::LinkSanitizer) - assert_equal("Rails::HTML4::LinkSanitizer", Rails::HTML::LinkSanitizer.name) + assert_equal(ActionView::HTML4::LinkSanitizer, ActionView::HTML::LinkSanitizer) + assert_equal("ActionView::HTML4::LinkSanitizer", ActionView::HTML::LinkSanitizer.name) end def test_html4_sanitizer_alias_safe_list - assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::SafeListSanitizer) - assert_equal("Rails::HTML4::SafeListSanitizer", Rails::HTML::SafeListSanitizer.name) + assert_equal(ActionView::HTML4::SafeListSanitizer, ActionView::HTML::SafeListSanitizer) + assert_equal("ActionView::HTML4::SafeListSanitizer", ActionView::HTML::SafeListSanitizer.name) end def test_html4_full_sanitizer - assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML::Sanitizer.full_sanitizer) - assert_equal(Rails::HTML4::FullSanitizer, Rails::HTML4::Sanitizer.full_sanitizer) + assert_equal(ActionView::HTML4::FullSanitizer, ActionView::HTML::Sanitizer.full_sanitizer) + assert_equal(ActionView::HTML4::FullSanitizer, ActionView::HTML4::Sanitizer.full_sanitizer) end def test_html4_link_sanitizer - assert_equal(Rails::HTML4::LinkSanitizer, Rails::HTML::Sanitizer.link_sanitizer) - assert_equal(Rails::HTML4::LinkSanitizer, 
Rails::HTML4::Sanitizer.link_sanitizer) + assert_equal(ActionView::HTML4::LinkSanitizer, ActionView::HTML::Sanitizer.link_sanitizer) + assert_equal(ActionView::HTML4::LinkSanitizer, ActionView::HTML4::Sanitizer.link_sanitizer) end def test_html4_safe_list_sanitizer - assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.safe_list_sanitizer) - assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.safe_list_sanitizer) + assert_equal(ActionView::HTML4::SafeListSanitizer, ActionView::HTML::Sanitizer.safe_list_sanitizer) + assert_equal(ActionView::HTML4::SafeListSanitizer, ActionView::HTML4::Sanitizer.safe_list_sanitizer) end def test_html4_white_list_sanitizer - assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML::Sanitizer.white_list_sanitizer) - assert_equal(Rails::HTML4::SafeListSanitizer, Rails::HTML4::Sanitizer.white_list_sanitizer) + assert_equal(ActionView::HTML4::SafeListSanitizer, ActionView::HTML::Sanitizer.white_list_sanitizer) + assert_equal(ActionView::HTML4::SafeListSanitizer, ActionView::HTML4::Sanitizer.white_list_sanitizer) end def test_html5_full_sanitizer - skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support? - assert_equal(Rails::HTML5::FullSanitizer, Rails::HTML5::Sanitizer.full_sanitizer) + skip("no HTML5 support on this platform") unless ActionView::HTML::Sanitizer.html5_support? + assert_equal(ActionView::HTML5::FullSanitizer, ActionView::HTML5::Sanitizer.full_sanitizer) end def test_html5_link_sanitizer - skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support? - assert_equal(Rails::HTML5::LinkSanitizer, Rails::HTML5::Sanitizer.link_sanitizer) + skip("no HTML5 support on this platform") unless ActionView::HTML::Sanitizer.html5_support? 
+ assert_equal(ActionView::HTML5::LinkSanitizer, ActionView::HTML5::Sanitizer.link_sanitizer) end def test_html5_safe_list_sanitizer - skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support? - assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.safe_list_sanitizer) + skip("no HTML5 support on this platform") unless ActionView::HTML::Sanitizer.html5_support? + assert_equal(ActionView::HTML5::SafeListSanitizer, ActionView::HTML5::Sanitizer.safe_list_sanitizer) end def test_html5_white_list_sanitizer - skip("no HTML5 support on this platform") unless Rails::HTML::Sanitizer.html5_support? - assert_equal(Rails::HTML5::SafeListSanitizer, Rails::HTML5::Sanitizer.white_list_sanitizer) + skip("no HTML5 support on this platform") unless ActionView::HTML::Sanitizer.html5_support? + assert_equal(ActionView::HTML5::SafeListSanitizer, ActionView::HTML5::Sanitizer.white_list_sanitizer) end end diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb index 6af882a..330d60b 100644 --- a/test/sanitizer_test.rb +++ b/test/sanitizer_test.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true require "minitest/autorun" -require "rails-html-sanitizer" +require "actionview-html-sanitizer" puts "nokogiri version info: #{Nokogiri::VERSION_INFO}" -puts "html5 support: #{Rails::HTML::Sanitizer.html5_support?}" +puts "html5 support: #{ActionView::HTML::Sanitizer.html5_support?}" # # NOTE that many of these tests contain multiple acceptable results. @@ -27,7 +27,7 @@ def self.loofah_html5_support? end class BaseSanitizerTest < Minitest::Test - class XpathRemovalTestSanitizer < Rails::HTML::Sanitizer + class XpathRemovalTestSanitizer < ActionView::HTML::Sanitizer def sanitize(html, options = {}) fragment = Loofah.fragment(html) remove_xpaths(fragment, options[:xpaths]).to_s 
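Review bot: The test class in the `@@ -1,88 +1,88 @@` hunk is renamed to `ActionViewApiTest`, but the file header shows it still lives at test/rails_api_test.rb, so the file name no longer matches the class it defines even though every library file in this patch was renamed to the new namespace. Either move the file to `test/actionview_api_test.rb` to match the rest of the commit, or keep the class as `RailsApiTest` if the file is deliberately left in place.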
@@ -36,7 +36,7 @@ def sanitize(html, options = {}) def test_sanitizer_sanitize_raises_not_implemented_error assert_raises NotImplementedError do - Rails::HTML::Sanitizer.new.sanitize("asdf") + ActionView::HTML::Sanitizer.new.sanitize("asdf") end end @@ -189,12 +189,12 @@ def full_sanitize(input, options = {}) end class HTML4FullSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML4 + @module_under_test = ActionView::HTML4 include FullSanitizerTest end class HTML5FullSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML5 + @module_under_test = ActionView::HTML5 include FullSanitizerTest end if loofah_html5_support? @@ -245,12 +245,12 @@ def link_sanitize(input, options = {}) end class HTML4LinkSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML4 + @module_under_test = ActionView::HTML4 include LinkSanitizerTest end class HTML5LinkSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML5 + @module_under_test = ActionView::HTML5 include LinkSanitizerTest end if loofah_html5_support? @@ -1076,12 +1076,12 @@ def convert_to_css_hex(string, escape_parens = false) end class HTML4SafeListSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML4 + @module_under_test = ActionView::HTML4 include SafeListSanitizerTest end class HTML5SafeListSanitizerTest < Minitest::Test - @module_under_test = Rails::HTML5 + @module_under_test = ActionView::HTML5 include SafeListSanitizerTest end if loofah_html5_support? end diff --git a/test/scrubbers_test.rb b/test/scrubbers_test.rb index 8db2d85..2b56e72 100644 --- a/test/scrubbers_test.rb +++ b/test/scrubbers_test.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require "minitest/autorun" -require "rails-html-sanitizer" +require "actionview-html-sanitizer" class ScrubberTest < Minitest::Test protected 
@@ -34,7 +34,7 @@ def assert_scrub_returns(return_value, text) class PermitScrubberTest < ScrubberTest def setup - @scrubber = Rails::HTML::PermitScrubber.new + @scrubber = ActionView::HTML::PermitScrubber.new end def test_responds_to_scrub @@ -80,7 +80,7 @@ def test_leaves_only_supplied_tags end def test_prunes_tags - @scrubber = Rails::HTML::PermitScrubber.new(prune: true) + @scrubber = ActionView::HTML::PermitScrubber.new(prune: true) @scrubber.tags = %w(tag) html = "leave me now" assert_scrubbed html, "leave me " @@ -150,7 +150,7 @@ def test_attributes_accessor_validation class TargetScrubberTest < ScrubberTest def setup - @scrubber = Rails::HTML::TargetScrubber.new + @scrubber = ActionView::HTML::TargetScrubber.new end def test_targeting_tags_removes_only_them @@ -179,7 +179,7 @@ def test_targeting_tags_and_attributes_removes_only_them end def test_prunes_tags - @scrubber = Rails::HTML::TargetScrubber.new(prune: true) + @scrubber = ActionView::HTML::TargetScrubber.new(prune: true) @scrubber.tags = %w(span) html = "leave me now" assert_scrubbed html, "leave me " @@ -188,7 +188,7 @@ def test_prunes_tags class TextOnlyScrubberTest < ScrubberTest def setup - @scrubber = Rails::HTML::TextOnlyScrubber.new + @scrubber = ActionView::HTML::TextOnlyScrubber.new end def test_removes_all_tags_and_keep_the_content @@ -201,7 +201,7 @@ def test_skips_text_nodes end class ReturningStopFromScrubNodeTest < ScrubberTest - class ScrubStopper < Rails::HTML::PermitScrubber + class ScrubStopper < ActionView::HTML::PermitScrubber def scrub_node(node) Loofah::Scrubber::STOP end From 5bed225762933a659a370e033d82f87cf86b065f Mon Sep 17 00:00:00 2001 From: Tung Nguyen Date: Fri, 20 Oct 2023 04:16:00 +0000 Subject: [PATCH 2/2] version bump to v2.0.0 --- lib/action_view/html/sanitizer/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/action_view/html/sanitizer/version.rb b/lib/action_view/html/sanitizer/version.rb index 84b6b11..465b7bb 100644 
--- a/lib/action_view/html/sanitizer/version.rb
+++ b/lib/action_view/html/sanitizer/version.rb
@@ -3,7 +3,7 @@
 module ActionView
 module HTML
 class Sanitizer
- VERSION = "1.6.0"
+ VERSION = "2.0.0"
 end
 end
 end