feat: add HTML5 variations of the sanitizers

flavorjones · flavorjones · commit ffb32dcf9348 · 2023-05-12T15:50:47.000-04:00
which use Loofah.html5_fragment.

Note that we repeat the sanitizer tests for both variations using a
module that's mixed into two test classes.
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
@@ -19,6 +19,14 @@ def safe_list_sanitizer
         def white_list_sanitizer # :nodoc:
           safe_list_sanitizer
         end
+
+        def html5_support?
+          unless @html5_support_set
+            @html5_support = Loofah.respond_to?(:html5_support?) && Loofah.html5_support?
+            @html5_support_set = true
+          end
+          @html5_support
+        end
       end
 
       def sanitize(html, options = {})
@@ -52,6 +60,12 @@ def parse_fragment(html)
             Loofah.html4_fragment(html)
           end
         end
+
+        module HTML5
+          def parse_fragment(html)
+            Loofah.html5_fragment(html)
+          end
+        end if Rails::HTML::Sanitizer.html5_support?
       end
 
       module Scrubber
@@ -286,6 +300,96 @@ class SafeListSanitizer < Rails::HTML::Sanitizer
     end
   end
 
+  module HTML5
+    # == Rails::HTML5::FullSanitizer
+    #
+    # Removes all tags from HTML5 but strips out scripts, forms and comments.
+    #
+    #   full_sanitizer = Rails::HTML5::FullSanitizer.new
+    #   full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+    #   # => "Bold no more!  See more here..."
+    #
+    class FullSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::Full
+      include HTML::Concern::Serializer::UTF8Encode
+    end
+
+    # == Rails::HTML5::LinkSanitizer
+    #
+    # Removes +a+ tags and +href+ attributes from HTML5 leaving only the link text.
+    #
+    #   link_sanitizer = Rails::HTML5::LinkSanitizer.new
+    #   link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    #   # => "Only the link text will be kept."
+    #
+    class LinkSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::Link
+      include HTML::Concern::Serializer::SimpleString
+    end
+
+    # == Rails::HTML5::SafeListSanitizer
+    #
+    # Sanitizes HTML5 and CSS from an extensive safe list.
+    #
+    # === Whitespace
+    #
+    # We can't make any guarantees about whitespace being kept or stripped.  Loofah uses Nokogiri,
+    # which wraps either a C or Java parser for the respective Ruby implementation.  Those two
+    # parsers determine how whitespace is ultimately handled.
+    #
+    # When the stripped markup will be rendered the users browser won't take whitespace into account
+    # anyway. It might be better to suggest your users wrap their whitespace sensitive content in
+    # pre tags or that you do so automatically.
+    #
+    # === Options
+    #
+    # Sanitizes both html and css via the safe lists found in
+    # Rails::HTML::Concern::Scrubber::SafeList
+    #
+    # SafeListSanitizer also accepts options to configure the safe list used when sanitizing html.
+    # There's a class level option:
+    #
+    #   Rails::HTML5::SafeListSanitizer.allowed_tags = %w(table tr td)
+    #   Rails::HTML5::SafeListSanitizer.allowed_attributes = %w(id class style)
+    #
+    # Tags and attributes can also be passed to +sanitize+.  Passed options take precedence over the
+    # class level options.
+    #
+    # === Examples
+    #
+    #   safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new
+    #
+    #   # default: sanitize via a extensive safe list of allowed elements
+    #   safe_list_sanitizer.sanitize(@article.body)
+    #
+    #   # sanitize via the supplied tags and attributes
+    #   safe_list_sanitizer.sanitize(
+    #     @article.body,
+    #     tags: %w(table tr td),
+    #     attributes: %w(id class style),
+    #   )
+    #
+    #   # sanitize via a custom Loofah scrubber
+    #   safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
+    #
+    #   # prune nodes from the tree instead of stripping tags and leaving inner content
+    #   safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)
+    #
+    #   # the sanitizer can also sanitize CSS
+    #   safe_list_sanitizer.sanitize_css('background-color: #000;')
+    #
+    class SafeListSanitizer < Rails::HTML::Sanitizer
+      include HTML::Concern::ComposedSanitize
+      include HTML::Concern::Parser::HTML5
+      include HTML::Concern::Scrubber::SafeList
+      include HTML::Concern::Serializer::UTF8Encode
+    end
+  end if Rails::HTML::Sanitizer.html5_support?
+
   module HTML
     FullSanitizer = HTML4::FullSanitizer # :nodoc:
     LinkSanitizer = HTML4::LinkSanitizer # :nodoc:
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -20,18 +20,22 @@
 #  In many other cases, it's because the parser used by Nokogiri on JRuby (xerces+nekohtml) parses
 #  slightly differently than libxml2 in edge cases.
 #
-module TestRailsSanitizers
-  class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
-    def sanitize(html, options = {})
-      fragment = Loofah.fragment(html)
-      remove_xpaths(fragment, options[:xpaths]).to_s
-    end
+module SanitizerTests
+  def self.loofah_html5_support?
+    Loofah.respond_to?(:html5_support?) && Loofah.html5_support?
   end
 
   class BaseSanitizerTest < Minitest::Test
+    class XpathRemovalTestSanitizer < Rails::HTML::Sanitizer
+      def sanitize(html, options = {})
+        fragment = Loofah.fragment(html)
+        remove_xpaths(fragment, options[:xpaths]).to_s
+      end
+    end
+
     def test_sanitizer_sanitize_raises_not_implemented_error
       assert_raises NotImplementedError do
-        Rails::Html::Sanitizer.new.sanitize("asdf")
+        Rails::HTML::Sanitizer.new.sanitize("asdf")
       end
     end
 
@@ -65,7 +69,15 @@ def xpath_sanitize(input, options = {})
       end
   end
 
-  class FullSanitizerTest < Minitest::Test
+  module ModuleUnderTest
+    def module_under_test
+      self.class.instance_variable_get(:@module_under_test)
+    end
+  end
+
+  module FullSanitizerTest
+    include ModuleUnderTest
+
     def test_strip_tags_with_quote
       input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
       result = full_sanitize(input)
@@ -164,11 +176,23 @@ def test_full_sanitize_respect_html_escaping_of_the_given_string
 
     protected
       def full_sanitize(input, options = {})
-        Rails::Html::FullSanitizer.new.sanitize(input, options)
+        module_under_test::FullSanitizer.new.sanitize(input, options)
       end
   end
 
-  class LinkSanitizerTest < Minitest::Test
+  class HTML4FullSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML4
+    include FullSanitizerTest
+  end
+
+  class HTML5FullSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML5
+    include FullSanitizerTest
+  end if loofah_html5_support?
+
+  module LinkSanitizerTest
+    include ModuleUnderTest
+
     def test_strip_links_with_tags_in_tags
       expected = "&lt;a href='hello'&gt;all <b>day</b> long&lt;/a&gt;"
       input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
@@ -201,11 +225,23 @@ def test_strip_links_with_linkception
 
     protected
       def link_sanitize(input, options = {})
-        Rails::Html::LinkSanitizer.new.sanitize(input, options)
+        module_under_test::LinkSanitizer.new.sanitize(input, options)
       end
   end
 
-  class SafeListSanitizerTest < Minitest::Test
+  class HTML4LinkSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML4
+    include LinkSanitizerTest
+  end
+
+  class HTML5LinkSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML5
+    include LinkSanitizerTest
+  end if loofah_html5_support?
+
+  module SafeListSanitizerTest
+    include ModuleUnderTest
+
     def test_sanitize_nested_script
       assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
     end
@@ -369,7 +405,7 @@ def test_custom_attributes_overrides_allowed_attributes
     end
 
     def test_should_allow_prune
-      sanitizer = Rails::Html::SafeListSanitizer.new(prune: true)
+      sanitizer = module_under_test::SafeListSanitizer.new(prune: true)
       text = "<u>leave me <b>now</b></u>"
       assert_equal "<u>leave me </u>", sanitizer.sanitize(text, tags: %w(u))
     end
@@ -919,31 +955,31 @@ def test_should_sanitize_across_newlines
 
     protected
       def safe_list_sanitize(input, options = {})
-        Rails::Html::SafeListSanitizer.new.sanitize(input, options)
+        module_under_test::SafeListSanitizer.new.sanitize(input, options)
       end
 
       def assert_sanitized(input, expected = nil)
         assert_equal((expected || input), safe_list_sanitize(input))
       end
 
       def scope_allowed_tags(tags)
-        old_tags = Rails::Html::SafeListSanitizer.allowed_tags
-        Rails::Html::SafeListSanitizer.allowed_tags = tags
-        yield Rails::Html::SafeListSanitizer.new
+        old_tags = module_under_test::SafeListSanitizer.allowed_tags
+        module_under_test::SafeListSanitizer.allowed_tags = tags
+        yield module_under_test::SafeListSanitizer.new
       ensure
-        Rails::Html::SafeListSanitizer.allowed_tags = old_tags
+        module_under_test::SafeListSanitizer.allowed_tags = old_tags
       end
 
       def scope_allowed_attributes(attributes)
-        old_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
-        Rails::Html::SafeListSanitizer.allowed_attributes = attributes
-        yield Rails::Html::SafeListSanitizer.new
+        old_attributes = module_under_test::SafeListSanitizer.allowed_attributes
+        module_under_test::SafeListSanitizer.allowed_attributes = attributes
+        yield module_under_test::SafeListSanitizer.new
       ensure
-        Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
+        module_under_test::SafeListSanitizer.allowed_attributes = old_attributes
       end
 
       def sanitize_css(input)
-        Rails::HTML4::SafeListSanitizer.new.sanitize_css(input)
+        module_under_test::SafeListSanitizer.new.sanitize_css(input)
       end
 
       # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
@@ -957,4 +993,14 @@ def convert_to_css_hex(string, escape_parens = false)
         end.join
       end
   end
+
+  class HTML4SafeListSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML4
+    include SafeListSanitizerTest
+  end
+
+  class HTML5SafeListSanitizerTest < Minitest::Test
+    @module_under_test = Rails::HTML5
+    include SafeListSanitizerTest
+  end if loofah_html5_support?
 end
