Skip to content

Commit

Permalink
fix: pass comment nodes to the scrubber
Browse files Browse the repository at this point in the history 
Some scrubbers want to allow comments through, but in v1.4.0 didn't
get the chance because only elements were passed through to
`keep_node?`.

This change allows comments and elements through, but still omits
other non-elements like processing instructions (see #115).
  • Loading branch information
@flavorjones
flavorjones committed Aug 18, 2021
1 parent 2e9ec19 commit ab16fa4
Show file tree
Hide file tree
Showing 3 changed files with 57 additions and 1 deletion.
12 changes: 12 additions & 0 deletions CHANGELOG.md
View file
@@ -1,3 +1,15 @@
## next / unreleased

* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
passed through elements to the scrubber's `keep_node?` method.

This change once again allows the scrubber to make the decision on comment nodes, but still skips
other non-elements like processing instructions (see #115).

*Mike Dalessio*

## 1.4.0 / 2021-08-18

* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
Expand Down
2 changes: 1 addition & 1 deletion lib/rails/html/scrubbers.rb
View file
Expand Up @@ -68,7 +68,7 @@ def scrub(node)
end
return CONTINUE if skip_node?(node)

unless node.element? && keep_node?(node)
unless (node.comment? || node.element?) && keep_node?(node)
return STOP if scrub_node(node) == STOP
end

Expand Down
44 changes: 44 additions & 0 deletions test/scrubbers_test.rb
View file
Expand Up @@ -112,6 +112,50 @@ def test_attributes_accessor_validation
end
end

class PermitScrubberSubclassTest < ScrubberTest
def setup
@scrubber = Class.new(::Rails::Html::PermitScrubber) do
attr :nodes_seen

def initialize
super()
@nodes_seen = []
end

def keep_node?(node)
@nodes_seen << node.name
super(node)
end
end.new
end

def test_elements_are_checked
html = %Q("<div></div><a></a><tr></tr>")
Loofah.scrub_fragment(html, @scrubber)
assert_includes(@scrubber.nodes_seen, "div")
assert_includes(@scrubber.nodes_seen, "a")
assert_includes(@scrubber.nodes_seen, "tr")
end

def test_comments_are_checked
# this passes in v1.3.0 but fails in v1.4.0
html = %Q("<div></div><!-- ohai --><tr></tr>")
Loofah.scrub_fragment(html, @scrubber)
assert_includes(@scrubber.nodes_seen, "div")
assert_includes(@scrubber.nodes_seen, "comment")
assert_includes(@scrubber.nodes_seen, "tr")
end

def test_craftily_named_processing_instructions_are_not_checked
# this fails in v1.3.0 but passes in v1.4.0
html = %Q("<div></div><?a content><tr></tr>")
Loofah.scrub_fragment(html, @scrubber)
assert_includes(@scrubber.nodes_seen, "div")
refute_includes(@scrubber.nodes_seen, "a")
assert_includes(@scrubber.nodes_seen, "tr")
end
end

class TargetScrubberTest < ScrubberTest
def setup
@scrubber = Rails::Html::TargetScrubber.new
Expand Down

0 comments on commit ab16fa4

Please sign in to comment.