allow `time` tag and `lang` attr, remove XPATHS_TO_REMOVE, add test coverage, get JRuby green (#156, Merged)
Reasons:
- the "datetime" attr is allowed, but is only valid in a "time" tag.
- the "xml:lang" attr is allowed, but is only valid if "lang" attr is also present.
The "time" tag and "lang" attribute should be considered safe and are allowed by Loofah. Also backfill tests around the default safe lists.
This has always been an implementation detail, and is not necessary with the current default sanitizer behavior.
Xerces doesn't allow node renaming (but libxml2 does)
The use of assert_dom_equal obfuscates what we're actually testing, which in many cases is "not much". These elements already have adequate coverage in Loofah, and the allowed_tags feature is tested adequately elsewhere in this suite.
The use of both was making `assert_sanitized` very ambiguous, as you can see from the tests that have been updated. The more explicit tests allow us to be sensitive to behavioral changes upstream, so that we fully understand what we're emitting.
because Nokogiri 1.14 switched from cyberneko to nekohtml-unit and there are some parsing differences.
flavorjones force-pushed the flavorjones-add-scrubber-test-coverage branch from 4008cbd to 2070471 on May 11, 2023 13:35
flavorjones changed the title from "add test coverage, allow `time` tag and `lang` attr, and remove XPATHS_TO_REMOVE" to "add test coverage, allow `time` tag and `lang` attr, remove XPATHS_TO_REMOVE, get JRuby green" on May 11, 2023
flavorjones changed the title from "add test coverage, allow `time` tag and `lang` attr, remove XPATHS_TO_REMOVE, get JRuby green" to "allow `time` tag and `lang` attr, remove XPATHS_TO_REMOVE, add test coverage, get JRuby green" on May 11, 2023
flavorjones force-pushed the flavorjones-add-scrubber-test-coverage branch from 27b09b1 to 2070471 on May 11, 2023 14:13
Actions isn't working well, but I kicked off a manual run of CI on this PR at https://github.com/rails/rails-html-sanitizer/actions/runs/4948930151 which is green.
rafaelfranca approved these changes on May 11, 2023:
Great clean up in the test suite. Tests are easier to understand now.
Preparing for a larger refactor related to HTML5 parsing support, this PR started as backfilling test coverage for the default safelist.

public API changes

- `time` tag is now allowed by default (note that the `datetime` attribute was already allowed, and that attribute is only valid in a `time` tag)
- `lang` attribute is now allowed by default (note that the `xml:lang` attribute was already allowed, and that attribute is only valid if there is also a matching `lang` attribute)
- `Rails::Html::XPATHS_TO_REMOVE` constant is removed

Note that `time` tag and `lang` attribute are safe and are already allowed by Loofah, DOMPurify, and other common sanitizers.

The `XPATHS_TO_REMOVE` constant was public, but probably should have been a private constant (an implementation detail) all along. It's possible that removing it might break somebody who's monkeypatching the sanitizer, but really they should be using `SafeListSanitizer`'s `allowed_tags` and `allowed_attributes` attrs instead of changing the value of this constant.

test suite changes

Within the test suite, I've also made the following changes:

- `assert_dom_equal` which was obfuscating what is being tested