Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow time tag and lang attr, remove XPATHS_TO_REMOVE, add test coverage, get JRuby green #156

Merged
merged 10 commits into from May 11, 2023
Merged

allow time tag and lang attr, remove XPATHS_TO_REMOVE, add test coverage, get JRuby green #156

merged 10 commits into from May 11, 2023

Conversation

flavorjones
Copy link
Member

@flavorjones flavorjones commented May 10, 2023
edited

Preparing for a larger refactor related to HTML5 parsing support, this PR started as backfilling test coverage for the default safelist.

public API changes

  • the time tag is now allowed by default (note that the datetime attribute was already allowed, and that attribute is only valid in a time tag)
  • the lang attribute is now allowed by default (note that the xml:lang attribute was already allowed, and that attribute is only valid if there is also a matching lang attribute)
  • the Rails::Html::XPATHS_TO_REMOVE constant is removed

Note that time tag and lang attribute are safe and are already allowed by Loofah, DOMPurify, and other common sanitizers.

The XPATHS_TO_REMOVE constant was public, but probably should have been a private constant (an implementation detail) all along. It's possible that removing it might break somebody who's monkeypatching the sanitizer, but really they should be using SafeListSanitizer's allowed_tags and allowed_attributes attrs instead of changing the value of this constant.

test suite changes

Within the test suite, I've also made the following changes:

  • avoid using assert_dom_equal which was obfuscating what is being tested
  • JRuby tests now pass

@flavorjones
rubocop: enable Minitest/NoAssertions
b67b6ac
@flavorjones
style: scrubber tag and attribute arrays
1a3a812
@flavorjones
feat: SafeListSanitizer allows "time" tag and "lang" attr
f3102d1 
Reasons:

- the "datetime" attr is allowed, but is only valid in a "time" tag.
- the "xml:lang" attr is allowed, but is only valid if "lang" attr is
  also present.

The "time" tag and "lang" attribute should be considered safe and are
allowed by Loofah.

Also backfill tests around the default safe lists.
@flavorjones
feat: remove Rails::Html::XPATHS_TO_REMOVE
4d79266 
This has always been an implementation detail, and is not necessary
with the current default sanitizer behavior.
@flavorjones
test: avoid renaming nodes to avoid errors in JRuby
fe9aa6f 
Xerces doesn't allow node renaming (but libxml2 does)
@flavorjones
test: update to accommodate jruby behavior
3701702
@flavorjones
test: remove bulk test of all Loofah ALLOWED_ELEMENTS
ec89374 
The use of assert_dom_equal obfuscates what we're actually testing,
which in many cases is "not much".

These elements already have adequate coverage in Loofah, and the
allowed_tags feature is tested adequately elsewhere in this suite.
@flavorjones
test: don't use assert_dom_equal and be explicit about assert_nil
c1ccd66 
The use of both was making `assert_sanitized` very ambiguous, as you
can see from the tests that have been updated.

The more explicit tests allow us to be sensitive to behavioral changes
upstream, so that we fully understand what we're emitting.
@flavorjones
test: accommodate jruby nokogiri 1.13 behavior
2070471 
because Nokogiri 1.14 switched from cyberneko to nekohtml-unit and
there are some parsing differences.
@flavorjones flavorjones force-pushed the flavorjones-add-scrubber-test-coverage branch from 4008cbd to 2070471 Compare May 11, 2023 13:35
@flavorjones flavorjones changed the title add test coverage, allow time tag and lang attr, and remove XPATHS_TO_REMOVE add test coverage, allow time tag and lang attr, remove XPATHS_TO_REMOVE, get JRuby green May 11, 2023
@flavorjones flavorjones changed the title add test coverage, allow time tag and lang attr, remove XPATHS_TO_REMOVE, get JRuby green allow time tag and lang attr, remove XPATHS_TO_REMOVE, add test coverage, get JRuby green May 11, 2023
@flavorjones flavorjones force-pushed the flavorjones-add-scrubber-test-coverage branch from 27b09b1 to 2070471 Compare May 11, 2023 14:13
@flavorjones
Copy link
Member Author

Actions isn't working well, but I kicked off a manual run of CI on this PR at https://github.com/rails/rails-html-sanitizer/actions/runs/4948930151 which is green.

rafaelfranca
rafaelfranca approved these changes May 11, 2023
View reviewed changes
Copy link
Member

@rafaelfranca rafaelfranca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great clean up in the test suite. Tests are easier to understand now.

@flavorjones flavorjones merged commit 5a1006f into main May 11, 2023
12 checks passed
@flavorjones flavorjones deleted the flavorjones-add-scrubber-test-coverage branch May 11, 2023 16:46
flavorjones added a commit that referenced this pull request May 12, 2023
@flavorjones
dep: remove rails-dom-testing
4f92553 
Usage was removed in #156
flavorjones added a commit that referenced this pull request May 12, 2023
@flavorjones
dep: remove rails-dom-testing
0a8e04b 
Usage was removed in #156
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafaelfranca rafaelfranca rafaelfranca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@flavorjones @rafaelfranca @Earlopain