Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support html5 parsing #158

Merged
merged 13 commits into from May 12, 2023
Merged

support html5 parsing #158

merged 13 commits into from May 12, 2023

Conversation

flavorjones
Copy link
Member

@flavorjones flavorjones commented May 12, 2023
edited

This PR introduces new variations of LinkSanitizer, FullSanitizer, and SafeListSanitizer that use Loofah's (Nokogiri's) HTML5 parsing functionality.

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

It also introduces a Rails::HTML4 module which is the new canonical home for the existing sanitizers (which implicity always used the HTML4 parser). Finally, the Rails::Html module has been renamed to Rails::HTML.

The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

Miscellaneous other changes:

  • documentation cleanup
  • added an .rdoc_options file and have added or removed :nodoc: as appropriate
  • added a rubocop job to CI
  • updated tests to use assert_equal instead of assert_dom_equal to avoid obfuscation
  • removed the dev dependency on rails-dom-testing
  • added test coverage for the API used by Rails

Notably this PR does not include integration with Rails. It offers up new Sanitizer classes that provide HTML5 parsing suitable for use by Rails, but making Rails choose the sanitizer flavor will be in a subsequent PR.

@flavorjones flavorjones mentioned this pull request May 12, 2023
Closed
@flavorjones flavorjones force-pushed the flavorjones-support-html5-parsing branch 2 times, most recently from 4d48090 to 2774a3d Compare May 12, 2023 16:21
@flavorjones
ci: add rubocop
4bb772e
@flavorjones
dep: remove rails-dom-testing
0a8e04b 
Usage was removed in #156
@flavorjones
doc: set up .rdoc_options and start marking things :nodoc:
688056e
@flavorjones
test: add API coverage for Sanitizer singleton methods
cd46ff3 
These are the methods used by Rails. Also move these methods into the
Sanitizer class definition.
@flavorjones
prefactor: replace Loofah.scrub_fragment with the long form
829e74d 
because we're preparing to extract fragment parsing
@flavorjones flavorjones force-pushed the flavorjones-support-html5-parsing branch from 2774a3d to d8e3251 Compare May 12, 2023 16:47
rafaelfranca
rafaelfranca approved these changes May 12, 2023
View reviewed changes
lib/rails/html/sanitizer.rb Show resolved Hide resolved
@flavorjones
prefactor: extract orthogonal sanitizer methods
836becd 
- parse_fragment
- scrub
- serialize

These are composed in each sanitizer's `#sanitize` method.

We're preparing to make html4 and html5 variations and I'd like to use
mixins for code reuse.
@flavorjones
refactor: extract scrubber logic into composable concerns
2ada04e 
The three concerns are:

- fragment parsing
- scrubbing
- serialization

These are combined in a fourth concern which implements a `#sanitize`
method that composes the other concerns like:

  serialize(scrub(parse_fragment(html)))

This should enable us to easily add HTML5 fragment parsing in a
subsequent commit.
@flavorjones
naming: Rails::Html is now Rails::HTML
5836d1d 
but Rails::Html is an alias for backwards compatibility
@flavorjones
move the sanitizers under the Rails::HTML4 namespace
2069426 
and test that the sanitizer class names are HTML4 variations
@flavorjones
test: reorganize sanitizer tests
f03c34c 
create a new test class for each sanitizer
@flavorjones
feat: add HTML5 variations of the sanitizers
ffb32dc 
which use Loofah.html5_fragment.

Note that we repeat the sanitizer tests for both variations using a
module that's mixed into two test classes.
@flavorjones
test: fix tests to accommodate HTML5 parser behavior
53f7409 
This feels pretty good, not gonna lie. The majority of tests that
needed to change were the ones related to the CDATA node issues:

https://github.com/flavorjones/loofah/blob/main/docs/2022-10-decision-on-cdata-nodes.md

and I'm happy to see everything working as expected.
@flavorjones
doc: update README
53e9aa8
@flavorjones flavorjones force-pushed the flavorjones-support-html5-parsing branch from d8e3251 to 53e9aa8 Compare May 12, 2023 19:53
@flavorjones flavorjones merged commit 4122362 into main May 12, 2023
13 checks passed
@flavorjones flavorjones deleted the flavorjones-support-html5-parsing branch May 12, 2023 19:56
@flavorjones flavorjones mentioned this pull request May 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafaelfranca rafaelfranca rafaelfranca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@flavorjones @rafaelfranca