loofah-2.0.3/���������������������������������������������������������������������������������������0000755�0000041�0000041�00000000000�12572770001�013015� 5����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/Rakefile�������������������������������������������������������������������������������0000644�0000041�0000041�00000003461�12572770001�014466� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������require 'rubygems'
gem 'hoe', '>= 2.3.0'
require 'hoe'
Hoe.plugin :git
Hoe.plugin :gemspec
Hoe.plugin :bundler
Hoe.plugin :debugging
Hoe.spec "loofah" do
developer "Mike Dalessio", "mike.dalessio@gmail.com"
developer "Bryan Helmkamp", "bryan@brynary.com"
self.extra_rdoc_files = FileList["*.rdoc"]
self.history_file = "CHANGELOG.rdoc"
self.readme_file = "README.rdoc"
self.license "MIT"
extra_deps << ["nokogiri", ">=1.5.9"]
extra_dev_deps << ["rake", ">=0.8"]
extra_dev_deps << ["minitest", "~>2.2"]
extra_dev_deps << ["rr", "~>1.1.0"]
extra_dev_deps << ["json", ">=0"]
extra_dev_deps << ["hoe-gemspec", ">=0"]
extra_dev_deps << ["hoe-debugging", ">=0"]
extra_dev_deps << ["hoe-bundler", ">=0"]
extra_dev_deps << ["hoe-git", ">=0"]
end
task :gemspec do
system %q(rake debug_gem | grep -v "^\(in " > loofah.gemspec)
end
task :redocs => :fix_css
task :docs => :fix_css
task :fix_css do
better_css = <<-EOT
.method-description pre {
margin : 1em 0 ;
}
.method-description ul {
padding : .5em 0 .5em 2em ;
}
.method-description p {
margin-top : .5em ;
}
#main ul, div#documentation ul {
list-style-type : disc ! IMPORTANT ;
list-style-position : inside ! IMPORTANT ;
}
h2 + ul {
margin-top : 1em;
}
EOT
puts "* fixing css"
File.open("doc/rdoc.css", "a") { |f| f.write better_css }
end
desc "generate and upload docs to rubyforge"
task :doc_upload_to_rubyforge => :docs do
Dir.chdir "doc" do
system "rsync -avz --delete * rubyforge.org:/var/www/gforge-projects/loofah/loofah"
end
end
desc "generate whitelists from W3C specifications"
task :generate_whitelists do
load "tasks/generate-whitelists"
end
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/.gemtest�������������������������������������������������������������������������������0000644�0000041�0000041�00000000000�12572770001�014454� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/Manifest.txt���������������������������������������������������������������������������0000644�0000041�0000041�00000001607�12572770001�015330� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.gemtest
CHANGELOG.rdoc
Gemfile
MIT-LICENSE.txt
Manifest.txt
README.rdoc
Rakefile
benchmark/benchmark.rb
benchmark/fragment.html
benchmark/helper.rb
benchmark/www.slashdot.com.html
lib/loofah.rb
lib/loofah/elements.rb
lib/loofah/helpers.rb
lib/loofah/html/document.rb
lib/loofah/html/document_fragment.rb
lib/loofah/html5/scrub.rb
lib/loofah/html5/whitelist.rb
lib/loofah/instance_methods.rb
lib/loofah/metahelpers.rb
lib/loofah/scrubber.rb
lib/loofah/scrubbers.rb
lib/loofah/xml/document.rb
lib/loofah/xml/document_fragment.rb
test/assets/testdata_sanitizer_tests1.dat
test/helper.rb
test/html5/test_sanitizer.rb
test/integration/test_ad_hoc.rb
test/integration/test_helpers.rb
test/integration/test_html.rb
test/integration/test_scrubbers.rb
test/integration/test_xml.rb
test/unit/test_api.rb
test/unit/test_encoding.rb
test/unit/test_helpers.rb
test/unit/test_scrubber.rb
test/unit/test_scrubbers.rb
�������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/Gemfile��������������������������������������������������������������������������������0000644�0000041�0000041�00000001326�12572770001�014312� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# -*- ruby -*-
# DO NOT EDIT THIS FILE. Instead, edit Rakefile, and run `rake bundler:gemfile`.
source "https://rubygems.org/"
gem "nokogiri", ">=1.5.9"
gem "rdoc", "~>4.0", :group => [:development, :test]
gem "rake", ">=0.8", :group => [:development, :test]
gem "minitest", "~>2.2", :group => [:development, :test]
gem "rr", "~>1.1.0", :group => [:development, :test]
gem "json", ">=0", :group => [:development, :test]
gem "hoe-gemspec", ">=0", :group => [:development, :test]
gem "hoe-debugging", ">=0", :group => [:development, :test]
gem "hoe-bundler", ">=0", :group => [:development, :test]
gem "hoe-git", ">=0", :group => [:development, :test]
gem "hoe", "~>3.6", :group => [:development, :test]
# vim: syntax=ruby
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/CHANGELOG.rdoc�������������������������������������������������������������������������0000644�0000041�0000041�00000014047�12572770001�015163� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������= Changelog
== 2.0.3 / 2015-08-17
Bug fixes:
* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
== 2.0.2 / 2015-05-05
Bug fixes:
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
== 2.0.1 / 2014-08-21
Bug fixes:
* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
Notes:
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
== 2.0.0 / 2014-05-09
Compatibility notes:
* ActionView helpers now must be required explicitly: `require "loofah/helpers"`
* Support for Ruby 1.8.7 and prior has been dropped
Enhancements:
* HTML5 whitelist allows the following ...
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
* attributes: `data-*` (Thanks, Rafael Franca!)
* URI attributes: `poster` and `preload`
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
Bug fixes:
* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
== 1.2.1 (2012-04-14)
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
== 1.2.0 (2011-08-08)
Enhancements:
* Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
* Improving ActionView integration.
== 1.1.0 (2011-08-08)
Enhancements:
* Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
* Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
* Don't explode when encountering UTF-8 URIs. (#25, #29)
== 1.0.0 (2010-10-26)
Notes:
* Moved ActiveRecord functionality into `loofah-activerecord` gem.
* Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
== 0.4.7 (2010-03-09)
Enhancements:
* New methods Loofah::HTML::Document#to_text and
Loofah::HTML::DocumentFragment#to_text do the right thing with
whitespace. Note that these methods are significantly slower than
#text. GH #12
* Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
will return unescaped HTML entities by passing :encode_special_chars => false.
== 0.4.4, 0.4.5, 0.4.6 (2010-02-01)
Enhancements:
* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.
Bug fixes:
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
== 0.4.3 (2010-01-29)
Enhancements:
* All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
* Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
Miscellaneous:
* Modified documentation for bootstrapping XssFoliate in a Rails app,
since the use of Bundler breaks the previously-documented method. To
be safe, always use an initializer file.
== 0.4.2 (2010-01-22)
Enhancements:
* Implemented Node#scrub! for scrubbing subtrees.
* Implemented NodeSet#scrub! for scrubbing a set of subtrees.
* Document.text now only serializes contents (ignores )
* , and added to the HTML5lib whitelist.
Bug fixes:
* Supporting Rails apps that aren't loading ActiveRecord. GH #10
Miscellaneous:
* Mailing list is now loofah@librelist.com / http://librelist.com
* IRC channel is now \#loofah on freenode.
== 0.4.1 (2009-11-23)
Bugfix:
* Manifest fixed. Whoops.
== 0.4.0 (2009-11-21)
Enhancements:
* Scrubber class introduced, allowing development of custom scrubbers.
* Added support for XML documents and fragments.
* Added :nofollow HTML scrubber (thanks Luke Melia!)
* Built-in scrubbing methods refactored to use Scrubber.
== 0.3.1 (2009-10-12)
Bug fixes:
* Scrubbed Documents properly render html, head and body tags when serialized.
== 0.3.0 (2009-10-06)
Enhancements:
* New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master].
* Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
* Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.
Deprecations:
* The methods strip_tags, whitewash, whitewash_document, sanitize, and
sanitize_document have been deprecated. See DEPRECATED.rdoc for
details on the equivalent calls with the post-0.2 API.
== 0.2.2 (2009-09-30)
Enhancements:
* ActiveRecord extension scrubs fields in a before_validation callback
(was previously in a before_save)
== 0.2.1 (2009-09-19)
Enhancements:
* when loaded in a Rails app, automatically extend ActiveRecord::Base
with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
Bugfixes:
* ActiveRecord scrubbing should generate strings instead of Document or
DocumentFragment objects. GH #5
* init.rb fixed to support installation as a Rails plugin. GH #6
(Thanks Josh Nichols!)
== 0.2.0 (2009-09-11)
* Swank new API.
* ActiveRecord extension.
* Uses Nokogiri's Document and DocumentFragment for parsing.
* Updated html5lib codes and tests to revision 1384:b9d3153d7be7.
* Deprecated the Dryopteris sanitization methods. Will be removed in 0.3.0.
* Documentation! Hey!
== 0.1.2 (2009-04-30)
* Added whitewashing -- removal of all attributes and namespaced nodes. You know, for microsofty HTML.
== 0.1.0 (2009-02-10)
* Birthday!
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/README.rdoc����������������������������������������������������������������������������0000644�0000041�0000041�00000025722�12572770001�014633� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������= Loofah {}[https://travis-ci.org/flavorjones/loofah]
* https://github.com/flavorjones/loofah
* http://rubydoc.info/github/flavorjones/loofah/master/frames
* http://librelist.com/browser/loofah
== Description
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure. (These statements have
not been evaluated by Netexperts.)
ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see
https://github.com/flavorjones/loofah-activerecord).
== Features
* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists).
* Common HTML sanitizing tasks are built-in:
* _Strip_ unsafe tags, leaving behind only the inner text.
* _Prune_ unsafe tags and their subtrees, removing all traces that they ever existed.
* _Escape_ unsafe tags and their subtrees, leaving behind lots of < and > entities.
* _Whitewash_ the markup, removing all attributes and namespaced nodes.
* Common HTML transformation tasks are built-in:
* Add the _nofollow_ attribute to all hyperlinks.
* Format markup as plain text, with or without sensible whitespace handling around block elements.
* Replace Rails's +strip_tags+ and +sanitize+ view helper methods.
== Compare and Contrast
Loofah is one of two known Ruby XSS/sanitization solutions that
guarantees well-formed and valid markup (the other is Sanitize, which
also uses Nokogiri).
Loofah works on XML, XHTML and HTML documents.
Also, it's pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
* https://gist.github.com/170193
Lastly, Loofah is extensible. It's super-easy to write your own custom
scrubbers for whatever document manipulation you need. You don't like
the built-in scrubbers? Build your own, like a boss.
== The Basics
Loofah wraps Nokogiri[http://nokogiri.org] in a loving
embrace. Nokogiri[http://nokogiri.org] is an excellent HTML/XML
parser. If you don't know how Nokogiri[http://nokogiri.org] works, you
might want to pause for a moment and go check it out. I'll wait.
Loofah presents the following classes:
* Loofah::HTML::Document and Loofah::HTML::DocumentFragment
* Loofah::XML::Document and Loofah::XML::DocumentFragment
* Loofah::Scrubber
The documents and fragments are subclasses of the similar Nokogiri classes.
The Scrubber represents the document manipulation, either by wrapping
a block,
span2div = Loofah::Scrubber.new do |node|
node.name = "div" if node.name == "span"
end
or by implementing a method.
=== Side Note: Fragments vs Documents
Generally speaking, unless you expect to have a DOCTYPE and a single
root node, you don't have a *document*, you have a *fragment*. For
HTML, another rule of thumb is that *documents* have +html+ and +body+
tags, and *fragments* usually do not.
HTML fragments should be parsed with Loofah.fragment. The result won't
be wrapped in +html+ or +body+ tags, won't have a DOCTYPE declaration,
+head+ elements will be silently ignored, and multiple root nodes are
allowed.
XML fragments should be parsed with Loofah.xml_fragment. The result
won't have a DOCTYPE declaration, and multiple root nodes are allowed.
HTML documents should be parsed with Loofah.document. The result will
have a DOCTYPE declaration, along with +html+, +head+ and +body+ tags.
XML documents should be parsed with Loofah.xml_document. The result
will have a DOCTYPE declaration and a single root node.
=== Loofah::HTML::Document and Loofah::HTML::DocumentFragment
These classes are subclasses of Nokogiri::HTML::Document and
Nokogiri::HTML::DocumentFragment, so you get all the markup
fixer-uppery and API goodness of Nokogiri.
The module methods Loofah.document and Loofah.fragment will parse an
HTML document and an HTML fragment, respectively.
Loofah.document(unsafe_html).is_a?(Nokogiri::HTML::Document) # => true
Loofah.fragment(unsafe_html).is_a?(Nokogiri::HTML::DocumentFragment) # => true
Loofah injects a +scrub!+ method, which takes either a symbol (for
built-in scrubbers) or a Loofah::Scrubber object (for custom
scrubbers), and modifies the document in-place.
Loofah overrides +to_s+ to return HTML:
unsafe_html = "ohai!
"
and +text+ to return plain text:
doc.text # => "ohai! div is safe "
Also, +to_text+ is available, which does the right thing with
whitespace around block-level elements.
doc = Loofah.fragment("
Title
Content
")
doc.text # => "TitleContent" # probably not what you want
doc.to_text # => "\nTitle\n\nContent\n" # better
=== Loofah::XML::Document and Loofah::XML::DocumentFragment
These classes are subclasses of Nokogiri::XML::Document and
Nokogiri::XML::DocumentFragment, so you get all the markup
fixer-uppery and API goodness of Nokogiri.
The module methods Loofah.xml_document and Loofah.xml_fragment will
parse an XML document and an XML fragment, respectively.
Loofah.xml_document(bad_xml).is_a?(Nokogiri::XML::Document) # => true
Loofah.xml_fragment(bad_xml).is_a?(Nokogiri::XML::DocumentFragment) # => true
=== Nodes and NodeSets
Nokogiri::XML::Node and Nokogiri::XML::NodeSet also get a +scrub!+
method, which makes it easy to scrub subtrees.
The following code will apply the +employee_scrubber+ only to the
+employee+ nodes (and their subtrees) in the document:
Loofah.xml_document(bad_xml).xpath("//employee").scrub!(employee_scrubber)
And this code will only scrub the first +employee+ node and its subtree:
Loofah.xml_document(bad_xml).at_xpath("//employee").scrub!(employee_scrubber)
=== Loofah::Scrubber
A Scrubber wraps up a block (or method) that is run on a document node:
# change all tags to
tags
span2div = Loofah::Scrubber.new do |node|
node.name = "div" if node.name == "span"
end
This can then be run on a document:
Loofah.fragment("foo
bar
").scrub!(span2div).to_s
# => "
foo
bar
"
Scrubbers can be run on a document in either a top-down traversal (the
default) or bottom-up. Top-down scrubbers can optionally return
Scrubber::STOP to terminate the traversal of a subtree. Read below and
in the Loofah::Scrubber class for more detailed usage.
Here's an XML example:
# remove all tags that have a "deceased" attribute set to true
bring_out_your_dead = Loofah::Scrubber.new do |node|
if node.name == "employee" and node["deceased"] == "true"
node.remove
Loofah::Scrubber::STOP # don't bother with the rest of the subtree
end
end
Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
=== Built-In HTML Scrubbers
Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
whitelist algorithm:
doc.scrub!(:strip) # replaces unknown/unsafe tags with their inner text
doc.scrub!(:prune) # removes unknown/unsafe tags and their children
doc.scrub!(:escape) # escapes unknown/unsafe tags, like this: <script>
doc.scrub!(:whitewash) # removes unknown/unsafe/namespaced tags and their children,
# and strips all node attributes
Loofah also comes with some common transformation tasks:
doc.scrub!(:nofollow) # adds rel="nofollow" attribute to links
doc.scrub!(:unprintable) # removes unprintable characters from text nodes
See Loofah::Scrubbers for more details and example usage.
=== Chaining Scrubbers
You can chain scrubbers:
Loofah.fragment("hello ") \
.scrub!(:prune) \
.scrub!(span2div).to_s
# => "
hello
"
=== Shorthand
The class methods Loofah.scrub_fragment and Loofah.scrub_document are
shorthand.
Loofah.scrub_fragment(unsafe_html, :prune)
Loofah.scrub_document(unsafe_html, :prune)
Loofah.scrub_xml_fragment(bad_xml, custom_scrubber)
Loofah.scrub_xml_document(bad_xml, custom_scrubber)
are the same thing as (and arguably semantically clearer than):
Loofah.fragment(unsafe_html).scrub!(:prune)
Loofah.document(unsafe_html).scrub!(:prune)
Loofah.xml_fragment(bad_xml).scrub!(custom_scrubber)
Loofah.xml_document(bad_xml).scrub!(custom_scrubber)
=== View Helpers
Loofah has two "view helpers": Loofah::Helpers.sanitize and
Loofah::Helpers.strip_tags, both of which are drop-in replacements for
the Rails ActionView helpers of the same name.
These are no longer required automatically. You must require `loofah/helpers`.
== Requirements
* Nokogiri >= 1.4.4
== Installation
Unsurprisingly:
* gem install loofah
== Support
The bug tracker is available here:
* https://github.com/flavorjones/loofah/issues
And the mailing list is on librelist:
* loofah@librelist.com / http://librelist.com
And the IRC channel is \#loofah on freenode.
== Related Links
* Nokogiri: http://nokogiri.org
* libxml2: http://xmlsoft.org
* html5lib: https://code.google.com/p/html5lib
== Authors
* {Mike Dalessio}[http://mike.daless.io] (@flavorjones[https://twitter.com/flavorjones])
* Bryan Helmkamp
Featuring code contributed by:
* Aaron Patterson
* John Barnette
* Josh Owens
* Paul Dix
* Luke Melia
And a big shout-out to Corey Innis for the name, and feedback on the API.
== Thank You
The following people have generously donated via the Pledgie[http://pledgie.com] badge on the {Loofah github page}[https://github.com/flavorjones/loofah]:
* Bill Harding
== Historical Note
This library was formerly known as Dryopteris, which was a very bad
name that nobody could spell properly.
== License
The MIT License
Copyright (c) 2009 -- 2014 by Mike Dalessio, Bryan Helmkamp
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
����������������������������������������������loofah-2.0.3/benchmark/�����������������������������������������������������������������������������0000755�0000041�0000041�00000000000�12572770001�014747� 5����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/benchmark/helper.rb��������������������������������������������������������������������0000644�0000041�0000041�00000003403�12572770001�016553� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������require 'rubygems'
require 'open-uri'
require 'hpricot'
require File.expand_path(File.dirname(__FILE__) + "/../lib/loofah")
require 'benchmark'
require "action_view"
require "action_controller/vendor/html-scanner"
require "sanitize"
require 'hitimes'
require 'htmlfilter'
unless defined?(HTMLFilter)
HTMLFilter = HtmlFilter
end
class RailsSanitize
include ActionView::Helpers::SanitizeHelper
extend ActionView::Helpers::SanitizeHelper::ClassMethods
end
class HTML5libSanitize
require 'html5/html5parser'
require 'html5/liberalxmlparser'
require 'html5/treewalkers'
require 'html5/treebuilders'
require 'html5/serializer'
require 'html5/sanitizer'
include HTML5
def sanitize(html)
HTMLParser.parse_fragment(html, {
:tokenizer => HTMLSanitizer,
:encoding => 'utf-8',
:tree => TreeBuilders::REXML::TreeBuilder
}).to_s
end
end
BIG_FILE = File.read(File.join(File.dirname(__FILE__), "www.slashdot.com.html"))
FRAGMENT = File.read(File.join(File.dirname(__FILE__), "fragment.html"))
SNIPPET = "This is typical form field input in length and content."
class Measure
def initialize
clear_measure
end
def clear_measure
@first_time = true
@baseline = nil
end
def measure(name, ntimes)
if @first_time
printf " %-30s %7s %8s %5s\n", "", "total", "single", "rel"
@first_time = false
end
timer = Hitimes::TimedMetric.new(name)
timer.start
ntimes.times do |j|
yield
end
timer.stop
if @baseline
printf " %30s %7.3f (%8.6f) %5.2fx\n", timer.name, timer.sum, timer.sum / ntimes, timer.sum / @baseline
else
@baseline = timer.sum
printf " %30s %7.3f (%8.6f) %5s\n", timer.name, timer.sum, timer.sum / ntimes, "-"
end
timer.sum
end
end
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������loofah-2.0.3/benchmark/fragment.html����������������������������������������������������������������0000644�0000041�0000041�00000006152�12572770001�017444� 0����������������������������������������������������������������������������������������������������ustar �www-data������������������������www-data���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
}[https://travis-ci.org/flavorjones/loofah]
* https://github.com/flavorjones/loofah
* http://rubydoc.info/github/flavorjones/loofah/master/frames
* http://librelist.com/browser/loofah
== Description
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure. (These statements have
not been evaluated by Netexperts.)
ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see
https://github.com/flavorjones/loofah-activerecord).
== Features
* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists).
* Common HTML sanitizing tasks are built-in:
* _Strip_ unsafe tags, leaving behind only the inner text.
* _Prune_ unsafe tags and their subtrees, removing all traces that they ever existed.
* _Escape_ unsafe tags and their subtrees, leaving behind lots of < and > entities.
* _Whitewash_ the markup, removing all attributes and namespaced nodes.
* Common HTML transformation tasks are built-in:
* Add the _nofollow_ attribute to all hyperlinks.
* Format markup as plain text, with or without sensible whitespace handling around block elements.
* Replace Rails's +strip_tags+ and +sanitize+ view helper methods.
== Compare and Contrast
Loofah is one of two known Ruby XSS/sanitization solutions that
guarantees well-formed and valid markup (the other is Sanitize, which
also uses Nokogiri).
Loofah works on XML, XHTML and HTML documents.
Also, it's pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
* https://gist.github.com/170193
Lastly, Loofah is extensible. It's super-easy to write your own custom
scrubbers for whatever document manipulation you need. You don't like
the built-in scrubbers? Build your own, like a boss.
== The Basics
Loofah wraps Nokogiri[http://nokogiri.org] in a loving
embrace. Nokogiri[http://nokogiri.org] is an excellent HTML/XML
parser. If you don't know how Nokogiri[http://nokogiri.org] works, you
might want to pause for a moment and go check it out. I'll wait.
Loofah presents the following classes:
* Loofah::HTML::Document and Loofah::HTML::DocumentFragment
* Loofah::XML::Document and Loofah::XML::DocumentFragment
* Loofah::Scrubber
The documents and fragments are subclasses of the similar Nokogiri classes.
The Scrubber represents the document manipulation, either by wrapping
a block,
span2div = Loofah::Scrubber.new do |node|
node.name = "div" if node.name == "span"
end
or by implementing a method.
=== Side Note: Fragments vs Documents
Generally speaking, unless you expect to have a DOCTYPE and a single
root node, you don't have a *document*, you have a *fragment*. For
HTML, another rule of thumb is that *documents* have +html+ and +body+
tags, and *fragments* usually do not.
HTML fragments should be parsed with Loofah.fragment. The result won't
be wrapped in +html+ or +body+ tags, won't have a DOCTYPE declaration,
+head+ elements will be silently ignored, and multiple root nodes are
allowed.
XML fragments should be parsed with Loofah.xml_fragment. The result
won't have a DOCTYPE declaration, and multiple root nodes are allowed.
HTML documents should be parsed with Loofah.document. The result will
have a DOCTYPE declaration, along with +html+, +head+ and +body+ tags.
XML documents should be parsed with Loofah.xml_document. The result
will have a DOCTYPE declaration and a single root node.
=== Loofah::HTML::Document and Loofah::HTML::DocumentFragment
These classes are subclasses of Nokogiri::HTML::Document and
Nokogiri::HTML::DocumentFragment, so you get all the markup
fixer-uppery and API goodness of Nokogiri.
The module methods Loofah.document and Loofah.fragment will parse an
HTML document and an HTML fragment, respectively.
Loofah.document(unsafe_html).is_a?(Nokogiri::HTML::Document) # => true
Loofah.fragment(unsafe_html).is_a?(Nokogiri::HTML::DocumentFragment) # => true
Loofah injects a +scrub!+ method, which takes either a symbol (for
built-in scrubbers) or a Loofah::Scrubber object (for custom
scrubbers), and modifies the document in-place.
Loofah overrides +to_s+ to return HTML:
unsafe_html = "ohai!