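# loofah-2.2.2/ (tar directory entry)
# loofah-2.2.2/Rakefile
require 'rubygems'
gem 'hoe', '>= 2.3.0'
require 'hoe'
require 'concourse'

Hoe.plugin :git
Hoe.plugin :gemspec
Hoe.plugin :bundler
Hoe.plugin :debugging

# Gem metadata and dependency declarations. Hoe derives the gemspec, the
# Gemfile (via hoe-bundler) and the release/test tasks from this block, so
# this is the single place where runtime and development dependencies live.
Hoe.spec "loofah" do
  developer "Mike Dalessio", "mike.dalessio@gmail.com"
  developer "Bryan Helmkamp", "bryan@brynary.com"

  self.extra_rdoc_files = FileList["*.md"]
  self.history_file = "CHANGELOG.md"
  self.readme_file = "README.md"
  self.license "MIT"

  # Runtime dependencies.
  extra_deps << ["nokogiri", ">=1.5.9"]
  extra_deps << ["crass", "~> 1.0.2"]

  # Development-only dependencies.
  extra_dev_deps << ["rake", ">=0.8"]
  extra_dev_deps << ["minitest", "~>2.2"]
  extra_dev_deps << ["rr", "~>1.2.0"]
  extra_dev_deps << ["json", ">=0"]
  extra_dev_deps << ["hoe-gemspec", ">=0"]
  extra_dev_deps << ["hoe-debugging", ">=0"]
  extra_dev_deps << ["hoe-bundler", ">=0"]
  extra_dev_deps << ["hoe-git", ">=0"]
  extra_dev_deps << ["concourse", ">=0.15.0"]
end

# Regenerates loofah.gemspec from Hoe's `debug_gem` output, dropping rake's
# "(in DIR)" chatter line. `sh` raises on a non-zero exit where `system`
# silently returned false; because the pipeline's status is grep's, an empty
# result (rake failed before printing anything) is checked explicitly too.
task :gemspec do
  gemspec_path = "loofah.gemspec"
  sh %q(rake debug_gem | grep -v "^\(in " > loofah.gemspec)
  raise "#{gemspec_path} is empty; `rake debug_gem` probably failed" if File.zero?(gemspec_path)
end

task :redocs => :fix_css
task :docs => :fix_css

# Appends rdoc CSS overrides to doc/rdoc.css. Guarded so that repeated
# `rake docs` runs do not stack duplicate copies of the same rules.
task :fix_css do
  better_css = <<-EOT
    .method-description pre {
      margin : 1em 0 ;
    }
    .method-description ul {
      padding : .5em 0 .5em 2em ;
    }
    .method-description p {
      margin-top : .5em ;
    }
    #main ul, div#documentation ul {
      list-style-type : disc ! IMPORTANT ;
      list-style-position : inside ! IMPORTANT ;
    }
    h2 + ul {
      margin-top : 1em;
    }
  EOT
  css_path = "doc/rdoc.css"
  if File.exist?(css_path) && File.read(css_path).include?(better_css)
    puts "* css already fixed"
  else
    puts "* fixing css"
    File.open(css_path, "a") { |f| f.write better_css }
  end
end

desc "generate and upload docs to rubyforge"
task :doc_upload_to_rubyforge => :docs do
  Dir.chdir "doc" do
    # `sh` fails the task on an rsync error instead of ignoring it.
    sh "rsync -avz --delete * rubyforge.org:/var/www/gforge-projects/loofah/loofah"
  end
end

desc "generate whitelists from W3C specifications"
task :generate_whitelists do
  # tasks/generate-whitelists is not listed in Manifest.txt, so this task
  # only works from a source checkout, not from the packaged gem.
  load "tasks/generate-whitelists"
end

Concourse.new("loofah").create_tasks!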
loofah-2.2.2/.gemtest0000644000004100000410000000000013255025667014467 0ustar www-datawww-dataloofah-2.2.2/Manifest.txt0000644000004100000410000000166713255025667015351 0ustar www-datawww-data.gemtest CHANGELOG.md Gemfile MIT-LICENSE.txt Manifest.txt README.md Rakefile SECURITY.md benchmark/benchmark.rb benchmark/fragment.html benchmark/helper.rb benchmark/www.slashdot.com.html lib/loofah.rb lib/loofah/elements.rb lib/loofah/helpers.rb lib/loofah/html/document.rb lib/loofah/html/document_fragment.rb lib/loofah/html5/libxml2_workarounds.rb lib/loofah/html5/scrub.rb lib/loofah/html5/whitelist.rb lib/loofah/instance_methods.rb lib/loofah/metahelpers.rb lib/loofah/scrubber.rb lib/loofah/scrubbers.rb lib/loofah/xml/document.rb lib/loofah/xml/document_fragment.rb test/assets/testdata_sanitizer_tests1.dat test/helper.rb test/html5/test_sanitizer.rb test/integration/test_ad_hoc.rb test/integration/test_helpers.rb test/integration/test_html.rb test/integration/test_scrubbers.rb test/integration/test_xml.rb test/unit/test_api.rb test/unit/test_encoding.rb test/unit/test_helpers.rb test/unit/test_scrubber.rb test/unit/test_scrubbers.rb loofah-2.2.2/Gemfile0000644000004100000410000000145313255025667014326 0ustar www-datawww-data# -*- ruby -*- # DO NOT EDIT THIS FILE. Instead, edit Rakefile, and run `rake bundler:gemfile`. 
source "https://rubygems.org/" gem "nokogiri", ">=1.5.9" gem "crass", "~>1.0.2" gem "rake", ">=0.8", :group => [:development, :test] gem "minitest", "~>2.2", :group => [:development, :test] gem "rr", "~>1.2.0", :group => [:development, :test] gem "json", ">=0", :group => [:development, :test] gem "hoe-gemspec", ">=0", :group => [:development, :test] gem "hoe-debugging", ">=0", :group => [:development, :test] gem "hoe-bundler", ">=0", :group => [:development, :test] gem "hoe-git", ">=0", :group => [:development, :test] gem "concourse", ">=0.15.0", :group => [:development, :test] gem "rdoc", "~>4.0", :group => [:development, :test] gem "hoe", "~>3.16", :group => [:development, :test] # vim: syntax=ruby loofah-2.2.2/SECURITY.md0000644000004100000410000000243413255025667014624 0ustar www-datawww-data# Security and Vulnerability Reporting The Loofah core contributors take security very seriously and investigate all reported vulnerabilities. If you would like to report a vulnerability or have a security concern regarding Loofah, please [report it via HackerOne](https://hackerone.com/loofah/reports/new). Your report will be acknowledged within 24 hours, and you'll receive a more detailed response within 72 hours indicating next steps in handling your report. If you have not received a reply to your submission within 48 hours, there are a few steps you can take: * Contact the current security coordinator (Mike Dalessio, mike.dalessio@gmail.com) * Email the Loofah user group at loofah@librelist.com (archive at http://librelist.com) Please note, the user group list is a public area. When escalating in that venue, please do not discuss your issue. Simply say that you're trying to get a hold of someone from the core team. The information you share with the Loofah core contributors as part of this process will be kept confidential within the team, unless or until we need to share information upstream with our dependent libraries' core teams, at which point we will notify you. 
If a vulnerability is first reported by you, we will credit you with the discovery in the public disclosure. loofah-2.2.2/loofah.gemspec0000644000004100000410000001122513255025670015640 0ustar www-datawww-data######################################################### # This file has been automatically generated by gem2tgz # ######################################################### # -*- encoding: utf-8 -*- Gem::Specification.new do |s| s.name = "loofah" s.version = "2.2.2" s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= s.authors = ["Mike Dalessio", "Bryan Helmkamp"] s.date = "2018-03-22" s.description = "Loofah is a general library for manipulating and transforming HTML/XML\ndocuments and fragments. It's built on top of Nokogiri and libxml2, so\nit's fast and has a nice API.\n\nLoofah excels at HTML sanitization (XSS prevention). It includes some\nnice HTML sanitizers, which are based on HTML5lib's whitelist, so it\nmost likely won't make your codes less secure. (These statements have\nnot been evaluated by Netexperts.)\n\nActiveRecord extensions for sanitization are available in the\n[`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord)." 
s.email = ["mike.dalessio@gmail.com", "bryan@brynary.com"] s.extra_rdoc_files = ["CHANGELOG.md", "MIT-LICENSE.txt", "Manifest.txt", "README.md", "SECURITY.md"] s.files = [".gemtest", "CHANGELOG.md", "Gemfile", "MIT-LICENSE.txt", "Manifest.txt", "README.md", "Rakefile", "SECURITY.md", "benchmark/benchmark.rb", "benchmark/fragment.html", "benchmark/helper.rb", "benchmark/www.slashdot.com.html", "lib/loofah.rb", "lib/loofah/elements.rb", "lib/loofah/helpers.rb", "lib/loofah/html/document.rb", "lib/loofah/html/document_fragment.rb", "lib/loofah/html5/libxml2_workarounds.rb", "lib/loofah/html5/scrub.rb", "lib/loofah/html5/whitelist.rb", "lib/loofah/instance_methods.rb", "lib/loofah/metahelpers.rb", "lib/loofah/scrubber.rb", "lib/loofah/scrubbers.rb", "lib/loofah/xml/document.rb", "lib/loofah/xml/document_fragment.rb", "test/assets/testdata_sanitizer_tests1.dat", "test/helper.rb", "test/html5/test_sanitizer.rb", "test/integration/test_ad_hoc.rb", "test/integration/test_helpers.rb", "test/integration/test_html.rb", "test/integration/test_scrubbers.rb", "test/integration/test_xml.rb", "test/unit/test_api.rb", "test/unit/test_encoding.rb", "test/unit/test_helpers.rb", "test/unit/test_scrubber.rb", "test/unit/test_scrubbers.rb"] s.homepage = "https://github.com/flavorjones/loofah" s.licenses = ["MIT"] s.rdoc_options = ["--main", "README.md"] s.require_paths = ["lib"] s.rubygems_version = "1.8.23" s.summary = "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments" if s.respond_to? 
:specification_version then s.specification_version = 4 if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then s.add_development_dependency(%q, [">= 0.15.0"]) s.add_runtime_dependency(%q, ["~> 1.0.2"]) s.add_development_dependency(%q, ["~> 3.16"]) s.add_development_dependency(%q, [">= 0"]) s.add_development_dependency(%q, [">= 0"]) s.add_development_dependency(%q, [">= 0"]) s.add_development_dependency(%q, [">= 0"]) s.add_development_dependency(%q, [">= 0"]) s.add_development_dependency(%q, ["~> 2.2"]) s.add_runtime_dependency(%q, [">= 1.5.9"]) s.add_development_dependency(%q, [">= 0.8"]) s.add_development_dependency(%q, ["~> 4.0"]) s.add_development_dependency(%q, ["~> 1.2.0"]) else s.add_dependency(%q, [">= 0.15.0"]) s.add_dependency(%q, ["~> 1.0.2"]) s.add_dependency(%q, ["~> 3.16"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, ["~> 2.2"]) s.add_dependency(%q, [">= 1.5.9"]) s.add_dependency(%q, [">= 0.8"]) s.add_dependency(%q, ["~> 4.0"]) s.add_dependency(%q, ["~> 1.2.0"]) end else s.add_dependency(%q, [">= 0.15.0"]) s.add_dependency(%q, ["~> 1.0.2"]) s.add_dependency(%q, ["~> 3.16"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, ["~> 2.2"]) s.add_dependency(%q, [">= 1.5.9"]) s.add_dependency(%q, [">= 0.8"]) s.add_dependency(%q, ["~> 4.0"]) s.add_dependency(%q, ["~> 1.2.0"]) end end loofah-2.2.2/benchmark/0000755000004100000410000000000013255025667014762 5ustar www-datawww-dataloofah-2.2.2/benchmark/helper.rb0000644000004100000410000000340313255025667016566 0ustar www-datawww-datarequire 'rubygems' require 'open-uri' require 'hpricot' require File.expand_path(File.dirname(__FILE__) + "/../lib/loofah") require 'benchmark' require "action_view" require "action_controller/vendor/html-scanner" 
# loofah-2.2.2/benchmark/helper.rb (continued)
require "sanitize"
require 'hitimes'
require 'htmlfilter'

# Older htmlfilter releases expose the class as HtmlFilter; alias it so the
# benchmark can refer to a single constant name either way.
unless defined?(HTMLFilter)
  HTMLFilter = HtmlFilter
end

# Exposes Rails' SanitizeHelper as a plain object so it can be timed like the
# other sanitizers.
class RailsSanitize
  include ActionView::Helpers::SanitizeHelper
  extend ActionView::Helpers::SanitizeHelper::ClassMethods
end

# Wraps the html5lib sanitizing tokenizer for comparison runs.
class HTML5libSanitize
  require 'html5/html5parser'
  require 'html5/liberalxmlparser'
  require 'html5/treewalkers'
  require 'html5/treebuilders'
  require 'html5/serializer'
  require 'html5/sanitizer'
  include HTML5

  # Parses +html+ as a fragment through the sanitizing tokenizer and
  # serializes the resulting REXML tree back to a string.
  def sanitize(html)
    parser_options = {
      :tokenizer => HTMLSanitizer,
      :encoding => 'utf-8',
      :tree => TreeBuilders::REXML::TreeBuilder,
    }
    HTMLParser.parse_fragment(html, parser_options).to_s
  end
end

# Benchmark inputs, loaded once relative to this file.
benchmark_dir = File.dirname(__FILE__)
BIG_FILE = File.read(File.join(benchmark_dir, "www.slashdot.com.html"))
FRAGMENT = File.read(File.join(benchmark_dir, "fragment.html"))
SNIPPET = "This is typical form field input in length and content."

# Runs a block repeatedly under a Hitimes timer and prints one table row per
# call; the first row measured after a reset becomes the baseline for the
# "rel" column.
class Measure
  def initialize
    clear_measure
  end

  # Forgets the header/baseline state so the next #measure starts a fresh table.
  def clear_measure
    @first_time = true
    @baseline = nil
  end

  # Times +ntimes+ invocations of the given block, prints a row labelled
  # +name+ and returns the total elapsed time as reported by Hitimes.
  def measure(name, ntimes)
    print_header if @first_time

    metric = Hitimes::TimedMetric.new(name)
    metric.start
    ntimes.times { yield }
    metric.stop

    total = metric.sum
    per_call = total / ntimes
    if @baseline
      printf " %30s %7.3f (%8.6f) %5.2fx\n", metric.name, total, per_call, total / @baseline
    else
      @baseline = total
      printf " %30s %7.3f (%8.6f) %5s\n", metric.name, total, per_call, "-"
    end
    total
  end

  private

  # Prints the column header once per table and clears the first-run flag.
  def print_header
    printf " %-30s %7s %8s %5s\n", "", "total", "single", "rel"
    @first_time = false
  end
end

# loofah-2.2.2/benchmark/fragment.html (tar entry; content follows)