Address Loofah constant name changes

Require Loofah ~> 2.3 so we can rely on the new constants.
rails · Sep 29, 2019 · 93eb249 · 93eb249
2 parents b8ea80d + 43a87f5
commit 93eb249
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
@@ -74,7 +74,7 @@ def sanitize(html, options = {})
     #
     # === Options
     # Sanitizes both html and css via the safe lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
     # SafeListSanitizer also accepts options to configure
     # the safe list used when sanitizing html.

diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -138,17 +138,17 @@ def scrub_attribute(node, attr_node)
                       attr_node.node_name
                     end
 
-        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
           # this block lifted nearly verbatim from HTML5 sanitization
           val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
             attr_node.remove
           end
         end
-        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
           attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
         end
-        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
 

diff --git a/rails-html-sanitizer.gemspec b/rails-html-sanitizer.gemspec
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
 
   # NOTE: There's no need to update this dependency for Loofah CVEs
   # in minor releases when users can simply run `bundle update loofah`.
-  spec.add_dependency "loofah", "~> 2.2", ">= 2.2.2"
+  spec.add_dependency "loofah", "~> 2.3"
 
   spec.add_development_dependency "bundler", ">= 1.3"
   spec.add_development_dependency "rake"

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -181,7 +181,7 @@ def test_sanitize_image_src
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
 
-  tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
+  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
   tags.each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       scope_allowed_tags(tags) do