diff options
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/ruby-sanitize-system-libxml.patch | 38 | ||||
-rw-r--r-- | gnu/packages/ruby.scm | 23 |
2 files changed, 49 insertions, 12 deletions
diff --git a/gnu/packages/patches/ruby-sanitize-system-libxml.patch b/gnu/packages/patches/ruby-sanitize-system-libxml.patch new file mode 100644 index 0000000000..d19eb07294 --- /dev/null +++ b/gnu/packages/patches/ruby-sanitize-system-libxml.patch @@ -0,0 +1,38 @@ +Fix test failures that occur when nokogiri is using system libxml: + + https://github.com/rgrove/sanitize/issues/198 + +Taken from upstream: +https://github.com/rgrove/sanitize/commit/21da9b62baf9ea659811d92e6b574130aee57eba + +diff --git a/test/test_malicious_html.rb b/test/test_malicious_html.rb +index 2c23074..0756de0 100644 +--- a/test/test_malicious_html.rb ++++ b/test/test_malicious_html.rb +@@ -135,6 +135,8 @@ + # The relevant libxml2 code is here: + # <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588> + describe 'unsafe libxml2 server-side includes in attributes' do ++ using_unpatched_libxml2 = Nokogiri::VersionInfo.instance.libxml2_using_system? ++ + tag_configs = [ + { + tag_name: 'a', +@@ -166,6 +168,8 @@ + input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>] + + it 'should escape unsafe characters in attributes' do ++ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2 ++ + # This uses Nokogumbo's HTML-compliant serializer rather than + # libxml2's. + @s.fragment(input). +@@ -191,6 +195,8 @@ + input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>] + + it 'should not escape characters unnecessarily' do ++ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2 ++ + # This uses Nokogumbo's HTML-compliant serializer rather than + # libxml2's. + @s.fragment(input). diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 396d4a021f..08c55e4e3c 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -5319,33 +5319,32 @@ access the result as a Nokogiri parsed document.") (define-public ruby-sanitize (package (name "ruby-sanitize") - (version "4.6.3") + (version "5.1.0") + (home-page "https://github.com/rgrove/sanitize") (source (origin - (method url-fetch) + (method git-fetch) ;; The gem does not include the Rakefile, so we download the - ;; release tarball from Github. - (uri (string-append "https://github.com/rgrove/" - "sanitize/archive/v" version ".tar.gz")) - (file-name (string-append name "-" version ".tar.gz")) + ;; source from Github. + (uri (git-reference + (url home-page) + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches (search-patches "ruby-sanitize-system-libxml.patch")) (sha256 (base32 - "1fmqppwif3cm8h79006jfzkdnlxxzlry9kzk03psk0d5xpg55ycc")))) + "0lj0q9yhjp0q0in5majkshnki07mw8m2vxgndx4m5na6232aszl0")))) (build-system ruby-build-system) (propagated-inputs `(("ruby-crass" ,ruby-crass) ("ruby-nokogiri" ,ruby-nokogiri) ("ruby-nokogumbo" ,ruby-nokogumbo))) (native-inputs - `(("bundler" ,bundler) - ("ruby-minitest" ,ruby-minitest) - ("ruby-redcarpet" ,ruby-redcarpet) - ("ruby-yard" ,ruby-yard))) + `(("ruby-minitest" ,ruby-minitest))) (synopsis "Whitelist-based HTML and CSS sanitizer") (description "Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable HTML and/or CSS from a string.") - (home-page "https://github.com/rgrove/sanitize/") (license license:expat))) (define-public ruby-oj |