summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/patches/ruby-sanitize-system-libxml.patch38
-rw-r--r--gnu/packages/ruby.scm23
2 files changed, 49 insertions, 12 deletions
diff --git a/gnu/packages/patches/ruby-sanitize-system-libxml.patch b/gnu/packages/patches/ruby-sanitize-system-libxml.patch
new file mode 100644
index 0000000000..d19eb07294
--- /dev/null
+++ b/gnu/packages/patches/ruby-sanitize-system-libxml.patch
@@ -0,0 +1,38 @@
+Fix test failures that occur when nokogiri is using system libxml:
+
+  https://github.com/rgrove/sanitize/issues/198
+
+Taken from upstream:
+https://github.com/rgrove/sanitize/commit/21da9b62baf9ea659811d92e6b574130aee57eba
+
+diff --git a/test/test_malicious_html.rb b/test/test_malicious_html.rb
+index 2c23074..0756de0 100644
+--- a/test/test_malicious_html.rb
++++ b/test/test_malicious_html.rb
+@@ -135,6 +135,8 @@
+   # The relevant libxml2 code is here:
+   # <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
+   describe 'unsafe libxml2 server-side includes in attributes' do
++    using_unpatched_libxml2 = Nokogiri::VersionInfo.instance.libxml2_using_system?
++
+     tag_configs = [
+       {
+         tag_name: 'a',
+@@ -166,6 +168,8 @@
+         input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
+ 
+         it 'should escape unsafe characters in attributes' do
++          skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
++
+           # This uses Nokogumbo's HTML-compliant serializer rather than
+           # libxml2's.
+           @s.fragment(input).
+@@ -191,6 +195,8 @@
+         input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
+ 
+         it 'should not escape characters unnecessarily' do
++          skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
++
+           # This uses Nokogumbo's HTML-compliant serializer rather than
+           # libxml2's.
+           @s.fragment(input).
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 396d4a021f..08c55e4e3c 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -5319,33 +5319,32 @@ access the result as a Nokogiri parsed document.")
 (define-public ruby-sanitize
   (package
     (name "ruby-sanitize")
-    (version "4.6.3")
+    (version "5.1.0")
+    (home-page "https://github.com/rgrove/sanitize")
     (source (origin
-              (method url-fetch)
+              (method git-fetch)
               ;; The gem does not include the Rakefile, so we download the
-              ;; release tarball from Github.
-              (uri (string-append "https://github.com/rgrove/"
-                                  "sanitize/archive/v" version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
+              ;; source from Github.
+              (uri (git-reference
+                    (url home-page)
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches (search-patches "ruby-sanitize-system-libxml.patch"))
               (sha256
                (base32
-                "1fmqppwif3cm8h79006jfzkdnlxxzlry9kzk03psk0d5xpg55ycc"))))
+                "0lj0q9yhjp0q0in5majkshnki07mw8m2vxgndx4m5na6232aszl0"))))
     (build-system ruby-build-system)
     (propagated-inputs
      `(("ruby-crass" ,ruby-crass)
        ("ruby-nokogiri" ,ruby-nokogiri)
        ("ruby-nokogumbo" ,ruby-nokogumbo)))
     (native-inputs
-     `(("bundler" ,bundler)
-       ("ruby-minitest" ,ruby-minitest)
-       ("ruby-redcarpet" ,ruby-redcarpet)
-       ("ruby-yard" ,ruby-yard)))
+     `(("ruby-minitest" ,ruby-minitest)))
     (synopsis "Whitelist-based HTML and CSS sanitizer")
     (description
      "Sanitize is a whitelist-based HTML and CSS sanitizer.  Given a list of
 acceptable elements, attributes, and CSS properties, Sanitize will remove all
 unacceptable HTML and/or CSS from a string.")
-    (home-page "https://github.com/rgrove/sanitize/")
     (license license:expat)))
 
 (define-public ruby-oj