From 784849167d19f7906be90af3fd0ab79f6f93d9b0 Mon Sep 17 00:00:00 2001
From: Terentev Aleksey <terentev555@gmail.com>
Date: Fri, 11 Aug 2023 14:21:31 +0500
Subject: [PATCH] feat: add options for sanitize outer links in css

https://jira.railsc.ru/browse/PC4-29908
---
 lib/string_tools.rb       | 12 ++++++++++--
 spec/string_tools_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/lib/string_tools.rb b/lib/string_tools.rb
index b124481..30291da 100644
--- a/lib/string_tools.rb
+++ b/lib/string_tools.rb
@@ -155,6 +155,11 @@ class Base
 
       TAGS_WITHOUT_ATTRIBUTES = %w(b strong i em sup sub ul ol li blockquote br tr u caption thead s).freeze
 
+      # Public: Sanitize string
+      # str - String for sanitize
+      # attrs - Hash, custom attributes, defaults empty hash
+      #   remove_contents - Set of string, tags to be removed
+      #   protocols - Array of string, protocols using in css properties urls
       def sanitize(str, attrs = {})
         # для корректного обрезания utf строчек режем через mb_chars
         # для защиты от перегрузки парсера пропускаем максимум 1 мегабайт текста
@@ -162,6 +167,9 @@ def sanitize(str, attrs = {})
         # длина по символам с перестраховкой, т.к. латинские символы(теги, например) занимают 1 байт
         str = str.mb_chars.slice(0..(2**19)).to_s
 
+        remove_contents = attrs.delete(:remove_contents)
+        protocols = attrs.delete(:protocols) || []
+
         # Мерджим добавочные теги и атрибуты
         attributes = TAGS_WITH_ATTRIBUTES.merge(attrs)
         elements = attributes.keys | TAGS_WITHOUT_ATTRIBUTES
@@ -173,8 +181,8 @@ def sanitize(str, attrs = {})
           str,
           :attributes => attributes,
           :elements => elements,
-          :css => {:properties => Sanitize::Config::RELAXED[:css][:properties]},
-          :remove_contents => %w(style script),
+          :css => {:properties => Sanitize::Config::RELAXED[:css][:properties], protocols: protocols},
+          :remove_contents => remove_contents || Set['style', 'script'],
           :allow_comments => false,
           :transformers => transformers
         )
diff --git a/spec/string_tools_spec.rb b/spec/string_tools_spec.rb
index b99a907..1d6b7f2 100644
--- a/spec/string_tools_spec.rb
+++ b/spec/string_tools_spec.rb
@@ -56,6 +56,30 @@
         to eq('<iframe width="123" height="456" src="https://www.youtube.com/embed/abc" frameborder="0"></iframe>')
     end
 
+    it 'removes outer link from css when protocols given' do
+      origin_str = '<div style="background-image: url(http://i54.tinypic.com/4zuxif.jpg)"></div>'
+      sanitized_string = described_class.sanitize(origin_str)
+      expect(sanitized_string).to eq('<div></div>')
+    end
+
+    it 'do not removes outer link from css when protocols given' do
+      origin_str = '<div style="background-image: url(http://i54.tinypic.com/4zuxif.jpg)"></div>'
+      sanitized_string = described_class.sanitize(origin_str, protocols: %w[http https])
+      expect(sanitized_string).to eq('<div style="background-image: url(http://i54.tinypic.com/4zuxif.jpg)"></div>')
+    end
+
+    it 'removes style content' do
+      origin_str = '<style type="text/css">body{color: red;}</style>'
+      sanitized_string = described_class.sanitize(origin_str)
+      expect(sanitized_string).to eq('')
+    end
+
+    it 'do not removes style content' do
+      origin_str = '<style type="text/css">body{color: red;}</style>'
+      sanitized_string = described_class.sanitize(origin_str, 'style' => %w(type), remove_contents: Set['script'])
+      expect(sanitized_string).to eq('<style type="text/css">body{color: red;}</style>')
+    end
+
     context 'multiple invocations of the method' do
       it 'does not mess up default config' do
         origin_str = '<p style="text-align: center;" title="foobar"></p>'