From b67b6ace13f06f813e2e39ab894f990e1d735b94 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 09:35:04 -0400
Subject: [PATCH 01/10] rubocop: enable Minitest/NoAssertions

---
 .rubocop.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.rubocop.yml b/.rubocop.yml
index fa00f06..b96841e 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -343,3 +343,6 @@ Minitest/SkipEnsure:
 
 Minitest/UnreachableAssertion:
   Enabled: true
+
+Minitest/NoAssertions:
+  Enabled: true

From 1a3a812b4778426f55584fd412c559638846f82c Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 10 May 2023 16:15:46 -0400
Subject: [PATCH 02/10] style: scrubber tag and attribute arrays

---
 lib/rails/html/sanitizer.rb | 63 ++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 5 deletions(-)

diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index dc50430..73d5468 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -2,7 +2,7 @@
 
 module Rails
   module Html
-    XPATHS_TO_REMOVE = %w{.//script .//form comment()}
+    XPATHS_TO_REMOVE = [".//script", ".//form", "comment()"]
 
     class Sanitizer # :nodoc:
       def sanitize(html, options = {})
@@ -106,10 +106,63 @@ class << self
         attr_accessor :allowed_tags
         attr_accessor :allowed_attributes
       end
-      self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub
-        sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
-        acronym a img blockquote del ins))
-      self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
+      self.allowed_tags = Set.new([
+        "a",
+        "abbr",
+        "acronym",
+        "address",
+        "b",
+        "big",
+        "blockquote",
+        "br",
+        "cite",
+        "code",
+        "dd",
+        "del",
+        "dfn",
+        "div",
+        "dl",
+        "dt",
+        "em",
+        "h1",
+        "h2",
+        "h3",
+        "h4",
+        "h5",
+        "h6",
+        "hr",
+        "i",
+        "img",
+        "ins",
+        "kbd",
+        "li",
+        "ol",
+        "p",
+        "pre",
+        "samp",
+        "small",
+        "span",
+        "strong",
+        "sub",
+        "sup",
+        "tt",
+        "ul",
+        "var",
+      ])
+      self.allowed_attributes = Set.new([
+        "abbr",
+        "alt",
+        "cite",
+        "class",
+        "datetime",
+        "height",
+        "href",
+        "name",
+        "src",
+        "title",
+        "width",
+        "xml:lang",
+      ])
 
       def initialize(prune: false)
         @permit_scrubber = PermitScrubber.new(prune: prune)

From f3102d15883ae4c50ba66eea6a0ef1517a666e5b Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 10 May 2023 17:04:13 -0400
Subject: [PATCH 03/10] feat: SafeListSanitizer allows "time" tag and "lang"
 attr

Reasons:

- the "datetime" attr is allowed, but is only valid in a "time" tag.
- the "xml:lang" attr is allowed, but is only valid if "lang" attr is
  also present.

The "time" tag and "lang" attribute should be considered safe and are
allowed by Loofah.

Also backfill tests around the default safe lists.
---
 CHANGELOG.md                |  7 +++++++
 lib/rails/html/sanitizer.rb |  2 ++
 test/sanitizer_test.rb      | 40 +++++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d9cd3b6..3bfec5c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## next / unreleased
+
+* `SafeListSanitizer` allows `time` tag and `lang` attribute by default.
+
+  *Mike Dalessio*
+
+
 ## 1.5.0 / 2023-01-20
 
 * `SafeListSanitizer`, `PermitScrubber`, and `TargetScrubber` now all support pruning of unsafe tags.
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index 73d5468..aec89e7 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -145,6 +145,7 @@ class << self
         "strong",
         "sub",
         "sup",
+        "time",
         "tt",
         "ul",
         "var",
@@ -157,6 +158,7 @@ class << self
         "datetime",
         "height",
         "href",
+        "lang",
         "name",
         "src",
         "title",
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 41b274e..6b36876 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -223,6 +223,21 @@ def test_allow_colons_in_path_component
     end
   end
 
+  def test_lang_and_xml_lang
+    # https://html.spec.whatwg.org/multipage/dom.html#the-lang-and-xml:lang-attributes
+    #
+    # 3.2.6.2 The lang and xml:lang attributes
+    #
+    # ... Authors must not use the lang attribute in the XML namespace on HTML elements in HTML
+    # documents. To ease migration to and from XML, authors may specify an attribute in no namespace
+    # with no prefix and with the literal localname "xml:lang" on HTML elements in HTML documents,
+    # but such attributes must only be specified if a lang attribute in no namespace is also
+    # specified, and both attributes must have the same value when compared in an ASCII
+    # case-insensitive manner.
+    input = expected = "<div lang=\"en\" xml:lang=\"en\">foo</div>"
+    assert_sanitized(input, expected)
+  end
+
   def test_should_handle_non_html
     assert_sanitized "abc"
   end
@@ -517,6 +532,31 @@ def test_allow_data_attribute_if_requested
     assert_equal %(<a data-foo="foo">foo</a>), safe_list_sanitize(text, attributes: ["data-foo"])
   end
 
+  # https://developer.mozilla.org/en-US/docs/Glossary/Void_element
+  VOID_ELEMENTS = %w[area base br col embed hr img input keygen link meta param source track wbr]
+
+  %w(strong em b i p code pre tt samp kbd var sub
+     sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
+     acronym a img blockquote del ins time).each do |tag_name|
+    define_method "test_default_safelist_should_allow_#{tag_name}" do
+      if VOID_ELEMENTS.include?(tag_name)
+        assert_sanitized("<#{tag_name}>")
+      else
+        assert_sanitized("<#{tag_name}>foo</#{tag_name}>")
+      end
+    end
+  end
+
+  def test_datetime_attribute
+    assert_sanitized("<time datetime=\"2023-01-01\">")
+  end
+
+  def test_abbr_attribute
+    scope_allowed_tags(%w(table tr th td)) do
+      assert_sanitized(%(<table><tr><td abbr="UK">United Kingdom</td></tr></table>))
+    end
+  end
+
   def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
     skip if RUBY_VERSION < "2.3"
 

From 4d792669559488db7c6e6669d76b3e8412c38aac Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 10 May 2023 17:11:58 -0400
Subject: [PATCH 04/10] feat: remove Rails::Html::XPATHS_TO_REMOVE

This has always been an implementation detail, and is not necessary
with the current default sanitizer behavior.
---
 CHANGELOG.md                | 5 +++++
 lib/rails/html/sanitizer.rb | 4 ----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bfec5c..80b52e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@
 
   *Mike Dalessio*
 
+* `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the existing sanitizers,
+  and should have been a private constant all along anyway.
+
+  *Mike Dalessio*
+
 
 ## 1.5.0 / 2023-01-20
 
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index aec89e7..531ff0d 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -2,8 +2,6 @@
 
 module Rails
   module Html
-    XPATHS_TO_REMOVE = [".//script", ".//form", "comment()"]
-
     class Sanitizer # :nodoc:
       def sanitize(html, options = {})
         raise NotImplementedError, "subclasses must implement sanitize method."
@@ -33,7 +31,6 @@ def sanitize(html, options = {})
 
         loofah_fragment = Loofah.fragment(html)
 
-        remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
         loofah_fragment.scrub!(TextOnlyScrubber.new)
 
         properly_encode(loofah_fragment, encoding: "UTF-8")
@@ -184,7 +181,6 @@ def sanitize(html, options = {})
           @permit_scrubber.attributes = allowed_attributes(options)
           loofah_fragment.scrub!(@permit_scrubber)
         else
-          remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
           loofah_fragment.scrub!(:strip)
         end
 

From fe9aa6fc9387b2e2888a19c1656ffb3f6f15f82e Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 10 May 2023 17:33:06 -0400
Subject: [PATCH 05/10] test: avoid renaming nodes to avoid errors in JRuby

Xerces doesn't allow node renaming (but libxml2 does)
---
 test/sanitizer_test.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 6b36876..bec0d80 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -328,20 +328,20 @@ def scrubber.scrub(node); node.name = "h1"; end
 
   def test_should_accept_loofah_inheriting_scrubber
     scrubber = Loofah::Scrubber.new
-    def scrubber.scrub(node); node.name = "h1"; end
+    def scrubber.scrub(node); node.replace("<h1>#{node.inner_html}</h1>"); end
 
     html = "<script>hello!</script>"
     assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
   end
 
   def test_should_accept_loofah_scrubber_that_wraps_a_block
-    scrubber = Loofah::Scrubber.new { |node| node.name = "h1" }
+    scrubber = Loofah::Scrubber.new { |node| node.replace("<h1>#{node.inner_html}</h1>") }
     html = "<script>hello!</script>"
     assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber)
   end
 
   def test_custom_scrubber_takes_precedence_over_other_options
-    scrubber = Loofah::Scrubber.new { |node| node.name = "h1" }
+    scrubber = Loofah::Scrubber.new { |node| node.replace("<h1>#{node.inner_html}</h1>") }
     html = "<script>hello!</script>"
     assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ["foo"])
   end

From 37017025f131bdd3482b561203bc90cc127f19fd Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 09:00:20 -0400
Subject: [PATCH 06/10] test: update to accommodate jruby behavior

---
 test/sanitizer_test.rb | 191 +++++++++++++++++++++++++++++++++--------
 1 file changed, 154 insertions(+), 37 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index bec0d80..f8f2e5f 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -6,6 +6,21 @@
 
 puts Nokogiri::VERSION_INFO
 
+#
+#  NOTE that many of these tests contain multiple acceptable results.
+#
+#  In some cases, this is because of how the HTML4 parser's recovery behavior changed in libxml2
+#  2.9.14 and 2.10.0. For more details, see:
+#
+#  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
+#  - https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
+#
+#  In other cases, multiple acceptable results are provided because Nokogiri's vendored libxml2 is
+#  patched to entity-escape server-side includes (aks "SSI", aka `<!-- #directive param=value -->`).
+#
+#  In many other cases, it's because the parser used by Nokogiri on JRuby (xerces+nekohtml) parses
+#  slightly differently than libxml2 in edge cases.
+#
 class SanitizersTest < Minitest::Test
   include Rails::Dom::Testing::Assertions::DomAssertions
 
@@ -20,7 +35,16 @@ def test_sanitize_nested_script
   end
 
   def test_sanitize_nested_script_in_style
-    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
+    input = '<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>'
+    result = safe_list_sanitize(input, tags: %w(em))
+    acceptable_results = [
+      # libxml2
+      %{&lt;script&gt;alert("XSS");&lt;/script&gt;},
+      # xerces+neko. unavoidable double-escaping, see loofah/docs/2022-10-decision-on-cdata-nodes.md
+      %{&amp;lt;script&amp;gt;alert(\"XSS\");&amp;lt;&amp;lt;/style&amp;gt;/script&amp;gt;},
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
@@ -56,8 +80,15 @@ def test_remove_xpaths_called_with_enumerable_xpaths
 
   def test_strip_tags_with_quote
     input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
-    expected = libxml_2_9_14_recovery_lt? ? %{&lt;"  hi} : %{ hi}
-    assert_equal(expected, full_sanitize(input))
+    result = full_sanitize(input)
+    acceptable_results = [
+      # libxml2 >= 2.9.14 and xerces+neko
+      %{&lt;"  hi},
+      # other libxml2
+      %{ hi},
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_strip_invalid_html
@@ -72,27 +103,54 @@ def test_strip_nested_tags
 
   def test_strip_tags_multiline
     expected = %{This is a test.\n\n\n\nIt no longer contains any HTML.\n}
-    input = %{<title>This is <b>a <a href="" target="_blank">test</a></b>.</title>\n\n<!-- it has a comment -->\n\n<p>It no <b>longer <strong>contains <em>any <strike>HTML</strike></em>.</strong></b></p>\n}
+    input = %{<h1>This is <b>a <a href="" target="_blank">test</a></b>.</h1>\n\n<!-- it has a comment -->\n\n<p>It no <b>longer <strong>contains <em>any <strike>HTML</strike></em>.</strong></b></p>\n}
 
     assert_equal expected, full_sanitize(input)
   end
 
   def test_remove_unclosed_tags
     input = "This is <-- not\n a comment here."
-    expected = libxml_2_9_14_recovery_lt? ? %{This is &lt;-- not\n a comment here.} : %{This is }
-    assert_equal(expected, full_sanitize(input))
+    result = full_sanitize(input)
+    acceptable_results = [
+      # libxml2 >= 2.9.14 and xerces+neko
+      %{This is &lt;-- not\n a comment here.},
+      # other libxml2
+      %{This is },
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_strip_cdata
     input = "This has a <![CDATA[<section>]]> here."
-    expected = libxml_2_9_14_recovery_lt_bang? ? %{This has a &lt;![CDATA[]]&gt; here.} : %{This has a ]]&gt; here.}
-    assert_equal(expected, full_sanitize(input))
+    result = full_sanitize(input)
+    acceptable_results = [
+      # libxml2 = 2.9.14
+      %{This has a &lt;![CDATA[]]&gt; here.},
+      # other libxml2
+      %{This has a ]]&gt; here.},
+      # xerces+neko
+      %{This has a  here.},
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_strip_unclosed_cdata
     input = "This has an unclosed <![CDATA[<section>]] here..."
-    expected = libxml_2_9_14_recovery_lt_bang? ? %{This has an unclosed &lt;![CDATA[]] here...} : %{This has an unclosed ]] here...}
-    assert_equal(expected, full_sanitize(input))
+
+    result = safe_list_sanitize(input)
+
+    acceptable_results = [
+      # libxml2 = 2.9.14
+      %{This has an unclosed &lt;![CDATA[]] here...},
+      # other libxml2
+      %{This has an unclosed ]] here...},
+      # xerces+neko
+      %{This has an unclosed }
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_strip_blank_string
@@ -168,7 +226,18 @@ def test_sanitize_form
   end
 
   def test_sanitize_plaintext
-    assert_sanitized "<plaintext><span>foo</span></plaintext>", "<span>foo</span>"
+    # note that the `plaintext` tag has been deprecated since HTML 2
+    # https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext
+    input = "<plaintext><span>foo</span></plaintext>"
+    result = safe_list_sanitize(input)
+    acceptable_results = [
+      # libxml2
+      "<span>foo</span>",
+      # xerces+nekohtml
+      "&lt;span&gt;foo&lt;/span&gt;&lt;/plaintext&gt;",
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_sanitize_script
@@ -302,6 +371,7 @@ def test_should_allow_custom_tags_with_custom_attributes
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
     actual = safe_list_sanitize(input, attributes: %w(style))
+
     assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
 
@@ -381,7 +451,16 @@ def test_should_not_fall_for_xss_image_hack_with_uppercase_tags
   end
 
   def test_should_sanitize_tag_broken_up_by_null
-    assert_sanitized %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>), ""
+    input = %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>)
+    result = safe_list_sanitize(input)
+    acceptable_results = [
+      # libxml2
+      "",
+      # xerces+neko
+      'alert("XSS")',
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_should_sanitize_invalid_script_tag
@@ -390,7 +469,19 @@ def test_should_sanitize_invalid_script_tag
 
   def test_should_sanitize_script_tag_with_multiple_open_brackets
     assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "&lt;alert(\"XSS\");//&lt;"
-    assert_sanitized %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a), ""
+  end
+
+  def test_should_sanitize_script_tag_with_multiple_open_brackets_2
+    input = %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a)
+    result = safe_list_sanitize(input)
+    acceptable_results = [
+      # libxml2
+      "",
+      # xerces+neko
+      "&lt;a",
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_should_sanitize_unclosed_script
@@ -461,6 +552,7 @@ def test_should_allow_div_background_image_unicode_encoded_safe_functions
       convert_to_css_hex("rgb(255,0,0)", true),
     ].each do |propval|
       raw = "background-image:" + propval
+
       assert_includes(sanitize_css(raw), "background-image")
     end
   end
@@ -481,14 +573,33 @@ def test_should_sanitize_img_vbscript
 
   def test_should_sanitize_cdata_section
     input = "<![CDATA[<span>section</span>]]>"
-    expected = libxml_2_9_14_recovery_lt_bang? ? %{&lt;![CDATA[<span>section</span>]]&gt;} : %{section]]&gt;}
-    assert_sanitized(input, expected)
+    result = safe_list_sanitize(input)
+    acceptable_results = [
+      # libxml2 = 2.9.14
+      %{&lt;![CDATA[<span>section</span>]]&gt;},
+      # other libxml2
+      %{section]]&gt;},
+      # xerces+neko
+      "",
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_should_sanitize_unterminated_cdata_section
     input = "<![CDATA[<span>neverending..."
-    expected = libxml_2_9_14_recovery_lt_bang? ? %{&lt;![CDATA[<span>neverending...</span>} : %{neverending...}
-    assert_sanitized(input, expected)
+    result = safe_list_sanitize(input)
+
+    acceptable_results = [
+      # libxml2 = 2.9.14
+      %{&lt;![CDATA[<span>neverending...</span>},
+      # other libxml2
+      %{neverending...},
+      # xerces+neko
+      ""
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_should_not_mangle_urls_with_ampersand
@@ -496,7 +607,8 @@ def test_should_not_mangle_urls_with_ampersand
   end
 
   def test_should_sanitize_neverending_attribute
-    assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
+    # note that assert_dom_equal chokes in this case! so avoid using assert_sanitized
+    assert_equal("<span class=\"\\\"></span>", safe_list_sanitize("<span class=\"\\\">"))
   end
 
   [
@@ -565,11 +677,14 @@ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
     text = safe_list_sanitize(html)
 
     acceptable_results = [
-      # nokogiri w/vendored+patched libxml2
+      # nokogiri's vendored+patched libxml2 (0002-Update-entities-to-remove-handling-of-ssi.patch)
       %{<a href="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
-      # nokogiri w/ system libxml2
+      # system libxml2
       %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+      # xerces+neko
+      %{<a href="examp&lt;!--%22 unsafeattr=foo()&gt;--&gt;le.com">test</a>}
     ]
+
     assert_includes(acceptable_results, text)
   end
 
@@ -581,11 +696,14 @@ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
     text = safe_list_sanitize(html)
 
     acceptable_results = [
-      # nokogiri w/vendored+patched libxml2
+      # nokogiri's vendored+patched libxml2 (0002-Update-entities-to-remove-handling-of-ssi.patch)
       %{<a src="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
-      # nokogiri w/system libxml2
+      # system libxml2
       %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+      # xerces+neko
+      %{<a src="examp&lt;!--%22 unsafeattr=foo()&gt;--&gt;le.com">test</a>}
     ]
+
     assert_includes(acceptable_results, text)
   end
 
@@ -597,11 +715,14 @@ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
     text = safe_list_sanitize(html)
 
     acceptable_results = [
-      # nokogiri w/vendored+patched libxml2
+      # nokogiri's vendored+patched libxml2 (0002-Update-entities-to-remove-handling-of-ssi.patch)
       %{<a name="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
-      # nokogiri w/system libxml2
+      # system libxml2
       %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+      # xerces+neko
+      %{<a name="examp&lt;!--%22 unsafeattr=foo()&gt;--&gt;le.com">test</a>}
     ]
+
     assert_includes(acceptable_results, text)
   end
 
@@ -613,11 +734,14 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
     text = safe_list_sanitize(html, attributes: ["action"])
 
     acceptable_results = [
-      # nokogiri w/vendored+patched libxml2
+      # nokogiri's vendored+patched libxml2 (0002-Update-entities-to-remove-handling-of-ssi.patch)
       %{<a action="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
-      # nokogiri w/system libxml2
+      # system libxml2
       %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+      # xerces+neko
+      %{<a action="examp&lt;!--%22 unsafeattr=foo()&gt;--&gt;le.com">test</a>},
     ]
+
     assert_includes(acceptable_results, text)
   end
 
@@ -727,7 +851,9 @@ def test_combination_of_math_and_style_with_img_payload
     actual = safe_list_sanitize(input, tags: tags)
 
     assert_equal(expected, actual)
+  end
 
+  def test_combination_of_math_and_style_with_img_payload_2
     input, tags = "<math><style><img src=x onerror=alert(1)></style></math>", ["math", "style", "img"]
     expected = "<math><style>&lt;img src=x onerror=alert(1)&gt;</style></math>"
     actual = safe_list_sanitize(input, tags: tags)
@@ -741,7 +867,9 @@ def test_combination_of_svg_and_style_with_img_payload
     actual = safe_list_sanitize(input, tags: tags)
 
     assert_equal(expected, actual)
+  end
 
+  def test_combination_of_svg_and_style_with_img_payload_2
     input, tags = "<svg><style><img src=x onerror=alert(1)></style></svg>", ["svg", "style", "img"]
     expected = "<svg><style>&lt;img src=x onerror=alert(1)&gt;</style></svg>"
     actual = safe_list_sanitize(input, tags: tags)
@@ -804,15 +932,4 @@ def convert_to_css_hex(string, escape_parens = false)
       end
     end.join
   end
-
-  def libxml_2_9_14_recovery_lt?
-    # changed in 2.9.14, see https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
-    Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">= 2.9.14")
-  end
-
-  def libxml_2_9_14_recovery_lt_bang?
-    # changed in 2.9.14, see https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5
-    # then reverted in 2.10.0, see https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
-    Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("= 2.9.14")
-  end
 end

From ec893747ef38276b585de4a3d5c66449c0b1fa47 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 09:00:48 -0400
Subject: [PATCH 07/10] test: remove bulk test of all Loofah ALLOWED_ELEMENTS

The use of assert_dom_equal obfuscates what we're actually testing,
which in many cases is "not much".

These elements already have adequate coverage in Loofah, and the
allowed_tags feature is tested adequately elsewhere in this suite.
---
 test/sanitizer_test.rb | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index f8f2e5f..a02db24 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -259,15 +259,6 @@ def test_sanitize_image_src
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
 
-  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
-  tags.each do |tag_name|
-    define_method "test_should_allow_#{tag_name}_tag" do
-      scope_allowed_tags(tags) do
-        assert_sanitized "start <#{tag_name} title=\"1\" onclick=\"foo\">foo <bad>bar</bad> baz</#{tag_name}> end", %(start <#{tag_name} title="1">foo bar baz</#{tag_name}> end)
-      end
-    end
-  end
-
   def test_should_allow_anchors
     assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\">baz</a>)
   end

From c1ccd66d168f85191aff0316ca8b25d39babe8b2 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 09:14:22 -0400
Subject: [PATCH 08/10] test: don't use assert_dom_equal and be explicit about
 assert_nil

The use of both was making `assert_sanitized` very ambiguous, as you
can see from the tests that have been updated.

The more explicit tests allow us to be sensitive to behavioral changes
upstream, so that we fully understand what we're emitting.
---
 test/sanitizer_test.rb | 61 +++++++++++++++++++++++++-----------------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index a02db24..1475d8f 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -22,8 +22,6 @@
 #  slightly differently than libxml2 in edge cases.
 #
 class SanitizersTest < Minitest::Test
-  include Rails::Dom::Testing::Assertions::DomAssertions
-
   def test_sanitizer_sanitize_raises_not_implemented_error
     assert_raises NotImplementedError do
       Rails::Html::Sanitizer.new.sanitize("")
@@ -256,7 +254,7 @@ def test_sanitize_javascript_href
 
   def test_sanitize_image_src
     raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
-    assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
+    assert_sanitized raw, %{src="javascript:bang" <img width="5">foo, <span>bar</span>}
   end
 
   def test_should_allow_anchors
@@ -266,8 +264,20 @@ def test_should_allow_anchors
   def test_video_poster_sanitization
     scope_allowed_tags(%w(video)) do
       scope_allowed_attributes %w(src poster) do
-        assert_sanitized %(<video src="videofile.ogg" autoplay  poster="posterimage.jpg"></video>), %(<video src="videofile.ogg" poster="posterimage.jpg"></video>)
-        assert_sanitized %(<video src="videofile.ogg" poster=javascript:alert(1)></video>), %(<video src="videofile.ogg"></video>)
+        expected = if RUBY_PLATFORM == "java"
+          # xerces+nekohtml alphabetizes the attributes! FML.
+          %(<video poster="posterimage.jpg" src="videofile.ogg"></video>)
+        else
+          %(<video src="videofile.ogg" poster="posterimage.jpg"></video>)
+        end
+        assert_sanitized(
+          %(<video src="videofile.ogg" autoplay  poster="posterimage.jpg"></video>),
+          expected,
+        )
+        assert_sanitized(
+          %(<video src="videofile.ogg" poster=javascript:alert(1)></video>),
+          %(<video src="videofile.ogg"></video>),
+        )
       end
     end
   end
@@ -279,7 +289,7 @@ def test_allow_colons_in_path_component
 
   %w(src width height alt).each do |img_attr|
     define_method "test_should_allow_image_#{img_attr}_attribute" do
-      assert_sanitized %(<img #{img_attr}="foo" onclick="bar" />), %(<img #{img_attr}="foo" />)
+      assert_sanitized %(<img #{img_attr}="foo" onclick="bar" />), %(<img #{img_attr}="foo">)
     end
   end
 
@@ -303,7 +313,9 @@ def test_should_handle_non_html
   end
 
   def test_should_handle_blank_text
-    [nil, "", "   "].each { |blank| assert_sanitized blank }
+    assert_nil(safe_list_sanitize(nil))
+    assert_equal("", safe_list_sanitize(""))
+    assert_equal("   ", safe_list_sanitize("   "))
   end
 
   def test_setting_allowed_tags_affects_sanitization
@@ -407,10 +419,12 @@ def test_custom_scrubber_takes_precedence_over_other_options
     assert_equal "<h1>hello!</h1>", safe_list_sanitize(html, scrubber: scrubber, tags: ["foo"])
   end
 
-  [%w(img src), %w(a href)].each do |(tag, attr)|
-    define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
-      assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)
-    end
+  def test_should_strip_src_attribute_in_img_with_bad_protocols
+    assert_sanitized %(<img src="javascript:bang" title="1">), %(<img title="1">)
+  end
+
+  def test_should_strip_href_attribute_in_a_with_bad_protocols
+    assert_sanitized %(<a href="javascript:bang" title="1">boo</a>), %(<a title="1">boo</a>)
   end
 
   def test_should_block_script_tag
@@ -489,7 +503,10 @@ def test_should_not_fall_for_ridiculous_hack
   end
 
   def test_should_sanitize_attributes
-    assert_sanitized %(<SPAN title="'><script>alert()</script>">blah</SPAN>), %(<span title="#{CGI.escapeHTML "'><script>alert()</script>"}">blah</span>)
+    assert_sanitized(
+      %(<SPAN title="'><script>alert()</script>">blah</SPAN>),
+      %(<span title="'&gt;&lt;script&gt;alert()&lt;/script&gt;">blah</span>),
+    )
   end
 
   def test_should_sanitize_illegal_style_properties
@@ -518,11 +535,11 @@ def test_should_sanitize_non_alpha_and_non_digit_characters_in_tags
   end
 
   def test_should_sanitize_invalid_tag_names_in_single_tags
-    assert_sanitized('<img/src="http://ha.ckers.org/xss.js"/>', "<img />")
+    assert_sanitized('<img/src="http://ha.ckers.org/xss.js"/>', "<img>")
   end
 
   def test_should_sanitize_img_dynsrc_lowsrc
-    assert_sanitized(%(<img lowsrc="javascript:alert('XSS')" />), "<img />")
+    assert_sanitized(%(<img lowsrc="javascript:alert('XSS')" />), "<img>")
   end
 
   def test_should_sanitize_div_background_image_unicode_encoded
@@ -559,7 +576,7 @@ def test_should_sanitize_across_newlines
   end
 
   def test_should_sanitize_img_vbscript
-    assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), "<img />"
+    assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), "<img>"
   end
 
   def test_should_sanitize_cdata_section
@@ -609,13 +626,13 @@ def test_should_sanitize_neverending_attribute
     %(<a href="javascript&#x003A;alert('XSS');">)
   ].each_with_index do |enc_hack, i|
     define_method "test_x03a_handling_#{i + 1}" do
-      assert_sanitized enc_hack, "<a>"
+      assert_sanitized enc_hack, "<a></a>"
     end
   end
 
   def test_x03a_legitimate
-    assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
-    assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+    assert_sanitized %(<a href="http&#x3a;//legit">asdf</a>), %(<a href="http://legit">asdf</a>)
+    assert_sanitized %(<a href="http&#x3A;//legit">asdf</a>), %(<a href="http://legit">asdf</a>)
   end
 
   def test_sanitize_ascii_8bit_string
@@ -651,7 +668,7 @@ def test_allow_data_attribute_if_requested
   end
 
   def test_datetime_attribute
-    assert_sanitized("<time datetime=\"2023-01-01\">")
+    assert_sanitized("<time datetime=\"2023-01-01\">Today</time>")
   end
 
   def test_abbr_attribute
@@ -886,11 +903,7 @@ def safe_list_sanitize(input, options = {})
   end
 
   def assert_sanitized(input, expected = nil)
-    if input
-      assert_dom_equal expected || input, safe_list_sanitize(input)
-    else
-      assert_nil safe_list_sanitize(input)
-    end
+    assert_equal((expected || input), safe_list_sanitize(input))
   end
 
   def sanitize_css(input)

From 2070471d5ad83979edd3653d72b1b79fc4ab28d8 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 09:33:52 -0400
Subject: [PATCH 09/10] test: accommodate jruby nokogiri 1.13 behavior

because Nokogiri 1.14 switched from cyberneko to nekohtml-unit and
there are some parsing differences.
---
 test/sanitizer_test.rb | 15 +++++++++++++--
 test/scrubbers_test.rb | 19 ++++++++++++++++---
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 1475d8f..dae5001 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -231,8 +231,10 @@ def test_sanitize_plaintext
     acceptable_results = [
       # libxml2
       "<span>foo</span>",
-      # xerces+nekohtml
+      # xerces+nekohtml-unit
       "&lt;span&gt;foo&lt;/span&gt;&lt;/plaintext&gt;",
+      # xerces+cyberneko
+      "&lt;span&gt;foo&lt;/span&gt;"
     ]
 
     assert_includes(acceptable_results, result)
@@ -754,7 +756,16 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
   end
 
   def test_exclude_node_type_processing_instructions
-    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+    input = "<div>text</div><?div content><b>text</b>"
+    result = safe_list_sanitize(input)
+    acceptable_results = [
+      # jruby cyberneko (nokogiri < 1.14.0)
+      "<div>text</div>",
+      # everything else
+      "<div>text</div><b>text</b>",
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_exclude_node_type_comment
diff --git a/test/scrubbers_test.rb b/test/scrubbers_test.rb
index 279d0dd..2fc156c 100644
--- a/test/scrubbers_test.rb
+++ b/test/scrubbers_test.rb
@@ -5,8 +5,12 @@
 
 class ScrubberTest < Minitest::Test
   protected
+    def scrub_fragment(html)
+      Loofah.scrub_fragment(html, @scrubber).to_s
+    end
+
     def assert_scrubbed(html, expected = html)
-      output = Loofah.scrub_fragment(html, @scrubber).to_s
+      output = scrub_fragment(html)
       assert_equal expected, output
     end
 
@@ -47,8 +51,17 @@ def test_default_scrub_removes_comments
   end
 
   def test_default_scrub_removes_processing_instructions
-    assert_scrubbed("<div>one</div><?div two><span>three</span>",
-                    "<div>one</div><span>three</span>")
+    input = "<div>one</div><?div two><span>three</span>"
+    result = scrub_fragment(input)
+
+    acceptable_results = [
+      # jruby cyberneko (nokogiri < 1.14.0)
+      "<div>one</div>",
+      # everything else
+      "<div>one</div><span>three</span>",
+    ]
+
+    assert_includes(acceptable_results, result)
   end
 
   def test_default_attributes_removal_behavior

From 57c80153354a8dcc9bb169a48869eb36f45e2495 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 11 May 2023 10:18:08 -0400
Subject: [PATCH 10/10] ci: now that JRuby passes, let's not ignore errors

---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30a6faf..222b475 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,6 @@ jobs:
       - run: bundle exec rake
 
   jruby:
-    continue-on-error: true # nokogiri on jruby has different behavior
     strategy:
       fail-fast: false
       matrix: