Diff of the two buildlogs: -- --- b1/build.log 2025-02-04 20:13:52.584725637 +0000 +++ b2/build.log 2025-02-04 20:15:58.459051276 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Mon Mar 9 14:35:07 -12 2026 -I: pbuilder-time-stamp: 1773110107 +I: Current time: Wed Feb 5 10:13:55 +14 2025 +I: pbuilder-time-stamp: 1738700035 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration @@ -22,52 +22,84 @@ dpkg-source: info: unpacking ruby-sanitize_7.0.0-1.debian.tar.xz I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/2975405/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/D01_modify_environment starting +debug: Running on codethink04-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Feb 4 20:14 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. + BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="37" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.37(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='61792e274b074a4188fbd3841e326e15' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='2975405' - PS1='# ' - PS2='> ' + INVOCATION_ID=433e800be5d8488a8c2ecdeb204427ed + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=704796 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.BkFeTd9S/pbuilderrc_UYjK --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.BkFeTd9S/b1 --logfile b1/build.log ruby-sanitize_7.0.0-1.dsc' - SUDO_GID='109' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.BkFeTd9S/pbuilderrc_Tfjc --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.BkFeTd9S/b2 --logfile b2/build.log ruby-sanitize_7.0.0-1.dsc' + SUDO_GID=109 + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink03-arm64 6.1.0-30-cloud-arm64 #1 SMP Debian 6.1.124-1 (2025-01-12) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.1.0-30-cloud-arm64 #1 SMP Debian 6.1.124-1 (2025-01-12) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Nov 22 2024 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/2975405/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Nov 22 14:40 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy @@ -256,7 +288,7 @@ Get: 141 http://deb.debian.org/debian unstable/main arm64 ruby-mini-portile2 all 2.8.7-1 [21.3 kB] Get: 142 http://deb.debian.org/debian unstable/main arm64 ruby-pkg-config all 1.5.9-1 [8584 B] Get: 143 http://deb.debian.org/debian unstable/main arm64 ruby-nokogiri arm64 1.18.2+dfsg-1 [256 kB] -Fetched 54.6 MB in 0s (128 MB/s) +Fetched 54.6 MB in 1s (86.3 MB/s) Preconfiguring packages ... Selecting previously unselected package libpython3.13-minimal:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19920 files and directories currently installed.) @@ -733,8 +765,8 @@ Setting up tzdata (2025a-1) ... Current default time zone: 'Etc/UTC' -Local time is now: Tue Mar 10 02:35:56 UTC 2026. -Universal Time is now: Tue Mar 10 02:35:56 UTC 2026. +Local time is now: Tue Feb 4 20:14:53 UTC 2025. +Universal Time is now: Tue Feb 4 20:14:53 UTC 2025. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up ruby-minitest (5.25.4-1) ... @@ -863,7 +895,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-sanitize-7.0.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-sanitize_7.0.0-1_source.changes +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-sanitize-7.0.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-sanitize_7.0.0-1_source.changes dpkg-buildpackage: info: source package ruby-sanitize dpkg-buildpackage: info: source version 7.0.0-1 dpkg-buildpackage: info: source distribution unstable @@ -896,7 +932,7 @@ │ ruby-sanitize: Installing files and building extensions for ruby3.3 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20260309-2986252-qh3hfw/gemspec +/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20250205-716835-1dgq3w/gemspec WARNING: expected RubyGems version 3.6.3, was 3.3.15 WARNING: open-ended dependency on nokogiri (>= 1.16.8) is not recommended if nokogiri is semantically versioned, use: @@ -906,7 +942,7 @@ Name: sanitize Version: 7.0.0 File: sanitize-7.0.0.gem -/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-sanitize/usr/share/rubygems-integration/all /tmp/d20260309-2986252-qh3hfw/sanitize-7.0.0.gem +/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-sanitize/usr/share/rubygems-integration/all /tmp/d20250205-716835-1dgq3w/sanitize-7.0.0.gem /build/reproducible-path/ruby-sanitize-7.0.0/debian/ruby-sanitize/usr/share/rubygems-integration/all/gems/sanitize-7.0.0/lib/sanitize.rb /build/reproducible-path/ruby-sanitize-7.0.0/debian/ruby-sanitize/usr/share/rubygems-integration/all/gems/sanitize-7.0.0/lib/sanitize/config.rb /build/reproducible-path/ruby-sanitize-7.0.0/debian/ruby-sanitize/usr/share/rubygems-integration/all/gems/sanitize-7.0.0/lib/sanitize/config/basic.rb @@ -950,291 +986,291 @@ RUBYLIB=. GEM_PATH=/build/reproducible-path/ruby-sanitize-7.0.0/debian/ruby-sanitize/usr/share/rubygems-integration/all:/build/reproducible-path/ruby-sanitize-7.0.0/debian/.debhelper/generated/_source/home/.local/share/gem/ruby/3.3.0:/var/lib/gems/3.3.0:/usr/local/lib/ruby/gems/3.3.0:/usr/lib/ruby/gems/3.3.0:/usr/lib/aarch64-linux-gnu/ruby/gems/3.3.0:/usr/share/rubygems-integration/3.3.0:/usr/share/rubygems-integration/all:/usr/lib/aarch64-linux-gnu/rubygems-integration/3.3.0 ruby3.3 -S rake --rakelibdir /gem2deb-nonexistent -f debian/ruby-tests.rake /usr/bin/ruby3.3 -w -I"test" /usr/share/rubygems-integration/all/gems/rake-13.2.1/lib/rake/rake_test_loader.rb "test/test_clean_comment.rb" "test/test_clean_css.rb" "test/test_clean_doctype.rb" "test/test_clean_element.rb" "test/test_config.rb" "test/test_malicious_css.rb" "test/test_malicious_html.rb" "test/test_parser.rb" "test/test_sanitize.rb" "test/test_sanitize_css.rb" "test/test_transformers.rb" -v -Run options: -v --seed 13955 +Run options: -v --seed 59283 # Running: -Sanitize::instance methods::#node!::when the given node is a document and <html> isn't allowlisted#test_0001_should raise a Sanitize::Error = 0.00 s = . -Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.01 s = . -Sanitize::instance methods::#node!#test_0001_should sanitize a Nokogiri::XML::Node = 0.00 s = . -Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.02 s = . -Sanitize::instance methods::#document#test_0005_should strip control characters (except ASCII whitespace) = 0.00 s = . -Sanitize::instance methods::#document#test_0001_should sanitize an HTML document = 0.00 s = . -Sanitize::instance methods::#document#test_0002_should not modify the input string = 0.00 s = . -Sanitize::instance methods::#document#test_0006_should strip non-characters = 0.00 s = . -Sanitize::instance methods::#document#test_0004_should normalize newlines = 0.00 s = . -Sanitize::instance methods::#document#test_0003_should not choke on frozen documents = 0.00 s = . Sanitize::instance methods::#fragment#test_0005_should normalize newlines = 0.00 s = . +Sanitize::instance methods::#fragment#test_0003_should not choke on fragments containing <html> or <body> = 0.00 s = . +Sanitize::instance methods::#fragment#test_0004_should not choke on frozen fragments = 0.00 s = . Sanitize::instance methods::#fragment#test_0001_should sanitize an HTML fragment = 0.00 s = . +Sanitize::instance methods::#fragment#test_0006_should strip control characters (except ASCII whitespace) = 0.00 s = . Sanitize::instance methods::#fragment#test_0002_should not modify the input string = 0.00 s = . Sanitize::instance methods::#fragment#test_0007_should strip non-characters = 0.00 s = . -Sanitize::instance methods::#fragment#test_0004_should not choke on frozen fragments = 0.00 s = . -Sanitize::instance methods::#fragment#test_0006_should strip control characters (except ASCII whitespace) = 0.00 s = . -Sanitize::instance methods::#fragment#test_0003_should not choke on fragments containing <html> or <body> = 0.00 s = . -Sanitize::class methods::.node!#test_0001_should sanitize a Nokogiri::XML::Node with the given config = 0.00 s = . -Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . Sanitize::class methods::.fragment#test_0001_should sanitize an HTML fragment with the given config = 0.00 s = . -Sanitize::initializer#test_0001_should not modify a transformers array in the given config = 0.00 s = . +Sanitize::instance methods::#node!::when the given node is a document and <html> isn't allowlisted#test_0001_should raise a Sanitize::Error = 0.00 s = . +Sanitize::class methods::.node!#test_0001_should sanitize a Nokogiri::XML::Node with the given config = 0.00 s = . +Sanitize::instance methods::#node!#test_0001_should sanitize a Nokogiri::XML::Node = 0.00 s = . Sanitize::class methods::.document#test_0001_should sanitize an HTML document with the given config = 0.00 s = . +Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.01 s = . Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0015_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0001_should clean basic HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0002_should clean malformed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0016_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0003_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0007_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0010_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0011_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CSS::CleanAttribute#test_0002_should remove the style attribute if the sanitized CSS is empty = 0.00 s = . -Sanitize::Transformers::CSS::CleanAttribute#test_0001_should sanitize CSS properties in style attributes = 0.01 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0002_should not allow doctype definitions in fragments = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0001_should remove doctype declarations = 0.00 s = . -Malicious CSS#test_0001_should not be possible to inject an expression by munging it with a comment = 0.00 s = . -Malicious CSS#test_0004_should not allow behaviors = 0.00 s = . -Malicious CSS#test_0002_should not be possible to inject an expression by munging it with a newline = 0.00 s = . -Malicious CSS#test_0003_should not allow the javascript protocol = 0.00 s = . -Transformers#test_0005_should clear the node allowlist after each fragment = 0.00 s = . -Transformers#test_0001_should receive a complete env Hash as input = 0.00 s = . -Transformers#test_0002_should traverse all node types, including the fragment itself = 0.00 s = . -Transformers#test_0006_should accept a method transformer = 0.00 s = . -Transformers#test_0004_should allowlist nodes in the node allowlist = 0.00 s = . -Transformers#test_0003_should perform top-down traversal = 0.00 s = . -Config::.freeze_config#test_0001_should deeply freeze and return a configuration Hash = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0004_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0008_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily = 0.00 s = S +Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.02 s = . +Sanitize::initializer#test_0001_should not modify a transformers array in the given config = 0.00 s = . +Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . +Sanitize::instance methods::#document#test_0005_should strip control characters (except ASCII whitespace) = 0.00 s = . +Sanitize::instance methods::#document#test_0003_should not choke on frozen documents = 0.00 s = . +Sanitize::instance methods::#document#test_0004_should normalize newlines = 0.00 s = . +Sanitize::instance methods::#document#test_0001_should sanitize an HTML document = 0.00 s = . +Sanitize::instance methods::#document#test_0006_should strip non-characters = 0.00 s = . +Sanitize::instance methods::#document#test_0002_should not modify the input string = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes = 0.00 s = S Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0014_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0002_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0016_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0010_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0012_should round-trip to the same output = 0.00 s = . Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0006_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes = 0.00 s = S -Sanitize::CSS::instance methods::#tree!#test_0001_should sanitize a Crass CSS parse tree = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0001_should allow a google fonts url = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0002_should not allow a nasty url = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0003_should not allow a blank url = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0002_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily = 0.00 s = S +Transformers::DOM modification transformer#test_0001_should allow the <b> tag to be changed to a <strong> tag = 0.00 s = . +Config#test_0001_built-in configs should be deeply frozen = 0.01 s = . +Malicious HTML::interpolation (ERB, PHP, etc.)#test_0002_should remove PHP-style tags = 0.00 s = . +Malicious HTML::interpolation (ERB, PHP, etc.)#test_0001_should escape ERB-style tags = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . +Transformers::YouTube transformer#test_0001_should allow HTTP YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0003_should allow protocol-relative YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0004_should allow privacy-enhanced YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0005_should not allow non-YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0002_should allow HTTPS YouTube video embeds = 0.00 s = . +Malicious HTML::comments#test_0001_should not allow script injection via conditional comments = 0.00 s = . Transformers::Image allowlist transformer#test_0001_should allow images with relative URLs = 0.00 s = . Transformers::Image allowlist transformer#test_0002_should allow images at the example.com domain = 0.00 s = . Transformers::Image allowlist transformer#test_0003_should not allow images at other domains = 0.00 s = . -Sanitize::CSS::functionality:::at_rules#test_0002_preserves allowlisted @container at-rules = 0.00 s = . -Sanitize::CSS::functionality:::at_rules#test_0001_should remove blockless at-rules that aren't allowlisted = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0021_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0009_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0016_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0014_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0004_should clean malformed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0005_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0017_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0006_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0019_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0020_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0008_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0003_should clean basic HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0001_should not choke on valueless attributes = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0002_should downcase attribute names = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0018_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0015_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0007_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0010_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0012_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0011_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Parser::when siblings are added after a node during traversal#test_0001_the added siblings should be traversed = 0.00 s = . -Malicious HTML::<img>#test_0005_should not be possible to inject protocol-based JS via whitespace = 0.00 s = . -Malicious HTML::<img>#test_0001_should not be possible to inject JS via an unquoted <img> src attribute = 0.00 s = . -Malicious HTML::<img>#test_0002_should not be possible to inject JS using grave accents as <img> src delimiters = 0.00 s = . -Malicious HTML::<img>#test_0006_should not be possible to inject JS using a half-open <img> tag = 0.00 s = . -Malicious HTML::<img>#test_0004_should not be possible to inject protocol-based JS = 0.01 s = . -Malicious HTML::<img>#test_0003_should not be possible to inject <script> via a malformed <img> tag = 0.00 s = . -Config#test_0001_built-in configs should be deeply frozen = 0.00 s = . -Sanitize::CSS::class methods::.tree!#test_0001_should sanitize a Crass CSS parse tree with the given config = 0.00 s = . -Malicious HTML::<body>#test_0001_should not be possible to inject JS via a malformed event attribute = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0005_should not allow expressions = 0.01 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0011_removes text content inside `<iframe>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0013_removes `<noscript>` elements in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0012_removes text content inside `<iframe>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0008_forcibly escapes text content inside `<script>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0016_removes `<style>` elements in an SVG namespace = 0.01 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0007_forcibly escapes text content inside `<script>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0003_forcibly escapes text content inside `<noframes>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0004_forcibly escapes text content inside `<noframes>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0005_forcibly escapes text content inside `<plaintext>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0009_forcibly escapes text content inside `<xmp>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0001_forcibly escapes text content inside `<noembed>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0010_forcibly escapes text content inside `<xmp>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0014_removes `<noscript>` elements in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0006_forcibly escapes text content inside `<plaintext>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0002_forcibly escapes text content inside `<noembed>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0015_removes `<style>` elements in a MathML namespace = 0.00 s = . +Sanitize::Transformers::CleanComment::when :allow_comments is false#test_0001_should remove comments = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . +Malicious HTML::<iframe>#test_0001_should not be possible to inject an iframe using an improperly closed tag = 0.00 s = . +Sanitize::CSS::instance methods::#properties#test_0005_should not allow expressions = 0.00 s = . +Sanitize::CSS::instance methods::#properties#test_0003_should not allow non-allowlisted URL protocols = 0.01 s = . +Sanitize::CSS::instance methods::#properties#test_0004_should not allow -moz-binding = 0.00 s = . Sanitize::CSS::instance methods::#properties#test_0001_should sanitize CSS properties = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0002_should allow allowlisted URL protocols = 0.01 s = . Sanitize::CSS::instance methods::#properties#test_0006_should not allow behaviors = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0004_should not allow -moz-binding = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0003_should not allow non-allowlisted URL protocols = 0.00 s = . -Malicious HTML::sanitization bypass by exploiting scripting-disabled <noscript> behavior#test_0001_is prevented by removing `<noscript>` elements regardless of the allowlist = 0.00 s = . -Malicious HTML::<iframe>#test_0001_should not be possible to inject an iframe using an improperly closed tag = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0001_should allow doctype declarations in documents = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0002_should not allow obviously invalid doctype declarations in documents = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0003_should not allow doctype definitions in fragments = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0005_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0004_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0009_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0019_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::CSS::instance methods::#properties#test_0002_should allow allowlisted URL protocols = 0.01 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with no validation proc specified#test_0001_should allow any URL value = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . +Sanitize::CSS::instance methods::#tree!#test_0001_should sanitize a Crass CSS parse tree = 0.00 s = . +Parser::when siblings are added after a node during traversal#test_0001_the added siblings should be traversed = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0011_should replace whitespace_elements with configured :before and :after values = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0013_should sanitize protocols in data attributes even if data attributes are generically allowed = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0012_should handle protocols correctly regardless of case = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0008_should remove the contents of allowlisted iframes = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0016_always removes `<noscript>` elements even if `noscript` is in the allowlist = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0007_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as symbols = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0003_should allow relative URLs containing colons when the colon is not in the first path segment = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0004_should allow relative URLs containing colons when the colon is part of an anchor = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0005_should remove the contents of filtered nodes when :remove_contents is true = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0009_should not allow arbitrary HTML5 data attributes by default = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0001_should allow attributes on all elements if allowlisted under :all = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0010_should allow arbitrary HTML5 data attributes when the :attributes config includes :data = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0014_should prevent `<meta>` tags from being used to set a non-UTF-8 charset = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0006_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as strings = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0002_should not allow relative URLs when relative URLs aren't allowlisted = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0015_should not modify `<meta>` tags that already set a UTF-8 charset = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0016_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0013_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0004_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0003_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0019_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0014_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0017_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0008_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0018_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0007_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0011_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0005_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0009_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0001_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0010_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0006_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0002_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0015_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0017_should not allow protocol-based JS injection: null char = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0014_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0006_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0004_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0003_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0016_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0020_should not allow protocol whitespace = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0018_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0008_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0016_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0019_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0007_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0011_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0005_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0009_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0001_should encode special chars in attribute values = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0010_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0006_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0002_should clean basic HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0017_should not allow protocol-based JS injection: null char = 0.00 s = . Sanitize::Transformers::CleanElement::Relaxed config#test_0015_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0003_should clean malformed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0007_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0010_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0011_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0002_should remove them if they have invalid blocks = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0001_should not remove them = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0009_should not allow arbitrary HTML5 data attributes by default = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0005_should remove the contents of filtered nodes when :remove_contents is true = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0004_should allow relative URLs containing colons when the colon is part of an anchor = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0008_should remove the contents of allowlisted iframes = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0015_should not modify `<meta>` tags that already set a UTF-8 charset = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0014_should prevent `<meta>` tags from being used to set a non-UTF-8 charset = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0001_should allow attributes on all elements if allowlisted under :all = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0002_should not allow relative URLs when relative URLs aren't allowlisted = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0016_always removes `<noscript>` elements even if `noscript` is in the allowlist = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0003_should allow relative URLs containing colons when the colon is not in the first path segment = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0013_should sanitize protocols in data attributes even if data attributes are generically allowed = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0010_should allow arbitrary HTML5 data attributes when the :attributes config includes :data = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0007_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as symbols = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0012_should handle protocols correctly regardless of case = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0006_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as strings = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0011_should replace whitespace_elements with configured :before and :after values = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with no validation proc specified#test_0001_should allow any URL value = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . -Sanitize::Transformers::CleanComment::when :allow_comments is false#test_0001_should remove comments = 0.00 s = . -Malicious CSS::sanitization bypass via CSS at-rule in HTML <style> element#test_0001_is not possible to prematurely end a <style> element = 0.00 s = . -Sanitize::CSS::functionality#test_0002_should parse @page rules properly = 0.00 s = . -Sanitize::CSS::functionality#test_0001_should parse the contents of @media rules properly = 0.00 s = . -Malicious HTML::foreign content bypass in relaxed config#test_0001_prevents a sanitization bypass via carefully crafted foreign content = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0009_forcibly escapes text content inside `<xmp>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0005_forcibly escapes text content inside `<plaintext>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0004_forcibly escapes text content inside `<noframes>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0008_forcibly escapes text content inside `<script>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0015_removes `<style>` elements in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0014_removes `<noscript>` elements in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0001_forcibly escapes text content inside `<noembed>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0002_forcibly escapes text content inside `<noembed>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0016_removes `<style>` elements in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0003_forcibly escapes text content inside `<noframes>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0013_removes `<noscript>` elements in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0010_forcibly escapes text content inside `<xmp>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0007_forcibly escapes text content inside `<script>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0012_removes text content inside `<iframe>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0006_forcibly escapes text content inside `<plaintext>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0011_removes text content inside `<iframe>` in a MathML namespace = 0.00 s = . -Malicious HTML::<script>#test_0002_should not be possible to inject <script> via extraneous open brackets = 0.00 s = . -Malicious HTML::<script>#test_0001_should not be possible to inject <script> using a malformed non-alphanumeric tag name = 0.00 s = . -Sanitize::CSS::class methods::.stylesheet#test_0001_should sanitize a CSS stylesheet with the given config = 0.00 s = . -Sanitize::Transformers::CleanComment::when :allow_comments is true#test_0001_should allow comments = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet#test_0001_should sanitize a CSS stylesheet = 0.01 s = . +Config::.merge#test_0002_should raise an ArgumentError if either argument is not a Hash = 0.00 s = . +Config::.merge#test_0001_should deeply merge a configuration Hash = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0014_should clean basic HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0009_should not preserve the content of removed `plaintext` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0025_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0013_should not preserve the content of removed `xmp` elements = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0028_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0008_should not preserve the content of removed `noscript` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0017_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0006_should not preserve the content of removed `noembed` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0020_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0013_should not preserve the content of removed `xmp` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0030_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0019_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0016_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0031_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0018_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0001_should remove non-allowlisted elements, leaving safe contents behind = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0008_should not preserve the content of removed `noscript` elements = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0024_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0026_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0025_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0027_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0018_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0003_should not choke on several instances of the same element in a row = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0005_should not preserve the content of removed `math` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0020_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0004_should not preserve the content of removed `iframe` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0030_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0021_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0023_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0032_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0026_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0001_should remove non-allowlisted elements, leaving safe contents behind = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0002_should surround the contents of :whitespace_elements with space characters when removing the element = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0021_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0029_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0015_should clean malformed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0019_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0031_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0007_should not preserve the content of removed `noframes` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0010_should not preserve the content of removed `script` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0023_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0011_should not preserve the content of removed `style` elements = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0012_should not preserve the content of removed `svg` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0005_should not preserve the content of removed `math` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0009_should not preserve the content of removed `plaintext` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0017_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0010_should not preserve the content of removed `script` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0006_should not preserve the content of removed `noembed` elements = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0022_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0011_should not preserve the content of removed `style` elements = 0.00 s = . -Config::.merge#test_0002_should raise an ArgumentError if either argument is not a Hash = 0.00 s = . -Config::.merge#test_0001_should deeply merge a configuration Hash = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . -Malicious HTML::interpolation (ERB, PHP, etc.)#test_0002_should remove PHP-style tags = 0.00 s = . -Malicious HTML::interpolation (ERB, PHP, etc.)#test_0001_should escape ERB-style tags = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0002_should surround the contents of :whitespace_elements with space characters when removing the element = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0015_should clean malformed HTML = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . +Malicious CSS::sanitization bypass via CSS at-rule in HTML <style> element#test_0001_is not possible to prematurely end a <style> element = 0.00 s = . +Malicious HTML::foreign content bypass in relaxed config#test_0001_prevents a sanitization bypass via carefully crafted foreign content = 0.01 s = . Parser#test_0001_should translate valid entities into characters = 0.00 s = . +Parser#test_0003_should not add newlines after tags when serializing a fragment = 0.00 s = . Parser#test_0004_should not have the Nokogiri 1.4.2+ unterminated script/style element bug = 0.00 s = . Parser#test_0005_ambiguous non-tag brackets like "1 > 2 and 2 < 1" should be parsed correctly = 0.00 s = . Parser#test_0002_should translate orphaned ampersands into entities = 0.00 s = . -Parser#test_0003_should not add newlines after tags when serializing a fragment = 0.00 s = . -Transformers::DOM modification transformer#test_0001_should allow the <b> tag to be changed to a <strong> tag = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0021_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0014_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0008_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0004_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0016_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0003_should clean basic HTML = 0.01 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0001_should not choke on valueless attributes = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0018_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0019_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0020_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0007_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0011_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0012_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0005_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0009_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0017_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0010_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0006_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0002_should downcase attribute names = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0015_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Malicious HTML::<script>#test_0002_should not be possible to inject <script> via extraneous open brackets = 0.00 s = . +Malicious HTML::<script>#test_0001_should not be possible to inject <script> using a malformed non-alphanumeric tag name = 0.00 s = . Sanitize::Transformers::CSS::CleanElement#test_0002_should remove the <style> element if the sanitized CSS is empty = 0.00 s = . Sanitize::Transformers::CSS::CleanElement#test_0001_should sanitize CSS stylesheets in <style> elements = 0.00 s = . -Malicious HTML::comments#test_0001_should not allow script injection via conditional comments = 0.00 s = . -Transformers::YouTube transformer#test_0001_should allow HTTP YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0004_should allow privacy-enhanced YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0005_should not allow non-YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0002_should allow HTTPS YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0003_should allow protocol-relative YouTube video embeds = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0017_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . +Sanitize::CSS::class methods::.stylesheet#test_0001_should sanitize a CSS stylesheet with the given config = 0.00 s = . +Config::.freeze_config#test_0001_should deeply freeze and return a configuration Hash = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0002_should not allow doctype definitions in fragments = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0001_should remove doctype declarations = 0.00 s = . +Malicious CSS#test_0001_should not be possible to inject an expression by munging it with a comment = 0.00 s = . +Malicious CSS#test_0004_should not allow behaviors = 0.00 s = . +Malicious CSS#test_0002_should not be possible to inject an expression by munging it with a newline = 0.00 s = . +Malicious CSS#test_0003_should not allow the javascript protocol = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . +Sanitize::CSS::functionality:::at_rules#test_0002_preserves allowlisted @container at-rules = 0.00 s = . +Sanitize::CSS::functionality:::at_rules#test_0001_should remove blockless at-rules that aren't allowlisted = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0001_should allow a google fonts url = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0002_should not allow a nasty url = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0003_should not allow a blank url = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet#test_0001_should sanitize a CSS stylesheet = 0.00 s = . +Sanitize::Transformers::CleanComment::when :allow_comments is true#test_0001_should allow comments = 0.00 s = . +Sanitize::CSS::functionality#test_0002_should parse @page rules properly = 0.00 s = . +Sanitize::CSS::functionality#test_0001_should parse the contents of @media rules properly = 0.00 s = . +Sanitize::Transformers::CSS::CleanAttribute#test_0002_should remove the style attribute if the sanitized CSS is empty = 0.00 s = . +Sanitize::Transformers::CSS::CleanAttribute#test_0001_should sanitize CSS properties in style attributes = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . +Malicious HTML::<body>#test_0001_should not be possible to inject JS via a malformed event attribute = 0.00 s = . Sanitize::CSS::class methods::.properties#test_0001_should sanitize CSS properties with the given config = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0004_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0018_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0006_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0019_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0005_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0014_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0008_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0013_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0009_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::CSS::class methods::.tree!#test_0001_should sanitize a Crass CSS parse tree with the given config = 0.00 s = . +Malicious HTML::sanitization bypass by exploiting scripting-disabled <noscript> behavior#test_0001_is prevented by removing `<noscript>` elements regardless of the allowlist = 0.00 s = . +Malicious HTML::<img>#test_0005_should not be possible to inject protocol-based JS via whitespace = 0.00 s = . +Malicious HTML::<img>#test_0003_should not be possible to inject <script> via a malformed <img> tag = 0.00 s = . +Malicious HTML::<img>#test_0004_should not be possible to inject protocol-based JS = 0.00 s = . +Malicious HTML::<img>#test_0001_should not be possible to inject JS via an unquoted <img> src attribute = 0.00 s = . +Malicious HTML::<img>#test_0006_should not be possible to inject JS using a half-open <img> tag = 0.00 s = . +Malicious HTML::<img>#test_0002_should not be possible to inject JS using grave accents as <img> src delimiters = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0002_should remove them if they have invalid blocks = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0001_should not remove them = 0.00 s = . +Transformers#test_0005_should clear the node allowlist after each fragment = 0.00 s = . +Transformers#test_0003_should perform top-down traversal = 0.00 s = . +Transformers#test_0004_should allowlist nodes in the node allowlist = 0.00 s = . +Transformers#test_0001_should receive a complete env Hash as input = 0.00 s = . +Transformers#test_0006_should accept a method transformer = 0.00 s = . +Transformers#test_0002_should traverse all node types, including the fragment itself = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0001_should allow doctype declarations in documents = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0002_should not allow obviously invalid doctype declarations in documents = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0003_should not allow doctype definitions in fragments = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0008_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0004_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0012_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0010_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0016_should round-trip to the same output = 0.00 s = . -Finished in 0.614987s, 403.2606 runs/s, 2709.0007 assertions/s. +Finished in 1.334997s, 185.7682 runs/s, 1247.9429 assertions/s. 1) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 2) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily [test/test_malicious_html.rb:199]: behavior should only exist in nokogiri's patched libxml 3) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily [test/test_malicious_html.rb:199]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 4) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 5) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 6) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 7) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 8) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 248 runs, 1666 assertions, 0 failures, 0 errors, 8 skips @@ -1252,291 +1288,291 @@ RUBYLIB=. GEM_PATH=/build/reproducible-path/ruby-sanitize-7.0.0/debian/ruby-sanitize/usr/share/rubygems-integration/all:/build/reproducible-path/ruby-sanitize-7.0.0/debian/.debhelper/generated/_source/home/.local/share/gem/ruby/3.1.0:/var/lib/gems/3.1.0:/usr/local/lib/ruby/gems/3.1.0:/usr/lib/ruby/gems/3.1.0:/usr/lib/aarch64-linux-gnu/ruby/gems/3.1.0:/usr/share/rubygems-integration/3.1.0:/usr/share/rubygems-integration/all:/usr/lib/aarch64-linux-gnu/rubygems-integration/3.1.0 ruby3.1 -S rake --rakelibdir /gem2deb-nonexistent -f debian/ruby-tests.rake /usr/bin/ruby3.1 -w -I"test" /usr/share/rubygems-integration/all/gems/rake-13.2.1/lib/rake/rake_test_loader.rb "test/test_clean_comment.rb" "test/test_clean_css.rb" "test/test_clean_doctype.rb" "test/test_clean_element.rb" "test/test_config.rb" "test/test_malicious_css.rb" "test/test_malicious_html.rb" "test/test_parser.rb" "test/test_sanitize.rb" "test/test_sanitize_css.rb" "test/test_transformers.rb" -v -Run options: -v --seed 40268 +Run options: -v --seed 44065 # Running: -Sanitize::instance methods::#node!#test_0001_should sanitize a Nokogiri::XML::Node = 0.00 s = . -Sanitize::class methods::.document#test_0001_should sanitize an HTML document with the given config = 0.00 s = . +Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.01 s = . Sanitize::class methods::.node!#test_0001_should sanitize a Nokogiri::XML::Node with the given config = 0.00 s = . -Sanitize::class methods::.fragment#test_0001_should sanitize an HTML fragment with the given config = 0.00 s = . -Sanitize::instance methods::#node!::when the given node is a document and <html> isn't allowlisted#test_0001_should raise a Sanitize::Error = 0.00 s = . -Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . -Sanitize::initializer#test_0001_should not modify a transformers array in the given config = 0.00 s = . -Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.01 s = . -Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.02 s = . Sanitize::instance methods::#fragment#test_0006_should strip control characters (except ASCII whitespace) = 0.00 s = . Sanitize::instance methods::#fragment#test_0001_should sanitize an HTML fragment = 0.00 s = . -Sanitize::instance methods::#fragment#test_0005_should normalize newlines = 0.00 s = . -Sanitize::instance methods::#fragment#test_0004_should not choke on frozen fragments = 0.00 s = . -Sanitize::instance methods::#fragment#test_0007_should strip non-characters = 0.00 s = . Sanitize::instance methods::#fragment#test_0002_should not modify the input string = 0.00 s = . -Sanitize::instance methods::#fragment#test_0003_should not choke on fragments containing <html> or <body> = 0.00 s = . -Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . -Sanitize::instance methods::#document#test_0005_should strip control characters (except ASCII whitespace) = 0.00 s = . -Sanitize::instance methods::#document#test_0001_should sanitize an HTML document = 0.00 s = . +Sanitize::instance methods::#fragment#test_0003_should not choke on fragments containing <html> or <body> = 0.03 s = . +Sanitize::instance methods::#fragment#test_0007_should strip non-characters = 0.00 s = . +Sanitize::instance methods::#fragment#test_0004_should not choke on frozen fragments = 0.00 s = . +Sanitize::instance methods::#fragment#test_0005_should normalize newlines = 0.00 s = . +Sanitize::class methods::.document#test_0001_should sanitize an HTML document with the given config = 0.00 s = . +Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH::and :max_tree_depth of -1 is supplied in :parser_options#test_0001_does not raise an ArgumentError exception = 0.03 s = . Sanitize::instance methods::#document#test_0006_should strip non-characters = 0.00 s = . -Sanitize::instance methods::#document#test_0004_should normalize newlines = 0.00 s = . Sanitize::instance methods::#document#test_0002_should not modify the input string = 0.00 s = . Sanitize::instance methods::#document#test_0003_should not choke on frozen documents = 0.00 s = . +Sanitize::instance methods::#document#test_0001_should sanitize an HTML document = 0.00 s = . +Sanitize::instance methods::#document#test_0004_should normalize newlines = 0.00 s = . +Sanitize::instance methods::#document#test_0005_should strip control characters (except ASCII whitespace) = 0.00 s = . +Sanitize::instance methods::#node!::when the given node is a document and <html> isn't allowlisted#test_0001_should raise a Sanitize::Error = 0.00 s = . +Sanitize::instance methods::#node!#test_0001_should sanitize a Nokogiri::XML::Node = 0.00 s = . +Sanitize::initializer#test_0001_should not modify a transformers array in the given config = 0.00 s = . +Sanitize::instance methods::#fragment::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . +Sanitize::instance methods::#document::when html body exceeds Nokogiri::Gumbo::DEFAULT_MAX_TREE_DEPTH#test_0001_raises an ArgumentError exception = 0.00 s = . +Sanitize::class methods::.fragment#test_0001_should sanitize an HTML fragment with the given config = 0.00 s = . +Malicious HTML::<body>#test_0001_should not be possible to inject JS via a malformed event attribute = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0017_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0021_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0010_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0009_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0006_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0012_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0001_should not choke on valueless attributes = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0003_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0018_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0007_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0005_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0016_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Transformers::DOM modification transformer#test_0001_should allow the <b> tag to be changed to a <strong> tag = 0.00 s = . +Malicious HTML::interpolation (ERB, PHP, etc.)#test_0002_should remove PHP-style tags = Sanitize::Transformers::CleanElement::Basic config#test_0020_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Malicious HTML::interpolation (ERB, PHP, etc.)#test_0001_should escape ERB-style tags = 0.00 s = . +Malicious HTML::<img>#test_0006_should not be possible to inject JS using a half-open <img> tag = 0.00 s = . +Malicious HTML::<img>#test_0002_should not be possible to inject JS using grave accents as <img> src delimiters = Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . +Malicious HTML::<img>#test_0003_should not be possible to inject <script> via a malformed <img> tag = 0.00 s = . +Malicious HTML::<img>#test_0001_should not be possible to inject JS via an unquoted <img> src attribute = 0.00 s = . +Malicious HTML::<img>#test_0004_should not be possible to inject protocol-based JS = 0.00 s = . +Malicious HTML::<img>#test_0005_should not be possible to inject protocol-based JS via whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0016_always removes `<noscript>` elements even if `noscript` is in the allowlist = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0010_should allow arbitrary HTML5 data attributes when the :attributes config includes :data = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0009_should not allow arbitrary HTML5 data attributes by default = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0011_should replace whitespace_elements with configured :before and :after values = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0008_should remove the contents of allowlisted iframes = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0006_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as strings = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0004_should allow relative URLs containing colons when the colon is part of an anchor = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0001_should allow attributes on all elements if allowlisted under :all = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0003_should allow relative URLs containing colons when the colon is not in the first path segment = Sanitize::Transformers::CleanElement::Basic config#test_0019_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0014_should prevent `<meta>` tags from being used to set a non-UTF-8 charset = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0002_should not allow relative URLs when relative URLs aren't allowlisted = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0015_should not modify `<meta>` tags that already set a UTF-8 charset = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0005_should remove the contents of filtered nodes when :remove_contents is true = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0012_should handle protocols correctly regardless of case = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0007_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as symbols = 0.00 s = . +Sanitize::Transformers::CleanElement::Custom configs#test_0013_should sanitize protocols in data attributes even if data attributes are generically allowed = 0.00 s = . +Sanitize::CSS::class methods::.properties#test_0001_should sanitize CSS properties with the given config = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0014_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0010_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0004_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0020_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0008_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0015_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0018_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0019_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0011_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0009_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0006_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0001_should encode special chars in attribute values = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0003_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0017_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0002_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0007_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0005_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0016_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Relaxed config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . +Sanitize::CSS::class methods::.stylesheet#test_0001_should sanitize a CSS stylesheet with the given config = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0002_should not allow obviously invalid doctype declarations in documents = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0003_should not allow doctype definitions in fragments = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0001_should allow doctype declarations in documents = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0002_should remove them if they have invalid blocks = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0001_should not remove them = 0.00 s = . +Malicious CSS::sanitization bypass via CSS at-rule in HTML <style> element#test_0001_is not possible to prematurely end a <style> element = 0.00 s = . +Malicious HTML::foreign content bypass in relaxed config#test_0001_prevents a sanitization bypass via carefully crafted foreign content = 0.00 s = . +Sanitize::CSS::functionality:::at_rules#test_0002_preserves allowlisted @container at-rules = 0.00 s = . +Sanitize::CSS::functionality:::at_rules#test_0001_should remove blockless at-rules that aren't allowlisted = 0.00 s = . +Config#test_0001_built-in configs should be deeply frozen = 0.00 s = . Sanitize::Transformers::CSS::CleanElement#test_0002_should remove the <style> element if the sanitized CSS is empty = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0016_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0014_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CSS::CleanElement#test_0001_should sanitize CSS stylesheets in <style> elements = 0.00 s = . +Sanitize::CSS::functionality#test_0002_should parse @page rules properly = 0.00 s = . +Sanitize::CSS::functionality#test_0001_should parse the contents of @media rules properly = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0019_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0010_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0004_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . Sanitize::Transformers::CleanElement::Restricted config#test_0008_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0014_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0017_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . Sanitize::Transformers::CleanElement::Restricted config#test_0015_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . Sanitize::Transformers::CleanElement::Restricted config#test_0011_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0009_should not allow protocol-based JS injection: preceding colon = 0.00 s = . Sanitize::Transformers::CleanElement::Restricted config#test_0006_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0013_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0019_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0018_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0001_should clean basic HTML = 0.00 s = . Sanitize::Transformers::CleanElement::Restricted config#test_0003_should clean unclosed HTML = 0.00 s = . -Sanitize::CSS::functionality:::at_rules#test_0002_preserves allowlisted @container at-rules = Malicious HTML::interpolation (ERB, PHP, etc.)#test_0001_should escape ERB-style tags = 0.00 s = . -Sanitize::CSS::functionality:::at_rules#test_0001_should remove blockless at-rules that aren't allowlisted = Sanitize::Transformers::CleanElement::Restricted config#test_0010_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Malicious HTML::foreign content bypass in relaxed config#test_0001_prevents a sanitization bypass via carefully crafted foreign content = 0.00 s = . -Config::.merge#test_0002_should raise an ArgumentError if either argument is not a Hash = 0.00 s = . -Config::.merge#test_0001_should deeply merge a configuration Hash = 0.00 s = . -Config#test_0001_built-in configs should be deeply frozen = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0005_should not allow expressions = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0001_should sanitize CSS properties = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0018_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0002_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0007_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0005_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0016_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Restricted config#test_0013_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0016_removes `<style>` elements in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0010_forcibly escapes text content inside `<xmp>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0009_forcibly escapes text content inside `<xmp>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0011_removes text content inside `<iframe>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0008_forcibly escapes text content inside `<script>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0006_forcibly escapes text content inside `<plaintext>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0004_forcibly escapes text content inside `<noframes>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0001_forcibly escapes text content inside `<noembed>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0003_forcibly escapes text content inside `<noframes>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0014_removes `<noscript>` elements in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0002_forcibly escapes text content inside `<noembed>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0015_removes `<style>` elements in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0005_forcibly escapes text content inside `<plaintext>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0012_removes text content inside `<iframe>` in an SVG namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0007_forcibly escapes text content inside `<script>` in a MathML namespace = 0.00 s = . +Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0013_removes `<noscript>` elements in a MathML namespace = 0.00 s = . +Parser::when siblings are added after a node during traversal#test_0001_the added siblings should be traversed = 0.00 s = . +Sanitize::CSS::instance methods::#stylesheet#test_0001_should sanitize a CSS stylesheet = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0002_should not allow a nasty url = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0003_should not allow a blank url = 0.00 s = . +Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0001_should allow a google fonts url = 0.00 s = . +Sanitize::Transformers::CleanComment::when :allow_comments is true#test_0001_should allow comments = 0.00 s = . +Parser#test_0002_should translate orphaned ampersands into entities = 0.00 s = . +Parser#test_0004_should not have the Nokogiri 1.4.2+ unterminated script/style element bug = 0.00 s = . +Parser#test_0001_should translate valid entities into characters = 0.00 s = . +Parser#test_0003_should not add newlines after tags when serializing a fragment = 0.00 s = . +Parser#test_0005_ambiguous non-tag brackets like "1 > 2 and 2 < 1" should be parsed correctly = 0.00 s = . +Malicious CSS#test_0004_should not allow behaviors = 0.00 s = . +Malicious CSS#test_0002_should not be possible to inject an expression by munging it with a newline = 0.00 s = . +Malicious CSS#test_0003_should not allow the javascript protocol = 0.00 s = . +Malicious CSS#test_0001_should not be possible to inject an expression by munging it with a comment = 0.00 s = . Sanitize::CSS::instance methods::#properties#test_0006_should not allow behaviors = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0004_should not allow -moz-binding = 0.00 s = . -Sanitize::CSS::instance methods::#properties#test_0002_should allow allowlisted URL protocols = 0.01 s = . +Sanitize::CSS::instance methods::#properties#test_0002_should allow allowlisted URL protocols = 0.00 s = . Sanitize::CSS::instance methods::#properties#test_0003_should not allow non-allowlisted URL protocols = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes = 0.00 s = S +Sanitize::CSS::instance methods::#properties#test_0001_should sanitize CSS properties = 0.00 s = . +Sanitize::CSS::instance methods::#properties#test_0004_should not allow -moz-binding = 0.00 s = . +Sanitize::CSS::instance methods::#properties#test_0005_should not allow expressions = 0.00 s = . +Config::.merge#test_0002_should raise an ArgumentError if either argument is not a Hash = 0.00 s = . +Config::.merge#test_0001_should deeply merge a configuration Hash = 0.00 s = . +Sanitize::Transformers::CleanComment::when :allow_comments is false#test_0001_should remove comments = 0.00 s = . +Sanitize::CSS::instance methods::#tree!#test_0001_should sanitize a Crass CSS parse tree = 0.00 s = . +Config::.freeze_config#test_0001_should deeply freeze and return a configuration Hash = 0.00 s = . +Transformers::YouTube transformer#test_0002_should allow HTTPS YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0004_should allow privacy-enhanced YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0001_should allow HTTP YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0003_should allow protocol-relative YouTube video embeds = 0.00 s = . +Transformers::YouTube transformer#test_0005_should not allow non-YouTube video embeds = 0.00 s = . +Malicious HTML::<script>#test_0002_should not be possible to inject <script> via extraneous open brackets = 0.00 s = . +Malicious HTML::<script>#test_0001_should not be possible to inject <script> using a malformed non-alphanumeric tag name = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0016_should round-trip to the same output = 0.00 s = . Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0010_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0012_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes = 0.00 s = S Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0004_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes = 0.00 s = S -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0014_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0006_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0016_should round-trip to the same output = Sanitize::Transformers::CleanElement::Restricted config#test_0009_should not allow protocol-based JS injection: preceding colon = 0.00 s = . Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes = 0.00 s = S Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0008_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0006_should round-trip to the same output = Sanitize::Transformers::CleanElement::Basic config#test_0015_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0004_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0014_should round-trip to the same output = 0.01 s = . Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0002_should round-trip to the same output = 0.00 s = . -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes = 0.01 s = S -Sanitize::Transformers::CleanElement::Default config#test_0013_should not preserve the content of removed `xmp` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0020_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0005_should not preserve the content of removed `math` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0030_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0012_should not preserve the content of removed `svg` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0002_should surround the contents of :whitespace_elements with space characters when removing the element = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0021_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0017_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0025_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0012_should round-trip to the same output = 0.00 s = . +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes = 0.00 s = S +Malicious HTML::<iframe>#test_0001_should not be possible to inject an iframe using an improperly closed tag = 0.00 s = . +Sanitize::CSS::instance methods::#properties::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . +Transformers#test_0006_should accept a method transformer = 0.00 s = . +Transformers#test_0002_should traverse all node types, including the fragment itself = 0.00 s = . +Transformers#test_0003_should perform top-down traversal = 0.00 s = . +Transformers#test_0001_should receive a complete env Hash as input = 0.00 s = . +Transformers#test_0004_should allowlist nodes in the node allowlist = 0.00 s = . +Transformers#test_0005_should clear the node allowlist after each fragment = 0.00 s = . +Sanitize::Transformers::CSS::CleanAttribute#test_0002_should remove the style attribute if the sanitized CSS is empty = 0.00 s = . +Sanitize::Transformers::CSS::CleanAttribute#test_0001_should sanitize CSS properties in style attributes = 0.00 s = . +Transformers::Image allowlist transformer#test_0002_should allow images at the example.com domain = 0.00 s = . +Transformers::Image allowlist transformer#test_0003_should not allow images at other domains = 0.00 s = . +Transformers::Image allowlist transformer#test_0001_should allow images with relative URLs = 0.00 s = . +Malicious HTML::sanitization bypass by exploiting scripting-disabled <noscript> behavior#test_0001_is prevented by removing `<noscript>` elements regardless of the allowlist = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0002_should not allow doctype definitions in fragments = 0.00 s = . +Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0001_should remove doctype declarations = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0018_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0027_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0011_should not preserve the content of removed `style` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0014_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0008_should not preserve the content of removed `noscript` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0021_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0022_should not allow protocol-based JS injection: preceding colon = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0024_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0026_should not allow protocol-based JS injection: hex encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0014_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0003_should not choke on several instances of the same element in a row = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0025_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0004_should not preserve the content of removed `iframe` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0032_should not allow protocol whitespace = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0017_should clean malicious HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0030_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0029_should not allow protocol-based JS injection: null char = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0020_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0006_should not preserve the content of removed `noembed` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0015_should clean malformed HTML = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0010_should not preserve the content of removed `script` elements = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0009_should not preserve the content of removed `plaintext` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0023_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0016_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0012_should not preserve the content of removed `svg` elements = Sanitize::Transformers::CleanElement::Basic config#test_0004_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0001_should remove non-allowlisted elements, leaving safe contents behind = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0019_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0029_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0028_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0031_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0001_should remove non-allowlisted elements, leaving safe contents behind = 0.01 s = . -Sanitize::Transformers::CleanElement::Default config#test_0015_should clean malformed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0002_should surround the contents of :whitespace_elements with space characters when removing the element = 0.00 s = . Sanitize::Transformers::CleanElement::Default config#test_0007_should not preserve the content of removed `noframes` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0004_should not preserve the content of removed `iframe` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0006_should not preserve the content of removed `noembed` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0008_should not preserve the content of removed `noscript` elements = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0022_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0032_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0027_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0024_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0018_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Default config#test_0003_should not choke on several instances of the same element in a row = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0005_should not preserve the content of removed `math` elements = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0028_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0016_should clean unclosed HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0023_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . +Sanitize::Transformers::CleanElement::Default config#test_0013_should not preserve the content of removed `xmp` elements = 0.00 s = . Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . -Sanitize::CSS::class methods::.properties#test_0001_should sanitize CSS properties with the given config = 0.01 s = . -Malicious CSS::sanitization bypass via CSS at-rule in HTML <style> element#test_0001_is not possible to prematurely end a <style> element = 0.00 s = . -Malicious HTML::<img>#test_0005_should not be possible to inject protocol-based JS via whitespace = 0.00 s = . -Malicious HTML::<img>#test_0001_should not be possible to inject JS via an unquoted <img> src attribute = 0.01 s = . -Malicious HTML::<img>#test_0006_should not be possible to inject JS using a half-open <img> tag = 0.00 s = . -Malicious HTML::<img>#test_0004_should not be possible to inject protocol-based JS = 0.00 s = . -Malicious HTML::<img>#test_0002_should not be possible to inject JS using grave accents as <img> src delimiters = 0.01 s = . -Malicious HTML::<img>#test_0003_should not be possible to inject <script> via a malformed <img> tag = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is true#test_0001_should preserve comments = 0.00 s = . -Sanitize::Transformers::CleanComment::when :allow_comments is true#test_0001_should allow comments = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0001_should allow doctype declarations in documents = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0002_should not allow obviously invalid doctype declarations in documents = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is true#test_0003_should not allow doctype definitions in fragments = 0.00 s = . -Malicious CSS#test_0001_should not be possible to inject an expression by munging it with a comment = 0.00 s = . -Malicious CSS#test_0004_should not allow behaviors = 0.00 s = . -Sanitize::Transformers::CSS::CleanElement#test_0001_should sanitize CSS stylesheets in <style> elements = 0.00 s = . -Malicious CSS#test_0002_should not be possible to inject an expression by munging it with a newline = 0.00 s = . -Malicious CSS#test_0003_should not allow the javascript protocol = 0.00 s = . -Parser::when siblings are added after a node during traversal#test_0001_the added siblings should be traversed = 0.00 s = . -Sanitize::Transformers::CleanComment::when :allow_comments is false#test_0001_should remove comments = Sanitize::Transformers::CleanElement::Restricted config#test_0004_should clean malicious HTML = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet#test_0001_should sanitize a CSS stylesheet = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0001_should allow a google fonts url = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0002_should not allow a nasty url = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when validating @import rules::with a validation proc specified#test_0003_should not allow a blank url = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0005_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0020_should not allow protocol-based JS injection: spaces and entities = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0017_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0016_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0012_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0015_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0009_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0011_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0019_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0002_should downcase attribute names = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0001_should not choke on valueless attributes = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0007_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0014_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0004_should clean malformed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0006_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0008_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0021_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0018_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0003_should clean basic HTML = 0.00 s = . -Transformers::Image allowlist transformer#test_0001_should allow images with relative URLs = 0.00 s = . -Transformers::Image allowlist transformer#test_0002_should allow images at the example.com domain = 0.00 s = . -Transformers::Image allowlist transformer#test_0003_should not allow images at other domains = 0.00 s = . -Sanitize::Transformers::CSS::CleanAttribute#test_0002_should remove the style attribute if the sanitized CSS is empty = 0.00 s = . -Sanitize::Transformers::CSS::CleanAttribute#test_0001_should sanitize CSS properties in style attributes = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0002_should not allow doctype definitions in fragments = 0.00 s = . -Sanitize::Transformers::CleanDoctype::when :allow_doctype is false#test_0001_should remove doctype declarations = 0.00 s = . Malicious HTML::comments#test_0001_should not allow script injection via conditional comments = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0005_should remove the contents of filtered nodes when :remove_contents is true = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0007_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as symbols = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0010_should allow arbitrary HTML5 data attributes when the :attributes config includes :data = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0012_should handle protocols correctly regardless of case = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0015_should not modify `<meta>` tags that already set a UTF-8 charset = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0001_should allow attributes on all elements if allowlisted under :all = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0009_should not allow arbitrary HTML5 data attributes by default = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0004_should allow relative URLs containing colons when the colon is part of an anchor = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0013_should sanitize protocols in data attributes even if data attributes are generically allowed = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0014_should prevent `<meta>` tags from being used to set a non-UTF-8 charset = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0006_should remove the contents of specified nodes when :remove_contents is an Array or Set of element names as strings = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0016_always removes `<noscript>` elements even if `noscript` is in the allowlist = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0011_should replace whitespace_elements with configured :before and :after values = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0008_should remove the contents of allowlisted iframes = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0002_should not allow relative URLs when relative URLs aren't allowlisted = 0.00 s = . -Sanitize::Transformers::CleanElement::Custom configs#test_0003_should allow relative URLs containing colons when the colon is not in the first path segment = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_comments is false#test_0001_should strip comments = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_hacks is true#test_0001_should allow common CSS hacks = 0.00 s = . -Sanitize::CSS::functionality#test_0002_should parse @page rules properly = 0.00 s = . -Sanitize::CSS::functionality#test_0001_should parse the contents of @media rules properly = 0.00 s = . -Sanitize::CSS::instance methods::#properties::when :allow_comments is true#test_0001_should preserve comments = 0.01 s = . +0.02 s = . +0.01 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0014_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . Sanitize::CSS::functionality:::at_rules::when validating @import rules::with no validation proc specified#test_0001_should allow any URL value = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0002_should remove them if they have invalid blocks = 0.00 s = . -Sanitize::CSS::functionality:::at_rules::when blockless at-rules are allowlisted#test_0001_should not remove them = 0.00 s = . -Malicious HTML::<iframe>#test_0001_should not be possible to inject an iframe using an improperly closed tag = 0.01 s = . -Malicious HTML::sanitization bypass by exploiting scripting-disabled <noscript> behavior#test_0001_is prevented by removing `<noscript>` elements regardless of the allowlist = 0.00 s = . -Malicious HTML::<body>#test_0001_should not be possible to inject JS via a malformed event attribute = 0.00 s = . -Sanitize::CSS::class methods::.stylesheet#test_0001_should sanitize a CSS stylesheet with the given config = 0.01 s = . -Sanitize::CSS::class methods::.tree!#test_0001_should sanitize a Crass CSS parse tree with the given config = 0.00 s = . -Transformers::DOM modification transformer#test_0001_should allow the <b> tag to be changed to a <strong> tag = 0.00 s = . -Transformers::YouTube transformer#test_0004_should allow privacy-enhanced YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0001_should allow HTTP YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0005_should not allow non-YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0002_should allow HTTPS YouTube video embeds = 0.00 s = . -Transformers::YouTube transformer#test_0003_should allow protocol-relative YouTube video embeds = 0.00 s = . -Parser#test_0004_should not have the Nokogiri 1.4.2+ unterminated script/style element bug = 0.00 s = . -Parser#test_0001_should translate valid entities into characters = 0.00 s = . -Parser#test_0005_ambiguous non-tag brackets like "1 > 2 and 2 < 1" should be parsed correctly = 0.00 s = . -Parser#test_0002_should translate orphaned ampersands into entities = 0.00 s = . -Parser#test_0003_should not add newlines after tags when serializing a fragment = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0005_forcibly escapes text content inside `<plaintext>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0007_forcibly escapes text content inside `<script>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0010_forcibly escapes text content inside `<xmp>` in an SVG namespace = 0.01 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0012_removes text content inside `<iframe>` in an SVG namespace = Malicious HTML::interpolation (ERB, PHP, etc.)#test_0002_should remove PHP-style tags = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0015_removes `<style>` elements in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0001_forcibly escapes text content inside `<noembed>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0009_forcibly escapes text content inside `<xmp>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0004_forcibly escapes text content inside `<noframes>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0013_removes `<noscript>` elements in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0014_removes `<noscript>` elements in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0006_forcibly escapes text content inside `<plaintext>` in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0016_removes `<style>` elements in an SVG namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0011_removes text content inside `<iframe>` in a MathML namespace = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0008_forcibly escapes text content inside `<script>` in an SVG namespace = 0.01 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0002_forcibly escapes text content inside `<noembed>` in an SVG namespace = Sanitize::Transformers::CleanElement::Restricted config#test_0017_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Malicious HTML::foreign content bypass in unsafe custom config that allows MathML or SVG#test_0003_forcibly escapes text content inside `<noframes>` in a MathML namespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0005_should clean malicious HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0016_should not allow protocol-based JS injection: hex encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0015_should not allow protocol-based JS injection: long hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0014_should not allow protocol-based JS injection: hex encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0011_should not allow protocol-based JS injection: UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0017_should not allow protocol-based JS injection: null char = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0009_should not allow protocol-based JS injection: simple, spaces before and after = 0.01 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0012_should not allow protocol-based JS injection: long UTF-8 encoding = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0010_should not allow protocol-based JS injection: preceding colon = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0019_should not allow protocol-based JS injection: spaces and entities = 0.02 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0002_should clean basic HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0001_should encode special chars in attribute values = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0007_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0004_should clean unclosed HTML = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0006_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0013_should not allow protocol-based JS injection: long UTF-8 encoding without semicolons = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0008_should not allow protocol-based JS injection: simple, spaces after = 0.01 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0020_should not allow protocol whitespace = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0018_should not allow protocol-based JS injection: invalid URL char = 0.00 s = . -Sanitize::Transformers::CleanElement::Relaxed config#test_0003_should clean malformed HTML = 0.00 s = . -Sanitize::CSS::instance methods::#tree!#test_0001_should sanitize a Crass CSS parse tree = 0.00 s = . -Malicious HTML::<script>#test_0002_should not be possible to inject <script> via extraneous open brackets = 0.00 s = . -Malicious HTML::<script>#test_0001_should not be possible to inject <script> using a malformed non-alphanumeric tag name = 0.00 s = . -Transformers#test_0005_should clear the node allowlist after each fragment = 0.00 s = . -Transformers#test_0001_should receive a complete env Hash as input = 0.00 s = . -Transformers#test_0006_should accept a method transformer = 0.00 s = . -Transformers#test_0004_should allowlist nodes in the node allowlist = 0.00 s = . -Transformers#test_0002_should traverse all node types, including the fragment itself = 0.00 s = . -Transformers#test_0003_should perform top-down traversal = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_hacks is false#test_0001_should not allow common CSS hacks = 0.00 s = . -Sanitize::CSS::instance methods::#stylesheet::when :allow_comments is false#test_0001_should strip comments = 0.07 s = . -Config::.freeze_config#test_0001_should deeply freeze and return a configuration Hash = 0.00 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0002_should clean malformed HTML = 0.00 s = . -0.03 s = . -Sanitize::Transformers::CleanElement::Basic config#test_0010_should not allow protocol-based JS injection: simple, spaces before and after = 0.00 s = . -0.04 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0001_should clean basic HTML = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0008_should not allow protocol-based JS injection: simple, spaces before = 0.00 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0011_should not allow protocol-based JS injection: preceding colon = 0.00 s = . 0.01 s = . -0.03 s = . -0.03 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0007_should not allow protocol-based JS injection: simple, spaces after = 0.00 s = . -0.04 s = . -Sanitize::Transformers::CleanElement::Restricted config#test_0005_should not allow protocol-based JS injection: simple, no spaces = 0.00 s = . +0.01 s = . +Sanitize::Transformers::CleanElement::Basic config#test_0002_should downcase attribute names = 0.00 s = . +Sanitize::CSS::class methods::.tree!#test_0001_should sanitize a Crass CSS parse tree with the given config = 0.00 s = . +0.00 s = . -Finished in 0.689181s, 359.8473 runs/s, 2417.3614 assertions/s. +Finished in 0.637885s, 388.7850 runs/s, 2611.7574 assertions/s. 1) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 2) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 3) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily [test/test_malicious_html.rb:199]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 4) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0001_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 5) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0009_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0015_should not escape characters unnecessarily [test/test_malicious_html.rb:199]: behavior should only exist in nokogiri's patched libxml 6) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0005_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 7) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0011_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0007_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 8) Skipped: -Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0003_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: +Malicious HTML::unsafe libxml2 server-side includes in attributes#test_0013_should escape unsafe characters in attributes [test/test_malicious_html.rb:172]: behavior should only exist in nokogiri's patched libxml 248 runs, 1666 assertions, 0 failures, 0 errors, 8 skips @@ -1572,12 +1608,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/704796/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/2975405 and its subdirectories -I: Current time: Mon Mar 9 14:36:50 -12 2026 -I: pbuilder-time-stamp: 1773110210 +I: removing directory /srv/workspace/pbuilder/704796 and its subdirectories +I: Current time: Wed Feb 5 10:15:57 +14 2025 +I: pbuilder-time-stamp: 1738700157