Skip to content

Commit

Permalink
fix: replace slow regex attribute check with Loofah method
Browse files Browse the repository at this point in the history
which uses the Crass parser
  • Loading branch information
flavorjones committed Dec 11, 2022
1 parent df03f2f commit f0e3347
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
4 changes: 3 additions & 1 deletion lib/rails/html/scrubbers.rb
Original file line number Diff line number Diff line change
Expand Up @@ -145,9 +145,11 @@ def scrub_attribute(node, attr_node)
attr_node.remove
end
end

if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
end

if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
attr_node.remove
end
Expand Down
10 changes: 10 additions & 0 deletions test/sanitizer_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -600,6 +600,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
refute_includes(sanitized, "style")
end

def test_scrubbing_svg_attr_values_that_allow_ref
input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>)
expected = %Q(<div fill="yellow #fff">hey</div>)
actual = scope_allowed_attributes %w(fill) do
safe_list_sanitize(input)
end

assert_equal(expected, actual)
end

protected

def xpath_sanitize(input, options = {})
Expand Down

0 comments on commit f0e3347

Please sign in to comment.