fix: replace slow regex attribute check with Loofah method
which uses the Crass parser
flavorjones committed Dec 13, 2022
1 parent 71b5aca commit 56c61c0
Showing 2 changed files with 13 additions and 1 deletion.
4 changes: 3 additions & 1 deletion lib/rails/html/scrubbers.rb
@@ -146,9 +146,11 @@ def scrub_attribute(node, attr_node)
attr_node.remove
end
end

if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
end

if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
attr_node.remove
end
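Review bot: the replacement line drops the `if attr_node.value` nil guard that the removed `gsub` line carried, so `Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)` is now called for every attribute in `SVG_ATTR_VAL_ALLOWS_REF` regardless of whether the value is nil; confirm the Loofah method tolerates a nil value, or keep the guard. Since only `scrubbers.rb` and the test change here, the gemspec's Loofah constraint is not raised in this commit; the method must exist in the lowest Loofah version the gem accepts, otherwise older installs raise `NoMethodError` on the first SVG attribute that reaches this branch. Note also that the `xlink:href` check directly below still relies on a regex (`=~ /^\s*[^#\s].*/m`); if the motivation is replacing slow regex checks with the Crass-backed parser, that line deserves the same treatment or a comment explaining why it is left alone.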
10 changes: 10 additions & 0 deletions test/sanitizer_test.rb
@@ -606,6 +606,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
refute_includes(sanitized, "style")
end

def test_scrubbing_svg_attr_values_that_allow_ref
input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>)
expected = %Q(<div fill="yellow #fff">hey</div>)
actual = scope_allowed_attributes %w(fill) do
safe_list_sanitize(input)
end

assert_equal(expected, actual)
end

protected

def xpath_sanitize(input, options = {})
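Review bot: the new test covers a single shape of input, an absolute `http://` reference inside `url()`, while the removed regex also matched relative references, `url(` with interior whitespace, and any non-`#` scheme; add cases that pin the expected behaviour on those, plus a positive case showing that a local reference such as `url(#gradient)` survives, so that a regression in the Loofah/Crass path toward either over- or under-stripping is caught. The expected string `yellow #fff` also asserts exact whitespace normalisation, which couples the test to Crass's serialisation rather than to the security property (the external reference is gone); consider asserting `refute_includes(actual, "bad.com")` alongside the exact comparison. Finally, since the commit message motivates the change by the old regex being slow, a test with a long pathological `fill` value would document that the new path does not degrade in the same way.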