From e6d52d3b6db99d07399498b1287997302d444a8d Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 24 Aug 2022 16:10:39 -0400
Subject: [PATCH] revert 45a5c10

to prepare for a better fix
---
 lib/rails/html/sanitizer.rb | 19 +------------------
 test/sanitizer_test.rb      | 23 -----------------------
 2 files changed, 1 insertion(+), 41 deletions(-)

diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index 13fb963..5633ca1 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -141,25 +141,8 @@ def sanitize_css(style_string)
 
       private
 
-      def loofah_using_html5?
-        # future-proofing, see https://github.com/flavorjones/loofah/pull/239
-        Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
-      end
-
-      def remove_safelist_tag_combinations(tags)
-        if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
-          warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
-          tags.delete("style")
-        end
-        tags
-      end
-
       def allowed_tags(options)
-        if options[:tags]
-          remove_safelist_tag_combinations(options[:tags])
-        else
-          self.class.allowed_tags
-        end
+        options[:tags] || self.class.allowed_tags
       end
 
       def allowed_attributes(options)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 7a60956..99221db 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -581,25 +581,6 @@ def test_exclude_node_type_comment
     assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
   end
 
-  def test_disallow_the_dangerous_safelist_combination_of_select_and_style
-    input = "<select><style><script>alert(1)</script></style></select>"
-    tags = ["select", "style"]
-    warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from safelist/
-    sanitized = nil
-    invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
-
-    if html5_mode?
-      # if Loofah is using an HTML5 parser,
-      #   then "style" should be removed by the parser as an invalid child of "select"
-      assert_silent(&invocation)
-    else
-      # if Loofah is using an HTML4 parser,
-      #   then SafeListSanitizer should remove "style" from the safelist
-      assert_output(nil, warning, &invocation)
-    end
-    refute_includes(sanitized, "style")
-  end
-
   %w[text/plain text/css image/png image/gif image/jpeg].each do |mediatype|
     define_method "test_mediatype_#{mediatype}_allowed" do
       input = %Q(<img src="data:#{mediatype};base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
@@ -727,8 +708,4 @@ def libxml_2_9_14_recovery_lt_bang?
     # then reverted in 2.10.0, see https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
     Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("= 2.9.14")
   end
-
-  def html5_mode?
-    ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
-  end
 end