fix: replace slow regex attribute check with Loofah method

which uses the Crass parser
rails · Dec 11, 2022 · f0e3347 · f0e3347
1 parent df03f2f
commit f0e3347
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -145,9 +145,11 @@ def scrub_attribute(node, attr_node)
  attr_node.remove
  end
  end
+
  if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
- attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+ Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
  end
+
  if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
  attr_node.remove
  end

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -600,6 +600,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
  refute_includes(sanitized, "style")
  end
 
+ def test_scrubbing_svg_attr_values_that_allow_ref
+ input = %Q(<div fill="yellow url(http:https://bad.com/) #fff">hey</div>)
+ expected = %Q(<div fill="yellow #fff">hey</div>)
+ actual = scope_allowed_attributes %w(fill) do
+ safe_list_sanitize(input)
+ end
+
+ assert_equal(expected, actual)
+ end
+
 protected
 
  def xpath_sanitize(input, options = {})