diff --git a/Gemfile b/Gemfile
index fc5f6ca..12b745e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -5,3 +5,4 @@ gemspec
gem "nokogiri", RUBY_VERSION < "2.1" ? "~> 1.6.0" : ">= 1.7"
gem "activesupport", RUBY_VERSION < "2.2.2" ? "~> 4.2.0" : ">= 5"
+gem "loofah", git: "https://github.com/flavorjones/loofah", branch: "flavorjones-scrub-accepts-allowed-attribute-names"
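Review bot: The new loofah entry on the last line of this hunk tracks a mutable git branch with no `ref:`, so the code this repository builds against can change under it whenever the branch moves, and only Gemfile.lock (not shown here) would record which commit was actually tested. Because this project is consumed as a gem, downstream users never see this Gemfile source at all and resolve loofah from the gemspec bound instead, so the branch is at most a development-time convenience. Until a released loofah ships the needed API, pin the source to an immutable commit, e.g. `gem "loofah", git: "https://github.com/flavorjones/loofah", ref: "<commit-sha>"`, and replace it with a version constraint before merging.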
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 13b6d6f..afe3273 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -86,10 +86,6 @@ def skip_node?(node)
node.text?
end
- def scrub_attribute?(name)
- !@attributes.include?(name)
- end
-
def keep_node?(node)
if @tags
allowed_node?(node)
@@ -105,58 +101,18 @@ def scrub_node(node)
def scrub_attributes(node)
if @attributes
- node.attribute_nodes.each do |attr|
- attr.remove if scrub_attribute?(attr.name)
- scrub_attribute(node, attr)
- end
-
- scrub_css_attribute(node)
+ Loofah::HTML5::Scrub.scrub_attributes(node, allowed_attribute_names: @attributes)
else
Loofah::HTML5::Scrub.scrub_attributes(node)
end
end
- def scrub_css_attribute(node)
- if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
- Loofah::HTML5::Scrub.scrub_css_attribute(node)
- else
- style = node.attributes['style']
- style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
- end
- end
-
def validate!(var, name)
if var && !var.is_a?(Enumerable)
raise ArgumentError, "You should pass :#{name} as an Enumerable"
end
var
end
-
- def scrub_attribute(node, attr_node)
- attr_name = if attr_node.namespace
- "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
- else
- attr_node.node_name
- end
-
- if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
- # this block lifted nearly verbatim from HTML5 sanitization
- val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
- if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
- attr_node.remove
- end
- end
- if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
- attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
- end
- if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
- attr_node.remove
- end
-
- node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
-
- Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
- end
end
# === Rails::Html::TargetScrubber
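Review bot: The new call `Loofah::HTML5::Scrub.scrub_attributes(node, allowed_attribute_names: @attributes)` raises `ArgumentError` (unknown keyword) on any loofah release whose `scrub_attributes` does not accept that keyword, and this hunk also drops the `respond_to?`-guarded fallback that previously tolerated older loofah builds. No gemspec change is visible in this diff, so unless the loofah runtime lower bound is raised elsewhere in the commit, installs that satisfy the current bound would fail at the first sanitize of a node with an allowed attribute. Raising the minimum loofah version in the gemspec to the first release carrying the keyword is the minimal fix; if that is not yet possible, keep a `respond_to?`-style guard around the keyword call. It would also help to document on `scrub_attributes` that protocol checking of URI-valued attributes, SVG `url()` reference stripping and `xlink:href` handling for allowed attribute names are now delegated to loofah, so a reader does not assume the class still performs them; the test added in `test/sanitizer_test.rb` is cut off in this view, so I cannot tell whether it covers that delegation.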
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index df8e64b..9920023 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -515,6 +515,16 @@ def test_allow_data_attribute_if_requested
assert_equal %(foo), safe_list_sanitize(text, attributes: ['data-foo'])
end
+ def test_sanitize_data_protocol
+ text = "- XSS\">