Skip to content

Commit

Permalink
revert 45a5c10
Browse files Browse the repository at this point in the history
to prepare for a better fix
  • Loading branch information
flavorjones committed Dec 11, 2022
1 parent d1223a2 commit e6d52d3
Show file tree
Hide file tree
Showing 2 changed files with 1 addition and 41 deletions.
19 changes: 1 addition & 18 deletions lib/rails/html/sanitizer.rb
Original file line number Diff line number Diff line change
Expand Up @@ -141,25 +141,8 @@ def sanitize_css(style_string)

private

def loofah_using_html5?
# future-proofing, see https://github.com/flavorjones/loofah/pull/239
Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
end

def remove_safelist_tag_combinations(tags)
if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
tags.delete("style")
end
tags
end

def allowed_tags(options)
if options[:tags]
remove_safelist_tag_combinations(options[:tags])
else
self.class.allowed_tags
end
options[:tags] || self.class.allowed_tags
end

def allowed_attributes(options)
Expand Down
23 changes: 0 additions & 23 deletions test/sanitizer_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -581,25 +581,6 @@ def test_exclude_node_type_comment
assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
end

def test_disallow_the_dangerous_safelist_combination_of_select_and_style
input = "<select><style><script>alert(1)</script></style></select>"
tags = ["select", "style"]
warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from safelist/
sanitized = nil
invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }

if html5_mode?
# if Loofah is using an HTML5 parser,
# then "style" should be removed by the parser as an invalid child of "select"
assert_silent(&invocation)
else
# if Loofah is using an HTML4 parser,
# then SafeListSanitizer should remove "style" from the safelist
assert_output(nil, warning, &invocation)
end
refute_includes(sanitized, "style")
end

%w[text/plain text/css image/png image/gif image/jpeg].each do |mediatype|
define_method "test_mediatype_#{mediatype}_allowed" do
input = %Q(<img src="data:#{mediatype};base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">)
Expand Down Expand Up @@ -727,8 +708,4 @@ def libxml_2_9_14_recovery_lt_bang?
# then reverted in 2.10.0, see https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("= 2.9.14")
end

def html5_mode?
::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
end
end

0 comments on commit e6d52d3

Please sign in to comment.