More SVG Sanitization
This commit is contained in:
parent
eca126f589
commit
70025a4ba3
2 changed files with 40 additions and 2 deletions
11
vendor/plugins/HTML5lib/lib/html5/sanitizer.rb
vendored
11
vendor/plugins/HTML5lib/lib/html5/sanitizer.rb
vendored
|
@ -78,8 +78,12 @@ module HTML5
|
|||
|
||||
ATTR_VAL_IS_URI = %w[href src cite action longdesc xlink:href xml:base]
|
||||
|
||||
SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path fill filter marker marker-start
|
||||
marker-mid marker-end mask stroke textpath]
|
||||
SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path color-profile cursor fill
|
||||
filter marker marker-start marker-mid marker-end mask stroke]
|
||||
|
||||
SVG_ALLOW_LOCAL_HREF = %w[altGlyph animate animateColor animateMotion
|
||||
animateTransform cursor feImage filter linearGradient pattern
|
||||
radialGradient textpath tref set use]
|
||||
|
||||
ACCEPTABLE_CSS_PROPERTIES = %w[azimuth background-color
|
||||
border-bottom-color border-collapse border-color border-left-color
|
||||
|
@ -127,6 +131,9 @@ module HTML5
|
|||
SVG_ATTR_VAL_ALLOWS_REF.each do |attr|
|
||||
attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attrs[attr]
|
||||
end
|
||||
if SVG_ALLOW_LOCAL_HREF.include?(token[:name]) && attrs['xlink:href'] && attrs['xlink:href'] =~ /^\s*[^#\s].*/m
|
||||
attrs.delete 'xlink:href'
|
||||
end
|
||||
if attrs['style']
|
||||
attrs['style'] = sanitize_css(attrs['style'])
|
||||
end
|
||||
|
|
31
vendor/plugins/HTML5lib/tests/test_sanitizer.rb
vendored
31
vendor/plugins/HTML5lib/tests/test_sanitizer.rb
vendored
|
@ -110,6 +110,37 @@ class SanitizeTest < Test::Unit::TestCase
|
|||
end
|
||||
end
|
||||
|
||||
HTMLSanitizer::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
|
||||
next unless HTMLSanitizer::ALLOWED_ELEMENTS.include?(tag_name)
|
||||
define_method "test_#{tag_name}_should_allow_local_href" do
|
||||
input = %(<#{tag_name} xlink:href="#foo"/>)
|
||||
output = "<#{tag_name.downcase} xlink:href='#foo'/>"
|
||||
xhtmloutput = "<#{tag_name} xlink:href='#foo'></#{tag_name}>"
|
||||
check_sanitization(input, output, xhtmloutput, xhtmloutput)
|
||||
end
|
||||
|
||||
define_method "test_#{tag_name}_should_allow_local_href_with_newline" do
|
||||
input = %(<#{tag_name} xlink:href="\n#foo"/>)
|
||||
output = "<#{tag_name.downcase} xlink:href='\n#foo'/>"
|
||||
xhtmloutput = "<#{tag_name} xlink:href='\n#foo'></#{tag_name}>"
|
||||
check_sanitization(input, output, xhtmloutput, xhtmloutput)
|
||||
end
|
||||
|
||||
define_method "test_#{tag_name}_should_forbid_nonlocal_href" do
|
||||
input = %(<#{tag_name} xlink:href="http://bad.com/foo"/>)
|
||||
output = "<#{tag_name.downcase}/>"
|
||||
xhtmloutput = "<#{tag_name}></#{tag_name}>"
|
||||
check_sanitization(input, output, xhtmloutput, xhtmloutput)
|
||||
end
|
||||
|
||||
define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline" do
|
||||
input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo"/>)
|
||||
output = "<#{tag_name.downcase}/>"
|
||||
xhtmloutput = "<#{tag_name}></#{tag_name}>"
|
||||
check_sanitization(input, output, xhtmloutput, xhtmloutput)
|
||||
end
|
||||
end
|
||||
|
||||
def test_should_handle_astral_plane_characters
|
||||
input = "<p>𝒵 𝔸</p>"
|
||||
output = "<p>\360\235\222\265 \360\235\224\270</p>"
|
||||
|
|
Loading…
Reference in a new issue