More SVG Sanitization

2007-10-31 01:00:45 -05:00 · 2007-10-31 01:00:45 -05:00 · 70025a4ba3
parent eca126f589
commit 70025a4ba3
2 changed files with 40 additions and 2 deletions
--- a/vendor/plugins/HTML5lib/lib/html5/sanitizer.rb
+++ b/vendor/plugins/HTML5lib/lib/html5/sanitizer.rb
@ -78,8 +78,12 @@ module HTML5

    ATTR_VAL_IS_URI = %w[href src cite action longdesc xlink:href xml:base]

-    SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path fill filter marker marker-start
-      marker-mid marker-end mask stroke textpath]
+    SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path color-profile cursor fill
+      filter marker marker-start marker-mid marker-end mask stroke]
+
+    SVG_ALLOW_LOCAL_HREF = %w[altGlyph animate animateColor animateMotion
+      animateTransform cursor feImage filter linearGradient pattern
+      radialGradient textpath tref set use]

    ACCEPTABLE_CSS_PROPERTIES = %w[azimuth background-color
      border-bottom-color border-collapse border-color border-left-color
@ -127,6 +131,9 @@ module HTML5
              SVG_ATTR_VAL_ALLOWS_REF.each do |attr|
                attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attrs[attr]
              end
+              if SVG_ALLOW_LOCAL_HREF.include?(token[:name]) && attrs['xlink:href'] && attrs['xlink:href'] =~ /^\s*[^#\s].*/m
+                 attrs.delete 'xlink:href'
+              end
              if attrs['style']
                attrs['style'] = sanitize_css(attrs['style'])
              end
--- a/vendor/plugins/HTML5lib/tests/test_sanitizer.rb
+++ b/vendor/plugins/HTML5lib/tests/test_sanitizer.rb
@ -110,6 +110,37 @@ class SanitizeTest < Test::Unit::TestCase
    end
  end

+  HTMLSanitizer::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
+    next unless HTMLSanitizer::ALLOWED_ELEMENTS.include?(tag_name)
+    define_method "test_#{tag_name}_should_allow_local_href" do
+      input = %(<#{tag_name} xlink:href="#foo"/>)
+      output = "<#{tag_name.downcase} xlink:href='#foo'/>"
+      xhtmloutput = "<#{tag_name} xlink:href='#foo'></#{tag_name}>"
+      check_sanitization(input, output, xhtmloutput, xhtmloutput)
+    end
+
+    define_method "test_#{tag_name}_should_allow_local_href_with_newline" do
+      input = %(<#{tag_name} xlink:href="\n#foo"/>)
+      output = "<#{tag_name.downcase} xlink:href='\n#foo'/>"
+      xhtmloutput = "<#{tag_name} xlink:href='\n#foo'></#{tag_name}>"
+      check_sanitization(input, output, xhtmloutput, xhtmloutput)
+    end
+
+    define_method "test_#{tag_name}_should_forbid_nonlocal_href" do
+      input = %(<#{tag_name} xlink:href="http://bad.com/foo"/>)
+      output = "<#{tag_name.downcase}/>"
+      xhtmloutput = "<#{tag_name}></#{tag_name}>"
+      check_sanitization(input, output, xhtmloutput, xhtmloutput)
+    end
+
+    define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline" do
+      input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo"/>)
+      output = "<#{tag_name.downcase}/>"
+      xhtmloutput = "<#{tag_name}></#{tag_name}>"
+      check_sanitization(input, output, xhtmloutput, xhtmloutput)
+    end
+  end
+
  def test_should_handle_astral_plane_characters
    input = "<p>&#x1d4b5; &#x1d538;</p>"
    output = "<p>\360\235\222\265 \360\235\224\270</p>"