Better handling of SVG attributes which admit uri refs
Just strip out the URI ref, leaving alternates.
parent
5208bbf0af
commit
f24c60c3fb
|
@ -123,9 +123,9 @@ module HTML5
|
||||||
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ and !self.class.const_get("ALLOWED_PROTOCOLS").include?(val_unescaped.split(':')[0])
|
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ and !self.class.const_get("ALLOWED_PROTOCOLS").include?(val_unescaped.split(':')[0])
|
||||||
attrs.delete attr
|
attrs.delete attr
|
||||||
end
|
end
|
||||||
SVG_ATTR_VAL_ALLOWS_REF.each do |attr|
|
|
||||||
attrs.delete attr if attrs[attr].to_s.downcase =~ /url\(\s*[^#]/m
|
|
||||||
end
|
end
|
||||||
|
SVG_ATTR_VAL_ALLOWS_REF.each do |attr|
|
||||||
|
attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attrs[attr]
|
||||||
end
|
end
|
||||||
if attrs['style']
|
if attrs['style']
|
||||||
attrs['style'] = sanitize_css(attrs['style'])
|
attrs['style'] = sanitize_css(attrs['style'])
|
||||||
|
|
|
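Review bot: The new `gsub` pattern in the `SVG_ATTR_VAL_ALLOWS_REF` loop is case-sensitive, whereas the line it replaces called `.downcase` before matching, so a value spelled `URL(http://bad.com/)` is no longer caught by this loop. Function names in CSS-style values are case-insensitive, so the pattern should carry the `i` flag. Separately, `[^#\s][^)]+?` needs at least two characters inside the parentheses, which leaves a one-character reference such as `url(a)` in place. Both are covered by `attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]*\)/mi, ' ') if attrs[attr]`, and an upper-case `URL(` fixture in the sanitizer test data would pin the behaviour. The enclosing method starts and ends outside this hunk, so any later normalisation of the attribute value is not visible here.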
@ -424,15 +424,15 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
"name": "absolute_uri_refs_in_svg_attributes",
|
"name": "absolute_uri_refs_in_svg_attributes",
|
||||||
"input": "<rect fill='url(http://bad.com/)' />",
|
"input": "<rect fill='url(http://bad.com/) #fff' />",
|
||||||
"rexml": "<rect></rect>",
|
"rexml": "<rect fill=' #fff'></rect>",
|
||||||
"xhtml": "<rect></rect>",
|
"xhtml": "<rect fill=' #fff'></rect>",
|
||||||
"output": "<rect/>"
|
"output": "<rect fill=' #fff'/>"
|
||||||
},
|
},
|
||||||
|
|
||||||
{
|
{
|
||||||
"name": "uri_ref_with_space_in svg_attribute",
|
"name": "uri_ref_with_space_in svg_attribute",
|
||||||
"input": "<rect fill=\"url(\n#foo)\" />",
|
"input": "<rect fill='url(\n#foo)' />",
|
||||||
"rexml": "<rect fill=\'url(\n#foo)\'></rect>",
|
"rexml": "<rect fill=\'url(\n#foo)\'></rect>",
|
||||||
"xhtml": "<rect fill=\'url(\n#foo)\'></rect>",
|
"xhtml": "<rect fill=\'url(\n#foo)\'></rect>",
|
||||||
"output": "<rect fill=\'url(\n#foo)\'/>"
|
"output": "<rect fill=\'url(\n#foo)\'/>"
|
||||||
|
@ -441,8 +441,8 @@
|
||||||
{
|
{
|
||||||
"name": "absolute_uri_ref_with_space_in svg_attribute",
|
"name": "absolute_uri_ref_with_space_in svg_attribute",
|
||||||
"input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
|
"input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
|
||||||
"rexml": "<rect></rect>",
|
"rexml": "<rect fill=' '></rect>",
|
||||||
"xhtml": "<rect></rect>",
|
"xhtml": "<rect fill=' '></rect>",
|
||||||
"output": "<rect/>"
|
"output": "<rect fill=' '/>"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|