File CVE-2015-7578.patch of Package rubygem-rails-html-sanitizer.1899

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-7578.patch of Package rubygem-rails-html-sanitizer.1899

@@ -, +, @@ 
 <rafaelmfranca@gmail.com>
---
 lib/rails/html/sanitizer.rb |  4 ++++
 lib/rails/html/scrubbers.rb | 25 +++++++++++++++++++++++++
 test/sanitizer_test.rb      | 36 ++++++++++++++++++++++++++----------
 3 files changed, 55 insertions(+), 10 deletions(-)
--- a/lib/rails/html/sanitizer.rb   
+++ a/lib/rails/html/sanitizer.rb   
@@ -97,6 +97,10 @@ module Rails
         attr_accessor :allowed_tags
         attr_accessor :allowed_attributes
       end
+      self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub
+        sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
+        acronym a img blockquote del ins))
+      self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
 
       def initialize
         @permit_scrubber = PermitScrubber.new
--- a/lib/rails/html/scrubbers.rb   
+++ a/lib/rails/html/scrubbers.rb   
@@ -100,6 +100,7 @@ module Rails
         if @attributes
           node.attribute_nodes.each do |attr|
             attr.remove if scrub_attribute?(attr.name)
+            scrub_attribute(node, attr)
           end
 
           scrub_css_attribute(node)
@@ -123,6 +124,30 @@ module Rails
         end
         var
       end
+
+      def scrub_attribute(node, attr_node)
+        attr_name = if attr_node.namespace
+                      "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
+                    else
+                      attr_node.node_name
+                    end
+
+        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+          # this block lifted nearly verbatim from HTML5 sanitization
+          val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+            attr_node.remove
+          end
+        end
+        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+          attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+        end
+        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+          attr_node.remove
+        end
+
+        node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
+      end
     end
 
     # === Rails::Html::TargetScrubber
--

Places

File CVE-2015-7578.patch of Package rubygem-rails-html-sanitizer.1899

Places