openSUSE:Step:15-SP4
File CVE-2022-23514.patch of Package rubygem-loofah.28451
--- loofah-2.2.2/lib/loofah/html5/scrub.rb.old 2023-03-26 18:26:52.575978011 +0200 +++ loofah-2.2.2/lib/loofah/html5/scrub.rb 2023-03-26 18:29:45.967973641 +0200 @@ -50,7 +50,7 @@ end end if WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name) - attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value + scrub_attribute_that_allows_local_ref(attr_node) end if WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m attr_node.remove @@ -101,6 +101,29 @@ Crass::Parser.stringify sanitized_tree end + def scrub_attribute_that_allows_local_ref(attr_node) + return unless attr_node.value + + nodes = Crass::Parser.new(attr_node.value).parse_component_values + + values = nodes.map do |node| + case node[:node] + when :url + if node[:value].start_with?("#") + node[:raw] + else + nil + end + when :hash, :ident, :string + node[:raw] + else + nil + end + end.compact + + attr_node.value = values.join(" ") + end + # # libxml2 >= 2.9.2 fails to escape comments within some attributes. #
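Review bot: in the first hunk the `if attr_node.value` guard that used to protect the `gsub` is dropped from the call site and has to be honoured by the new helper; please confirm `scrub_attribute_that_allows_local_ref` returns early on a nil value (the second hunk does, with `return unless attr_node.value`, so this is fine, but a one-line comment at the call site would save the next reader the lookup). Also, the trailing context still screens `xlink:href` with `attr_node.value =~ /^\s*[^#\s].*/m`; since the point of this change is to move from regex matching of attribute values to parsing with Crass, consider whether that check should follow the same approach for consistency.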
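Review bot: the new `scrub_attribute_that_allows_local_ref` method in the second hunk has no documentation comment, and its allow list is implicit in the `case` branches: only `:url` nodes whose value starts with `#`, plus `:hash`, `:ident` and `:string` nodes, survive, and everything else (including any `:function` node) is silently dropped by the `else nil` / `.compact` path, then the survivors are re-joined with a single space regardless of the original separators. A short comment above the method stating that intent (keep only same-document references and bare tokens, discard every other component value) would make the behaviour reviewable without reading the Crass node model, and the three `nil` branches could be collapsed into one for readability.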