
fix: do not allow "image/svg+xml" in data URIs
flavorjones committed Dec 11, 2022
1 parent 84ca20c commit 415677f
Showing 2 changed files with 11 additions and 4 deletions.
1 change: 0 additions & 1 deletion lib/loofah/html5/safelist.rb
Expand Up @@ -999,7 +999,6 @@ module SafeList
"image/gif",
"image/jpeg",
"image/png",
"image/svg+xml",
"text/css",
"text/plain",
])
14 changes: 11 additions & 3 deletions test/html5/test_sanitizer.rb
Expand Up @@ -155,7 +155,7 @@ def test_should_allow_contenteditable
end
end

HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
["image/gif", "image/jpeg", "image/png", "text/css", "text/plain"].each do |data_uri_type|
define_method "test_should_allow_data_#{data_uri_type}_uris" do
input = %(<a href="data:#{data_uri_type}">foo</a>)
output = "<a href='data:#{data_uri_type}'>foo</a>"
Expand All @@ -165,9 +165,7 @@ def test_should_allow_contenteditable
output = "<a href='data:#{data_uri_type};base64,R0lGODlhAQABA'>foo</a>"
check_sanitization(input, output, output, output)
end
end

HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
define_method "test_should_allow_uppercase_data_#{data_uri_type}_uris" do
input = %(<a href="DATA:#{data_uri_type.upcase}">foo</a>)
output = "<a href='DATA:#{data_uri_type.upcase}'>foo</a>"
Expand All @@ -187,6 +185,16 @@ def test_should_disallow_other_uri_mediatypes
input = %(<a href="data:image/xxx;base64,R0lGODlhAQABA">foo</a>)
output = "<a>foo</a>"
check_sanitization(input, output, output, output)

input = %(<a href="data:text/html;base64,R0lGODlhAQABA">foo</a>)
output = "<a>foo</a>"
check_sanitization(input, output, output, output)

# https://hackerone.com/bugs?report_id=1694173
# https://github.com/w3c/svgwg/issues/266
input = %(<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s"/></svg>)
output = "<svg><use></use></svg>"
check_sanitization(input, output, output, output)
end

HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
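Review bot: The new assertions in test_should_disallow_other_uri_mediatypes only exercise image/svg+xml through `<use href>` inside `<svg>`; the safelist removal in lib/loofah/html5/safelist.rb also changes the plain anchor case, which no test now pins, so a re-addition of the media type would only be caught indirectly. I would add, next to the existing text/html check, `input = %(<a href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s">foo</a>)`, `output = "<a>foo</a>"`, `check_sanitization(input, output, output, output)`, and presumably the uppercase `DATA:IMAGE/SVG+XML` spelling deserves the same treatment since the allow tests cover that form. The first hunk's switch from iterating `HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES` to a literal list is a sensible way to make the allowed set an explicit expectation rather than a tautology, but a one-line comment saying so, e.g. `# pinned literally so a safelist change must be mirrored here deliberately`, would stop a future maintainer from "simplifying" it back. The enclosing test method begins before this hunk.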
