lib/loofah/html5/scrub.rb in loofah-2.1.0.rc2 vs lib/loofah/html5/scrub.rb in loofah-2.1.0
- old
+ new
@@ -39,9 +39,17 @@
# this block lifted nearly verbatim from HTML5 sanitization
val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[0])
attr_node.remove
next
+ elsif val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[0] == 'data'
+ # permit only allowed data mediatypes
+ mediatype = val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)[1]
+ mediatype, base64 = mediatype.split(';')[0..1] if mediatype
+ if mediatype && !WhiteList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
+ attr_node.remove
+ next
+ end
end
end
if WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
end
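Review bot: The new `data` branch fails open when no media type can be parsed: on the line `if mediatype && !WhiteList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)`, a nil `mediatype` skips the removal and the attribute is kept. An allowlist check in a sanitizer is safer written fail-closed, e.g. `if mediatype.nil? || !WhiteList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)`; if keeping a bare `data:` value is deliberate, a comment saying so would help the next reader. The `base64` local assigned on the line above is never read in the visible lines, and `val_unescaped.split(WhiteList::PROTOCOL_SEPARATOR)` is computed three times, so splitting once into a local would make the branch easier to audit. The enclosing block starts and ends outside the hunk, so what `next` skips afterwards cannot be confirmed from here.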