lib/loofah/html5/scrub.rb in loofah-2.11.0 vs lib/loofah/html5/scrub.rb in loofah-2.12.0
- old
+ new
@@ -8,10 +8,11 @@
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f\u0080-\u0101]/
CSS_KEYWORDISH = /\A(#[0-9a-fA-F]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|-?\d{0,3}\.?\d{0,10}(ch|cm|r?em|ex|in|lh|mm|pc|pt|px|Q|vmax|vmin|vw|vh|%|,|\))?)\z/
CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
CSS_IMPORTANT = '!important'
CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
+ DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
class << self
def allowed_element?(element_name)
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.include?(element_name)
end
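Review bot: The new DATA_ATTRIBUTE_NAME constant is added without a comment, yet it now drives two separate exemptions that a maintainer tightening the safelist needs to see together: in the next hunk an attribute whose name matches it is skipped with `next` before the SafeList::ALLOWED_ATTRIBUTES check, and in the last hunk such an attribute is kept even when its value is blank. A one-line comment such as `# data-* attributes are passed through by name: exempt from ALLOWED_ATTRIBUTES and from blank-value removal` would record that allow-by-name policy next to the pattern. It may also be worth noting that Ruby's `\w` is ASCII-only, so a data attribute with a non-ASCII name does not match and falls through to the regular allowlist check.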
@@ -23,11 +24,11 @@
"#{attr_node.namespace.prefix}:#{attr_node.node_name}"
else
attr_node.node_name
end
- if attr_name =~ /\Adata-[\w-]+\z/
+ if attr_name =~ DATA_ATTRIBUTE_NAME
next
end
unless SafeList::ALLOWED_ATTRIBUTES.include?(attr_name)
attr_node.remove
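Review bot: The replaced condition still uses `=~`, which builds a MatchData and sets `$~` although the result is only used as a boolean; if the gem's minimum Ruby is 2.4 or later, `Regexp#match?` is the allocation-free idiom, and the three-line `if … next end` collapses to `next if DATA_ATTRIBUTE_NAME.match?(attr_name)`. The `!~` comparison added in the last hunk can be written the same way. The enclosing method begins before this hunk.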
@@ -60,10 +61,12 @@
end
scrub_css_attribute(node)
node.attribute_nodes.each do |attr_node|
- node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+ if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
+ node.remove_attribute(attr_node.name)
+ end
end
force_correct_attribute_escaping!(node)
end
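Review bot: The new guard tests `attr_node.name`, which in Nokogiri is the local name without any namespace prefix, whereas the data-* exemption earlier in this file is applied to an `attr_name` that includes the `prefix:` when the attribute is namespaced; a namespaced attribute whose local name starts with `data-` is therefore treated as a data attribute here (blank value kept) but not there (subject to the allowlist). The two sites appear to intend the same classification, so the prefixed name should presumably be computed here too, or the name construction moved into a small shared helper called from both loops. Whether that matters in practice depends on whether the earlier loop has already removed such attributes before this one runs, which is not visible from the hunk; the enclosing method begins before it.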