Make distinction between boolean and empty attrs
dedene committed Nov 28, 2023
1 parent a5c388e commit ebf1189
Showing 2 changed files with 56 additions and 31 deletions.
83 changes: 54 additions & 29 deletions lib/loofah/html5/safelist.rb
Expand Up @@ -230,31 +230,70 @@ module SafeList
])

ACCEPTABLE_EMPTY_ATTRIBUTES = {
"*" => Set.new([
"title",
]),
"area" => Set.new([
"alt",
]),
"audio" => Set.new([
"src",
]),
"base" => Set.new([
"href",
]),
"img" => Set.new([
"alt",
]),
"input" => Set.new([
"value",
"placeholder",
]),
"li" => Set.new([
"value",
]),
"link" => Set.new([
"href",
]),
"meter" => Set.new([
"value",
]),
"option" => Set.new([
"value",
]),
"progress" => Set.new([
"value",
]),
"source" => Set.new([
"src",
]),
"textarea" => Set.new([
"placeholder",
]),
"track" => Set.new([
"default",
]),
}

ACCEPTABLE_BOOLEAN_ATTRIBUTES = {
"*" => Set.new([
"hidden",
"contenteditable",
"draggable",
"spellcheck",
"translate",
"title",
]),
"a" => Set.new([
"download",
]),
"area" => Set.new([
"alt",
"download",
]),
"audio" => Set.new([
"autoplay",
"controls",
"loop",
"muted",
"preload",
]),
"base" => Set.new([
"href",
"target",
]),
"button" => Set.new([
"autofocus",
Expand Down Expand Up @@ -286,17 +325,6 @@ module SafeList
"readonly",
"required",
"formnovalidate",
"value",
"placeholder",
]),
"li" => Set.new([
"value",
]),
"link" => Set.new([
"href",
]),
"meter" => Set.new([
"value",
]),
"ol" => Set.new([
"reversed",
Expand All @@ -307,20 +335,13 @@ module SafeList
"option" => Set.new([
"disabled",
"selected",
"value",
]),
"progress" => Set.new([
"value",
]),
"select" => Set.new([
"autofocus",
"disabled",
"multiple",
"required",
]),
"source" => Set.new([
"src",
]),
"style" => Set.new([
"scoped",
]),
Expand All @@ -338,7 +359,6 @@ module SafeList
"disabled",
"readonly",
"required",
"placeholder",
]),
"track" => Set.new([
"default",
Expand All @@ -348,12 +368,16 @@ module SafeList
"controls",
"loop",
"muted",
"preload",
"src",
"playsinline",
]),
}

ACCEPTABLE_BOOLEAN_OR_EMPTY_ATTRIBUTES =
ACCEPTABLE_BOOLEAN_ATTRIBUTES.merge(ACCEPTABLE_EMPTY_ATTRIBUTES) do |_, a, b|
a + b
end


ACCEPTABLE_ATTRIBUTES = Set.new([
"abbr",
"accept",
Expand Down Expand Up @@ -437,7 +461,8 @@ module SafeList
"vspace",
"width",
"xml:lang",
].concat(ACCEPTABLE_EMPTY_ATTRIBUTES.values.flat_map(&:to_a)))
].concat(ACCEPTABLE_EMPTY_ATTRIBUTES.values.flat_map(&:to_a))
.concat(ACCEPTABLE_BOOLEAN_ATTRIBUTES.values.flat_map(&:to_a)))

MATHML_ATTRIBUTES = Set.new([
"actiontype",
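Review bot: `ACCEPTABLE_BOOLEAN_OR_EMPTY_ATTRIBUTES` and the extended `ACCEPTABLE_ATTRIBUTES` are both computed once at load from the two component hashes, so anything added to `ACCEPTABLE_EMPTY_ATTRIBUTES` or `ACCEPTABLE_BOOLEAN_ATTRIBUTES` afterwards — the usual way a safelist gets customised — would silently never reach the scrubber, and nothing in the file says so. A comment above the merge such as `# Snapshot taken at load: later edits to the component hashes do not propagate; extend this set (and ACCEPTABLE_ATTRIBUTES) directly.` would prevent that surprise. The split is also only a classification for now, since scrub.rb consults the merged set, so each hash deserves a one-line contract: `# Flags whose mere presence is meaningful (hidden, disabled, ...)` on the boolean hash and `# Attributes whose empty string is a legitimate value (alt="" on a decorative image), not a flag` on the empty hash. `title`, `alt` (area) and `href` (base) are listed under both hashes in this view, and `src` under video has no matching `video` entry in the empty hash; whichever of those lines survive on the new side, the lists should agree with the stated distinction, so worth confirming.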
4 changes: 2 additions & 2 deletions lib/loofah/html5/scrub.rb
Expand Up @@ -57,8 +57,8 @@ def scrub_attributes(node)

node.attribute_nodes.each do |attr_node|
next if attr_node.value =~ /[^[:space:]]/ || attr_node.name =~ DATA_ATTRIBUTE_NAME ||
SafeList::ACCEPTABLE_EMPTY_ATTRIBUTES["*"].include?(attr_node.name) ||
SafeList::ACCEPTABLE_EMPTY_ATTRIBUTES[node.name]&.include?(attr_node.name)
SafeList::ACCEPTABLE_BOOLEAN_OR_EMPTY_ATTRIBUTES["*"].include?(attr_node.name) ||
SafeList::ACCEPTABLE_BOOLEAN_OR_EMPTY_ATTRIBUTES[node.name]&.include?(attr_node.name)

node.remove_attribute(attr_node.name)
end
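Review bot: The four-way `||` guard that decides whether a whitespace-only attribute survives carries no explanation, and after the rename the constant no longer tells a reader why an empty `alt` or `title` is kept while most empty attributes are dropped. A comment above the loop such as `# Drop attributes whose value is empty or whitespace-only, except data-* and attributes for which an empty value is meaningful (boolean flags, alt="", value="") on "*" or on this element.` would document the rule this hunk relies on. Since no capture is used, `attr_node.value.match?(/[^[:space:]]/)` would also avoid allocating a MatchData per attribute. scrub_attributes begins outside the hunk.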
