From: Dawa Ometto <dawa.ometto@phil.uu.nl>
Date: Sun, 30 Sep 2018 01:23:00 +0200
Subject: [3/6] Don't apply the fix to attribute values that contain only
 whitespace
Origin: https://github.com/rgrove/sanitize/commit/f133394874042314d7dfccf636214bcad357fac6
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-3740
Bug: https://github.com/rgrove/sanitize/issues/176
Bug-Debian: https://bugs.debian.org/893610

---
 lib/sanitize/transformers/clean_element.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/sanitize/transformers/clean_element.rb b/lib/sanitize/transformers/clean_element.rb
index c9b8fcb31b43..07ed27f3b28c 100644
--- a/lib/sanitize/transformers/clean_element.rb
+++ b/lib/sanitize/transformers/clean_element.rb
@@ -102,7 +102,8 @@ class Sanitize; module Transformers
           # Leading and trailing whitespace around URLs is ignored at parse
           # time. Stripping it here prevents it from being escaped by the
           # libxml2 workaround below.
-          attr.value = attr.value.strip
+          stripped = attr.value.strip
+          attr.value = stripped unless stripped.empty?
 
           # libxml2 >= 2.9.2 doesn't escape comments within some attributes, in an
           # attempt to preserve server-side includes. This can result in XSS since
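Review bot: The comment above the new `stripped` assignment still describes unconditional stripping, but `attr.value = stripped unless stripped.empty?` now writes a whitespace-only value back unchanged, and nothing here says so or why. I would add a line such as `# Whitespace-only values are deliberately left untouched (neither stripped nor escaped).` together with a pointer to the upstream report that motivated the exception. It is also worth noting in that comment that `String#strip` only removes ASCII whitespace, so a value made up of other Unicode space characters is not treated as empty and still goes through the escape, which is the safe direction. The enclosing block starts outside the hunk.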
@@ -115,8 +116,8 @@ class Sanitize; module Transformers
           #
           # The relevant libxml2 code is here:
           # <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
-          if UNSAFE_LIBXML_ATTRS_GLOBAL.include?(attr_name) ||
-              (name == 'a' && UNSAFE_LIBXML_ATTRS_A.include?(attr_name))
+          if !stripped.empty? && (UNSAFE_LIBXML_ATTRS_GLOBAL.include?(attr_name) ||
+              (name == 'a' && UNSAFE_LIBXML_ATTRS_A.include?(attr_name)))
             attr.value = attr.value.gsub(UNSAFE_LIBXML_ESCAPE_REGEX, UNSAFE_LIBXML_ESCAPE_CHARS)
           end
         end
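Review bot: The new guard `!stripped.empty? && (...)` depends on the `stripped` local assigned in the previous hunk, and a negation in front of a two-line `||` group is easy to misread in code that gates an XSS mitigation. Naming the membership test would make the intent visible: `escapable = UNSAFE_LIBXML_ATTRS_GLOBAL.include?(attr_name) || (name == 'a' && UNSAFE_LIBXML_ATTRS_A.include?(attr_name))` followed by `if escapable && !stripped.empty?`. A short comment such as `# A whitespace-only value cannot contain a comment, so there is nothing to escape.` would record why skipping the escape is safe. The diffstat shows only this file changed, so a regression test for a whitespace-only value on one of these attributes would have to come from elsewhere in the series; the enclosing block begins outside the hunk.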
-- 
2.20.1

