From: Hideki Yamane <henrich@debian.org>
Date: Mon, 31 Dec 2018 16:32:19 +0900
Subject: fix CVE-2018-16468
Patch taken from the upstream commit.
See https://github.com/flavorjones/loofah/commit/be0fd3ac0fad452730f10e318fa31706257fd081
and https://github.com/flavorjones/loofah/issues/154
---
lib/loofah/html5/whitelist.rb | 2 +-
test/integration/test_ad_hoc.rb | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
index 85ffe6a..0a25652 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -92,7 +92,7 @@ module Loofah
color-interpolation-filters color-rendering content cx cy d dx
dy descent display dur end fill fill-opacity fill-rule
filterRes filterUnits font-family
- font-size font-stretch font-style font-variant font-weight from fx fy g1
+ font-size font-stretch font-style font-variant font-weight fx fy g1
g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
ideographic k keyPoints keySplines keyTimes lang marker-end
marker-mid marker-start markerHeight markerUnits markerWidth
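Review bot: The one-word removal of `from` from the allowed SVG attribute list carries no comment, so a later contributor tidying this list has nothing telling them it was dropped on purpose; a short note at the removal site is worth adding, e.g. `# "from" is intentionally not allowed: on <animate> it can rewrite xlink:href (loofah issue #154, CVE-2018-16468)`. The test payload in test_ad_hoc.rb also uses `to=` on the same `<animate>` element, but this hunk does not show whether `to` (or `values`) remains in the list; it is worth confirming against the linked issue that `from` is the only attribute that needed removing. The enclosing attribute list starts and ends outside the hunk.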
diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
index ab10581..49c04d8 100644
--- a/test/integration/test_ad_hoc.rb
+++ b/test/integration/test_ad_hoc.rb
@@ -199,4 +199,15 @@ mso-bidi-language:#0400;}
end
end
end
+
+ # see:
+ # - https://github.com/flavorjones/loofah/issues/154
+ # - https://hackerone.com/reports/429267
+ context "xss protection from svg xmlns:xlink animate attribute" do
+ it "sanitizes appropriate attributes" do
+ html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["from"]
+ end
+ end
end
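Review bot: `sanitized.at_css("animate")["from"]` will raise NoMethodError rather than fail cleanly if the scrubber ever drops the `<animate>` element entirely, and nothing else in the test asserts that the element survived, so the test would error instead of documenting the intended outcome. Splitting the lookup makes the expectation explicit: `animate = sanitized.at_css("animate")`, `refute_nil animate`, `assert_nil animate["from"]`. The payload also sets `to=` and `attributeName=xlink:href` on the same element, yet only `from` is checked; if the intent is that `to` is still permitted, a one-line comment saying so would stop a future reader from treating the missing assertion as an oversight.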