[!] Sanitize incoming classlist properly (#6162)
* Sanitize classlist properly * Actually properly sanitize every class after the first * Improve Formatter spec to check for multiple classes and non-space whitespace
gh/stable
parent
d319b3dbe4
commit
545095b3ce
@ -6,14 +6,14 @@ class Sanitize
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
node = env[:node]
node = env[:node]
class_list = node['class']&.split(' ')
class_list = node['class']&.split(/[\t\n\f\r ]/)
return unless class_list
return unless class_list
class_list.keep_if do |e|
class_list.keep_if do |e|
return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
return true if e =~ /^(mention|hashtag)$/ # semantic classes
next true if e =~ /^(mention|hashtag)$/ # semantic classes
return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
end
end
node['class'] = class_list.join(' ')
node['class'] = class_list.join(' ')
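Review bot: The three `next true` patterns in the keep_if block still anchor with `^` and `$`, which in Ruby match at line boundaries rather than string ends; they are safe here only because `\n` is now in the split character class so no token can contain a newline, and that implicit coupling between the split set and the anchors is worth removing. Prefer the whole-string anchors and `match?` since no captures are used, e.g. `next true if e.match?(/\A(h|p|u|dt|e)-/)`, `next true if e.match?(/\A(mention|hashtag)\z/)` and `next true if e.match?(/\A(ellipsis|invisible)\z/)`. Splitting on a single-character class also yields empty tokens for runs of whitespace or a leading separator; they match none of the patterns and are dropped by keep_if, so the joined result is correct, but a comment such as `# runs of whitespace yield "" tokens, which keep_if discards` would spare the next reader that check. The chosen set (tab, LF, FF, CR, space) is the HTML ASCII-whitespace definition, which is the right separator set for a class attribute.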
@ -332,7 +332,7 @@ RSpec.describe Formatter do
end
end
context 'contains malicious classes' do
context 'contains malicious classes' do
let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }
it 'strips malicious classes' do
it 'strips malicious classes' do
is_expected.to_not include 'status__content__spoiler-link'
is_expected.to_not include 'status__content__spoiler-link'
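Review bot: The assertion at the end of this hunk only checks that `status__content__spoiler-link` is gone, so the new two-class fixture would also pass if the transformer stripped `mention` as well or emptied the attribute entirely, which is the regression the `return`-to-`next` change in the transformer is meant to guard against. Add a positive check next to it, e.g. `is_expected.to include 'class="mention"'`, so the example pins that a whitelisted class survives alongside a stripped one. The commit message also mentions non-space whitespace coverage, but no fixture with a tab or newline between classes is visible in this hunk; if it lives in another example that is fine, otherwise a `let(:text)` separating the classes with `\t` or `\n` would exercise the new split regex. The `it` block's closing `end` is outside the hunk.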