Merge pull request #233 from flavorjones/flavorjones-aria-attributes
aria attributes
flavorjones committed Apr 28, 2022
2 parents 931ed84 + 5f58b9c commit 2fc3bfb
Showing 2 changed files with 72 additions and 1 deletion.
58 changes: 57 additions & 1 deletion lib/loofah/html5/safelist.rb
Expand Up @@ -512,6 +512,62 @@ module SafeList
"zoomAndPan",
])

ARIA_ATTRIBUTES = Set.new([
"aria-activedescendant",
"aria-atomic",
"aria-autocomplete",
"aria-braillelabel",
"aria-brailleroledescription",
"aria-busy",
"aria-checked",
"aria-colcount",
"aria-colindex",
"aria-colindextext",
"aria-colspan",
"aria-controls",
"aria-current",
"aria-describedby",
"aria-description",
"aria-details",
"aria-disabled",
"aria-dropeffect",
"aria-errormessage",
"aria-expanded",
"aria-flowto",
"aria-grabbed",
"aria-haspopup",
"aria-hidden",
"aria-invalid",
"aria-keyshortcuts",
"aria-label",
"aria-labelledby",
"aria-level",
"aria-live",
"aria-multiline",
"aria-multiselectable",
"aria-orientation",
"aria-owns",
"aria-placeholder",
"aria-posinset",
"aria-pressed",
"aria-readonly",
"aria-relevant",
"aria-required",
"aria-roledescription",
"aria-rowcount",
"aria-rowindex",
"aria-rowindextext",
"aria-rowspan",
"aria-selected",
"aria-setsize",
"aria-sort",
"aria-valuemax",
"aria-valuemin",
"aria-valuenow",
"aria-valuetext",
"role",
])

ATTR_VAL_IS_URI = Set.new([
"action",
"cite",
Expand Down Expand Up @@ -795,7 +851,7 @@ module SafeList

# subclasses may define their own versions of these constants
ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
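Review bot: The new ARIA_ATTRIBUTES constant in the first hunk carries no comment recording where the list came from or the trade-off it accepts: once safelisted, untrusted markup can relabel or hide content for assistive-technology users (`aria-label`, `aria-hidden`, `aria-describedby` on links and controls), which is an accessibility-spoofing concern rather than an injection one, presumably with the values passed through unchanged since none of them is in ATTR_VAL_IS_URI. I would add a comment above the constant such as `# WAI-ARIA states/properties plus "role"; values are ID references, tokens or free text (never URIs), so no ATTR_VAL_IS_URI entries are needed. Note that sanitized markup can still relabel or hide content for assistive technology.` and cite the spec revision the list was copied from. `aria-dropeffect` and `aria-grabbed` are deprecated in WAI-ARIA 1.1, so the comment should also say whether keeping them is deliberate. The second hunk is a consistent extension of ALLOWED_ATTRIBUTES and needs no change beyond that.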
15 changes: 15 additions & 0 deletions test/integration/test_ad_hoc.rb
Expand Up @@ -195,6 +195,21 @@ def test_dont_remove_whitespace_between_tags
end
end

it "allows aria attributes" do
html = <<~HTML
<div role="application" aria-label="calendar"
aria-description="Game schedule for the Boston Red Sox 2021 Season">
<h1>Red Sox 2021</h1>
</div>
HTML

sanitized = Loofah.scrub_fragment(html, :escape)
attributes = sanitized.at_css("div").attributes
assert_includes(attributes.keys, "role")
assert_includes(attributes.keys, "aria-label")
assert_includes(attributes.keys, "aria-description")
end

context "xss protection from svg animate attributes" do
# see recommendation from https://html5sec.org/#137
# to sanitize "to", "from", "values", and "by" attributes
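Review bot: The new "allows aria attributes" test only asserts that the attribute names survive scrubbing; it neither checks that the values come through intact nor that an attribute outside the safelist is still dropped, so a prefix-style match on `aria-` would pass it unnoticed. I would add `assert_equal("calendar", sanitized.at_css("div")["aria-label"])` and extend the fixture with a constructed unlisted attribute, e.g. `aria-notreal="x"`, followed by `refute_includes(attributes.keys, "aria-notreal")`. The enclosing `context` block starts before this hunk.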
