From 8d183d376815eab6849eaa058ff558b6e1620292 Mon Sep 17 00:00:00 2001
From: Nick DeSteffen
Date: Fri, 22 Apr 2022 16:13:16 -0500
Subject: [PATCH 1/2] Adds ARIA attributes

---
 lib/loofah/html5/safelist.rb | 55 +++++++++++++++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)

diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
index d4f2c35..018c294 100644
--- a/lib/loofah/html5/safelist.rb
+++ b/lib/loofah/html5/safelist.rb
@@ -512,6 +512,59 @@ module SafeList
 "zoomAndPan",
 ])
 
+ ARIA_ATTRIBUTES = Set.new([
+ "aria-activedescendant",
+ "aria-autocomplete",
+ "aria-atomic",
+ "aria-busy",
+ "aria-checked",
+ "aria-colcount",
+ "aria-colindex",
+ "aria-colspan",
+ "aria-controls",
+ "aria-current",
+ "aria-describedby",
+ "aria-description",
+ "aria-details",
+ "aria-disabled",
+ "aria-dropeffect",
+ "aria-errormessage",
+ "aria-expanded",
+ "aria-flowto",
+ "aria-grabbed",
+ "aria-haspopup",
+ "aria-hidden",
+ "aria-invalid",
+ "aria-keyshortcuts",
+ "aria-label",
+ "aria-labelledby",
+ "aria-level",
+ "aria-live",
+ "aria-modal",
+ "aria-multiline",
+ "aria-multiselectable",
+ "aria-orientation",
+ "aria-owns",
+ "aria-placeholder",
+ "aria-posinset",
+ "aria-pressed",
+ "aria-readonly",
+ "aria-relevant",
+ "aria-required",
+ "aria-roledescription",
+ "aria-rowcount",
+ "aria-rowindex",
+ "aria-rowspan",
+ "aria-selected",
+ "aria-setsize",
+ "aria-sort",
+ "aria-valuemax",
+ "aria-valuemin",
+ "aria-valuenow",
+ "aria-valuetext",
+ "role"
+ ])
+
 ATTR_VAL_IS_URI = Set.new([
 "action",
 "cite",
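Review bot: `ARIA_ATTRIBUTES` is introduced with no comment saying what it covers or why allowing the whole set is safe, which is the first question an audit of the safelist will ask. A header comment such as `# WAI-ARIA states and properties plus the "role" attribute; none of these take a URI or script value, so they need no entry in ATTR_VAL_IS_URI` would keep the reasoning next to the data. The same comment should note that aria-label, aria-hidden and similar attributes change what assistive technology presents for an element, so an untrusted fragment can now influence the accessible rendering of the page around it — a content-spoofing consideration for embedders rather than an injection vector. The id-reference attributes (aria-labelledby, aria-controls, aria-owns, aria-activedescendant and the like) may name ids outside the sanitized fragment; presumably that is accepted here, but it deserves a sentence so a later reader does not have to rediscover it.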
@@ -795,7 +848,7 @@ module SafeList
 
 # subclasses may define their own versions of these constants
 ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
- ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
+ ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES + ARIA_ATTRIBUTES
 ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
 ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
 ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS

From 5f58b9cd3d0d4731181e20bd589818da5a20289b Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 28 Apr 2022 07:54:11 -0400
Subject: [PATCH 2/2] feat: add the remaining aria attributes and an ad-hoc test

---
 lib/loofah/html5/safelist.rb | 9 ++++++---
 test/integration/test_ad_hoc.rb | 15 +++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
index 018c294..fdacb3f 100644
--- a/lib/loofah/html5/safelist.rb
+++ b/lib/loofah/html5/safelist.rb
@@ -514,12 +514,15 @@ module SafeList
 
 ARIA_ATTRIBUTES = Set.new([
 "aria-activedescendant",
- "aria-autocomplete",
 "aria-atomic",
+ "aria-autocomplete",
+ "aria-braillelabel",
+ "aria-brailleroledescription",
 "aria-busy",
 "aria-checked",
 "aria-colcount",
 "aria-colindex",
+ "aria-colindextext",
 "aria-colspan",
 "aria-controls",
 "aria-current",
@@ -540,7 +543,6 @@ module SafeList
 "aria-labelledby",
 "aria-level",
 "aria-live",
- "aria-modal",
 "aria-multiline",
 "aria-multiselectable",
 "aria-orientation",
@@ -554,6 +556,7 @@ module SafeList
 "aria-roledescription",
 "aria-rowcount",
 "aria-rowindex",
+ "aria-rowindextext",
 "aria-rowspan",
 "aria-selected",
 "aria-setsize",
@@ -562,7 +565,7 @@ module SafeList
 "aria-valuemin",
 "aria-valuenow",
 "aria-valuetext",
- "role"
+ "role",
 ])
 
 ATTR_VAL_IS_URI = Set.new([
diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
index eb96ff2..9f87187 100644
--- a/test/integration/test_ad_hoc.rb
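Review bot: Folding `ARIA_ATTRIBUTES` into `ALLOWED_ATTRIBUTES` widens the default attribute safelist for every caller, yet neither patch in this series records the change anywhere a user would look for it. The comment just above this line says subclasses may define their own versions of these constants, so a custom safelist built from the ACCEPTABLE, MATHML and SVG sets will keep rejecting ARIA attributes after this upgrade; a release note stating the new default, and that custom safelists must add ARIA_ATTRIBUTES themselves to match, would avoid that surprise. A short addition to the comment, for example `# ARIA_ATTRIBUTES is part of the default as of <version placeholder>`, would make the same point in the code.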
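Review bot: The removal of `aria-modal` in the `@@ -540,7 +543,6 @@` hunk is unexplained, while the commit message says it adds the remaining aria attributes, so a reader reconciling this list against the WAI-ARIA attribute index will most likely re-add it. If the omission is deliberate, a one-line comment where it would sort, `# aria-modal intentionally omitted: <reason placeholder>`, or a sentence in the commit message preserves the intent; if it is accidental, the line should be restored. The enclosing ARIA_ATTRIBUTES list starts and ends outside this hunk.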
+++ b/test/integration/test_ad_hoc.rb @@ -195,6 +195,21 @@ def test_dont_remove_whitespace_between_tags end end + it "allows aria attributes" do + html = <<~HTML +
+

Red Sox 2021

+
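Review bot: The new test asserts only that three allowed keys survive, so it would still pass against a regression that lets every attribute through; it shows the allowlist admits ARIA attributes but not that it remains selective. Adding one attribute that is not in ARIA_ATTRIBUTES to the fixture — `aria-modal`, which the second commit removes, is a natural choice — and asserting `refute_includes(attributes.keys, "aria-modal")` pins both directions, and asserting on a value such as `attributes["aria-label"].value` would catch value mangling as well. The fixture markup is not legible in this rendering, so the exact fixture line to change cannot be quoted here.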
+ HTML + + sanitized = Loofah.scrub_fragment(html, :escape) + attributes = sanitized.at_css("div").attributes + assert_includes(attributes.keys, "role") + assert_includes(attributes.keys, "aria-label") + assert_includes(attributes.keys, "aria-description") + end + context "xss protection from svg animate attributes" do # see recommendation from https://html5sec.org/#137 # to sanitize "to", "from", "values", and "by" attributes