remove the svg animate attribute from from the allowlist

this addresses CVE-2018-16468 see #154 for more information #154
flavorjones · Oct 30, 2018 · 71e4b54 · 71e4b54
1 parent 3556e2b
commit 71e4b54
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
@@ -92,7 +92,7 @@ module WhiteList
        color-interpolation-filters color-rendering content cx cy d dx
        dy descent display dur end fill fill-opacity fill-rule
        filterRes filterUnits font-family
-       font-size font-stretch font-style font-variant font-weight from fx fy g1
+       font-size font-stretch font-style font-variant font-weight fx fy g1
        g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
        ideographic k keyPoints keySplines keyTimes lang marker-end
        marker-mid marker-start markerHeight markerUnits markerWidth

diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
@@ -188,8 +188,17 @@ def test_dont_remove_whitespace_between_tags
           assert_equal %{examp<!--%22 unsafeattr=foo()>-->le.com}, attributes.first.value
         end
       end
-
     end
 
+    # see:
+    # - https://github.com/flavorjones/loofah/issues/154
+    # - https://hackerone.com/reports/429267
+    context "xss protection from svg xmlns:xlink animate attribute" do
+      it "sanitizes appropriate attributes" do
+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+        sanitized = Loofah.scrub_fragment(html, :escape)
+        assert_nil sanitized.at_css("animate")["from"]
+      end
+    end
   end
 end