From 71e4b5434fbcb2ad87643f0c9fecfc3a847943c4 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 27 Oct 2018 15:10:54 -0400
Subject: [PATCH] remove the svg animate attribute `from` from the allowlist
this addresses CVE-2018-16468 see #154 for more information https://github.com/flavorjones/loofah/issues/154
---
 lib/loofah/html5/whitelist.rb | 2 +-
 test/integration/test_ad_hoc.rb | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
index 109356c1..619a81ad 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -92,7 +92,7 @@ module WhiteList
 color-interpolation-filters color-rendering content cx cy d dx dy descent display dur end fill fill-opacity fill-rule filterRes filterUnits font-family
- font-size font-stretch font-style font-variant font-weight from fx fy g1
+ font-size font-stretch font-style font-variant font-weight fx fy g1
 g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id ideographic k keyPoints keySplines keyTimes lang marker-end marker-mid marker-start markerHeight markerUnits markerWidth
diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
index 29af40be..ac1e28cc 100644
--- a/test/integration/test_ad_hoc.rb
+++ b/test/integration/test_ad_hoc.rb
@@ -188,8 +188,17 @@ def test_dont_remove_whitespace_between_tags
 assert_equal %{example.com}, attributes.first.value
 end
 end
- end
+ # see:
+ # - https://github.com/flavorjones/loofah/issues/154
+ # - https://hackerone.com/reports/429267
+ context "xss protection from svg xmlns:xlink animate attribute" do
+ it "sanitizes appropriate attributes" do
+ html = %Q{}
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["from"]
+ end
+ end
 end
 end
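Review bot: The `from` attribute is dropped from the allowlist on the `-`/`+` line without any comment recording why, so a later contributor syncing this list against an upstream SVG attribute table could reintroduce it; add a line above it such as `# "from" is intentionally absent: on <animate> it can supply the value of an animated attribute (CVE-2018-16468, #154)`. The same concern applies to the other SMIL value-carrying attributes (`to`, `by`, `values`) if they remain elsewhere in this list — they are not visible in the hunk, so that is worth confirming against the full allowlist rather than assuming the fix is complete. A more durable defence than removing value attributes one at a time would be to reject animation elements whose animated target is a link attribute, but that is a policy choice outside this hunk. The enclosing attribute list and `module WhiteList` begin before the hunk.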
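Review bot: The regression test asserts only that `from` is gone after the `:escape` scrubber, yet the allowlist change applies to every scrubber, so one more assertion with `:strip` would show the fix does not depend on scrubber mode, e.g. `assert_nil Loofah.scrub_fragment(html, :strip).at_css("animate")["from"]`. The `html` fixture reads as an empty `%Q{}` in this rendering, which looks like markup lost in extraction rather than the committed source, so I cannot confirm it actually contains an `animate` element carrying `from`; if `at_css("animate")` ever returned nil the test would error on `[]` rather than fail an assertion, and a preceding `refute_nil sanitized.at_css("animate")` would give a clearer failure. The new `context` block is nested inside an outer block whose `do` precedes the hunk.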