From be0fd3ac0fad452730f10e318fa31706257fd081 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 27 Oct 2018 15:10:54 -0400
Subject: [PATCH] remove the svg animate attribute `from` from the allowlist

this addresses CVE-2018-16468

see #154 for more information
https://github.com/flavorjones/loofah/issues/154
---
 lib/loofah/html5/whitelist.rb   | 1 -
 test/integration/test_ad_hoc.rb | 11 ++++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb
index 6a3acb8c..385cbf70 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -390,7 +390,6 @@ module WhiteList
       "font-style",
       "font-variant",
       "font-weight",
-      "from",
       "fx",
       "fy",
       "g1",
diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
index 29af40be..ac1e28cc 100644
--- a/test/integration/test_ad_hoc.rb
+++ b/test/integration/test_ad_hoc.rb
@@ -188,8 +188,17 @@ def test_dont_remove_whitespace_between_tags
         assert_equal %{example.com}, attributes.first.value
       end
     end
- end
+  # see:
+  # - https://github.com/flavorjones/loofah/issues/154
+  # - https://hackerone.com/reports/429267
+  context "xss protection from svg xmlns:xlink animate attribute" do
+    it "sanitizes appropriate attributes" do
+      html = %Q{}
+      sanitized = Loofah.scrub_fragment(html, :escape)
+      assert_nil sanitized.at_css("animate")["from"]
+    end
+  end
 end
 end
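Review bot: The fixture on the `html = %Q{}` line is empty as this page shows it, and with no `animate` element in the input `sanitized.at_css("animate")` returns nil, so the final line of the new `it` block raises NoMethodError rather than failing an assertion; presumably the page rendering dropped the SVG markup the original test held, which should be confirmed against the repository rather than reconstructed from here. Even with the fixture restored, the assertion only proves `from` is absent, so it would pass vacuously if a later change stripped the whole element; pin the element's survival first with `animate = sanitized.at_css("animate")` / `refute_nil animate` / `assert_nil animate["from"]`. The whitelist hunk removes only `"from"`, and its context lines do not show whether the sibling SMIL animation attributes that carry the same kind of value (`to`, `values`, `by`) remain allowlisted; if they do, this test should assert they are stripped as well, or that gap should be tracked as a follow-up to #154. The description `sanitizes appropriate attributes` does not say what is being checked; naming it, e.g. `it "strips the animate from attribute"`, makes the regression test self-explaining.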