Merge pull request #216 from flavorjones/215-support-empty-data-attri…

…butes feat: support empty HTML5 data attributes
flavorjones · Aug 11, 2021 · cfd3724 · cfd3724
2 parents a8199d2 + a6922ce
commit cfd3724
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## next / unreleased
+
+### Features
+
+* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
+
+
 ## 2.11.0 / 2021-07-31
 
 ### Features

diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -10,6 +10,7 @@ module Scrub
       CRASS_SEMICOLON = { node: :semicolon, raw: ";" }
       CSS_IMPORTANT = '!important'
       CSS_PROPERTY_STRING_WITHOUT_EMBEDDED_QUOTES = /\A(["'])?[^"']+\1\z/
+      DATA_ATTRIBUTE_NAME = /\Adata-[\w-]+\z/
 
       class << self
         def allowed_element?(element_name)
@@ -25,7 +26,7 @@ def scrub_attributes(node)
               attr_node.node_name
             end
 
-            if attr_name =~ /\Adata-[\w-]+\z/
+            if attr_name =~ DATA_ATTRIBUTE_NAME
               next
             end
 
@@ -62,7 +63,9 @@ def scrub_attributes(node)
           scrub_css_attribute(node)
 
           node.attribute_nodes.each do |attr_node|
-            node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+            if attr_node.value !~ /[^[:space:]]/ && attr_node.name !~ DATA_ATTRIBUTE_NAME
+              node.remove_attribute(attr_node.name)
+            end
           end
 
           force_correct_attribute_escaping!(node)

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -102,18 +102,23 @@ def assert_completes_in_reasonable_time(&block)
 
   def test_should_allow_data_attributes
     input = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
-
     output = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-    htmloutput = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
 
-    check_sanitization(input, htmloutput, output, output)
+    check_sanitization(input, output, output, output)
   end
 
   def test_should_allow_multi_word_data_attributes
     input = "<p data-foo-bar-id='11'>foo <bad>bar</bad> baz</p>"
-    output = htmloutput = "<p data-foo-bar-id='11'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+    output = "<p data-foo-bar-id='11'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
 
-    check_sanitization(input, htmloutput, output, output)
+    check_sanitization(input, output, output, output)
+  end
+
+  def test_should_allow_empty_data_attributes
+    input = "<p data-foo data-bar="">foo <bad>bar</bad> baz</p>"
+    output = "<p data-foo data-bar=''>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+
+    check_sanitization(input, output, output, output)
   end
 
   def test_should_allow_contenteditable