WhitelistSanitizer manipulating URLs

[archonic]

I've found that a WhitelistSanitizer instance will manipulate the values of an allowed attribute.

Rails::Html::WhiteListSanitizer.new.sanitize('<img src="https://example/$/example.jpg">', tags: %w(img), attributes: %w(src))
=> "<img src=\"https://example/%24/example.jpg\">"

The conversion of $ to %24 can cause some urls to 404. Is this intentional? Is there a way to configure it to leave the values of attributes as is?

[flavorjones]

Hi @archonic, thanks for asking this question, and apologies that nobody has responded for so long.

Diagnosis

The behavior you're describing actually belongs to libxml2 via Nokogiri, and is pretty commonly reported to both the Loofah and Nokogiri projects:

Nokogiri::HTML::DocumentFragment.parse("<img src='https://example/$/example.jpg'>").to_html
# => "<img src=\"https://example/%24/example.jpg\">" 

(The dependency chain here is rails-html-sanitizer → loofah → nokogiri → libxml2.)

Here's the C code that controls URI-escaping of certain HTML attributes at serialization-time (when the document is printed):

https://gitlab.gnome.org/GNOME/libxml2/blob/v2.9.2/HTMLtree.c#L714-718

Specifically, href, action, src, and name (but only within an anchor) are always escaped when generating HTML -- basically, anything that could be a URI reference.

Prognosis

The good news is that I think we can fix this in the next few months. Check out sparklemotion/nokogiri#2204 for progress on integration HTML5 parsing into Nokogiri; the next logical step after that is introducing HTML5 support into Loofah and rails-html-sanitizer.

Unfortunately, until then, there's no easy way to deal with this. Sorry I couldn't be of more help.

[archonic]

That's a great response, thank you!