Skip to content

Commit

Permalink
remove the svg animate attribute from from the allowlist
Browse files Browse the repository at this point in the history
this addresses CVE-2018-16468

see #154 for more information

#154
  • Loading branch information
flavorjones committed Oct 30, 2018
1 parent b15ea87 commit be0fd3a
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 2 deletions.
1 change: 0 additions & 1 deletion lib/loofah/html5/whitelist.rb
Original file line number Diff line number Diff line change
Expand Up @@ -390,7 +390,6 @@ module WhiteList
"font-style",
"font-variant",
"font-weight",
"from",
"fx",
"fy",
"g1",
Expand Down
11 changes: 10 additions & 1 deletion test/integration/test_ad_hoc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -188,8 +188,17 @@ def test_dont_remove_whitespace_between_tags
assert_equal %{examp<!--%22 unsafeattr=foo()>-->le.com}, attributes.first.value
end
end

end

# see:
# - https://github.com/flavorjones/loofah/issues/154
# - https://hackerone.com/reports/429267
context "xss protection from svg xmlns:xlink animate attribute" do
it "sanitizes appropriate attributes" do
html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
sanitized = Loofah.scrub_fragment(html, :escape)
assert_nil sanitized.at_css("animate")["from"]
end
end
end
end

0 comments on commit be0fd3a

Please sign in to comment.