fix: replace slow regex attribute check with Loofah method

flavorjones · flavorjones · commit f0e33477a055 · 2022-12-11T14:32:37.000-05:00
which uses the Crass parser
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -145,9 +145,11 @@ def scrub_attribute(node, attr_node)
             attr_node.remove
           end
         end
+
         if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-          attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+          Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
         end
+
         if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -600,6 +600,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
     refute_includes(sanitized, "style")
   end
 
+  def test_scrubbing_svg_attr_values_that_allow_ref
+    input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>)
+    expected = %Q(<div fill="yellow #fff">hey</div>)
+    actual = scope_allowed_attributes %w(fill) do
+      safe_list_sanitize(input)
+    end
+
+    assert_equal(expected, actual)
+  end
+
 protected
 
   def xpath_sanitize(input, options = {})
