fix: do not allow "image/svg+xml" in data URIs

flavorjones · flavorjones · commit 415677f3cf7f · 2022-12-11T17:57:20.000Z
diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
@@ -999,7 +999,6 @@ module SafeList
                                                  "image/gif",
                                                  "image/jpeg",
                                                  "image/png",
-                                                 "image/svg+xml",
                                                  "text/css",
                                                  "text/plain",
                                                ])
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -155,7 +155,7 @@ def test_should_allow_contenteditable
     end
   end
 
-  HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
+  ["image/gif", "image/jpeg", "image/png", "text/css", "text/plain"].each do |data_uri_type|
     define_method "test_should_allow_data_#{data_uri_type}_uris" do
       input = %(<a href="data:#{data_uri_type}">foo</a>)
       output = "<a href='data:#{data_uri_type}'>foo</a>"
@@ -165,9 +165,7 @@ def test_should_allow_contenteditable
       output = "<a href='data:#{data_uri_type};base64,R0lGODlhAQABA'>foo</a>"
       check_sanitization(input, output, output, output)
     end
-  end
 
-  HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
     define_method "test_should_allow_uppercase_data_#{data_uri_type}_uris" do
       input = %(<a href="DATA:#{data_uri_type.upcase}">foo</a>)
       output = "<a href='DATA:#{data_uri_type.upcase}'>foo</a>"
@@ -187,6 +185,16 @@ def test_should_disallow_other_uri_mediatypes
     input = %(<a href="data:image/xxx;base64,R0lGODlhAQABA">foo</a>)
     output = "<a>foo</a>"
     check_sanitization(input, output, output, output)
+
+    input = %(<a href="data:text/html;base64,R0lGODlhAQABA">foo</a>)
+    output = "<a>foo</a>"
+    check_sanitization(input, output, output, output)
+
+    # https://hackerone.com/bugs?report_id=1694173
+    # https://github.com/w3c/svgwg/issues/266
+    input = %(<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s"/></svg>)
+    output = "<svg><use></use></svg>"
+    check_sanitization(input, output, output, output)
   end
 
   HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
