Hello community,

here is the log from the commit of package rubygem-loofah for openSUSE:Factory checked in at 2018-11-10 17:00:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old)
 and /work/SRC/openSUSE:Factory/.rubygem-loofah.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-loofah" Sat Nov 10 17:00:22 2018 rev:9 rq:646832 version:2.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes 2018-04-11 14:02:21.466008566 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new/rubygem-loofah.changes 2018-11-10 17:02:17.859539551 +0100 @@ -1,0 +2,21 @@ +Tue Nov 6 07:47:42 UTC 2018 - [email protected] + +- updated to version 2.2.3 + + ### Security (bsc#1113969, CVE-2018-16468) + + Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. + + This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154 + + + ## Meta / 2018-10-27 + + The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146): + + * Mail: [email protected] + * Archive: https://groups.google.com/forum/#!forum/loofah-talk + + This change was made because librelist no longer appears to be maintained. + +------------------------------------------------------------------- Old: ---- loofah-2.2.2.gem New: ---- loofah-2.2.3.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-loofah.spec ++++++ --- /var/tmp/diff_new_pack.ixcS6W/_old 2018-11-10 17:02:18.411538877 +0100 +++ /var/tmp/diff_new_pack.ixcS6W/_new 2018-11-10 17:02:18.415538872 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-loofah -Version: 2.2.2 +Version: 2.2.3 Release: 0 %define mod_name loofah %define mod_full_name %{mod_name}-%{version} ++++++ loofah-2.2.2.gem -> loofah-2.2.3.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2018-03-22 16:10:40.000000000 +0100 +++ new/CHANGELOG.md 2018-10-30 13:59:09.000000000 +0100 
@@ -1,5 +1,24 @@ # Changelog +## 2.2.3 / 2018-10-30 + +### Security + +Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. + +This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154 + + +## Meta / 2018-10-27 + +The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146): + +* Mail: [email protected] +* Archive: https://groups.google.com/forum/#!forum/loofah-talk + +This change was made because librelist no longer appears to be maintained. + + ## 2.2.2 / 2018-03-22 Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, @@ -10,6 +29,8 @@ ## 2.2.1 / 2018-03-19 +### Security + Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144 @@ -17,7 +38,7 @@ ## 2.2.0 / 2018-02-11 -Features: +### Features: * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!) * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!) 
@@ -25,32 +46,32 @@ * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!) * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!) -Bugfixes: +### Bugfixes: * Properly handle nested `script` tags. #127. ## 2.1.1 / 2017-09-24 -Bugfixes: +### Bugfixes: * Removed warning for unused variable. #124 (Thanks, @y-yagi!) ## 2.1.0 / 2017-09-24 -Notes: +### Notes: * Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91 -Features: +### Features: * Added :noopener HTML scrubber (Thanks, @tastycode!) * Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!) -Bugfixes: +### Bugfixes: * The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124 * Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91 @@ -58,14 +79,14 @@ ## 2.0.3 / 2015-08-17 -Bug fixes: +### Bug fixes: * Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.) ## 2.0.2 / 2015-05-05 -Bug fixes: +### Bug fixes: * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75 * Allow multi-word data attributes. #84 (Thanks, @jstorimer!) 
@@ -74,24 +95,24 @@ ## 2.0.1 / 2014-08-21 -Bug fixes: +### Bug fixes: * Load RR correctly when running test files directly. (Thanks, @ktdreyer!) -Notes: +### Notes: * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!) ## 2.0.0 / 2014-05-09 -Compatibility notes: +### Compatibility notes: * ActionView helpers now must be required explicitly: `require "loofah/helpers"` * Support for Ruby 1.8.7 and prior has been dropped -Enhancements: +### Enhancements: * HTML5 whitelist allows the following ... * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time` @@ -101,7 +122,7 @@ * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!) * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!) -Bug fixes: +### Bug fixes: * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!) * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!) @@ -114,7 +135,7 @@ ## 1.2.0 (2011-08-08) -Enhancements: +### Enhancements: * Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper. * Improving ActionView integration. @@ -122,7 +143,7 @@ ## 1.1.0 (2011-08-08) -Enhancements: +### Enhancements: * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230). Up to date with HTML5lib ruby code as of 1723:7ee6a0331856. @@ -132,7 +153,7 @@ ## 1.0.0 (2010-10-26) -Notes: +### Notes: * Moved ActiveRecord functionality into `loofah-activerecord` gem. * Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes. 
@@ -140,7 +161,7 @@ ## 0.4.7 (2010-03-09) -Enhancements: +### Enhancements: * New methods Loofah::HTML::Document#to_text and Loofah::HTML::DocumentFragment#to_text do the right thing with @@ -153,23 +174,23 @@ ## 0.4.4, 0.4.5, 0.4.6 (2010-02-01) -Enhancements: +### Enhancements: * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities. -Bug fixes: +### Bug fixes: * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17 ## 0.4.3 (2010-01-29) -Enhancements: +### Enhancements: * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS -Miscellaneous: +### Miscellaneous: * Modified documentation for bootstrapping XssFoliate in a Rails app, since the use of Bundler breaks the previously-documented method. To @@ -178,18 +199,18 @@ ## 0.4.2 (2010-01-22) -Enhancements: +### Enhancements: * Implemented Node#scrub! for scrubbing subtrees. * Implemented NodeSet#scrub! for scrubbing a set of subtrees. * Document.text now only serializes <body> contents (ignores <head>) * <head>, <html> and <body> added to the HTML5lib whitelist. -Bug fixes: +### Bug fixes: * Supporting Rails apps that aren't loading ActiveRecord. GH #10 -Miscellaneous: +### Miscellaneous: * Mailing list is now [email protected] / http://librelist.com * IRC channel is now \#loofah on freenode. @@ -197,14 +218,14 @@ ## 0.4.1 (2009-11-23) -Bugfix: +### Bugfix: * Manifest fixed. Whoops. ## 0.4.0 (2009-11-21) -Enhancements: +### Enhancements: * Scrubber class introduced, allowing development of custom scrubbers. * Added support for XML documents and fragments. 
@@ -215,20 +236,20 @@ ## 0.3.1 (2009-10-12) -Bug fixes: +### Bug fixes: * Scrubbed Documents properly render html, head and body tags when serialized. ## 0.3.0 (2009-10-06) -Enhancements: +### Enhancements: * New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master]. * Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags. * Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2. -Deprecations: +### Deprecations: * The methods strip_tags, whitewash, whitewash_document, sanitize, and sanitize_document have been deprecated. See DEPRECATED.rdoc for @@ -237,7 +258,7 @@ ## 0.2.2 (2009-09-30) -Enhancements: +### Enhancements: * ActiveRecord extension scrubs fields in a before_validation callback (was previously in a before_save) @@ -245,12 +266,12 @@ ## 0.2.1 (2009-09-19) -Enhancements: +### Enhancements: * when loaded in a Rails app, automatically extend ActiveRecord::Base with html_fragment and html_document. GH #6 (Thanks Josh Nichols!) -Bugfixes: +### Bugfixes: * ActiveRecord scrubbing should generate strings instead of Document or DocumentFragment objects. GH #5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Manifest.txt new/Manifest.txt --- old/Manifest.txt 2018-03-22 16:10:40.000000000 +0100 +++ new/Manifest.txt 2018-10-30 13:59:09.000000000 +0100 @@ -24,6 +24,7 @@ lib/loofah/scrubbers.rb lib/loofah/xml/document.rb lib/loofah/xml/document_fragment.rb +test/assets/msword.html test/assets/testdata_sanitizer_tests1.dat test/helper.rb test/html5/test_sanitizer.rb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2018-03-22 16:10:40.000000000 +0100 +++ new/README.md 2018-10-30 13:59:09.000000000 +0100 
@@ -1,8 +1,8 @@ # Loofah * https://github.com/flavorjones/loofah -* http://rubydoc.info/github/flavorjones/loofah/master/frames -* http://librelist.com/browser/loofah +* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames +* Mailing list: [[email protected]](https://groups.google.com/forum/#!forum/loofah-talk) ## Status @@ -301,9 +301,10 @@ * https://github.com/flavorjones/loofah/issues -And the mailing list is on librelist: +And the mailing list is on Google Groups: -* [email protected] / http://librelist.com +* Mail: [email protected] +* Archive: https://groups.google.com/forum/#!forum/loofah-talk And the IRC channel is \#loofah on freenode. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SECURITY.md new/SECURITY.md --- old/SECURITY.md 2018-03-22 16:10:40.000000000 +0100 +++ new/SECURITY.md 2018-10-30 13:59:09.000000000 +0100 @@ -9,7 +9,7 @@ If you have not received a reply to your submission within 48 hours, there are a few steps you can take: * Contact the current security coordinator (Mike Dalessio <[email protected]>) -* Email the Loofah user group at [email protected] (archive at http://librelist.com) +* Email the Loofah user group at [email protected] (archive at https://groups.google.com/forum/#!forum/loofah-talk) Please note, the user group list is a public area. When escalating in that venue, please do not discuss your issue. Simply say that you're trying to get a hold of someone from the core team. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/html5/whitelist.rb new/lib/loofah/html5/whitelist.rb --- old/lib/loofah/html5/whitelist.rb 2018-03-22 16:10:40.000000000 +0100 +++ new/lib/loofah/html5/whitelist.rb 2018-10-30 13:59:09.000000000 +0100 
@@ -92,7 +92,7 @@ color-interpolation-filters color-rendering content cx cy d dx dy descent display dur end fill fill-opacity fill-rule filterRes filterUnits font-family - font-size font-stretch font-style font-variant font-weight from fx fy g1 + font-size font-stretch font-style font-variant font-weight fx fy g1 g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id ideographic k keyPoints keySplines keyTimes lang marker-end marker-mid marker-start markerHeight markerUnits markerWidth diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah.rb new/lib/loofah.rb --- old/lib/loofah.rb 2018-03-22 16:10:40.000000000 +0100 +++ new/lib/loofah.rb 2018-10-30 13:59:09.000000000 +0100 @@ -28,7 +28,7 @@ # module Loofah # The version of Loofah you are using - VERSION = '2.2.2' + VERSION = '2.2.3' class << self # Shortcut for Loofah::HTML::Document.parse diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2018-03-22 16:10:40.000000000 +0100 +++ new/metadata 2018-10-30 13:59:09.000000000 +0100 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: loofah version: !ruby/object:Gem::Version - version: 2.2.2 + version: 2.2.3 platform: ruby authors: - Mike Dalessio @@ -9,7 +9,7 @@ autorequire: bindir: bin cert_chain: [] -date: 2018-03-22 00:00:00.000000000 Z +date: 2018-10-30 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nokogiri 
@@ -169,30 +169,36 @@ name: rdoc requirement: !ruby/object:Gem::Requirement requirements: - - - "~>" + - - ">=" - !ruby/object:Gem::Version version: '4.0' + - - "<" + - !ruby/object:Gem::Version + version: '7' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - "~>" + - - ">=" - !ruby/object:Gem::Version version: '4.0' + - - "<" + - !ruby/object:Gem::Version + version: '7' - !ruby/object:Gem::Dependency name: hoe requirement: !ruby/object:Gem::Requirement requirements: - - "~>" - !ruby/object:Gem::Version - version: '3.16' + version: '3.17' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - "~>" - !ruby/object:Gem::Version - version: '3.16' + version: '3.17' description: |- Loofah is a general library for manipulating and transforming HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so @@ -243,6 +249,7 @@ - lib/loofah/scrubbers.rb - lib/loofah/xml/document.rb - lib/loofah/xml/document_fragment.rb +- test/assets/msword.html - test/assets/testdata_sanitizer_tests1.dat - test/helper.rb - test/html5/test_sanitizer.rb @@ -278,7 +285,7 @@ version: '0' requirements: [] rubyforge_project: -rubygems_version: 2.6.12 +rubygems_version: 2.7.7 signing_key: specification_version: 4 summary: Loofah is a general library for manipulating and transforming HTML/XML documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/assets/msword.html new/test/assets/msword.html --- old/test/assets/msword.html 1970-01-01 01:00:00.000000000 +0100 +++ new/test/assets/msword.html 2018-10-30 13:59:09.000000000 +0100 
@@ -0,0 +1,63 @@ +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml> +<w:WordDocument> + <w:View>Normal</w:View> + <w:Zoom>0</w:Zoom> + <w:PunctuationKerning/> + <w:ValidateAgainstSchemas/> + <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid> + <w:IgnoreMixedContent>false</w:IgnoreMixedContent> + <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText> + <w:Compatibility> + <w:BreakWrappedTables/> + <w:SnapToGridInCell/> + <w:WrapTextWithPunct/> + <w:UseAsianBreakRules/> + <w:DontGrowAutofit/> + </w:Compatibility> + <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> +</w:WordDocument> +</xml><![endif]--><!--[if gte mso 9]><xml> +<w:LatentStyles DefLockedState="false" LatentStyleCount="156"> +</w:LatentStyles> +</xml><![endif]--><style> +<!-- +/* Style Definitions */ +p.MsoNormal, li.MsoNormal, div.MsoNormal +{mso-style-parent:""; +margin:0in; +margin-bottom:.0001pt; +mso-pagination:widow-orphan; +font-size:12.0pt; +font-family:"Times New Roman"; +mso-fareast-font-family:"Times New Roman";} +@page Section1 +{size:8.5in 11.0in; +margin:1.0in 1.25in 1.0in 1.25in; +mso-header-margin:.5in; +mso-footer-margin:.5in; +mso-paper-source:0;} +div.Section1 +{page:Section1;} +--> +</style><!--[if gte mso 10]> +<style> +/* Style Definitions */ +table.MsoNormalTable +{mso-style-name:"Table Normal"; +mso-tstyle-rowband-size:0; +mso-tstyle-colband-size:0; +mso-style-noshow:yes; +mso-style-parent:""; +mso-padding-alt:0in 5.4pt 0in 5.4pt; +mso-para-margin:0in; +mso-para-margin-bottom:.0001pt; +mso-pagination:widow-orphan; +font-size:10.0pt; +font-family:"Times New Roman"; +mso-ansi-language:#0400; +mso-fareast-language:#0400; +mso-bidi-language:#0400;} +</style> 
+<![endif]--> + +<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/integration/test_ad_hoc.rb new/test/integration/test_ad_hoc.rb --- old/test/integration/test_ad_hoc.rb 2018-03-22 16:10:40.000000000 +0100 +++ new/test/integration/test_ad_hoc.rb 2018-10-30 13:59:09.000000000 +0100 @@ -17,6 +17,8 @@ end context "tests" do + MSWORD_HTML = File.read(File.join(File.dirname(__FILE__), "..", "assets", "msword.html")).freeze + def test_removal_of_illegal_tag html = <<-HTML following this there should be no jim tag 
@@ -76,72 +78,6 @@ assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","") end - MSWORD_HTML = <<-EOHTML -<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml> -<w:WordDocument> - <w:View>Normal</w:View> - <w:Zoom>0</w:Zoom> - <w:PunctuationKerning/> - <w:ValidateAgainstSchemas/> - <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid> - <w:IgnoreMixedContent>false</w:IgnoreMixedContent> - <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText> - <w:Compatibility> - <w:BreakWrappedTables/> - <w:SnapToGridInCell/> - <w:WrapTextWithPunct/> - <w:UseAsianBreakRules/> - <w:DontGrowAutofit/> - </w:Compatibility> - <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> -</w:WordDocument> -</xml><![endif]--><!--[if gte mso 9]><xml> -<w:LatentStyles DefLockedState="false" LatentStyleCount="156"> -</w:LatentStyles> -</xml><![endif]--><style> -<!-- -/* Style Definitions */ -p.MsoNormal, li.MsoNormal, div.MsoNormal -{mso-style-parent:""; -margin:0in; -margin-bottom:.0001pt; -mso-pagination:widow-orphan; -font-size:12.0pt; -font-family:"Times New Roman"; -mso-fareast-font-family:"Times New Roman";} -@page Section1 -{size:8.5in 11.0in; -margin:1.0in 1.25in 1.0in 1.25in; -mso-header-margin:.5in; -mso-footer-margin:.5in; -mso-paper-source:0;} -div.Section1 -{page:Section1;} ---> -</style><!--[if gte mso 10]> -<style> -/* Style Definitions */ -table.MsoNormalTable -{mso-style-name:"Table Normal"; -mso-tstyle-rowband-size:0; -mso-tstyle-colband-size:0; -mso-style-noshow:yes; -mso-style-parent:""; -mso-padding-alt:0in 5.4pt 0in 5.4pt; -mso-para-margin:0in; -mso-para-margin-bottom:.0001pt; -mso-pagination:widow-orphan; -font-size:10.0pt; -font-family:"Times New 
Roman"; -mso-ansi-language:#0400; -mso-fareast-language:#0400; -mso-bidi-language:#0400;} -</style> -<![endif]--> - -<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p> - EOHTML - def test_fragment_whitewash_on_microsofty_markup whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash) assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip @@ -252,7 +188,17 @@ assert_equal %{examp<!--%22 unsafeattr=foo()>-->le.com}, attributes.first.value end end + end + # see: + # - https://github.com/flavorjones/loofah/issues/154 + # - https://hackerone.com/reports/429267 + context "xss protection from svg xmlns:xlink animate attribute" do + it "sanitizes appropriate attributes" do + html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>} + sanitized = Loofah.scrub_fragment(html, :escape) + assert_nil sanitized.at_css("animate")["from"] + end end end end
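Review bot: the 2.2.3 entry added to CHANGELOG.md (and mirrored in rubygem-loofah.changes) does not tell users what behaviour changed. The only library change in this diff is dropping `from` from the SVG attribute list in lib/loofah/html5/whitelist.rb, so sanitized output now loses that attribute. Say so in the entry, so that anyone upgrading who relies on animated SVG surviving sanitization knows what to expect. A smaller style point in the same file: the converted headings keep their trailing colon (`### Features:`, `### Bugfixes:`) while the new `### Security` heading has none; settle on one form.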
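Review bot: in the lib/loofah/html5/whitelist.rb hunk, `from` disappears from the SVG attribute list with nothing left behind to explain why. The changelog in this same diff records that the list was populated from html5lib, so a later resync could quietly put it back. Add a comment beside the list citing CVE-2018-16468 and issue #154. Also, the test payload sets `to=` on the same `animate` element, and the visible context stops at `markerWidth`, so this hunk does not show whether `to` is still allowed; please confirm that leaving it in is deliberate.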
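Review bot: the regression test added at the end of test/integration/test_ad_hoc.rb rests on a single line, `assert_nil sanitized.at_css("animate")["from"]`, which is fragile and narrow. If the scrubber ever removes or escapes the `animate` element, `at_css` returns nil and the test dies with NoMethodError instead of a readable failure; assert that the node is present first, or assert on the serialized output. The test also covers only the `:escape` scrubber, although the allow list it protects is shared, so the same payload should be run through the other built-in scrubbers (for example `:strip` and the `:whitewash` used earlier in this file). The payload additionally sets `to=%26` and `xlink:href`, and neither is asserted on.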
