File CVE-2015-7579.patch of Package rubygem-rails-html-sanitizer.1908
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index f40bf6b..68ae6d2 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -13,6 +13,10 @@ module Rails
node.xpath(*xpaths).remove
node
end
+
+ def properly_encode(fragment, options)
+ fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
+ end
end
# === Rails::Html::FullSanitizer
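Review bot: The `properly_encode` method now added to the base Sanitizer carries no comment, and this hunk does not show whether it lands below the base class's `private` marker, so it may have become a public method on every sanitizer subclass; worth confirming since its former home in WhiteListSanitizer is removed by the later hunk in this file. A short comment would make the contract explicit, e.g. `# Serializes +fragment+ back to markup (to_xml for XML fragments, to_html otherwise), passing +options+ through to Nokogiri; used instead of #text so text content is re-escaped on output.`. The `options` argument is a plain positional hash, so callers must pass a hash literal or bare keywords, which is what the FullSanitizer call site does.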
@@ -26,9 +30,12 @@ module Rails
return unless html
return html if html.empty?
- Loofah.fragment(html).tap do |fragment|
- remove_xpaths(fragment, XPATHS_TO_REMOVE)
- end.text(options)
+ loofah_fragment = Loofah.fragment(html)
+
+ remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
+ loofah_fragment.scrub!(TextOnlyScrubber.new)
+
+ properly_encode(loofah_fragment, encoding: 'UTF-8')
end
end
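Review bot: The new body no longer uses the `options` argument that `sanitize` still accepts: the removed `.text(options)` forwarded whatever the caller passed, while the replacement always serializes with a hard-coded `encoding: 'UTF-8'`, so any caller-supplied option is silently discarded. The method signature is outside the hunk, so I cannot tell whether `options` is still declared or documented. If dropping caller options is deliberate (it does mean callers cannot weaken the output escaping), say so next to the call, e.g. `# Caller options are intentionally not forwarded: output is always the fragment's text, HTML-escaped, as UTF-8.`; if not, the parameter should either be removed from the signature or its surviving meaning documented. A regression test that feeds entity-encoded input and asserts it comes back still encoded would pin the behaviour this patch is introducing.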
@@ -140,10 +147,6 @@ module Rails
def allowed_attributes(options)
options[:attributes] || self.class.allowed_attributes
end
-
- def properly_encode(fragment, options)
- fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options)
- end
end
end
end
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 7cc5591..401eab9 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -169,5 +169,25 @@ module Rails
@attributes.include?(name)
end
end
+
+ # === Rails::Html::TextOnlyScrubber
+ #
+ # Rails::Html::TextOnlyScrubber allows you to permit text nodes.
+ #
+ # Unallowed elements will be stripped, i.e. element is removed but its subtree kept.
+ class TextOnlyScrubber < Loofah::Scrubber
+ def initialize
+ @direction = :bottom_up
+ end
+
+ def scrub(node)
+ if node.text?
+ CONTINUE
+ else
+ node.before node.children
+ node.remove
+ end
+ end
+ end
end
end
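Review bot: The class comment on the new TextOnlyScrubber understates what it removes: `scrub` keeps only nodes for which `node.text?` is true and unwraps everything else, so "Unallowed elements will be stripped" should read that every element is stripped, and non-element, non-text nodes (comments, and presumably CDATA sections and processing instructions, which do not satisfy `text?` and have no children) are dropped together with their content. I would reword it to `# Every element is stripped (removed, with its child nodes hoisted into its place); comments and other non-text nodes are removed outright, so only text nodes survive.`. Separately, `initialize` sets `@direction` directly without calling `super`; if Loofah::Scrubber#initialize accepts a `:direction` option, `super(direction: :bottom_up)` would keep the base class's other state initialised and is less likely to break on a Loofah upgrade. Bottom-up traversal matters here, since `node.before node.children` relies on the children already having been scrubbed.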