File 0001_CVE-2022-32209.patch of Package rubygem-rails-html-sanitizer.30520

diff --color -rubN rails-html-sanitizer-1.0.4-ori/lib/rails/html/sanitizer.rb rails-html-sanitizer-1.0.4-ori-2/lib/rails/html/sanitizer.rb
--- rails-html-sanitizer-1.0.4-ori/lib/rails/html/sanitizer.rb	2023-08-29 17:06:35.524475915 +0200
+++ rails-html-sanitizer-1.0.4-ori-2/lib/rails/html/sanitizer.rb	2023-08-30 16:29:37.894440563 +0200
@@ -140,8 +140,25 @@
 
       private
 
+      def loofah_using_html5?
+        # future-proofing, see https://github.com/flavorjones/loofah/pull/239
+        Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
+      end
+
+      def remove_safelist_tag_combinations(tags)
+        if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
+          warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
+          tags.delete("style")
+        end
+        tags
+      end
+
       def allowed_tags(options)
-        options[:tags] || self.class.allowed_tags
+        if options[:tags]
+          remove_safelist_tag_combinations(options[:tags])
+        else
+          self.class.allowed_tags
+        end
       end
 
       def allowed_attributes(options)
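Review bot: The `else` branch of `allowed_tags` returns `self.class.allowed_tags` without passing it through `remove_safelist_tag_combinations`, so if the class-level allowlist can be configured to contain both "select" and "style" (the setter is outside this hunk), that path keeps the combination the patch is meant to reject. Routing both sources through the check while preserving the old nil behaviour would be `tags = options[:tags] || self.class.allowed_tags` followed by `tags && remove_safelist_tag_combinations(tags)`. A secondary point in `remove_safelist_tag_combinations`: `tags.delete("style")` mutates the caller's array in place, which raises FrozenError on a frozen constant and silently edits any shared array; returning `tags - ["style"]` avoids both. The `include?("select")` / `include?("style")` tests also match only String entries, so a Symbol allowlist would bypass the check, if callers can pass one. The enclosing class begins outside the hunk.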