File CVE-2022-23514.patch of Package rubygem-loofah

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-23514.patch of Package rubygem-loofah

--- loofah-2.2.2/lib/loofah/html5/scrub.rb.old	2023-03-26 18:26:52.575978011 +0200
+++ loofah-2.2.2/lib/loofah/html5/scrub.rb	2023-03-26 18:29:45.967973641 +0200
@@ -50,7 +50,7 @@
               end
             end
             if WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-              attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+              scrub_attribute_that_allows_local_ref(attr_node)
             end
             if WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
               attr_node.remove
@@ -101,6 +101,29 @@
           Crass::Parser.stringify sanitized_tree
         end
 
+        def scrub_attribute_that_allows_local_ref(attr_node)
+          return unless attr_node.value
+
+          nodes = Crass::Parser.new(attr_node.value).parse_component_values
+
+          values = nodes.map do |node|
+            case node[:node]
+            when :url
+              if node[:value].start_with?("#")
+                node[:raw]
+              else
+                nil
+              end
+            when :hash, :ident, :string
+              node[:raw]
+            else
+              nil
+            end
+          end.compact
+
+          attr_node.value = values.join(" ")
+        end
+
         #
         #  libxml2 >= 2.9.2 fails to escape comments within some attributes.
         #

Places

File CVE-2022-23514.patch of Package rubygem-loofah

Places