fix: replace slow regex attribute check with Loofah method

flavorjones · flavorjones · commit 56c61c0cebd1 · 2022-12-13T09:19:34.000-05:00
which uses the Crass parser
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -146,9 +146,11 @@ def scrub_attribute(node, attr_node)
             attr_node.remove
           end
         end
+
         if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-          attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+          Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
         end
+
         if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -606,6 +606,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
     refute_includes(sanitized, "style")
   end
 
+  def test_scrubbing_svg_attr_values_that_allow_ref
+    input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>)
+    expected = %Q(<div fill="yellow #fff">hey</div>)
+    actual = scope_allowed_attributes %w(fill) do
+      safe_list_sanitize(input)
+    end
+
+    assert_equal(expected, actual)
+  end
+
 protected
 
   def xpath_sanitize(input, options = {})
