Class: Gitlab::Sanitizers::SVG::Scrubber

Inherits:
Loofah::Scrubber
  • Object
show all
Defined in:
lib/gitlab/sanitizers/svg.rb

Constant Summary collapse

DATA_ATTR_PATTERN =
/\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u.freeze

Instance Method Summary collapse

Instance Method Details

#allows_data_attribute?(node) ⇒ Boolean

Returns:

  • (Boolean)

45
46
47
# File 'lib/gitlab/sanitizers/svg.rb', line 45

def allows_data_attribute?(node)
  Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(node.name)
end

#attribute_name_with_namespace(attr) ⇒ Object


37
38
39
40
41
42
43
# File 'lib/gitlab/sanitizers/svg.rb', line 37

def attribute_name_with_namespace(attr)
  if attr.namespace
    "#{attr.namespace.prefix}:#{attr.name}"
  else
    attr.name
  end
end

#data_attribute?(attr) ⇒ Boolean

Returns:

  • (Boolean)

53
54
55
# File 'lib/gitlab/sanitizers/svg.rb', line 53

def data_attribute?(attr)
  attr.name.start_with?('data-') && attr.name =~ DATA_ATTR_PATTERN && attr.namespace.nil?
end

#scrub(node) ⇒ Object


14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'lib/gitlab/sanitizers/svg.rb', line 14

def scrub(node)
  unless Whitelist::ALLOWED_ELEMENTS.include?(node.name)
    node.unlink
    return
  end

  valid_attributes = Whitelist::ALLOWED_ATTRIBUTES[node.name]
  return unless valid_attributes

  node.attribute_nodes.each do |attr|
    attr_name = attribute_name_with_namespace(attr)

    if valid_attributes.include?(attr_name)
      attr.unlink if unsafe_href?(attr)
    else
      # Arbitrary data attributes are allowed.
      unless allows_data_attribute?(node) && data_attribute?(attr)
        attr.unlink
      end
    end
  end
end

#unsafe_href?(attr) ⇒ Boolean

Returns:

  • (Boolean)

49
50
51
# File 'lib/gitlab/sanitizers/svg.rb', line 49

def unsafe_href?(attr)
  attribute_name_with_namespace(attr) == 'xlink:href' && !attr.value.start_with?('#')
end