Remove outdated elements/attrs

Closes #342 Closes #303
gjtorikian · Jan 26, 2023 · 1ff7a0b · 1ff7a0b
1 parent 993af12
commit 1ff7a0b
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/lib/html_pipeline/sanitization_filter.rb b/lib/html_pipeline/sanitization_filter.rb
@@ -15,7 +15,7 @@ class SanitizationFilter
 
     # The main sanitization allowlist. Only these elements and attributes are
     # allowed through by default.
-    DEFAULT_CONFIG = {
+    DEFAULT_CONFIG = Selma::Sanitizer::Config.freeze_config({
       elements: ["h1", "h2", "h3", "h4", "h5", "h6", "br", "b", "i", "strong", "em", "a", "pre", "code",
                  "img", "tt", "div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot",
                  "blockquote", "dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th",
@@ -31,8 +31,8 @@ class SanitizationFilter
         "ins" => ["cite"],
         "q" => ["cite"],
         all: ["abbr", "accept", "accept-charset", "accesskey", "action", "align", "alt", "aria-describedby",
-              "aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "cellpadding", "cellspacing", "char",
-              "charoff", "charset", "checked", "clear", "cols", "colspan", "color", "compact", "coords", "datetime", "dir",
+              "aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "char",
+              "charoff", "charset", "checked", "clear", "cols", "colspan", "compact", "coords", "datetime", "dir",
               "disabled", "enctype", "for", "frame", "headers", "height", "hreflang", "hspace", "id", "ismap", "label", "lang",
               "maxlength", "media", "method", "multiple", "name", "nohref", "noshade", "nowrap", "open", "progress",
               "prompt", "readonly", "rel", "rev", "role", "rows", "rowspan", "rules", "scope", "selected", "shape",
@@ -47,9 +47,9 @@ class SanitizationFilter
         "img" => {
           "src" => ["http", "https", :relative].freeze,
           "longdesc" => ["http", "https", :relative].freeze,
-        }.freeze,
+        },
       },
-    }
+    })
 
     class << self
       def call(html, config)

diff --git a/test/sanitization_filter_test.rb b/test/sanitization_filter_test.rb
@@ -93,6 +93,33 @@ def test_custom_anchor_schemes_are_not_removed
       assert_equal(stuff, html)
     end
 
+    def test_allow_svg_elements_to_be_added
+      config = DEFAULT_CONFIG.dup
+      frag  = <<~FRAG
+      <svg height="100" width="100">
+      <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
+      </svg>
+      FRAG
+
+      html = SanitizationFilter.call(frag, config)
+
+      assert_equal("\n", html)
+
+      config = { elements: ["svg", "circle"],
+      attributes: { "svg" => ["width"],
+                    "circle" => ["cx", "cy", "r"], }, }
+
+      result = <<~FRAG
+      <svg width="100">
+      <circle cx="50" cy="50" r="40" />
+      </svg>
+      FRAG
+
+      html = SanitizationFilter.call(frag, config)
+
+      assert_equal(result, html)
+    end
+
     def test_anchor_schemes_are_merged_with_other_anchor_restrictions
       stuff = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
       allowlist = {