Close sanitization-related issues

.github/workflows/lint.yml

@@ -15,7 +15,8 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.0
+          ruby-version: 3.1.0
+          rubygems: latest
           bundler-cache: true
       - run: bundle install
       - name: Rubocop

lib/html_pipeline/sanitization_filter.rb

@@ -17,24 +17,25 @@ class SanitizationFilter
 
     # The main sanitization allowlist. Only these elements and attributes are
     # allowed through by default.
-    DEFAULT_CONFIG = {
+    DEFAULT_CONFIG = Selma::Sanitizer::Config.freeze_config({
       elements: ["h1", "h2", "h3", "h4", "h5", "h6", "br", "b", "i", "strong", "em", "a", "pre", "code",
-                 "img", "tt", "div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot",
+                 "img", "tt", "div", "ins", "del", "sup", "sub", "p", "picture", "ol", "ul", "table", "thead", "tbody", "tfoot",
                  "blockquote", "dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th",
                  "s", "strike", "summary", "details", "caption", "figure", "figcaption", "abbr", "bdo", "cite",
-                 "dfn", "mark", "small", "span", "time", "wbr",],
+                 "dfn", "mark", "small", "source", "span", "time", "wbr",],
 
       attributes: {
         "a" => ["href"],
-        "img" => ["src", "longdesc"],
+        "img" => ["src", "longdesc", "loading", "alt"],
         "div" => ["itemscope", "itemtype"],
         "blockquote" => ["cite"],
         "del" => ["cite"],
         "ins" => ["cite"],
         "q" => ["cite"],
+        "source" => ["srcset"],
         all: ["abbr", "accept", "accept-charset", "accesskey", "action", "align", "alt", "aria-describedby",
-              "aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "cellpadding", "cellspacing", "char",
-              "charoff", "charset", "checked", "clear", "cols", "colspan", "color", "compact", "coords", "datetime", "dir",
+              "aria-hidden", "aria-label", "aria-labelledby", "axis", "border", "char",
+              "charoff", "charset", "checked", "clear", "cols", "colspan", "compact", "coords", "datetime", "dir",
               "disabled", "enctype", "for", "frame", "headers", "height", "hreflang", "hspace", "id", "ismap", "label", "lang",
               "maxlength", "media", "method", "multiple", "name", "nohref", "noshade", "nowrap", "open", "progress",
               "prompt", "readonly", "rel", "rev", "role", "rows", "rowspan", "rules", "scope", "selected", "shape",
@@ -49,9 +50,9 @@ class SanitizationFilter
         "img" => {
           "src" => ["http", "https", :relative].freeze,
           "longdesc" => ["http", "https", :relative].freeze,
-        }.freeze,
+        },
       },
-    }
+    })
 
     class << self
       def call(html, config)

test/sanitization_filter_test.rb

@@ -93,6 +93,33 @@ def test_custom_anchor_schemes_are_not_removed
       assert_equal(stuff, html)
     end
 
+    def test_allow_svg_elements_to_be_added
+      config = DEFAULT_CONFIG.dup
+      frag = <<~FRAG
+        <svg height="100" width="100">
+        <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
+        </svg>
+      FRAG
+
+      html = SanitizationFilter.call(frag, config)
+
+      assert_equal("\n", html)
+
+      config = { elements: ["svg", "circle"],
+                 attributes: { "svg" => ["width"],
+                               "circle" => ["cx", "cy", "r"], }, }
+
+      result = <<~FRAG
+        <svg width="100">
+        <circle cx="50" cy="50" r="40" />
+        </svg>
+      FRAG
+
+      html = SanitizationFilter.call(frag, config)
+
+      assert_equal(result, html)
+    end
+
     def test_anchor_schemes_are_merged_with_other_anchor_restrictions
       stuff = '<a href="something-weird://heyyy" ping="more-weird://hiii">Wat</a> is this'
       allowlist = {