diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 7f6fe27..44eadf2 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -138,6 +138,19 @@ def validate!(var, name)
       if var && !var.is_a?(Enumerable)
         raise ArgumentError, "You should pass :#{name} as an Enumerable"
       end
+
+      if var && name == :tags
+        if var.include?("mglyph")
+          warn("WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+          var.delete("mglyph")
+        end
+
+        if var.include?("malignmark")
+          warn("WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+          var.delete("malignmark")
+        end
+      end
+
       var
     end
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 42880c5..3c13d17 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -1096,6 +1096,46 @@ def test_should_sanitize_across_newlines
     assert_equal "", sanitize_css(raw)
   end
+  def test_should_prune_mglyph
+    # https://hackerone.com/reports/2519936
+    input = "
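Review bot: `var.delete("mglyph")` and `var.delete("malignmark")` mutate the collection the caller handed in, and `Array#delete` raises FrozenError when that collection is frozen, so a `tags:` list built as a frozen constant that happens to contain one of these names now fails at assignment instead of being warned about and trimmed. `delete` is also not part of the Enumerable contract, so an Enumerable that is neither an Array nor a Set would pass the `is_a?(Enumerable)` check just above and then raise NoMethodError here. Since validate! already returns `var`, the safer shape is to emit the same warnings and then return a filtered copy, leaving the caller's object untouched. The `def validate!(var, name)` line appears only in the hunk header, so the start of the method is outside the hunk.
```ruby
      if var && name == :tags
        # Return a filtered copy instead of mutating the caller's collection: it may be
        # frozen (Array#delete raises FrozenError) or may not respond to #delete at all.
        %w[mglyph malignmark].each do |tag|
          next unless var.include?(tag)

          warn("WARNING: '#{tag}' tags cannot be allowed by the PermitScrubber and will be scrubbed")
        end
        var = var.reject { |tag| %w[mglyph malignmark].include?(tag) }
      end
      # … unchanged: var …
```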
", + # libgumbo + "
", + ] + + assert_includes(acceptable_results, actual) + end + + def test_should_prune_malignmark + # https://hackerone.com/reports/2519936 + input = "
", + # libgumbo + "
", + ] + + assert_includes(acceptable_results, actual) + end + protected def safe_list_sanitize(input, options = {}) module_under_test::SafeListSanitizer.new.sanitize(input, options) @@ -1175,5 +1215,37 @@ def test_should_not_be_vulnerable_to_ns_confusion_2519941 assert_nil(xss) end + + def test_should_not_be_vulnerable_to_mglyph_namespace_confusion + # https://hackerone.com/reports/2519936 + input = "