diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 7f6fe27..44eadf2 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -138,6 +138,19 @@ def validate!(var, name)
if var && !var.is_a?(Enumerable)
raise ArgumentError, "You should pass :#{name} as an Enumerable"
end
+
+ if var && name == :tags
+ if var.include?("mglyph")
+ warn("WARNING: 'mglyph' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+ var.delete("mglyph")
+ end
+
+ if var.include?("malignmark")
+ warn("WARNING: 'malignmark' tags cannot be allowed by the PermitScrubber and will be scrubbed")
+ var.delete("malignmark")
+ end
+ end
+
var
end
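Review bot: `var.delete("mglyph")` and `var.delete("malignmark")` mutate the caller's collection in place, but the only guard above (`var.is_a?(Enumerable)`) admits objects that are frozen (a `.freeze`d allowlist constant raises `FrozenError`) or that do not respond to `#delete` at all (a `Range` or `Enumerator` raises `NoMethodError`), so the new code can turn a previously valid `tags:` option into an exception. Since `var` is returned on the last line, the safer shape is to warn and then hand back a filtered copy, which also collapses the two duplicated branches into one loop over the unallowable names. The tag comparison is exact-case; whether mixed-case names such as `MGLYPH` can reach this point depends on how the scrubber normalises tag names, which is not visible here, so it is worth confirming. `validate!` starts before this hunk.
```ruby
if var && name == :tags
  # Return a filtered copy instead of calling #delete on the caller's
  # collection, which may be frozen or may not respond to #delete.
  unallowable = %w[mglyph malignmark].select { |tag| var.include?(tag) }
  unallowable.each do |tag|
    warn("WARNING: '#{tag}' tags cannot be allowed by the PermitScrubber and will be scrubbed")
  end
  var = var.reject { |tag| unallowable.include?(tag) } unless unallowable.empty?
end

var
```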
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 42880c5..3c13d17 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -1096,6 +1096,46 @@ def test_should_sanitize_across_newlines
assert_equal "", sanitize_css(raw)
end
+ def test_should_prune_mglyph
+ # https://hackerone.com/reports/2519936
+ input = "",
+ # libgumbo
+ "",
+ ]
+
+ assert_includes(acceptable_results, actual)
+ end
+
+ def test_should_prune_malignmark
+ # https://hackerone.com/reports/2519936
+ input = "",
+ # libgumbo
+ "",
+ ]
+
+ assert_includes(acceptable_results, actual)
+ end
+
protected
def safe_list_sanitize(input, options = {})
module_under_test::SafeListSanitizer.new.sanitize(input, options)
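Review bot: `test_should_prune_mglyph` and `test_should_prune_malignmark` only assert on the sanitized output (`assert_includes(acceptable_results, actual)`), so the `warn` that `validate!` now emits when these tags appear in the `tags:` option is never checked, and a regression that silently drops the tag without warning would still pass. If these tests pass the pruned tag through `tags:` (the inputs are truncated in this view, so I am inferring that from the test names), the sanitize call could be wrapped as `assert_output(nil, /'mglyph' tags cannot be allowed/) { actual = safe_list_sanitize(input, tags: ["mglyph"]) }` and likewise for malignmark, which pins the warning text as well as the scrubbing. Listing two `acceptable_results` with a `# libgumbo` comment suggests parser-dependent output; a one-line comment naming which parser produces which result would help the next maintainer.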
@@ -1175,5 +1215,37 @@ def test_should_not_be_vulnerable_to_ns_confusion_2519941
assert_nil(xss)
end
+
+ def test_should_not_be_vulnerable_to_mglyph_namespace_confusion
+ # https://hackerone.com/reports/2519936
+ input = "