Fix ReDoS vulnerability in PermitScrubber by optimizing regex

rails · Aug 13, 2024 · 798ea0c · 798ea0c
1 parent c5734e5
commit 798ea0c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -146,7 +146,7 @@ def scrub_attribute(node, attr_node)
             Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
           end
 
-          if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m
+          if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#].*/m
             attr_node.remove
           end