From 9a1e3761b42f0f7f49021a185df480dc4aabf423 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Thu, 12 Dec 2024 15:45:59 -0500 Subject: [PATCH] fix: PermitScrubber accepts frozen tags Previously, if an invalid/unsafe tag was present, the scrubber attempted to modify the tags array. Now it properly copies the tags when they are assigned. Fixes #195
---
 CHANGELOG.md | 13 +++++++++++++ lib/rails/html/scrubbers.rb | 4 ++-- test/sanitizer_test.rb | 8 +++++--- 3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 438e68c..1b25df4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,16 @@
+## next / unreleased
+
+* `PermitScrubber` fully supports frozen "allowed tags".
+
+ v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
+ introduced a regression for applications passing a frozen array of allowed tags. Tags and
+ attributes are now properly copied when they are passed to the scrubber.
+
+ Fixes #195.
+
+ *Mike Dalessio*
+
+
 ## 1.6.1 / 2024-12-02
 
 This is a performance and security release which addresses several possible XSS vulnerabilities.
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 606b66b..882f961 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -56,11 +56,11 @@ def initialize(prune: false)
 end
 
 def tags=(tags)
- @tags = validate!(tags, :tags)
+ @tags = validate!(tags.dup, :tags)
 end
 
 def attributes=(attributes)
- @attributes = validate!(attributes, :attributes)
+ @attributes = validate!(attributes.dup, :attributes)
 end
 
 def scrub(node)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 148da0c..f78cd62 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -1099,7 +1099,7 @@ def test_should_sanitize_across_newlines
 def test_should_prune_mglyph
 # https://hackerone.com/reports/2519936
 input = "
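Review bot: The `.dup` added to both setters in the lib/rails/html/scrubbers.rb hunk is easy to mistake for a redundant copy and removed later, because nothing in the hunk says why it is there; add a why-comment on each, e.g. `# dup: validate! may drop unsafe entries, so never mutate (or raise on) the caller's possibly frozen collection`. The copy is shallow, which is sufficient only if validate! (defined outside this hunk) mutates the collection itself and not its elements — worth confirming against its body. `nil.dup` returns `nil` on the Rubies this gem supports, so a `nil` assignment still reaches whatever nil handling validate! has, which I cannot see here. The copy also removes the pre-existing side effect of editing a caller-owned array in place, the safer contract for sanitizer configuration; a regression test asserting that a frozen allow-list passed by the caller is left untouched after a scrub would pin both behaviours, and the test/sanitizer_test.rb hunk is cut off in this chunk so I cannot tell whether it does.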