
Bump to 1.8.2
joeldrapper committed Mar 11, 2024
1 parent 79d396a commit cc606f4
Showing 3 changed files with 35 additions and 10 deletions.
13 changes: 4 additions & 9 deletions lib/phlex/sgml.rb
Expand Up @@ -364,14 +364,6 @@ def __final_attributes__(**attributes)
attributes = process_attributes(**attributes)
end

if attributes[:href]&.start_with?(/\s*javascript:/)
attributes.delete(:href)
end

if attributes["href"]&.start_with?(/\s*javascript:/)
attributes.delete("href")
end

buffer = +""
__build_attributes__(attributes, buffer: buffer)

Expand All @@ -389,8 +381,11 @@ def __build_attributes__(attributes, buffer:)
else raise ArgumentError, "Attribute keys should be Strings or Symbols."
end

lower_name = name.downcase
next if lower_name == "href" && v.start_with?(/\s*javascript:/i)

# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
if HTML::EVENT_ATTRIBUTES[name] || name.match?(/[<>&"']/)
if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/)
raise ArgumentError, "Unsafe attribute name detected: #{k}."
end

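Review bot: The new `next if lower_name == "href" && v.start_with?(/\s*javascript:/i)` line assumes the href value responds to `start_with?`; the Symbol case in the new test works because Symbol has had `start_with?` since Ruby 2.7, but a nil, numeric or other object passed as `href` would now raise NoMethodError from this line instead of being treated like any other attribute value, unless the surrounding loop (which begins outside the hunk) already filters such values — that is not visible here. Coercing first, `next if lower_name == "href" && v.to_s.start_with?(/\s*javascript:/i)`, keeps the check total over value types without changing the matched cases. Separately, `\s*` covers only whitespace, whereas browser URL parsers also strip leading C0 control characters before scheme detection, so the match is narrower than what a browser would accept; normalizing the value (dropping leading control characters) before the comparison would close that gap. Folding the two removed `__final_attributes__` checks (symbol and string key) into one case-insensitive check on `lower_name` looks correct provided `name` is already a String at this point, which the `else raise ArgumentError` branch above suggests.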
2 changes: 1 addition & 1 deletion lib/phlex/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true

module Phlex
VERSION = "1.8.1"
VERSION = "1.8.2"
end
30 changes: 30 additions & 0 deletions test/phlex/view/naughty_business.rb
Expand Up @@ -3,6 +3,36 @@
describe Phlex::HTML do
extend ViewHelper

with "naughty javascript links" do
view do
def template
a(href: "javascript:alert(1)") { "a" }
a(href: "JAVASCRIPT:alert(1)") { "b" }
a(href: :"JAVASCRIPT:alert(1)") { "c" }
a(HREF: "javascript:alert(1)") { "d" }
end
end

it "removes the href attributes" do
expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>"
end
end

with "naughty uppercase event tag" do
view do
def template
button ONCLICK: "ALERT(1)" do
"naughty button"
end
end
end

it "raises" do
expect { output }.to raise_exception ArgumentError,
message: be == "Unsafe attribute name detected: ONCLICK."
end
end

with "naughty text" do
view do
def template
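Review bot: The new "naughty javascript links" case covers symbol-valued, uppercase-valued and uppercase-keyed variants but not a String-keyed `"href"` attribute, which the `__final_attributes__` branch removed in this commit handled explicitly, nor a value with leading whitespace, which is what the `\s*` in the new regex exists for. Adding `a("href" => "javascript:alert(1)") { "e" }` and `a(href: " javascript:alert(1)") { "f" }` to the template, with the expected output extended to `<a>e</a><a>f</a>`, would pin both paths against regression. The enclosing `describe Phlex::HTML` block continues outside the hunk.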
