Merge pull request #4919 from dodona-edu/svg-attributes

extend allowed tags and attributes (svg)
dodona-edu · Aug 28, 2023 · 3af2c49 · 3af2c49
2 parents 623fe5b + 03fe6b7
commit 3af2c49
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -144,8 +144,12 @@ def markdown_unsafe(source)
   end
 
   def sanitize(html)
-    @tags ||= Rails::Html::SafeListSanitizer.allowed_tags.to_a + %w[table thead tbody tr td th colgroup col style svg circle line rect path summary details]
-    @attributes ||= Rails::Html::SafeListSanitizer.allowed_attributes.to_a + %w[style target data-bs-toggle data-parent data-tab data-line data-element id x1 y1 x2 y2 stroke stroke-width fill cx cy r]
+    @tags ||= Rails::Html::SafeListSanitizer.allowed_tags.to_a +
+              %w[table thead tbody tr td th colgroup col style summary details] +
+              %w[svg g style circle line rect path polygon text]
+    @attributes ||= Rails::Html::SafeListSanitizer.allowed_attributes.to_a +
+                    %w[style target data-bs-toggle data-parent data-tab data-line data-element id] +
+                    %w[viewbox width height version style class transform id x y rx ry x1 y1 x2 y2 d points fill stroke stroke-width cx cy r font-size font-family font-weight font-variant]
 
     # Filters allowed tags and attributes
     sanitized = ActionController::Base.helpers.sanitize html,

diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
@@ -96,6 +96,25 @@ class ApplicationHelperTest < ActiveSupport::TestCase
     assert_equal dirty_html, clean_html
   end
 
+  test 'sanitize helper should allow a selection of svg tags' do
+    dirty_html = <<~HTML
+      <svg viewbox="0 0 100 100" width="300" height="100" version="1.1">
+        <style>line,circle{stroke-width:3px;stroke:black;stroke-linecap:round}</style>
+        <style>test{stroke-width:3px;stroke:black;stroke-linecap:round}</style>
+        <g id="group1" transform="translate(50,50)">
+          <circle cx="0" cy="0" r="40" fill="none"></circle>
+          <line class="test" x1="0" y1="0" x2="0" y2="-40"></line>
+        </g>
+        <rect x="0" y="0" rx="1" ry="1" width="100" height="100" fill="none" stroke="black" stroke-width="3px"></rect>
+        <polygon points="0,0 100,0 100,100 0,100"></polygon>
+        <path d="M0,0 L100,0 L100,100 L0,100 Z"></path>
+        <text x="0" y="0" font-size="14px" font-weight="bold" font-variant="normal" font-family="serif">Hello</text>
+      </svg>
+    HTML
+    clean_html = sanitize dirty_html
+    assert_equal dirty_html, clean_html
+  end
+
   test 'language tags are used correctly' do
     def current_user
       create :user