From cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Sat, 30 Nov 2024 16:13:13 -0500
Subject: [PATCH 1/2] test: Nokogiri's HTML5 "foreign style serialization"
 issue

https://hackerone.com/reports/2503220
---
 test/sanitizer_test.rb | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 8cfb523..e743b6f 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -976,6 +976,34 @@ def test_combination_of_svg_and_style_with_img_payload_2
       assert_includes(acceptable_results, actual)
     end
 
+    def test_combination_of_svg_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<svg><style>&lt;img src onerror=alert(1)>", ["svg", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<svg><style>&amp;lt;img src onerror=alert(1)&gt;</style></svg>",
+        # libgumbo
+        "<svg><style>&lt;img src onerror=alert(1)&gt;</style></svg>",
+      ]
+
+      assert_includes(acceptable_results, actual)
+    end
+
+    def test_combination_of_math_and_style_with_escaped_img_payload
+      # https://hackerone.com/reports/2503220
+      input, tags = "<math><style>&lt;img src onerror=alert(1)>", ["math", "style"]
+      actual = safe_list_sanitize(input, tags: tags)
+      acceptable_results = [
+        # libxml2
+        "<math><style>&amp;lt;img src onerror=alert(1)&gt;</style></math>",
+        # libgumbo
+        "<math><style>&lt;img src onerror=alert(1)&gt;</style></math>",
+      ]
+
+      assert_includes(acceptable_results, actual)
+    end
+
     def test_should_sanitize_illegal_style_properties
       raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
       expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
@@ -1075,5 +1103,15 @@ class HTML4SafeListSanitizerTest < Minitest::Test
   class HTML5SafeListSanitizerTest < Minitest::Test
     @module_under_test = Rails::HTML5
     include SafeListSanitizerTest
+
+    def test_should_not_be_vulnerable_to_nokogiri_foreign_style_serialization_bug
+      # https://hackerone.com/reports/2503220
+      input = "<svg><style>&lt;img src onerror=alert(1)>"
+      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["svg", "style"])
+      browser = Nokogiri::HTML5::Document.parse(result)
+      xss = browser.at_xpath("//img/@onerror")
+
+      assert_nil(xss)
+    end
   end if loofah_html5_support?
 end

From b0220b8850d52199a15f83c472d175a4122dd7b1 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Sat, 30 Nov 2024 16:53:37 -0500
Subject: [PATCH 2/2] dep: bump Nokogiri dependency to address the foreign
 style issue

https://hackerone.com/reports/2503220
---
 Gemfile                      |  4 ----
 Gemfile.lock                 | 18 ++++--------------
 rails-html-sanitizer.gemspec |  8 +++++---
 3 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/Gemfile b/Gemfile
index 1b4cfbc..e388355 100644
--- a/Gemfile
+++ b/Gemfile
@@ -14,7 +14,3 @@ group :rubocop do
   gem "rubocop-performance", require: false
   gem "rubocop-rails", require: false
 end
-
-# specify gem versions for old rubies
-gem "nokogiri", ">= 1.7"
-gem "activesupport", ">= 5"
diff --git a/Gemfile.lock b/Gemfile.lock
index 8e26d75..5eac85b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -3,7 +3,7 @@ PATH
   specs:
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
 
 GEM
   remote: https://rubygems.org/
@@ -34,18 +34,10 @@ GEM
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
+    mini_portile2 (2.8.8)
     minitest (5.24.1)
-    nokogiri (1.16.7-aarch64-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-arm-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-arm64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-linux)
+    nokogiri (1.16.8)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     parallel (1.26.2)
     parser (3.3.4.2)
@@ -98,9 +90,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
-  activesupport (>= 5)
   minitest
-  nokogiri (>= 1.7)
   rails-html-sanitizer!
   rake
   rubocop (>= 1.25.1)
diff --git a/rails-html-sanitizer.gemspec b/rails-html-sanitizer.gemspec
index 8bed712..621a44a 100644
--- a/rails-html-sanitizer.gemspec
+++ b/rails-html-sanitizer.gemspec
@@ -26,8 +26,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = Dir["test/**/*"]
   spec.require_paths = ["lib"]
 
-  # NOTE: There's no need to update dependencies for CVEs in minor releases
-  # when users can simply run `bundle update loofah`.
   spec.add_dependency "loofah", "~> 2.21"
-  spec.add_dependency "nokogiri", "~> 1.14"
+
+  # A fix was shipped in nokogiri v1.15.7 and v1.16.8 without which there is a vulnerability in this gem.
+  spec.add_dependency "nokogiri", [">=1.15.7",
+                                   "!=1.16.0", "!=1.16.0.rc1", "!=1.16.1", "!=1.16.2", "!=1.16.3",
+                                   "!=1.16.4", "!=1.16.5", "!=1.16.6", "!=1.16.7"]
 end