kiso-icons 0.1.0.pre → 0.2.0.pre

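--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 6f91c4c7b067ad325b199468604b89aead98ba16f3c99469aff5e2ef836d4878
-data.tar.gz: d9f4b770b5081f8bbd463591710dadb8b9e198b4526bb226d60563f065b92c1e
+metadata.gz: abdce35f898bcd015e68eb0fd14ec634c00f48b7c439e1937cb57ce36da1b89b
+data.tar.gz: e848efc526a44648dd41a34adf83ffe7f73666eb2bb38cefd48d188670a517c1
 SHA512:
-metadata.gz: 2db2872c247bc11a982224eff8feb89ddc63b2ba51b96aba1783e5c9fab9dadf73b336554fb0caa13b26014028e64d0be5ad5db0656382c472650a179ba1fdd2
-data.tar.gz: 9633012b948ac6fb942ef2b51408dc4c1cd64f82daf61d4c3cadb4d1957bd43d377afab5cdc9f376ba38f8a307bf39608ef3d97d13bb7c4dba7e9cd0642b4194
+metadata.gz: 8ad7085b951095eb5540babda7bf8b0495b2111ee70bacbfdd7f0d63f6c4443427786b11d4e114657112bab9c99750fff4bd010c00e22b72d4bfc6996a5630b9
+data.tar.gz: 0d528a7c8a0d73f3f7f3a6926a148bce8152738d8c54eaffa280cdf14bd10ef3fd743b8cfb741a1a271c79b846f97dbd74cdcd41118e4e93ac41cf1dd3469812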
@@ -1,11 +1,20 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "loofah"
4
+
3
5
  module Kiso
4
6
  module Icons
5
7
  class Renderer
8
+ BLOCKED_SVG_ELEMENTS = %w[
9
+ script foreignobject iframe object embed
10
+ ].freeze
11
+
12
+ EVENT_HANDLER_RE = /\Aon/i
13
+ JAVASCRIPT_URI_RE = /\A\s*javascript:/i
14
+
6
15
  class << self
7
16
  def render(icon_data, css_class: nil, **options)
8
- body = icon_data[:body]
17
+ body = sanitize_svg_body(icon_data[:body])
9
18
  width = icon_data[:width]
10
19
  height = icon_data[:height]
11
20
 
@@ -47,6 +56,12 @@ module Kiso
47
56
 
48
57
  private
49
58
 
59
+ def sanitize_svg_body(body)
60
+ return "" if body.nil? || body.empty?
61
+
62
+ Loofah.scrub_fragment(body, SVG_SCRUBBER).to_s
63
+ end
64
+
50
65
  def escape_attr(value)
51
66
  value.to_s
52
67
  .gsub("&", "&amp;")
@@ -55,6 +70,35 @@ module Kiso
55
70
  .gsub(">", "&gt;")
56
71
  end
57
72
  end
73
+
74
+ # Loofah scrubber that strips dangerous elements and event handlers
75
+ # from SVG body content while preserving legitimate SVG markup.
76
+ class SvgScrubber < Loofah::Scrubber
77
+ def initialize
78
+ @direction = :top_down
79
+ end
80
+
81
+ def scrub(node)
82
+ return CONTINUE if node.text? || node.cdata?
83
+
84
+ if BLOCKED_SVG_ELEMENTS.include?(node.name.downcase)
85
+ node.remove
86
+ return STOP
87
+ end
88
+
89
+ node.attribute_nodes.each do |attr|
90
+ if attr.name.match?(EVENT_HANDLER_RE)
91
+ attr.remove
92
+ elsif attr.name.casecmp("href").zero? || attr.name == "xlink:href"
93
+ attr.remove if attr.value.match?(JAVASCRIPT_URI_RE)
94
+ end
95
+ end
96
+
97
+ CONTINUE
98
+ end
99
+ end
100
+
101
+ SVG_SCRUBBER = SvgScrubber.new.freeze
58
102
  end
59
103
  end
60
104
  end
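Review bot: The href branch in `SvgScrubber#scrub` (new lines 92-93) is a denylist that rejects only values matching `JAVASCRIPT_URI_RE`, so a `data:` URI or any other non-fragment scheme on `href`/`xlink:href` survives sanitization, and `BLOCKED_SVG_ELEMENTS` still admits `style`, `a`, `use`, `animate` and `set`, the last two of which can rewrite attributes after the scrub has completed. For an icon renderer an allowlist is the safer shape: define `SAFE_HREF_RE = %r{\A(?:#|https?://)}i` next to the other constants, replace the `JAVASCRIPT_URI_RE` check with `attr.remove unless attr.value.match?(SAFE_HREF_RE)`, and either add those element names to `BLOCKED_SVG_ELEMENTS` or invert it into an allowlist of drawing elements (`svg g path circle rect …`). Two smaller points: `Loofah.scrub_fragment` in `sanitize_svg_body` runs `body` through Loofah's HTML fragment parser, which may fold attribute names such as `viewBox` to lowercase — worth a round-trip test, or `Loofah.xml_fragment` if the output must stay verbatim; and `SvgScrubber#initialize` should call `super(direction: :top_down)` instead of assigning `@direction` directly so the base class's setup is not bypassed. The body of `render` in the first hunk continues outside the hunk.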
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Kiso
4
4
  module Icons
5
- VERSION = "0.1.0.pre"
5
+ VERSION = "0.2.0.pre"
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kiso-icons
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0.pre
4
+ version: 0.2.0.pre
5
5
  platform: ruby
6
6
  authors:
7
7
  - Steve Clarke