Fixes issue #3255 - In certain cases not all content of an html email is shown (HTML sanitizer will remove to much)

2020-10-27 08:14:20 +01:00 · 2020-10-27 08:14:20 +01:00 · 16872c3c89
parent 0b9e6676f8
commit 16872c3c89
3 changed files with 25 additions and 3 deletions
--- a/config/initializers/html_sanitizer.rb
+++ b/config/initializers/html_sanitizer.rb
@ -1,6 +1,7 @@
 # content of this tags will also be removed
 Rails.application.config.html_sanitizer_tags_remove_content = %w[
  style
+  comment
 ]

 # content of this tags will will be inserted html quoted
--- a/lib/html_sanitizer.rb
+++ b/lib/html_sanitizer.rb
@ -28,9 +28,6 @@ satinize html string based on whiltelist
      classes_whitelist = %w[js-signatureMarker yahoo_quoted]
      attributes_2_css = %w[width height]

-      # remove html comments
-      string.gsub!(/<!--.+?-->/m, '')
-
      scrubber_link = Loofah::Scrubber.new do |node|

        # wrap plain-text URLs in <a> tags
@ -200,6 +197,15 @@ satinize html string based on whiltelist
        string = new_string
      end

+      scrubber_tag_remove = Loofah::Scrubber.new do |node|
+        # remove tags with subtree
+        next if tags_remove_content.exclude?(node.name)
+
+        node.remove
+        Loofah::Scrubber::STOP
+      end
+      string = Loofah.fragment(string).scrub!(scrubber_tag_remove).to_s
+
      Loofah.fragment(string).scrub!(scrubber_link).to_s
    end
  rescue Timeout::Error
--- a/test/unit/html_sanitizer_test.rb
+++ b/test/unit/html_sanitizer_test.rb
@ -104,6 +104,21 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA
 test 123
 <blockquote></blockquote>
 </div>')
+    assert_equal(HtmlSanitizer.strict('<style><!--
+/* Font Definitions */
+@font-face
+  {font-family:"Cambria Math";
+  panose-1:2 4 5 3 5 4 6 3 2 4;}
+  {page:WordSection1;}</style><!--[if gte mso 9]><xml>
+<o:shapedefaults v:ext="edit" spidmax="1026" />
+</xml><![endif]--><!--[if gte mso 9]><xml>
+<o:shapelayout v:ext="edit">
+<o:idmap v:ext="edit" data="1" />
+</o:shapelayout></xml><![endif]-->
+<div>123</div>
+<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1">abc</a></div>'), '
+<div>123</div>
+<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">abc</a>')
    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
    assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')