Improved removing of html comments.

app/models/concerns/checks_html_sanitized.rb

@@ -9,7 +9,7 @@ module ChecksHtmlSanitized
 
   def sanitized_html_attributes
     html_attributes = self.class.instance_variable_get(:@sanitized_html) || []
-    return true if html_attributes.empty?
+    return true if html_attributes.blank?
 
     html_attributes.each do |attribute|
       value = send(attribute)

lib/html_sanitizer.rb

@@ -19,6 +19,9 @@ satinize html string based on whiltelist
     classes_whitelist = ['js-signatureMarker']
     attributes_2_css = %w(width height)
 
+    # remove html comments
+    string.gsub!(/<!--.+?-->/m, '')
+
     scrubber_link = Loofah::Scrubber.new do |node|
 
       # check if href is different to text
@@ -64,7 +67,7 @@ satinize html string based on whiltelist
               urls.push match[1].to_s.strip
             end
           end
-          next if urls.empty?
+          next if urls.blank?
           add_link(node.content, urls, node)
         end
       end
@@ -136,7 +139,7 @@ satinize html string based on whiltelist
       # move style attributes to css attributes
       attributes_2_css.each do |key|
         next if !node[key]
-        if node['style'].empty?
+        if node['style'].blank?
           node['style'] = ''
         else
           node['style'] += ';'
@@ -343,7 +346,7 @@ cleanup html string:
   end
 
   def self.add_link(content, urls, node)
-    if urls.empty?
+    if urls.blank?
       text = Nokogiri::XML::Text.new(content, node.document)
       node.add_next_sibling(text)
       return

test/unit/html_sanitizer_test.rb

@@ -75,6 +75,37 @@ tt  p://6 6.000146.0x7.147/">XSS</A>', true), 'XSS (<a href="http://66.000146.0x
     assert_equal(HtmlSanitizer.strict('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'), 'alert(1)')
     assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>'), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank">http://example.com</a>')
     assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', true), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank">http://example.com</a>')
+    assert_equal(HtmlSanitizer.strict('<div>
+<style type="text/css">#outlook A {
+.content { WIDTH: 100%; MAX-WIDTH: 740px }
+A { COLOR: #666666; TEXT-DECORATION: none }
+A:link { COLOR: #666666; TEXT-DECORATION: none }
+A:hover { COLOR: #666666; TEXT-DECORATION: none }
+A:active { COLOR: #666666; TEXT-DECORATION: none }
+A:focus { COLOR: #666666; TEXT-DECORATION: none }
+BODY { FONT-FAMILY: Calibri, Arial, Verdana, sans-serif }
+</style>
+<!--[if (gte mso 9)|(IE)]>
+<META name=GENERATOR content="MSHTML 9.00.8112.16800"></HEAD>
+<BODY bgColor=#ffffff>
+<DIV><FONT size=2 face=Arial></FONT>&nbsp;</DIV>
+<BLOCKQUOTE
+style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
+  <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
+  <DIV style="FONT: 10pt arial"><B>To:</B> <A title=smith.test@example.dk
+  href="mailto:smith.test@example.dk">smith.test@example.dk</A> </DIV>
+  <DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, November 10, 2017 9:11
+  PM</DIV>
+  <DIV style="FONT: 10pt arial"><B>Subject:</B> Din bestilling hos
+  example.dk - M123 - KD1234</DIV>
+  <div>&nbsp;</div>
+<![endif]-->test 123
+<blockquote></div>'), '<div>
+
+test 123
+<blockquote></blockquote>
+</div>')
+
   end
 
 end