diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
index 287b435..7052b59 100644
--- a/lib/loofah/html5/safelist.rb
+++ b/lib/loofah/html5/safelist.rb
@@ -999,7 +999,6 @@ module SafeList
"image/gif",
"image/jpeg",
"image/png",
- "image/svg+xml",
"text/css",
"text/plain",
])
diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
index 662d0b3..90e0f38 100755
--- a/test/html5/test_sanitizer.rb
+++ b/test/html5/test_sanitizer.rb
@@ -155,7 +155,7 @@ def test_should_allow_contenteditable
end
end
- HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
+ ["image/gif", "image/jpeg", "image/png", "text/css", "text/plain"].each do |data_uri_type|
define_method "test_should_allow_data_#{data_uri_type}_uris" do
input = %(foo)
output = "foo"
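Review bot: Replacing the iteration over `HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES` with a literal list means nothing in the suite now asserts that the constant still equals that list, so a type later added to the safelist (or `image/svg+xml` quietly re-added) would not be exercised by these allow tests and would not fail any deny test either. Keeping the literal is reasonable, because it stops a shrinking safelist from silently shrinking coverage, but one extra assertion would close the gap, e.g. `assert_equal %w[image/gif image/jpeg image/png text/css text/plain].sort, HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.to_a.sort`. The constant's container type is not visible in this view (the safelist hunk ends with `])`), so `.to_a` may be unnecessary, and the tag text inside `%(…)` has been stripped from this rendering so I cannot confirm which element and attribute each generated test targets.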
@@ -165,9 +165,7 @@ def test_should_allow_contenteditable
output = "foo"
check_sanitization(input, output, output, output)
end
- end
- HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
define_method "test_should_allow_uppercase_data_#{data_uri_type}_uris" do
input = %(foo)
output = "foo"
@@ -187,6 +185,16 @@ def test_should_disallow_other_uri_mediatypes
input = %(foo)
output = "foo"
check_sanitization(input, output, output, output)
+
+ input = %(foo)
+ output = "foo"
+ check_sanitization(input, output, output, output)
+
+ # https://hackerone.com/bugs?report_id=1694173
+ # https://github.com/w3c/svgwg/issues/266
+ input = %()
+ output = ""
+ check_sanitization(input, output, output, output)
end
HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
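Review bot: The new deny cases in `test_should_disallow_other_uri_mediatypes` pin `image/svg+xml` only in the exact lowercase spelling that was removed from the safelist, while the generated `test_should_allow_uppercase_data_…` tests a few lines up indicate the sanitizer matches media types case-insensitively; if that comparison normalizes case, `data:IMAGE/SVG+XML,…` and a mixed-case `;base64` variant should be asserted as stripped here too, otherwise a regression confined to the normalization path would keep this test green. The tag text inside `%(…)` is not visible in this rendering, so I cannot tell which element or attribute carries the `data:` URI or whether a `;charset=` parameter variant is covered; one additional `input = %(<img src="data:IMAGE/SVG+XML;base64,…">foo)` mirroring the uppercase allow test would be enough. A short why-comment next to the two linked reports would also help future maintainers who see `image/*` and assume SVG belongs: `# SVG is XML and can carry <script> and event-handler attributes, so it is never an allowed data: media type even though other image/* types are`.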