From f0e33477a0557dbdbefc3e470c7df3a64efb002a Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 17 Nov 2022 22:51:58 -0500
Subject: [PATCH] fix: replace slow regex attribute check with Loofah method which uses the Crass parser

---
 lib/rails/html/scrubbers.rb | 4 +++-
 test/sanitizer_test.rb | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 09cfe95..18bac0a 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -145,9 +145,11 @@ def scrub_attribute(node, attr_node)
           attr_node.remove
         end
       end
+
       if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
-        attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
+        Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)
       end
+
       if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
         attr_node.remove
       end
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 9f84a4c..8a1d5ac 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -600,6 +600,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
     refute_includes(sanitized, "style")
   end

+  def test_scrubbing_svg_attr_values_that_allow_ref
+    input = %Q(
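Review bot: The replacement line drops the `if attr_node.value` guard that the removed line carried, so `scrub_attribute_that_allows_local_ref` is now invoked even when the attribute value is nil; unless that Loofah method is known to tolerate nil, keep the guard: `Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node) if attr_node.value`. The call also depends on a Loofah release that defines this method, which presumably implies a minimum-version bump in the gemspec that this patch does not show — worth confirming before merging. The `xlink:href` branch two lines below still relies on the hand-rolled `=~ /^\s*[^#\s].*/m` check, and a short comment stating why that case is not delegated to Loofah's parser as well would help the next reader. scrub_attribute begins before this hunk.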
hey
) + expected = %Q(
hey
) + actual = scope_allowed_attributes %w(fill) do + safe_list_sanitize(input) + end + + assert_equal(expected, actual) + end + protected def xpath_sanitize(input, options = {})