From: XhmikosR Date: Thu, 7 Oct 2021 14:48:36 +0000 (+0300) Subject: Sanitizer: fix logic and add a test. (#35133) X-Git-Tag: v5.2.0-beta1~470 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64e13162faa692aa2d12071ad9a14a3ac1b08a6f;p=thirdparty%2Fbootstrap.git Sanitizer: fix logic and add a test. (#35133) This was broken in 2596c97 inadvertently. Added a test so that we don't hit this in the future.
---
diff --git a/js/src/util/sanitizer.js b/js/src/util/sanitizer.js
index f5a8287cd0..232416f3ab 100644
--- a/js/src/util/sanitizer.js
+++ b/js/src/util/sanitizer.js
@@ -45,7 +45,7 @@ const allowedAttribute = (attribute, allowedAttributeList) => {
 
   // Check if a regular expression validates the attribute.
   return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
-    .every(regex => regex.test(attributeName))
+    .some(regex => regex.test(attributeName))
 }
 
 export const DefaultAllowlist = {
diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js
index 7379d221f4..28d624c878 100644
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@@ -23,6 +23,31 @@ describe('Sanitizer', () => {
     expect(result).not.toContain('href="javascript:alert(7)')
   })
 
+  it('should sanitize template and work with multiple regex', () => {
+    const template = [
+      '
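Review bot: The regex branch on the added `.some(...)` line decides on the attribute name alone — `regex.test(attributeName)` never inspects the attribute's value — so a consumer-supplied regex that also matches a URL-bearing attribute name admits any value for it, whereas the name-list branch earlier in the function (outside this hunk) presumably runs the URL-value check before returning true. Worth either applying the same value check in this branch before returning, or making the contract explicit with a comment such as `// Regex entries match on attribute NAME only; URL-bearing attributes admitted this way are not value-checked.` Separately, `RegExp.prototype.test` is stateful for regexes carrying the `g` or `y` flag (it advances `lastIndex`), so an allowlist entry written with such a flag would alternate between matching and not across calls; resetting `regex.lastIndex = 0` before the test, or rejecting flagged entries when the allowlist is accepted, avoids that. allowedAttribute starts before this hunk.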
', + ' Click me', + ' Some content', + '
' + ].join('') + + const myDefaultAllowList = DefaultAllowlist + // With the default allow list + let result = sanitizeHtml(template, myDefaultAllowList, null) + + // `data-foo` won't be present + expect(result).not.toContain('data-foo="bar"') + + // Add the following regex too + myDefaultAllowList['*'].push(/^data-foo/) + + result = sanitizeHtml(template, myDefaultAllowList, null) + + expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list + expect(result).toContain('aria-label="This is a link"') // This is in the default list + expect(result).toContain('data-foo="bar"') // We explicitly allow this + }) + it('should allow aria attributes and safe attributes', () => { const template = [ '
',