Allow data attributes

Closes #57
flavorjones · Oct 13, 2013 · 78c7e74 · 78c7e74
1 parent 825d715
commit 78c7e74
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/lib/loofah/html5/scrub.rb b/lib/loofah/html5/scrub.rb
@@ -22,10 +22,16 @@ def scrub_attributes node
                         else
                           attr_node.node_name
                         end
+
+            if attr_name =~ /\Adata-\w+\z/
+              next
+            end
+
             unless WhiteList::ALLOWED_ATTRIBUTES.include?(attr_name)
               attr_node.remove
               next
             end
+
             if WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
               # this block lifted nearly verbatim from HTML5 sanitization
               val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS,'').downcase

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -88,6 +88,15 @@ def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
     end
   end
 
+  def test_should_allow_data_attributes
+    input = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
+
+    output = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+    htmloutput = "<p data-foo='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
+
+    check_sanitization(input, htmloutput, output, output)
+  end
+
   ##
   ##  libxml2 downcases attributes, so this is moot.
   ##