From 403173436d2c24ed0613a09b1e6d8f5d01ef0e22 Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 09:04:37 +0100
Subject: [PATCH 1/6] make loofah more restrictive in allowed HTML tags

---
 lib/fdroid/Package.rb               | 12 ++++++++++++
 spec/lib/fdroid/FDroidIndex_spec.rb | 17 +++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/lib/fdroid/Package.rb b/lib/fdroid/Package.rb
index e8d0c51..6ba01c6 100644
--- a/lib/fdroid/Package.rb
+++ b/lib/fdroid/Package.rb
@@ -19,6 +19,18 @@
 require 'loofah'
 require_relative './Version'
 
+# override the HTML elements loofah allows; be more restrictive
+module Loofah::HTML5::Scrub
+  OVERRIDDEN_SAFE_ELEMENTS = Set.new(
+    ["b", "big", "blockquote", "br", "cite", "em", "i", "small",
+     "strike", "strong", "sub", "sup", "tt", "u"]
+  )
+
+  def self.allowed_element?(element_name)
+    OVERRIDDEN_SAFE_ELEMENTS.include?(element_name)
+  end
+end
+
 module FDroid
   class Package
     def initialize(package, versions, locale)
diff --git a/spec/lib/fdroid/FDroidIndex_spec.rb b/spec/lib/fdroid/FDroidIndex_spec.rb
index 831617e..0f653a1 100644
--- a/spec/lib/fdroid/FDroidIndex_spec.rb
+++ b/spec/lib/fdroid/FDroidIndex_spec.rb
@@ -115,6 +115,23 @@ here"
       multi_line = Package.process_package_description(text)
       expect(multi_line).to eql(text)
     end
+
+    it 'Scrubs <img>, <video>, <svg>, <script> tags' do
+      input = <<~'END'
+        <b>bold text</b>
+        <img src="https://example.com/image.png" />
+        <video src="https://example.com/video.ogg" />
+        <svg><path d=""/><script>alert("oops")</script></svg>
+      END
+      output = <<~'END'.gsub("\n", '<br />')
+        <b>bold text</b>
+        &lt;img src="https://example.com/image.png"&gt;
+        &lt;video src="https://example.com/video.ogg"&gt;&lt;/video&gt;
+        &lt;svg&gt;&lt;path d=""&gt;&lt;/path&gt;&lt;script&gt;alert("oops")&lt;/script&gt;&lt;/svg&gt;
+      END
+      scrubbed = Package.process_package_description(input)
+      expect(scrubbed).to eql(output)
+    end
   end
 
   RSpec.describe Permission do
-- 
GitLab


From ca28589f345ab106e9481ec6048ca2587272f21f Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 09:16:08 +0100
Subject: [PATCH 2/6] allow <a> (for now) to un-break tests

---
 lib/fdroid/Package.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/fdroid/Package.rb b/lib/fdroid/Package.rb
index 6ba01c6..8b4b40d 100644
--- a/lib/fdroid/Package.rb
+++ b/lib/fdroid/Package.rb
@@ -22,7 +22,7 @@ require_relative './Version'
 # override the HTML elements loofah allows; be more restrictive
 module Loofah::HTML5::Scrub
   OVERRIDDEN_SAFE_ELEMENTS = Set.new(
-    ["b", "big", "blockquote", "br", "cite", "em", "i", "small",
+    ["a", "b", "big", "blockquote", "br", "cite", "em", "i", "small",
      "strike", "strong", "sub", "sup", "tt", "u"]
   )
 
-- 
GitLab


From 5b50b5355b6316618acaeee44e22a8dae69acf4f Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 15:00:22 +0100
Subject: [PATCH 3/6] strip instead of escape when scrubbing

---
 lib/fdroid/Package.rb | 10 +++++-----
 lib/fdroid/Repo.rb    |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/fdroid/Package.rb b/lib/fdroid/Package.rb
index 8b4b40d..b995ca2 100644
--- a/lib/fdroid/Package.rb
+++ b/lib/fdroid/Package.rb
@@ -65,7 +65,7 @@ module FDroid
       n = field('name') || Package.localized(@available_locales, @package['localized'], 'name') || '~missing name~'
 
       if n != nil
-        n = Loofah.scrub_fragment(n, :escape).to_text()
+        n = Loofah.scrub_fragment(n, :strip).to_text()
       end
 
       return n
@@ -75,7 +75,7 @@ module FDroid
       s = field('summary') || Package.localized(@available_locales, @package['localized'], 'summary')
 
       if s != nil
-        s = Loofah.scrub_fragment(s, :escape).to_text()
+        s = Loofah.scrub_fragment(s, :strip).to_text()
       end
 
       return s
@@ -189,7 +189,7 @@ module FDroid
     # Ensure newlines in descriptions are preserved (converted to "<br />" tags)
     # Handles UNIX, Windows and MacOS newlines, with a one-to-one replacement
     def self.format_description_to_html(string)
-      Loofah.scrub_fragment(string, :escape).to_html(:save_with => 0).gsub(/(?:\n\r?|\r\n?)/, '<br />')
+      Loofah.scrub_fragment(string, :strip).to_html(:save_with => 0).gsub(/(?:\n\r?|\r\n?)/, '<br />')
     end
 
     # @param [string] available_locales
@@ -329,9 +329,9 @@ module FDroid
         case value
         when Float then return value
         when Integer then return value
-        when Array then return value.map { |i| Loofah.scrub_fragment(i, :escape).to_html(:save_with => 0) }
+        when Array then return value.map { |i| Loofah.scrub_fragment(i, :strip).to_html(:save_with => 0) }
         else
-          return Loofah.scrub_fragment(value, :escape).to_html(:save_with => 0)
+          return Loofah.scrub_fragment(value, :strip).to_html(:save_with => 0)
         end
       end
     end
diff --git a/lib/fdroid/Repo.rb b/lib/fdroid/Repo.rb
index 3f82367..ebacabb 100644
--- a/lib/fdroid/Repo.rb
+++ b/lib/fdroid/Repo.rb
@@ -25,7 +25,7 @@ module FDroid
     end
 
     def name
-      Loofah.scrub_fragment(@repo['name'], :escape).to_s
+      Loofah.scrub_fragment(@repo['name'], :strip).to_s
     end
 
     def address
@@ -39,7 +39,7 @@ module FDroid
     end
 
     def description
-      Loofah.scrub_fragment(@repo['description'], :escape).to_s
+      Loofah.scrub_fragment(@repo['description'], :strip).to_s
     end
 
     def timestamp
-- 
GitLab


From a21b73467d1234961e1c6429fd4d1a31e76c77e3 Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 15:08:30 +0100
Subject: [PATCH 4/6] allow <li> & <ul> as well

---
 lib/fdroid/Package.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/fdroid/Package.rb b/lib/fdroid/Package.rb
index b995ca2..d05df4e 100644
--- a/lib/fdroid/Package.rb
+++ b/lib/fdroid/Package.rb
@@ -23,7 +23,7 @@ require_relative './Version'
 module Loofah::HTML5::Scrub
   OVERRIDDEN_SAFE_ELEMENTS = Set.new(
     ["a", "b", "big", "blockquote", "br", "cite", "em", "i", "small",
-     "strike", "strong", "sub", "sup", "tt", "u"]
+     "strike", "strong", "sub", "sup", "tt", "u"] + ["li", "ul"]
   )
 
   def self.allowed_element?(element_name)
-- 
GitLab


From 82eefeedceae709cca787bbe5d41314ff951ae11 Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 15:12:57 +0100
Subject: [PATCH 5/6] update tests for stripping instead of escaping

---
 spec/lib/fdroid/FDroidIndex_spec.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/spec/lib/fdroid/FDroidIndex_spec.rb b/spec/lib/fdroid/FDroidIndex_spec.rb
index 0f653a1..79f3bb2 100644
--- a/spec/lib/fdroid/FDroidIndex_spec.rb
+++ b/spec/lib/fdroid/FDroidIndex_spec.rb
@@ -125,9 +125,9 @@ here"
       END
       output = <<~'END'.gsub("\n", '<br />')
         <b>bold text</b>
-        &lt;img src="https://example.com/image.png"&gt;
-        &lt;video src="https://example.com/video.ogg"&gt;&lt;/video&gt;
-        &lt;svg&gt;&lt;path d=""&gt;&lt;/path&gt;&lt;script&gt;alert("oops")&lt;/script&gt;&lt;/svg&gt;
+
+
+        alert("oops")
       END
       scrubbed = Package.process_package_description(input)
       expect(scrubbed).to eql(output)
@@ -205,10 +205,10 @@ here"
 
     it 'Loofah runs on all text fields that can be rendered with HTML' do
       loofah_test = parse_loofah_test_from_gp().to_data
-      expect(loofah_test['description']).to eq("This is just a test that &lt;script&gt;alert('pwned!')&lt;/script&gt; loofah is stripping.")
-      expect(loofah_test['summary']).to eq("트리거 불안에 때 개인 정보를 보호하거나 상황을 패닉 앱&lt;script&gt;alert('pwned!')&lt;/script&gt;")
-      expect(loofah_test['title']).to eq("&lt;script&gt;alert('PWN!')&lt;/script&gt;")
-      expect(loofah_test['whats_new']).to eq("Feature:<br />* Add support for packs (@Rudloff)<br />&lt;script&gt;alert('pwned!')&lt;/script&gt;<br />Minor:<br />* Change name to Launcher<br />")
+      expect(loofah_test['description']).to eq("This is just a test that alert('pwned!') loofah is stripping.")
+      expect(loofah_test['summary']).to eq("트리거 불안에 때 개인 정보를 보호하거나 상황을 패닉 앱alert('pwned!')")
+      expect(loofah_test['title']).to eq("alert('PWN!')")
+      expect(loofah_test['whats_new']).to eq("Feature:<br />* Add support for packs (@Rudloff)<br />alert('pwned!')<br />Minor:<br />* Change name to Launcher<br />")
     end
 
     it 'Parses the Guardian Project repo metadata correctly' do
-- 
GitLab


From cf8b0fa1efcffcfc004bbf80569310c5f6c72481 Mon Sep 17 00:00:00 2001
From: FC Stegerman <flx@obfusk.net>
Date: Thu, 15 Dec 2022 16:08:58 +0100
Subject: [PATCH 6/6] allow <ol> as well

---
 lib/fdroid/Package.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/fdroid/Package.rb b/lib/fdroid/Package.rb
index d05df4e..223d238 100644
--- a/lib/fdroid/Package.rb
+++ b/lib/fdroid/Package.rb
@@ -23,7 +23,7 @@ require_relative './Version'
 module Loofah::HTML5::Scrub
   OVERRIDDEN_SAFE_ELEMENTS = Set.new(
     ["a", "b", "big", "blockquote", "br", "cite", "em", "i", "small",
-     "strike", "strong", "sub", "sup", "tt", "u"] + ["li", "ul"]
+     "strike", "strong", "sub", "sup", "tt", "u"] + ["li", "ol", "ul"]
   )
 
   def self.allowed_element?(element_name)
-- 
GitLab