authorGabriel Mazetto <gabriel@gitlab.com>2016-06-02 00:37:25 -0300
committerRobert Speicher <rspeicher@gmail.com>2016-06-12 21:05:57 -0400
commit02b882418a44bccbcde403886c560505abd60281 (patch)
treeb1d756f5f38b94682742c73ecb621f354ca40c83 /lib/gitlab/sanitizers
parent8d243f9bdacea1909bf503eb715bd437c3b48aa7 (diff)
Fix SVG whitelisting to allow namespaced attributes
Diffstat (limited to 'lib/gitlab/sanitizers')
-rw-r--r--lib/gitlab/sanitizers/svg.rb23
1 files changed, 18 insertions, 5 deletions
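diff --git a/lib/gitlab/sanitizers/svg.rb b/lib/gitlab/sanitizers/svg.rb
index 5e95f6c0529..a540c534dee 100644
--- a/lib/gitlab/sanitizers/svg.rb
+++ b/lib/gitlab/sanitizers/svg.rb
@@ -13,12 +13,11 @@ module Gitlab
 unless Whitelist::ALLOWED_ELEMENTS.include?(node.name)
 node.unlink
 else
-node.attributes.each do |attr_name, attr|
-valid_attributes = Whitelist::ALLOWED_ATTRIBUTES[node.name]
+valid_attributes = Whitelist::ALLOWED_ATTRIBUTES[node.name]
-unless valid_attributes && valid_attributes.include?(attr_name)
-if Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(node.name) &&
-attr_name.start_with?('data-')
+node.attribute_nodes.each do |attr|
+unless valid_attributes && valid_attributes.include?(attribute_name_with_namespace(attr))
+if Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(node.name) && data_attribute?(attr)
 # Arbitrary data attributes are allowed. Verify that the attribute
 # is a valid data attribute.
 attr.unlink unless attr_name =~ DATA_ATTR_PATTERN
@@ -29,6 +28,20 @@ module Gitlab
 end
 end
 end
+
+def attribute_name_with_namespace(attr)
+if attr.namespace
+"#{attr.namespace.prefix}:#{attr.name}"
+else
+attr.name
+end
+end
+
+private
+
+def data_attribute?(attr)
+attr.name.start_with?('data-')
+end
 end
 end
 end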
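Review bot: The unchanged context line `attr.unlink unless attr_name =~ DATA_ATTR_PATTERN` in the first hunk still references `attr_name`, but the rewritten loop is now `node.attribute_nodes.each do |attr|`, so `attr_name` is no longer bound there and that branch raises NameError for any non-whitelisted `data-` attribute on an element listed in `ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS`; it should read `attr.unlink unless attr.name =~ DATA_ATTR_PATTERN`. Unless a caller rescues that error, sanitization of the whole SVG aborts on such input rather than silently keeping the attribute, so this is a correctness fault, not a filter bypass, but it makes the sanitizer fail on exactly the input the new helpers are meant to handle. In the second hunk, `attribute_name_with_namespace` is defined above `private` and so becomes a public method of the scrubber, while its sibling helper `data_attribute?` is private; both are internal and should sit below `private`. The method enclosing the first hunk starts before the hunk and ends between the two hunks.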