From 0c8d658ba887ba2743e895e391d4bea54fd6cd0f Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Wed, 24 Feb 2021 17:14:43 +0200
Subject: [PATCH] SECURITY: Prefer Loofah for processing cooked HTML
---
 lib/cooked_post_processor.rb | 2 +-
 spec/components/cooked_post_processor_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index d2d369f2904..6197c434d63 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -22,7 +22,7 @@ class CookedPostProcessor
 @cooking_options = @cooking_options.symbolize_keys
 cooked = post.cook(post.raw, @cooking_options)
- @doc = Nokogiri::HTML5::fragment(cooked)
+ @doc = Loofah.fragment(cooked)
 @has_oneboxes = post.post_analyzer.found_oneboxes?
 @size_cache = {}
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index 97ea38ddd7b..6117d88f231 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
 end
 end
+ context "#html" do
+ it "escapes attributes" do
+ post = Fabricate(:post, raw: '<something>')
+ expect(post.cook(post.raw)).to eq('
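Review bot: The new `@doc = Loofah.fragment(cooked)` line carries no comment saying why Loofah is now preferred over `Nokogiri::HTML5::fragment`, so a later maintainer is likely to treat it as an arbitrary parser choice and revert it; a why-comment would protect the fix, e.g. `# Parse with Loofah rather than Nokogiri::HTML5 so the markup serialized by #html is escaped consistently (see the "#html" spec).` `Loofah.fragment` and `Nokogiri::HTML5::fragment` are backed by different parsers, so any code in this class that relied on HTML5-specific parsing of the cooked markup should be re-checked against the changed type of `@doc`; that code, and the enclosing method, begin and end outside this hunk.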

<something>

') + expect(CookedPostProcessor.new(post).html).to eq('

<something>

') + end + end + end
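Review bot: The example titled "escapes attributes" never exercises an HTML attribute: its only input is `'<something>'`, an unknown tag in text position, so the name overstates what the spec verifies. Either rename it, `it "escapes unknown tags in text" do`, or add a second example whose raw contains an element carrying an attribute value and assert on `CookedPostProcessor.new(post).html` for that input. The expected literals in the two `eq(...)` calls appear garbled in this rendering (the text shows `<something>` surrounded by blank lines), so their exact value cannot be checked here.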