phlex-ruby · joeldrapper · Sep 12, 2024 · Sep 12, 2024
diff --git a/lib/phlex/html.rb b/lib/phlex/html.rb
@@ -5,7 +5,7 @@ class Phlex::HTML < Phlex::SGML
 	autoload :VoidElements, "phlex/html/void_elements"
 
 	# A list of HTML attributes that have the potential to execute unsafe JavaScript.
-	EVENT_ATTRIBUTES = Set.new(%w[onabort onafterprint onbeforeprint onbeforeunload onblur oncanplay oncanplaythrough onchange onclick oncontextmenu oncopy oncuechange oncut ondblclick ondrag ondragend ondragenter ondragleave ondragover ondragstart ondrop ondurationchange onemptied onended onerror onfocus onhashchange oninput oninvalid onkeydown onkeypress onkeyup onload onloadeddata onloadedmetadata onloadstart onmessage onmousedown onmousemove onmouseout onmouseover onmouseup onmousewheel onoffline ononline onpagehide onpageshow onpaste onpause onplay onplaying onpopstate onprogress onratechange onreset onresize onscroll onsearch onseeked onseeking onselect onstalled onstorage onsubmit onsuspend ontimeupdate ontoggle onunload onvolumechange onwaiting onwheel]).freeze
+	UNSAFE_ATTRIBUTES = Set.new(%w[onabort onafterprint onbeforeprint onbeforeunload onblur oncanplay oncanplaythrough onchange onclick oncontextmenu oncopy oncuechange oncut ondblclick ondrag ondragend ondragenter ondragleave ondragover ondragstart ondrop ondurationchange onemptied onended onerror onfocus onhashchange oninput oninvalid onkeydown onkeypress onkeyup onload onloadeddata onloadedmetadata onloadstart onmessage onmousedown onmousemove onmouseout onmouseover onmouseup onmousewheel onoffline ononline onpagehide onpageshow onpaste onpause onplay onplaying onpopstate onprogress onratechange onreset onresize onscroll onsearch onseeked onseeking onselect onstalled onstorage onsubmit onsuspend ontimeupdate ontoggle onunload onvolumechange onwaiting onwheel srcdoc]).freeze
 
 	extend Phlex::Elements
 	include VoidElements, StandardElements

diff --git a/lib/phlex/sgml.rb b/lib/phlex/sgml.rb
@@ -421,7 +421,7 @@ def __attributes__(attributes, buffer = +"")
 				end
 
 				# Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
-				if Phlex::HTML::EVENT_ATTRIBUTES.include?(lower_name.delete("^a-z-"))
+				if Phlex::HTML::UNSAFE_ATTRIBUTES.include?(lower_name.delete("^a-z-"))
 					raise Phlex::ArgumentError.new("Unsafe attribute name detected: #{k}.")
 				end
 			end

diff --git a/test/phlex/view/capture.rb b/test/phlex/view/capture.rb
@@ -76,7 +76,7 @@ def view_template
 				def view_template
 					srcdoc = capture { yield } if block_given?
 
-					iframe srcdoc:
+					iframe srcdoc: safe(srcdoc)
 				end
 			end
 		end

diff --git a/test/phlex/view/naughty_business.rb b/test/phlex/view/naughty_business.rb
@@ -157,7 +157,7 @@ def view_template
 		end
 	end
 
-	Phlex::HTML::EVENT_ATTRIBUTES.each do |event_attribute|
+	Phlex::HTML::UNSAFE_ATTRIBUTES.each do |event_attribute|
 		with "with naughty #{event_attribute} attribute" do
 			naughty_attributes = { event_attribute => "alert(1);" }