Application#sanitize_svg_icon already runs a Loofah scrubber on every icon upload, but the scrubber class itself was never tracked. Land it along with tests covering the four shapes that matter:

- <script> elements stripped entirely
- on* event handlers (onload, onclick, …) removed but the carrying element preserved
- attribute values pointing at javascript:/data: URIs rejected
- benign icons round-trip unchanged

Writing the benign-icon test caught a real bug: the attribute allowlist holds canonical SVG case (viewBox, preserveAspectRatio, gradientUnits, …) but safe_attribute? downcases the incoming name before comparing, so legitimate icons were silently losing those attributes on upload. Fix by comparing against a precomputed lowercase lookup set; the constant stays readable as canonical SVG case for documentation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
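The four scrubber behaviours and the case-sensitivity fix described in the commit message, as an added example that is not the project's own scrubber class: it uses REXML from Ruby's standard library in place of Loofah so it runs with no extra gems, and the module name, method names (scrub_svg, dangerous_uri?, shape) and allowlist contents are assumptions chosen for illustration. safe_attribute_before_fix? reproduces the bug the message describes beside the fixed safe_attribute?.

```ruby
# Added example, not the project's own scrubber. Uses REXML (Ruby stdlib)
# instead of Loofah; module name, method names and allowlist contents are
# illustrative assumptions.
require "rexml/document"
require "set"

module SvgIconScrubber
  # Allowlist kept in canonical SVG case so it doubles as documentation.
  # (Assumed contents; a real icon allowlist is tuned to the icons in use.)
  SAFE_ATTRIBUTES = %w[
    id class width height x y cx cy r rx ry d points fill fill-rule
    stroke stroke-width stroke-linecap stroke-linejoin transform opacity
    viewBox preserveAspectRatio gradientUnits gradientTransform
    href xlink:href
  ].freeze

  # Precomputed lowercase lookup set: what safe_attribute? actually consults.
  SAFE_ATTRIBUTE_LOOKUP = SAFE_ATTRIBUTES.map(&:downcase).to_set.freeze

  DANGEROUS_SCHEMES = %w[javascript: data:].freeze

  module_function

  # The pre-fix behaviour: the downcased incoming name is compared against the
  # canonical-case list, so "viewBox" (arriving as "viewbox") never matches.
  def safe_attribute_before_fix?(name)
    SAFE_ATTRIBUTES.include?(name.downcase)
  end

  # Fixed: downcase once on the way in, compare against the lowercase set.
  def safe_attribute?(name)
    SAFE_ATTRIBUTE_LOOKUP.include?(name.downcase)
  end

  def event_handler?(name)
    name.downcase.start_with?("on")
  end

  # Browsers ignore ASCII control and space characters inside a URL scheme and
  # match it case-insensitively, so normalise before comparing. REXML has
  # already decoded character references, so "&#106;avascript:" arrives as
  # "javascript:" here.
  def dangerous_uri?(value)
    normalised = value.gsub(/[\x00-\x20]/, "").downcase
    DANGEROUS_SCHEMES.any? { |scheme| normalised.start_with?(scheme) }
  end

  # xmlns / xmlns:* declarations are kept so the document stays well-formed.
  def namespace_declaration?(name)
    name == "xmlns" || name.start_with?("xmlns:")
  end

  def scrub_element(element)
    # Walk a snapshot of the children so removals do not disturb iteration.
    element.elements.to_a.each do |child|
      if child.name.casecmp?("script")
        child.remove                      # <script> goes, contents included
      else
        scrub_element(child)
      end
    end

    attrs = []
    element.attributes.each_attribute { |attr| attrs << attr }
    attrs.each do |attr|
      name = attr.expanded_name           # "viewBox", "xlink:href", "onload", ...
      next if namespace_declaration?(name)
      if event_handler?(name) || !safe_attribute?(name) || dangerous_uri?(attr.value)
        element.attributes.delete(attr)   # attribute goes, carrying element stays
      end
    end
    element
  end

  # Entry point: parse, scrub in place, serialise.
  def scrub_svg(svg)
    doc = REXML::Document.new(svg, attribute_quote: :quote)
    raise ArgumentError, "expected an <svg> root element" unless doc.root && doc.root.name == "svg"
    scrub_element(doc.root)
    doc.to_s
  end

  # Structural view for comparing documents: [name, {attr => value}, [children]].
  # REXML sorts attributes on output, so a byte-for-byte round-trip check would
  # fail for reasons unrelated to sanitising; comparing shapes is what matters.
  def shape(svg)
    summarise(REXML::Document.new(svg).root)
  end

  def summarise(element)
    attrs = {}
    element.attributes.each { |name, value| attrs[name] = value }
    [element.name, attrs, element.elements.to_a.map { |child| summarise(child) }]
  end
end
```

Two caveats worth carrying into a real implementation: removing `<script>` by name is a denylist, and SVG has other script-bearing places (`foreignObject` embeds arbitrary HTML, for one), so pair the attribute allowlist with an element allowlist; and serving uploaded icons through `<img>` rather than inlining them means a browser will not execute script in them even if the scrubber misses something.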
1.5 KiB