Data URI's get sanitized

[Qqwy]

When I sanitize a HTML string with an image whose src points to a data URI, its src attribute is removed (even when src is whitelisted):

unclean_html = "A test
<img src=\"http://placehold.it/400x300\">
<img src='data:image/gif;base64,R0lGODlhAQABAPAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='/>"
sanitizer = Rails::Html::WhiteListSanitizer.new
clean_html = sanitizer.sanitize(unclean_html, tags: %w{img}, attributes: %w{src})
clean_html
# => "A test\n    <img src=\"http://placehold.it/400x300\">\n    <img>"

I presume that this happens because of too strict JS-prevention measures (or the data-URI is just discarded because the sanitizer does not understand the protocol?).

[Qqwy]

After testing this, it seems that the issue is also apparent inside of Loofah, so I think it is not caused by the code in rails-html-sanitizer itself.

I've created an issue at the Loofah repository.

[flavorjones]

This issue should be closed, since we have a conversation going on at flavorjones/loofah#101

[kaspth]

Thanks folks! I'll close ❤️