Handle leading spaces in protocol while sanitizing

2 files changed, 9 insertions, 2 deletions

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index af06bffa16..24ffc28710 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -171,7 +171,7 @@ module HTML
 
     def contains_bad_protocols?(attr_name, value)
       uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
     end
   end
 end
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index 62ad6be680..b4d751e405 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -138,7 +138,7 @@ class SanitizerTest < ActionController::TestCase
       assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
     end
   end
-  
+
   def test_should_accept_good_protocols_ignoring_case
     sanitizer = HTML::WhiteListSanitizer.new
     HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
@@ -146,6 +146,13 @@ class SanitizerTest < ActionController::TestCase
     end
   end
 
+  def test_should_accept_good_protocols_ignoring_space
+    sanitizer = HTML::WhiteListSanitizer.new
+    HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
+      assert !sanitizer.send(:contains_bad_protocols?, 'src', " #{proto}://good")
+    end
+  end
+
   def test_should_accept_good_protocols
     sanitizer = HTML::WhiteListSanitizer.new
     HTML::WhiteListSanitizer.allowed_protocols.each do |proto|