From bacae2c468ef4e7aa5cfc441e816551502f5a586 Mon Sep 17 00:00:00 2001 From: Jacques Distler Date: Thu, 22 Feb 2007 01:06:53 -0600 Subject: [PATCH] Finally! XSS-protection, done right. If you want something done right, ... --- lib/chunks/engines.rb | 43 ++++------ lib/sanitize.rb | 188 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 203 insertions(+), 28 deletions(-) create mode 100644 lib/sanitize.rb diff --git a/lib/chunks/engines.rb b/lib/chunks/engines.rb index 526dcb9d..e3d4bc4b 100644 --- a/lib/chunks/engines.rb +++ b/lib/chunks/engines.rb @@ -23,75 +23,62 @@ module Engines end - MY_VERBOTEN_TAGS = %w(form script plaintext object embed applet iframe frameset frame link meta body style html) - MY_VERBOTEN_ATTRS = /^on/i - class Textile < AbstractEngine - require_dependency 'action_view/helpers/text_helper' - ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS - ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS - include ActionView::Helpers::TextHelper + require_dependency 'sanitize' + include Sanitize def mask require_dependency 'redcloth' redcloth = RedCloth.new(@content, [:hard_breaks] + @content.options[:engine_opts]) redcloth.filter_html = false redcloth.no_span_caps = false html = redcloth.to_html(:textile) - sanitize(html) + sanitize_html(html) end end class Markdown < AbstractEngine - require_dependency 'action_view/helpers/text_helper' - ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS - ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS - include ActionView::Helpers::TextHelper + require_dependency 'sanitize' + include Sanitize def mask require_dependency 'maruku' require_dependency 'maruku/ext/math' html = Maruku.new(@content.delete("\r\x01-\x08\x0B\x0C\x0E-\x1F"), {:math_enabled => false}).to_html - sanitize(html) + sanitize_html(html) end end class MarkdownMML < AbstractEngine - require_dependency 'action_view/helpers/text_helper' - ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS - ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS - include ActionView::Helpers::TextHelper + require_dependency 'sanitize' + include Sanitize def mask require_dependency 'maruku' require_dependency 'maruku/ext/math' html = Maruku.new(@content.delete("\r\x01-\x08\x0B\x0C\x0E-\x1F"), {:math_enabled => true, :math_numbered => ['\\[','\\begin{equation}']}).to_html - sanitize(html) + sanitize_html(html) end end class Mixed < AbstractEngine - require_dependency 'action_view/helpers/text_helper' - ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS - ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS - include ActionView::Helpers::TextHelper + require_dependency 'sanitize' + include Sanitize def mask require_dependency 'redcloth' redcloth = RedCloth.new(@content, @content.options[:engine_opts]) redcloth.filter_html = false redcloth.no_span_caps = false html = redcloth.to_html - sanitize(html) + sanitize_html(html) end end class RDoc < AbstractEngine - require_dependency 'action_view/helpers/text_helper' - ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS - ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS - include ActionView::Helpers::TextHelper + require_dependency 'sanitize' + include Sanitize def mask require_dependency 'rdocsupport' html = RDocSupport::RDocFormatter.new(@content).to_html - sanitize(html) + sanitize_html(html) end end diff --git a/lib/sanitize.rb b/lib/sanitize.rb new file mode 100644 index 00000000..551831ff --- /dev/null +++ b/lib/sanitize.rb @@ -0,0 +1,188 @@ +module Sanitize + +# This module provides sanitization of XHTML+MathML+SVG +# and of inline style attributes. +# +# Based heavily on Sam Ruby's code in the Universal FeedParser. + + acceptable_elements = ['a', 'abbr', 'acronym', 'address', 'area', 'b', + 'big', 'blockquote', 'br', 'button', 'caption', 'center', 'cite', + 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt', + 'em', 'fieldset', 'font', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', + 'hr', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'map', + 'menu', 'ol', 'optgroup', 'option', 'p', 'pre', 'q', 's', 'samp', + 'select', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table', + 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', + 'ul', 'var'] + + mathml_elements = ['maction', 'math', 'merror', 'mfrac', 'mi', + 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', + 'mprescripts', 'mroot', 'mrow', 'mspace', 'msqrt', 'mstyle', 'msub', + 'msubsup', 'msup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', + 'munderover', 'none'] + + svg_elements = ['a', 'animate', 'animateColor', 'animateMotion', + 'animateTransform', 'circle', 'defs', 'desc', 'ellipse', 'font-face', + 'font-face-name', 'font-face-src', 'g', 'glyph', 'hkern', 'image', + 'linearGradient', 'line', 'metadata', 'missing-glyph', 'mpath', 'path', + 'polygon', 'polyline', 'radialGradient', 'rect', 'set', 'stop', 'svg', + 'switch', 'text', 'title', 'use'] + + acceptable_attributes = ['abbr', 'accept', 'accept-charset', 'accesskey', + 'action', 'align', 'alt', 'axis', 'border', 'cellpadding', + 'cellspacing', 'char', 'charoff', 'charset', 'checked', 'cite', 'class', + 'clear', 'cols', 'colspan', 'color', 'compact', 'coords', 'datetime', + 'dir', 'disabled', 'enctype', 'for', 'frame', 'headers', 'height', + 'href', 'hreflang', 'hspace', 'id', 'ismap', 'label', 'lang', + 'longdesc', 'maxlength', 'media', 'method', 'multiple', 'name', + 'nohref', 'noshade', 'nowrap', 'prompt', 'readonly', 'rel', 'rev', + 'rows', 'rowspan', 'rules', 'scope', 'selected', 'shape', 'size', + 'span', 'src', 'start', 'style', 'summary', 'tabindex', 'target', 'title', + 'type', 'usemap', 'valign', 'value', 'vspace', 'width', 'xml:lang'] + + + mathml_attributes = ['actiontype', 'align', 'columnalign', 'columnalign', + 'columnalign', 'columnlines', 'columnspacing', 'columnspan', 'depth', + 'display', 'displaystyle', 'equalcolumns', 'equalrows', 'fence', + 'fontstyle', 'fontweight', 'frame', 'height', 'linethickness', 'lspace', + 'mathbackground', 'mathcolor', 'mathvariant', 'mathvariant', 'maxsize', + 'minsize', 'other', 'rowalign', 'rowalign', 'rowalign', 'rowlines', + 'rowspacing', 'rowspan', 'rspace', 'scriptlevel', 'selection', + 'separator', 'stretchy', 'width', 'width', 'xlink:href', 'xlink:show', + 'xlink:type', 'xmlns', 'xmlns:xlink'] + + + svg_attributes = ['accent-height', 'accumulate', 'additive', 'alphabetic', + 'arabic-form', 'ascent', 'attributeName', 'attributeType', + 'baseProfile', 'bbox', 'begin', 'by', 'calcMode', 'cap-height', + 'class', 'color', 'color-rendering', 'content', 'cx', 'cy', 'd', + 'descent', 'display', 'dur', 'end', 'fill', 'fill-rule', 'font-family', + 'font-size', 'font-stretch', 'font-style', 'font-variant', + 'font-weight', 'from', 'fx', 'fy', 'g1', 'g2', 'glyph-name', + 'gradientUnits', 'hanging', 'height', 'horiz-adv-x', 'horiz-origin-x', + 'id', 'ideographic', 'k', 'keyPoints', 'keySplines', 'keyTimes', + 'lang', 'mathematical', 'max', 'min', 'name', 'offset', 'opacity', + 'origin', 'overline-position', 'overline-thickness', 'panose-1', + 'path', 'pathLength', 'points', 'preserveAspectRatio', 'r', + 'repeatCount', 'repeatDur', 'requiredExtensions', 'requiredFeatures', + 'restart', 'rotate', 'rx', 'ry', 'slope', 'stemh', 'stemv', + 'stop-color', 'stop-opacity', 'strikethrough-position', + 'strikethrough-thickness', 'stroke', 'stroke-dasharray', + 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', + 'stroke-miterlimit', 'stroke-width', 'systemLanguage', 'target', + 'text-anchor', 'to', 'transform', 'type', 'u1', 'u2', + 'underline-position', 'underline-thickness', 'unicode', + 'unicode-range', 'units-per-em', 'values', 'version', 'viewBox', + 'visibility', 'width', 'widths', 'x', 'x-height', 'x1', 'x2', + 'xlink:actuate', 'xlink:arcrole', 'xlink:href', 'xlink:role', + 'xlink:show', 'xlink:title', 'xlink:type', 'xml:base', 'xml:lang', + 'xml:space', 'xmlns', 'xmlns:xlink', 'y', 'y1', 'y2', 'zoomAndPan'] + + acceptable_css_properties = ['azimuth', 'background-color', + 'border-bottom-color', 'border-collapse', 'border-color', + 'border-left-color', 'border-right-color', 'border-top-color', 'clear', + 'color', 'cursor', 'direction', 'display', 'elevation', 'float', 'font', + 'font-family', 'font-size', 'font-style', 'font-variant', 'font-weight', + 'height', 'letter-spacing', 'line-height', 'overflow', 'pause', + 'pause-after', 'pause-before', 'pitch', 'pitch-range', 'richness', + 'speak', 'speak-header', 'speak-numeral', 'speak-punctuation', + 'speech-rate', 'stress', 'text-align', 'text-decoration', 'text-indent', + 'unicode-bidi', 'vertical-align', 'voice-family', 'volume', + 'white-space', 'width'] + + acceptable_css_keywords = ['auto', 'aqua', 'black', 'block', 'blue', + 'bold', 'both', 'bottom', 'brown', 'center', 'collapse', 'dashed', + 'dotted', 'fuchsia', 'gray', 'green', '!important', 'italic', 'left', + 'lime', 'maroon', 'medium', 'none', 'navy', 'normal', 'nowrap', 'olive', + 'pointer', 'purple', 'red', 'right', 'solid', 'silver', 'teal', 'top', + 'transparent', 'underline', 'white', 'yellow'] + + acceptable_svg_properties = [ 'fill', 'fill-opacity', 'fill-rule', + 'stroke', 'stroke-width', 'stroke-linecap', 'stroke-linejoin', + 'stroke-opacity'] + + ALLOWED_ELEMENTS = acceptable_elements + mathml_elements + svg_elements unless defined?(ALLOWED_ELEMENTS) + ALLOWED_ATTRIBUTES = acceptable_attributes + mathml_attributes + svg_attributes unless defined?(ALLOWED_ATTRIBUTES) + ALLOWED_CSS_PROPERTIES = acceptable_css_properties unless defined?(ALLOWED_CSS_PROPERTIES) + ALLOWED_CSS_KEYWORDS = acceptable_css_keywords unless defined?(ALLOWED_CSS_KEYWORDS) + ALLOWED_SVG_PROPERTIES = acceptable_svg_properties unless defined?(ALLOWED_SVG_PROPERTIES) + + # Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and stripping out all + # attributes not in ALLOWED_ATTRIBUTES. Style attributes are parsed, and a restricted set, + # specified by ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through. + # You can adjust what gets sanitized, by defining these constant arrays before this Module is loaded. + # + # sanitize_html('') + # => <script> do_nasty_stuff() </script> + # sanitize_html('Click here for $100') + # => Click here for $100 + def sanitize_html(html) + if html.index("<") + tokenizer = HTML::Tokenizer.new(html) + new_text = "" + + while token = tokenizer.next + node = HTML::Node.parse(nil, 0, 0, token, false) + new_text << case node + when HTML::Tag + if ALLOWED_ELEMENTS.include?(node.name) + if node.closing != :close + node.attributes.delete_if { |attr,v| !ALLOWED_ATTRIBUTES.include?(attr) } + %w(href src).each do |attr| + node.attributes.delete attr if node.attributes[attr] =~ /^\s*javascript:/i + end + if node.attributes['style'] + node.attributes['style'] = sanitize_css(node.attributes['style']) + end + end + node.to_s + else + node.to_s.gsub(/