Another XSS fix

Yet another interesting XSS attack from http://ha.ckers.org/xss.html
2007-06-11 00:03:51 -05:00 · 2007-06-11 00:03:51 -05:00 · c2bfdefa57
parent aac197430c
commit c2bfdefa57
2 changed files with 14 additions and 2 deletions
--- a/vendor/plugins/HTML5lib/lib/html5lib/sanitizer.rb
+++ b/vendor/plugins/HTML5lib/lib/html5lib/sanitizer.rb
@ -114,7 +114,7 @@ module HTML5lib
              attrs = Hash[*token[:data].flatten]
              attrs.delete_if { |attr,v| !ALLOWED_ATTRIBUTES.include?(attr) }
              ATTR_VAL_IS_URI.each do |attr|
-                val_unescaped = CGI.unescapeHTML(attrs[attr].to_s).gsub(/[\000-\040\177\s]+|\302[\200-\240]/,'').downcase
+                val_unescaped = CGI.unescapeHTML(attrs[attr].to_s).gsub(/`|[\000-\040\177\s]+|\302[\200-\240]/,'').downcase
                if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ and !ALLOWED_PROTOCOLS.include?(val_unescaped.split(':')[0])
                  attrs.delete attr
                end
--- a/vendor/plugins/HTML5lib/tests/test_sanitizer.rb
+++ b/vendor/plugins/HTML5lib/tests/test_sanitizer.rb
@ -398,11 +398,23 @@ class SanitizeTest < Test::Unit::TestCase
    input = %(<!--[if gte IE 4]><script>alert\('XSS'\);</script><![endif]-->)
    output = ""
    check_sanitization(input, output, output, output)
+
+    input = %(<![if !IE 5]><script>alert\('XSS'\);</script><![endif]>)
+    output = "&lt;script&gt;alert('XSS');&lt;/script&gt;"
+    rexmloutput = "Ill-formed XHTML!"
+    check_sanitization(input, output, output, rexmloutput)
  end

  def test_xml_base
-    input =%(<div xml:base="javascript:alert('XSS');//">foo</div>)
+    input = %(<div xml:base="javascript:alert('XSS');//">foo</div>)
    output = "<div>foo</div>"
    check_sanitization(input, output, output, output)
  end
+
+  def test_grave_accents
+    input =%(<img src=`javascript:alert('XSS')` />)
+    output = "<img/>"
+    rexmloutput = "Ill-formed XHTML!"
+    check_sanitization(input, output, output, rexmloutput)
+  end
 end