Another XSS fix
Yet another interesting XSS attack from http://ha.ckers.org/xss.html
This commit is contained in:
parent
aac197430c
commit
c2bfdefa57
2 changed files with 14 additions and 2 deletions
@ -114,7 +114,7 @@ module HTML5lib
|
|||
attrs = Hash[*token[:data].flatten]
|
||||
attrs.delete_if { |attr,v| !ALLOWED_ATTRIBUTES.include?(attr) }
|
||||
ATTR_VAL_IS_URI.each do |attr|
|
||||
val_unescaped = CGI.unescapeHTML(attrs[attr].to_s).gsub(/[\000-\040\177\s]+|\302[\200-\240]/,'').downcase
|
||||
val_unescaped = CGI.unescapeHTML(attrs[attr].to_s).gsub(/`|[\000-\040\177\s]+|\302[\200-\240]/,'').downcase
|
||||
if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ and !ALLOWED_PROTOCOLS.include?(val_unescaped.split(':')[0])
|
||||
attrs.delete attr
|
||||
end
|
||||
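Review bot: The replaced line's gsub is now a four-part blocklist of characters a browser may ignore inside a URL (controls, DEL, the `\302[\200-\240]` byte range, and the backtick), yet nothing in the hunk records why each part exists, so the next maintainer cannot tell that the backtick is stripped because IE accepts it as an attribute quote. I would put a comment above the line: `# Strip chars browsers may ignore inside a URL (controls, DEL, C1/NBSP bytes, and the backtick IE accepts as an attribute quote) so an obfuscated scheme cannot dodge the ALLOWED_PROTOCOLS check`. Because `CGI.unescapeHTML` runs first, an entity-encoded backtick such as `&#96;` is also covered, which is worth stating in the comment and pinning with a test. Whether other ignorable code points beyond the Latin-1 range matter for this sanitizer I cannot tell from this hunk; the `each do |attr|` block closes outside it.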
14
vendor/plugins/HTML5lib/tests/test_sanitizer.rb
vendored
14
vendor/plugins/HTML5lib/tests/test_sanitizer.rb
vendored
@ -398,11 +398,23 @@ class SanitizeTest < Test::Unit::TestCase
|
|||
input = %(<!--[if gte IE 4]><script>alert\('XSS'\);</script><![endif]-->)
|
||||
output = ""
|
||||
check_sanitization(input, output, output, output)
|
||||
|
||||
input = %(<![if !IE 5]><script>alert\('XSS'\);</script><![endif]>)
|
||||
output = "<script>alert('XSS');</script>"
|
||||
rexmloutput = "Ill-formed XHTML!"
|
||||
check_sanitization(input, output, output, rexmloutput)
|
||||
end
|
||||
|
||||
def test_xml_base
|
||||
input =%(<div xml:base="javascript:alert('XSS');//">foo</div>)
|
||||
input = %(<div xml:base="javascript:alert('XSS');//">foo</div>)
|
||||
output = "<div>foo</div>"
|
||||
check_sanitization(input, output, output, output)
|
||||
end
|
||||
|
||||
def test_grave_accents
|
||||
input =%(<img src=`javascript:alert('XSS')` />)
|
||||
output = "<img/>"
|
||||
rexmloutput = "Ill-formed XHTML!"
|
||||
check_sanitization(input, output, output, rexmloutput)
|
||||
end
|
||||
end
|
||||
|
|