Fix filter_html letting through malformed script tag. [#15 state:reso…

…lved]
jgarber · Jul 17, 2008 · 4c4b52c · 4c4b52c
1 parent 8ba72f3
commit 4c4b52c
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/ext/redcloth_scan/redcloth_scan.rl b/ext/redcloth_scan/redcloth_scan.rl
@@ -107,7 +107,8 @@ int SYM_escape_preformatted;
   *|;
 
   script_tag := |*
-    script_tag_end     { CAT(block); ASET(type, ignore); ADD_BLOCK(); fgoto main; };
+    script_tag_end   { CAT(block); ASET(type, ignore); ADD_BLOCK(); fgoto main; };
+    EOF              { ASET(type, ignore); ADD_BLOCK(); fgoto main; };
     default => cat;
   *|;
 

diff --git a/test/code.yml b/test/code.yml
@@ -101,7 +101,7 @@ in: |-
   <script>
   function main(){}
 html: |-
-  <script>
+  <script><br />
   function main(){}
 valid_html: false
 ---

diff --git a/test/filter_html.yml b/test/filter_html.yml
@@ -18,6 +18,23 @@ filtered_html: |-
 in:  Just a little harmless xss <script src=http://ha.ckers.org/xss.js></script>
 filtered_html: <p>Just a little harmless xss &lt;script src=http://ha.ckers.org/xss.js&gt;&lt;/script&gt;</p>
 ---
+name: escapes partial inline script tag
+desc: The end tag is malformed, but it must be escaped since a browser would recognize it
+in:  Just a little harmless xss <script src=http://ha.ckers.org/xss.js></script
+filtered_html: <p>Just a little harmless xss &lt;script src=http://ha.ckers.org/xss.js&gt;&lt;/script</p>
+valid_html: false
+---
+name: escapes partial scanner-level script tag
+desc: The end tag is malformed, but it must be escaped since a browser would recognize it anyway.
+in: <script src=http://ha.ckers.org/xss.js></script
+filtered_html: '&lt;script src=http://ha.ckers.org/xss.js&gt;&lt;/script'
+valid_html: false
+---
+name: escapes self-closing scanner-level tag
+in: <hr />
+filtered_html: '&lt;hr /&gt;'
+valid_html: false
+---
 name: processes text beginning with space
 in: ' This should be <b>escaped</b>: <script type="text/javascript">alert("Hai. I`m in ya PC. Makin ya XSS viruzz! KThxBye");</script>'
 filtered_html: 'This should be &lt;b&gt;escaped&lt;/b&gt;: &lt;script type="text/javascript"&gt;alert("Hai. I`m in ya PC. Makin ya XSS viruzz! KThxBye");&lt;/script&gt;'