
Sanitization not applied recursively #29

Closed
bkimminich opened this issue Oct 14, 2014 · 3 comments

Comments

@bkimminich

commented Oct 14, 2014

Sanitization is not applied recursively, leading to a vulnerability to certain masking attacks. Example:

`I am not harmless: <<img src="csrf-attack"/>img src="csrf-attack"/>` is sanitized to `I am not harmless: <img src="csrf-attack"/>`

Mitigation: Run sanitization recursively until the input html matches the output html.
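The masking bug and the proposed fixed-point mitigation, as an added illustration that is not sanitize-html's or htmlparser2's code: `stripOnce` is a deliberately naive single-pass tag stripper constructed to reproduce the behaviour in the report, and `stripUntilStable` re-runs it until the output stops changing (with a bounded round count so a non-converging input fails closed instead of looping).

```javascript
// Constructed example: a naive one-pass tag stripper that exhibits the
// masking bug, and the fixed-point wrapper the issue proposes as mitigation.
// Not the sanitize-html implementation; the allow-list is illustrative.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p']);

// The payload from the report, embedded here as sample input.
const PAYLOAD = 'I am not harmless: <<img src="csrf-attack"/>img src="csrf-attack"/>';

// Single left-to-right pass. The leading "<<" is not a tag start, so the scan
// consumes `<img .../>` once and leaves the first "<" plus the trailing text,
// which re-assembles into a fresh `<img .../>` tag in the output.
function stripOnce(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g, (tag, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? tag : '');
}

// Mitigation from the issue: sanitize until input equals output (a fixed
// point). Bound the rounds so a pathological input cannot spin forever;
// failing closed is safer than emitting partially sanitized markup.
function stripUntilStable(html, maxRounds = 10) {
  let current = html;
  for (let round = 0; round < maxRounds; round++) {
    const next = stripOnce(current);
    if (next === current) return next; // stable: nothing left to unmask
    current = next;
  }
  throw new Error('sanitizer did not converge within ' + maxRounds + ' rounds');
}

// One pass leaves the masked tag behind; the fixed-point loop removes it.
console.log(JSON.stringify(stripOnce(PAYLOAD)));
console.log(JSON.stringify(stripUntilStable(PAYLOAD)));
```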

@boutell

Contributor

commented Oct 14, 2014

Well, crappity. This appears to be a bug upstream in htmlparser2:

fb55/htmlparser2#105

I will examine whether I can solve it with recursion without busting the rest of my test suite. That will be slow of course, but necessary for now.

@boutell

Contributor

commented Oct 14, 2014

I published a fix based on recursion and opened an issue to get this fixed upstream.

Thanks!

@boutell boutell closed this Oct 14, 2014

@boutell

Contributor

commented Jan 11, 2015

This issue has been resolved better through the use of the `decodeEntities: true` option of htmlparser2. Recursive invocation is no longer required to pass the test suite.
