Added better check for attribute based mXSS
cure53 committed Oct 14, 2019
1 parent 7840170 commit 4e8af7b
Showing 10 changed files with 47 additions and 11 deletions.
7 changes: 6 additions & 1 deletion dist/purify.cjs.js


2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map


7 changes: 6 additions & 1 deletion dist/purify.es.js


2 changes: 1 addition & 1 deletion dist/purify.es.js.map


7 changes: 6 additions & 1 deletion dist/purify.js


2 changes: 1 addition & 1 deletion dist/purify.js.map


2 changes: 1 addition & 1 deletion dist/purify.min.js


2 changes: 1 addition & 1 deletion dist/purify.min.js.map


6 changes: 6 additions & 0 deletions src/purify.js
Expand Up @@ -260,6 +260,7 @@ function createDOMPurify(window = getGlobal()) {
'title',
'svg',
'video',
'xmp',
]);

/* Tags that are safe for data: URIs */
Expand Down Expand Up @@ -893,6 +894,11 @@ function createDOMPurify(window = getGlobal()) {
continue;
}

/* Take care of an mXSS pattern using namespace switches */
if (/<\/(style|textarea)/.test(value)) {
_removeAttribute(name, currentNode);
}

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR, ' ');
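Review bot: The new check at the top of the second hunk removes the attribute but then falls through, unlike the branch just above it which ends in `continue;`; if the rest of the attribute loop (outside the hunk) goes on to validate and re-set `value`, the removal is undone. The regex `/<\/(style|textarea)/` is also case-sensitive, whereas the HTML parser matches end tags case-insensitively, so an upper- or mixed-case closing tag would pass the check. I would change the lines to `if (/<\/(style|textarea)/i.test(value)) {` and `_removeAttribute(name, currentNode); continue;`. The enclosing attribute loop in createDOMPurify starts and ends outside this hunk, so the fall-through concern needs confirming against the full file.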
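--- a/test/fixtures/expect.js
+++ b/test/fixtures/expect.js
@@ -206,7 +206,8 @@ module.exports = [
 "payload": "<option><iframe></select><b><script>alert(1)</script>",
 "expected": [
 "<option><b></b></option>",
-"<option>&lt;/select&gt;&lt;b&gt;&lt;script&gt;alert(1)&lt;/script&gt;</option>"
+"<option>&lt;/select&gt;&lt;b&gt;&lt;script&gt;alert(1)&lt;/script&gt;</option>",
+"<option></option>"
 ]
 }, {
 "title": "Closing Iframe and option",
@@ -834,7 +835,8 @@ module.exports = [
 "payload": "<div id=\"121\"><html xmlns=\"http://www.w3.org/1999/xhtml\"\nxmlns:svg=\"http://www.w3.org/2000/svg\">\n<body style=\"background:gray\">\n<iframe src=\"http://example.com/\" style=\"width:800px; height:350px; border:none; mask: url(#maskForClickjacking);\"/>\n<svg:svg>\n<svg:mask id=\"maskForClickjacking\" maskUnits=\"objectBoundingBox\" maskContentUnits=\"objectBoundingBox\">\n <svg:rect x=\"0.0\" y=\"0.0\" width=\"0.373\" height=\"0.3\" fill=\"white\"/>\n <svg:circle cx=\"0.45\" cy=\"0.7\" r=\"0.075\" fill=\"white\"/>\n</svg:mask>\n</svg:svg>\n</body>\n</html>//[\"'`-->]]>]</div>",
 "expected": [
 "<div id=\"121\">\n\n\n\n\n \n \n\n\n\n//[\"'`--&gt;]]&gt;]</div>",
-"<div id=\"121\">\n\n\n&lt;svg:svg&gt;\n&lt;svg:mask id=\"maskForClickjacking\" maskUnits=\"objectBoundingBox\" maskContentUnits=\"objectBoundingBox\"&gt;\n &lt;svg:rect x=\"0.0\" y=\"0.0\" width=\"0.373\" height=\"0.3\" fill=\"white\"/&gt;\n &lt;svg:circle cx=\"0.45\" cy=\"0.7\" r=\"0.075\" fill=\"white\"/&gt;\n&lt;/svg:mask&gt;\n&lt;/svg:svg&gt;\n&lt;/body&gt;\n&lt;/html&gt;//[\"'`--&gt;]]&gt;]&lt;/div&gt;</div>"
+"<div id=\"121\">\n\n\n&lt;svg:svg&gt;\n&lt;svg:mask id=\"maskForClickjacking\" maskUnits=\"objectBoundingBox\" maskContentUnits=\"objectBoundingBox\"&gt;\n &lt;svg:rect x=\"0.0\" y=\"0.0\" width=\"0.373\" height=\"0.3\" fill=\"white\"/&gt;\n &lt;svg:circle cx=\"0.45\" cy=\"0.7\" r=\"0.075\" fill=\"white\"/&gt;\n&lt;/svg:mask&gt;\n&lt;/svg:svg&gt;\n&lt;/body&gt;\n&lt;/html&gt;//[\"'`--&gt;]]&gt;]&lt;/div&gt;</div>",
+"<div id=\"121\">\n\n</div>"
 ]
 }, {
 "title": "iframe (sandboxed)",
@@ -926,7 +928,8 @@ module.exports = [
 "expected": [
 "<div id=\"134\">\n&lt;%\n\n<img alt=\"%></xmp><img src=xx onerror=alert(134)//\">\n\n %&gt;/\nalert(2)\n\n\nXXX\n<style>\n*['<!--']{}\n</style>\n--&gt;{}\n*{color:red}//[\"'`--&gt;]]&gt;]</div>",
 "<div id=\"134\">\n&lt;%\n\n<img alt=\"%&gt;&lt;/xmp&gt;&lt;img src=xx onerror=alert(134)//\">\n\n %&gt;/\nalert(2)\n\n\nXXX\n<style>\n*['<!--']{}\n</style>\n--&gt;{}\n*{color:red}//[\"'`--&gt;]]&gt;]</div>",
-"<div id=\"134\">\n&lt;%\n\n\n\n %&gt;/\nalert(2)\n\n\nXXX\n<style>\n*['<!--']{}\n</style>\n--&gt;{}\n*{color:red}//[\"'`--&gt;]]&gt;]</div>"
+"<div id=\"134\">\n&lt;%\n\n\n\n %&gt;/\nalert(2)\n\n\nXXX\n<style>\n*['<!--']{}\n</style>\n--&gt;{}\n*{color:red}//[\"'`--&gt;]]&gt;]</div>",
+"<div id=\"134\">\n<img alt=\"%></xmp><img src=xx onerror=alert(134)//\">\n\n %&gt;/\nalert(2)\n\n\nXXX\n<style>\n*['<!--']{}\n</style>\n--&gt;{}\n*{color:red}//[\"'`--&gt;]]&gt;]</div>"
 ]
 }, {
 "title": "SVG",
@@ -1053,5 +1056,17 @@ module.exports = [
 "expected": [
 ""
 ]
+}, {
+"title": "Tests against removal-based mXSS behavior 1/2",
+"payload": "<xmp><svg><b><style><b title='</style><img>'>",
+"expected": [
+""
+]
+}, {
+"title": "Tests against removal-based mXSS behavior 2/2",
+"payload": "<noembed><svg><b><style><b title='</style><img>'>",
+"expected": [
+""
+]
 }
 ];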
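Review bot: The two new fixtures at the end of the last hunk only exercise a lowercase `</style` inside a `title` attribute; the `textarea` alternative of the new regex in src/purify.js and a differently-cased closing tag are not covered, so part of the new check has no test. A variant of each payload using `</textarea` and one using an upper-case `</STYLE`, both expecting `""`, would pin the intended behavior. Separately, the earlier hunks extend the `expected` arrays with an additional accepted output (e.g. `"<option></option>"`) rather than replacing the previous ones; presumably this accommodates per-browser differences, but it also means a regression back to the pre-change output would still pass, so a fixture comment noting which output belongs to which environment would help future readers.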
