Invalid SafeScripting purification for non-empty <script> tag #212

Open
xemlock opened this Issue Apr 10, 2019 · 0 comments

xemlock commented Apr 10, 2019

Consider the following script:

<?php

require './vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeScripting', array('https://localhost/foo.js'));

$purifier = new HTMLPurifier($config);
echo $purifier->purify('<script type="text/javascript" src="https://localhost/bar.js">FOO</script>');

The whole <script> tag, together with its text content, should be removed as invalid, because the src attribute isn't included on the whitelist.

Instead <script> contents are inserted as-is, resulting in the following output:

FOO

AFAIK self-closing <script> tags are not supported by browsers, so I guess HTMLPurifier should behave similarly, at least in HTML mode (i.e. non-XHTML).

Tested with HTMLPurifier 4.10.0, 4.9.3, 4.8.0.
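A regression check for the behaviour reported above, added here as an example; it is not code from the issue or from HTML Purifier. It goes beyond the single input in the report by also probing a whitelisted `src` and a `<script>` with no `src`. The `MARKER_*` strings, the constructed inputs, the helper name `findLeakedBody`, and the `Cache.DefinitionImpl` setting (used only to avoid needing a writable cache directory) are assumptions.

```php
<?php
// Added example: flags inputs where the <script> tag is dropped
// but its text content survives purification.

require './vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeScripting', array('https://localhost/foo.js'));
$config->set('Cache.DefinitionImpl', null); // assumption: run without a cache directory
$purifier = new HTMLPurifier($config);

// Constructed inputs; each script body carries a unique marker.
$cases = array(
    'src not on whitelist' => '<script type="text/javascript" src="https://localhost/bar.js">MARKER_A</script>',
    'src on whitelist'     => '<script type="text/javascript" src="https://localhost/foo.js">MARKER_B</script>',
    'no src attribute'     => '<script type="text/javascript">MARKER_C</script>',
);

// Hypothetical helper: returns array(purified output, leaked?).
// "Leaked" means no <script> tag remains in the output while the
// marker from the script body is still present.
function findLeakedBody($purifier, $html)
{
    preg_match('/MARKER_[A-Z]/', $html, $m);
    $out = $purifier->purify($html);
    $tagKept  = stripos($out, '<script') !== false;
    $bodyKept = strpos($out, $m[0]) !== false;
    return array($out, !$tagKept && $bodyKept);
}

$failed = 0;
foreach ($cases as $label => $html) {
    list($out, $leaked) = findLeakedBody($purifier, $html);
    printf("%-22s %-4s output: %s\n", $label, $leaked ? 'LEAK' : 'ok', var_export($out, true));
    $failed += $leaked ? 1 : 0;
}

// Non-zero exit status lets the check gate a CI job.
exit($failed > 0 ? 1 : 0);
```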
