Cleaner: Prevent "@import" from re-occurring in the CSS after replacements, e.g. "@@importimport".

Reported as GHSL-2021-1037
scoder committed Nov 11, 2021
1 parent 24a4599 commit 12fa966
Showing 2 changed files with 22 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/lxml/html/clean.py
Expand Up @@ -541,6 +541,8 @@ def _has_sneaky_javascript(self, style):
return True
if 'expression(' in style:
return True
if '@import' in style:
return True
if '</noscript' in style:
# e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
return True
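Review bot: The new `'@import' in style` check carries no comment saying why it exists, while the neighbouring `</noscript` check does, and a reader who knows the caller already strips `@import` will wonder which of the two is authoritative. I would add above it `# A single '@import' substitution turns '@@importimport' into '@import' again (GHSL-2021-1037); any occurrence that survives to this point is treated as sneaky.` As written the check matches only the literal lowercase string with no interior whitespace, so inputs like the `@ @ import import(...)` cases in the new tests are caught only if whitespace stripping and lowercasing of `style` happen earlier in this function, outside the hunk — worth confirming that normalisation precedes this line rather than following it. `_has_sneaky_javascript` both starts and ends outside the hunk.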
20 changes: 20 additions & 0 deletions src/lxml/html/tests/test_clean.py
Expand Up @@ -123,6 +123,26 @@ def test_sneaky_js_in_math_style(self):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))

def test_sneaky_import_in_style(self):
# Prevent "@@importimport" -> "@import" replacement.
style_codes = [
"@@importimport(extstyle.css)",
"@ @ import import(extstyle.css)",
"@ @ importimport(extstyle.css)",
"@@ import import(extstyle.css)",
"@ @import import(extstyle.css)",
"@@importimport()",
]
for style_code in style_codes:
html = '<style>%s</style>' % style_code
s = lxml.html.fragment_fromstring(html)

cleaned = lxml.html.tostring(clean_html(s))
self.assertEqual(
b'<style>/* deleted */</style>',
cleaned,
"%s -> %s" % (style_code, cleaned))

def test_formaction_attribute_in_button_input(self):
# The formaction attribute overrides the form's action and should be
# treated as a malicious link attribute
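Review bot: All six payloads in `style_codes` are lowercase and all are fed through a `<style>` element, so the test does not pin two variants the same bypass would plausibly admit: a mixed-case payload such as `"@@IMPORTimport(extstyle.css)"` (the import handling is presumably case-insensitive, but nothing in this hunk proves it), and the same payload in an inline `style` attribute, e.g. `'<div style="%s">x</div>' % style_code`, if the cleaner applies the same substitution to styled elements. I would also add one benign control such as `<style>@import url(x.css)</style>`, asserting that the import is stripped without the whole stylesheet collapsing to `/* deleted */`, so the stricter check is shown not to over-trigger on a single, legitimately removed import. The exact expected output of that control depends on code outside this hunk and should be taken from the cleaner's actual behaviour rather than guessed.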
