
Support HTML5 #10

Closed
rajveerappan opened this issue Jul 5, 2017 · 11 comments

@rajveerappan

rajveerappan commented Jul 5, 2017

AntiSamy uses a deprecated HTMLSerializer which does not understand newer HTML5 tags like <figure>. While this is a minor issue, it also does not understand newer HTML5 entities like &colon; or &lpar;. This leads to a security vulnerability where the following text does not get cleaned:

<a href="javascript&colon;alert&lpar;1&rpar;">X</a>
@nahsra nahsra self-assigned this Sep 25, 2017
@nahsra nahsra added the bug label Sep 25, 2017
@nahsra
Owner

nahsra commented Sep 25, 2017

Confirmed, unfortunately! Will make a fix shortly.

@nahsra
Owner

nahsra commented Sep 25, 2017

Any thoughts on any other attack vectors besides hiding a colon in a JavaScript URL? Although I'd love something more solid, it seems like the only choice is to effectively blacklist the substring:

&colon

... because all of its containing characters are required for accepting a URL.
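
The bypass from the opening report and the substring stopgap proposed in the comment above, as an added example that is not AntiSamy's code. It assumes a hypothetical allow-list URL policy regex (SAFE_URL_RE) and a toy href extractor rather than a real HTML parser; the legacy decoder is a stand-in for the deprecated serializer, built from Python's HTML 4 entity table (with numeric references assumed to have been handled already), and the HTML5 decoder is Python's html.unescape:

```python
import html
import re
from html.entities import name2codepoint  # HTML 4.01 table: no colon, lpar, rpar

# Constructed sample inputs: the payload from the issue report plus a benign anchor.
PAYLOAD = '<a href="javascript&colon;alert&lpar;1&rpar;">X</a>'
BENIGN = '<a href="https://example.com/?a=1&amp;b=2">ok</a>'

# Hypothetical URL policy (not AntiSamy's real regex): allow a few schemes
# explicitly, and allow anything scheme-less (no ':' at all, i.e. relative URLs).
SAFE_URL_RE = re.compile(r'^(?:(?:https?|mailto|ftp):|[^:]*$)', re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]*)"')

# One pass over decimal, hex and named references, so nothing is double-decoded.
ENTITY_RE = re.compile(r'&(?:#(\d+)|#[xX]([0-9A-Fa-f]+)|([A-Za-z][A-Za-z0-9]*));')


def unescape_html4(text):
    """Mimic a pre-HTML5 serializer: numeric references and HTML 4 named
    entities are decoded; names the HTML 4 table does not know, such as
    &colon; and &lpar;, are passed through verbatim (assumed behaviour)."""
    def repl(m):
        dec, hexa, name = m.groups()
        if dec:
            return chr(int(dec))
        if hexa:
            return chr(int(hexa, 16))
        return chr(name2codepoint[name]) if name in name2codepoint else m.group(0)
    return ENTITY_RE.sub(repl, text)


def unescape_html5(text):
    """Decode with the full HTML5 named-entity table, which is what a browser
    does to an attribute value before it interprets the URL."""
    return html.unescape(text)


def href_is_safe(href, decoder):
    """Decode the attribute value with `decoder`, then apply the policy.
    The policy is only as good as the decoder: if &colon; survives decoding,
    the value contains no ':' and passes as a harmless relative URL."""
    return SAFE_URL_RE.match(decoder(href)) is not None


def anchor_passes_policy(markup, decoder):
    """Pull the href out of a minimal <a> tag (toy extractor, not a parser)
    and run it through the policy."""
    m = HREF_RE.search(markup)
    return True if m is None else href_is_safe(m.group(1), decoder)


def colon_entity_stopgap(href):
    """The substring blacklist floated in the thread: reject any href that
    contains '&colon'. Case-sensitive, since HTML5 entity names are and
    '&Colon;' is a different character. Stops this one vector without any
    decoding, and only this one."""
    return '&colon' not in href


if __name__ == '__main__':
    for label, decoder in (('HTML4-only decoder', unescape_html4),
                           ('HTML5 decoder', unescape_html5)):
        print(f"{label}: payload accepted = {anchor_passes_policy(PAYLOAD, decoder)}, "
              f"benign accepted = {anchor_passes_policy(BENIGN, decoder)}")
```

Running the block directly shows the HTML4-only path accepting the payload while the HTML5-aware path rejects it; a numeric `&#58;` is caught by both, which is why only the newer named entities were a problem. The practical rule is that URL validation has to run on the value as the browser will decode it, so the decoder and the policy must agree on the entity table; the `&colon` substring check is a patch for the known vector, not a replacement for decoding.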

@rajveerappan
Author

From the HTMLSanitizer docs:

This class was deprecated in Xerces 2.6.2. It is recommended that new applications use JAXP's Transformation API for XML (TrAX) for serializing HTML. See the Xerces documentation for more information.

The ideal fix would be to switch to TrAX unless there are major roadblocks to doing so since that would not just fix this issue but also add support for HTML5. Blacklisting &colon might be an ok stopgap measure in the meantime.

nahsra added a commit that referenced this issue Sep 25, 2017
* upgraded batik-css version
removed redundant regex beginning/end markers
updated policies to contain new url validation which is sensitive to html5 colon entity

* removed test code
@nahsra
Owner

nahsra commented Sep 25, 2017

This is merged into 1.5.7 branch.

@nahsra nahsra closed this as completed Sep 25, 2017
nahsra added a commit that referenced this issue Sep 25, 2017
* Issue #10 (#15)

* upgraded batik-css version
removed redundant regex beginning/end markers
updated policies to contain new url validation which is sensitive to html5 colon entity

* removed test code

* Update pom.xml
@nahsra
Owner

nahsra commented Sep 28, 2017

This was given CVE-2017-14735.

@oliviernt

oliviernt commented Oct 5, 2017

Hi,

Shouldn't this issue be fixed in 1.5.7? https://nvd.nist.gov/vuln/detail/CVE-2017-14735 has it listed for 1.5.7 and previous.

Best,
Olivier

@tourea

tourea commented Nov 9, 2017

Given the confusion in the CVE report, should we consider this issue fixed in 1.5.7?

@davewichers
Collaborator

Yes. And https://nvd.nist.gov/vuln/detail/CVE-2017-14735 has been updated to say OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.

@kwwall
Contributor

kwwall commented Mar 30, 2019 via email

@davewichers
Collaborator

It's MITRE. The official CVE is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735. And NIST just hosts a copy. If you want a CVE fixed, go to this page: https://cveform.mitre.org/ and submit your change request along with supporting info. No clue how fast they usually are, but I did notice the CVE for this issue was fixed one day after the comment above saying the CVE was wrong, which I agree is blazing fast.

@kwwall
Contributor

kwwall commented Mar 30, 2019 via email
