Support HTML5 #10
Confirmed, unfortunately! Will make a fix shortly.

Any thoughts on any other attack vectors besides hiding a colon in a JavaScript URL? Although I'd love something more solid, it seems like the only choice is to effectively blacklist the substring: &colon ... because all of its containing characters are required for accepting a URL.

From the HTMLSanitizer docs:
The ideal fix would be to switch to TrAX unless there are major roadblocks to doing so since that would not just fix this issue but also add support for HTML5. Blacklisting

This is merged into 1.5.7 branch.

This was given CVE-2017-14735.

Hi, shouldn't this issue be fixed in 1.5.7? https://nvd.nist.gov/vuln/detail/CVE-2017-14735 has it listed for 1.5.7 and previous. Best,

Given the confusion in the CVE report, should we consider this issue fixed in 1.5.7?

Yes. And https://nvd.nist.gov/vuln/detail/CVE-2017-14735 has been updated to say OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.

Dang. What's your secret to getting NIST (or MITRE?) to respond so quickly?
It took them 6+ months to update CVE-2013-5679 as fixed in 2.1.0 and IMO,
it's still not clear the way they worded it. You really need to look at the
CPE to be sure.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Fri, Mar 29, 2019, 21:08 Dave Wichers wrote:
Yes. And https://nvd.nist.gov/vuln/detail/CVE-2017-14735 has been updated to say OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.

It's MITRE. The official CVE is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735. And NIST just hosts a copy. If you want a CVE fixed, go to this page: https://cveform.mitre.org/ and submit your change request along with supporting info. No clue how fast they usually are, but I did notice the CVE for this issue was fixed one day after the comment above saying the CVE was wrong, which I agree is blazing fast.

Thanks. Good to know. I think I ended up emailing someone at NIST that I found on one of their pages and after significant hoop-jumping, found someone who said that they would update it. And some 5 months later I noticed it was updated. Never notified me or anything. Maybe things have improved since then.
-kevin

On Sat, Mar 30, 2019, 00:01 Dave Wichers wrote:
It's MITRE. The official CVE is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735. And NIST just hosts a copy. If you want a CVE fixed, go to this page: https://cveform.mitre.org/ and submit your change request along with supporting info. No clue how fast they usually are, but I did notice the CVE for this issue was fixed one day after the comment above saying the CVE was wrong, which I agree is blazing fast.

AntiSamy uses a deprecated HTMLSerializer which does not understand newer HTML5 tags like <figure>. While this is a minor issue, it also does not understand newer HTML5 entities like &colon; or &lpar;. This leads to a security vulnerability where the following text does not get cleaned:
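The mechanism behind the issue described above, and the question earlier in the thread about attack vectors other than a hidden colon, can be shown with a small model. The following is an added example written for this page; it is not AntiSamy's code and does not reproduce its HTMLSerializer. The entity tables are constructed subsets (the real HTML5 list has over two thousand names), `browserEffectiveUrl` is a simplified model of how a browser canonicalizes an href before it matches the scheme (entity decode, strip leading and trailing controls and spaces, remove tab/newline/CR anywhere), and `isSafeHrefHtml4` / `isSafeHrefHtml5` are hypothetical allowlist checks that differ only in which entity table they decode with. It goes beyond `&colon;` to show that the same gap covers other HTML5-only names such as `&Tab;` and `&NewLine;`, which browsers remove from a URL, and `&lpar;` / `&rpar;` for the call syntax.

```javascript
// Added example (not AntiSamy code): why an entity decoder that knows only the
// HTML4 named references lets a javascript: URL through when the browser
// decodes HTML5 named references. Run with: node this_file.js

// Constructed subset of the HTML 4.01 named character references.
const HTML4_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', nbsp: "\u00a0" };

// Constructed subset of the HTML5 named character references (the real list
// has over 2000 names); these are the ones that matter for URL schemes.
const HTML5_ENTITIES = {
  ...HTML4_ENTITIES,
  apos: "'", colon: ":", lpar: "(", rpar: ")", sol: "/",
  Tab: "\t", NewLine: "\n",
};

// Decode numeric references (&#58; &#x3A;) and whichever named references
// `table` knows; unknown names are left untouched, which is exactly the gap.
function decodeEntities(s, table) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(table, body) ? table[body] : m;
  });
}

// Simplified model of what a browser does with an href before it looks at
// the scheme: decode HTML5 entities, strip leading/trailing C0 controls and
// space, and remove tab/newline/CR anywhere in the string.
function browserEffectiveUrl(href) {
  return decodeEntities(href, HTML5_ENTITIES)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lowercased scheme, or null for scheme-less (relative) URLs.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Vulnerable check (hypothetical): decodes only HTML4 entities before
// allowlisting the scheme. "javascript&colon;alert(1)" never matches
// "^scheme:" here, so it is treated as a harmless relative URL.
function isSafeHrefHtml4(href) {
  const scheme = schemeOf(decodeEntities(href, HTML4_ENTITIES).trim());
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Hardened check (hypothetical): canonicalize the way the browser will,
// then allowlist the scheme.
function isSafeHrefHtml5(href) {
  const scheme = schemeOf(browserEffectiveUrl(href));
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Constructed sample hrefs; the javascript: ones are the attack vectors.
const SAMPLES = [
  "https://example.com/?a=1&amp;b=2",
  "/relative/path",
  "javascript:alert(1)",
  "javascript&#58;alert(1)",
  "javascript&colon;alert(1)",
  "java&Tab;script:alert(1)",
  "java&NewLine;script&colon;alert&lpar;1&rpar;",
];

for (const href of SAMPLES) {
  console.log(
    `${href.padEnd(46)} html4-check: ${isSafeHrefHtml4(href) ? "allow" : "block"}` +
    `  html5-check: ${isSafeHrefHtml5(href) ? "allow" : "block"}` +
    `  browser sees: ${JSON.stringify(browserEffectiveUrl(href))}`
  );
}
```

The numeric form `&#58;` is caught by both checks because numeric references predate HTML5, which is why the named `&colon;` (and `&Tab;`, `&NewLine;`) are the interesting cases: the sanitizer and the browser disagree on what the string means. The design point is that the check must decode with the same entity table and apply the same whitespace stripping as the consumer, rather than blacklisting one substring.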