Sanitize urls in css style sheets #5189
Conversation
532f1b7 to a616e20
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
a616e20 to 4bdcc02
| iframeDoc | ||
| .querySelectorAll('style[data-original-content]') | ||
| .forEach((node) => { | ||
| node.innerHTML = node.getAttribute('data-original-content') |
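Review bot: the restore step writes the saved style sheet back through `node.innerHTML`, but the value stored in `data-original-content` is CSS text, not markup; `node.textContent = node.getAttribute('data-original-content')` states that intent directly and keeps the HTML fragment parser out of the path entirely, so the only thing left to reason about is the `style[data-original-content]` selector itself.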
I haven't tested this, but could I use this to bypass any other kind of sanitization we may be running on the HTML?
As in: what if someone sends an email that has something like:
<span data-original-content="<img src="doesnotexist" onerror="alert(1)"">
Or don't we have any kind of sanitization anymore regardless as we sandbox the iframe?
The selector only selects style elements with the attribute data-original-content, so your example won't have any effect.
Nevertheless, an attacker could send a forged style tag containing some malicious content, but our sanitization extracts, merges and then sanitizes all style sheets at once, so theoretically this shouldn't be exploitable. The rendered HTML email will only have one style element right at the beginning.
/backport to stable1.9
Currently, CSS style sheets are not sanitized and allow tracker scripts to bypass our trusted senders feature. Furthermore, our style attribute sanitizer was not strict enough, so I improved it to replace all url(...) values (not just those of background-* rules). I added a new PHP dependency for parsing CSS style sheets. Using regex is not sufficient to parse style sheets and could be exploited by a future attacker.
Example
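The url() replacement the description refers to, shown here as an added illustration that is not the PR's own code (the project's sanitizer is PHP and is not reproduced on this page): a character-level CSS scanner in JavaScript that copies comments and quoted strings through untouched, decodes escape sequences inside identifiers, and replaces every url(...) value with a placeholder. This is the kind of input handling the description means when it says a regex is not sufficient. The function names, the placeholder `url("about:blank")`, and the sample style sheet are this example's own assumptions.

```javascript
// Added example, not code from the Nextcloud Mail PR.
// PLACEHOLDER is an assumed replacement value, not the project's own.
const PLACEHOLDER = 'url("about:blank")';

const isIdentStart = (ch) => /[A-Za-z_\-]/.test(ch) || ch.charCodeAt(0) >= 0x80;
const isIdentChar = (ch) => /[A-Za-z0-9_\-]/.test(ch) || ch.charCodeAt(0) >= 0x80;

// Decode a CSS escape starting at text[i] === '\\'. Returns [decodedChar, nextIndex].
function readEscape(text, i) {
  let j = i + 1;
  let digits = '';
  while (j < text.length && digits.length < 6 && /[0-9a-fA-F]/.test(text[j])) {
    digits += text[j++];
  }
  if (digits.length > 0) {
    if (j < text.length && /\s/.test(text[j])) j++; // one trailing space belongs to the escape
    const cp = parseInt(digits, 16);
    return [cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp), j];
  }
  return [text[j] ?? '', j + 1]; // "\(" means a literal "("
}

// Read an identifier with escapes decoded, so "u\72l" is recognised as "url".
function readIdent(text, i) {
  let ident = '';
  let j = i;
  while (j < text.length) {
    const ch = text[j];
    if (ch === '\\') {
      const [decoded, next] = readEscape(text, j);
      ident += decoded;
      j = next;
    } else if (isIdentChar(ch)) {
      ident += ch;
      j++;
    } else {
      break;
    }
  }
  return [ident, j];
}

// Return the index just past the quoted string that starts at text[i].
function skipString(text, i) {
  const quote = text[i];
  let j = i + 1;
  while (j < text.length) {
    const ch = text[j];
    if (ch === '\\') { j += 2; continue; }
    if (ch === quote) return j + 1;
    if (ch === '\n') return j; // unterminated string ends at the newline
    j++;
  }
  return text.length;
}

// Skip everything up to and including the ")" that closes a url( function.
// A ")" inside a quoted argument does not count. If the function is never
// closed, the rest of the sheet is consumed: over-removal is the safe failure.
function skipUrlArguments(text, i) {
  let j = i;
  while (j < text.length) {
    const ch = text[j];
    if (ch === '"' || ch === "'") { j = skipString(text, j); continue; }
    if (ch === '\\') { j += 2; continue; }
    if (ch === ')') return j + 1;
    j++;
  }
  return text.length;
}

// Replace every url(...) value in a style sheet with PLACEHOLDER.
function sanitizeCssUrls(css) {
  let out = '';
  let i = 0;
  while (i < css.length) {
    const ch = css[i];
    if (ch === '/' && css[i + 1] === '*') {          // comment: copy verbatim
      const end = css.indexOf('*/', i + 2);
      const stop = end === -1 ? css.length : end + 2;
      out += css.slice(i, stop);
      i = stop;
    } else if (ch === '"' || ch === "'") {           // string: copy verbatim
      const stop = skipString(css, i);
      out += css.slice(i, stop);
      i = stop;
    } else if (isIdentStart(ch) || ch === '\\') {    // identifier, maybe "url("
      const [ident, after] = readIdent(css, i);
      if (ident.toLowerCase() === 'url' && css[after] === '(') {
        out += PLACEHOLDER;
        i = skipUrlArguments(css, after + 1);
      } else {
        out += css.slice(i, after);
        i = after;
      }
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Constructed sample style sheet covering the cases a raw-text regex gets wrong.
const SAMPLE_CSS = [
  '/* url(comment.png) stays, comments are not functions */',
  '.a { background: url(https://tracker.example/pixel.gif) no-repeat; }',
  '.b { background-image: URL( "https://tracker.example/a)b.png" ); }',
  '.c { content: "url(not-a-function.png)"; }',
  '.d { background: u\\72l(https://tracker.example/escaped.gif); }',
  '@import url("https://tracker.example/remote.css");',
].join('\n');

console.log(sanitizeCssUrls(SAMPLE_CSS));
```

The scanner only handles the url() function, which is what the description is about; a complete sanitizer also has to cover `@import "sheet.css"` with a plain string argument, since that form fetches a remote resource without any url() token.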