Commit
Do not unescape already escaped HTML entities
The full sanitizer was using Loofah's #text method, which automatically escapes HTML entities. That behavior caused some problems where strings that were not escaped in the older sanitizer started to be escaped. To fix these problems we set #text's `encode_special_chars` option to `false`, which not only skipped the HTML entity escaping but also unescaped already escaped entities. This introduced a security bug because an attacker can pass escaped HTML tags that will not be sanitized and will be returned as unescaped HTML tags. To fix it properly we introduced a new scrubber that will remove all tags and keep just the text nodes of these tags without changing how the string is escaped. CVE-2015-7579
1 parent 297161e, commit 49dfc15
Showing 4 changed files with 50 additions and 10 deletions.
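As an added illustration (not the project's code and not Loofah's), the following simplified Ruby model shows the two behaviours the commit message describes: stripping tags and then decoding entities, which turns an escaped `&lt;script&gt;` back into live markup, versus stripping tags while leaving the text exactly as it was escaped. The regex tokenizer, the function names and the constructed inputs are assumptions standing in for Loofah's DOM-based scrubber.

```ruby
require "cgi"

# Simplified model (not Loofah's code) of the behaviours described in the
# commit message. A real sanitizer walks a parsed DOM; here a regex marks
# where tags sit so the text between them can be handled two ways.
TAG = /<\/?[A-Za-z][^>]*>/

# Returns the text fragments that sit between tags, escaping untouched.
def text_fragments(html)
  html.split(TAG)
end

# Vulnerable behaviour, modelling #text(encode_special_chars: false):
# tags are dropped, but entities in the remaining text are decoded, so an
# already escaped "&lt;script&gt;" comes back as real markup.
def full_sanitize_unescaping(html)
  text_fragments(html).map { |t| CGI.unescapeHTML(t) }.join
end

# Fixed behaviour, modelling the new scrubber: drop the tags and keep the
# text nodes exactly as they were serialised, without re-escaping or
# unescaping anything.
def full_sanitize_preserving(html)
  text_fragments(html).join
end

# Regression check a test suite can run over sanitizer output: the full
# sanitizer must never hand back anything that parses as a tag.
def reintroduces_markup?(output)
  output.match?(TAG)
end

if __FILE__ == $0
  # Constructed sample inputs: an escaped tag and a legitimately escaped "&".
  ["&lt;script&gt;x&lt;/script&gt;", "<b>Tom &amp; Jerry</b>"].each do |input|
    puts "input:      #{input}"
    puts "unescaping: #{full_sanitize_unescaping(input)}"
    puts "preserving: #{full_sanitize_preserving(input)}"
  end
end
```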