convert CDATA nodes to TEXT nodes to avoid XSS issues

CDATA nodes will not be html escaped. Users shouldn't be submitting CDATA nodes in the first place, so we should convert them to text nodes before escaping CVE-2015-7580
rails · Oct 29, 2015 · 63903b0eaa6d2a4e1c91bc86008256c4c8335e78 · 63903b0
1 parent 49dfc15
commit 63903b0eaa6d2a4e1c91bc86008256c4c8335e78
Unified Split

Showing with 16 additions and 1 deletion.

+6 −1 lib/rails/html/scrubbers.rb

+10 −0 test/sanitizer_test.rb
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
@@ -60,6 +60,11 @@ def attributes=(attributes)
      end

      def scrub(node)
+        if node.cdata?
+          text = node.document.create_text_node node.text
+          node.replace text
+          return CONTINUE
+        end
        return CONTINUE if skip_node?(node)

        unless keep_node?(node)
@@ -76,7 +81,7 @@ def allowed_node?(node)
      end

      def skip_node?(node)
-        node.text? || node.cdata?
+        node.text?
      end

      def scrub_attribute?(name)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -11,6 +11,16 @@ def test_sanitizer_sanitize_raises_not_implemented_error
    end
  end

+  def test_sanitize_nested_script
+    sanitizer = Rails::Html::WhiteListSanitizer.new
+    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
+  end
+
+  def test_sanitize_nested_script_in_style
+    sanitizer = Rails::Html::WhiteListSanitizer.new
+    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
+  end
+
  class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
    def sanitize(html, options = {})
      fragment = Loofah.fragment(html)