
convert CDATA nodes to TEXT nodes to avoid XSS issues

CDATA nodes will not be html escaped. Users shouldn't be submitting
CDATA nodes in the first place, so we should convert them to text nodes
before escaping.

CVE-2015-7580
tenderlove committed Jan 22, 2016
1 parent 49dfc15 commit 63903b0eaa6d2a4e1c91bc86008256c4c8335e78
Showing with 16 additions and 1 deletion.
  1. +6 −1 lib/rails/html/scrubbers.rb
  2. +10 −0 test/sanitizer_test.rb
@@ -60,6 +60,11 @@ def attributes=(attributes)
end

def scrub(node)
if node.cdata?
text = node.document.create_text_node node.text
node.replace text
return CONTINUE
end
return CONTINUE if skip_node?(node)

unless keep_node?(node)
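Review bot: the new `if node.cdata?` branch returns `CONTINUE` right after `node.replace text`, so the replacement node never goes through `skip_node?` or `keep_node?`; that is only safe because text nodes are always skipped, and nothing in the code says so. A one-line comment above the branch stating the reason for the conversion (CDATA content is emitted raw on serialisation, whereas a text node built from `node.text` via `node.document.create_text_node` is entity-escaped) would keep a later refactor from moving this check below `return CONTINUE if skip_node?(node)`, where it would silently stop running.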
@@ -76,7 +81,7 @@ def allowed_node?(node)
end

def skip_node?(node)
node.text? || node.cdata?
node.text?
end

def scrub_attribute?(name)
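Review bot: dropping `|| node.cdata?` changes `skip_node?` from "pass CDATA through untouched" to "treat CDATA like any other node", so a CDATA node that still reaches this method now falls through to the `keep_node?` check instead of being left alone. With the conversion added to `scrub` that path should be unreachable here, but any subclass that overrides `scrub` and still calls `skip_node?` will observe the new behaviour; that semantic change deserves a sentence in the method's documentation or the changelog rather than being implied by the deleted line.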
@@ -11,6 +11,16 @@ def test_sanitizer_sanitize_raises_not_implemented_error
end
end

def test_sanitize_nested_script
sanitizer = Rails::Html::WhiteListSanitizer.new
assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
end

def test_sanitize_nested_script_in_style
sanitizer = Rails::Html::WhiteListSanitizer.new
assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
end

class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
def sanitize(html, options = {})
fragment = Loofah.fragment(html)
