convert CDATA nodes to TEXT nodes to avoid XSS issues

CDATA nodes will not be HTML escaped. Users shouldn't be submitting
CDATA nodes in the first place, so we should convert them to text nodes
before escaping.

CVE-2015-7580
1 parent 49dfc15 commit 63903b0eaa6d2a4e1c91bc86008256c4c8335e78 @tenderlove tenderlove committed Oct 29, 2015
Showing with 16 additions and 1 deletion.
  1. +6 −1 lib/rails/html/scrubbers.rb
  2. +10 −0 test/sanitizer_test.rb
@@ -60,6 +60,11 @@ def attributes=(attributes)
end
def scrub(node)
+ if node.cdata?
+ text = node.document.create_text_node node.text
+ node.replace text
+ return CONTINUE
+ end
return CONTINUE if skip_node?(node)
unless keep_node?(node)
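Review bot: the new `if node.cdata?` branch carries no comment explaining why a CDATA section must become a text node, which is the whole point of the fix (a CDATA node is serialized verbatim, so its contents bypass escaping, while a text node created with `node.document.create_text_node node.text` is escaped on output). Add a one-line comment stating that, ideally with the CVE reference, so the early `return CONTINUE` is not mistaken for an optimisation and removed later. Returning before `skip_node?`/`keep_node?` is fine here, since the replacement text node would be skipped by `skip_node?` anyway and `node` itself is unlinked after `node.replace text`.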
@@ -76,7 +81,7 @@ def allowed_node?(node)
end
def skip_node?(node)
- node.text? || node.cdata?
+ node.text?
end
def scrub_attribute?(name)
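Review bot: dropping `node.cdata?` from `skip_node?` changes the default for any CDATA node that still reaches this method (for example through a subclass that overrides `scrub` without the new conversion branch): it now falls through to `keep_node?` and gets scrubbed instead of being passed through untouched. That is the safer default and consistent with the `scrub` change, but it is worth a short comment on `def skip_node?(node)` saying that only text nodes are trusted to be escaped by serialization, so nobody reintroduces the `cdata?` check.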
@@ -11,6 +11,16 @@ def test_sanitizer_sanitize_raises_not_implemented_error
end
end
+ def test_sanitize_nested_script
+ sanitizer = Rails::Html::WhiteListSanitizer.new
+ assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
+ end
+
+ def test_sanitize_nested_script_in_style
+ sanitizer = Rails::Html::WhiteListSanitizer.new
+ assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
+ end
+
class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
def sanitize(html, options = {})
fragment = Loofah.fragment(html)
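Review bot: `test_sanitize_nested_script` and `test_sanitize_nested_script_in_style` exercise the CDATA conversion only indirectly, through the way the parser treats the contents of `<script>` and `<style>`; neither test feeds an explicit `<![CDATA[...]]>` section to `sanitizer.sanitize`, so the `node.cdata?` branch in `scrub` is not pinned down independently of parser behaviour. Add a third case with a literal CDATA section containing a `<script>` tag and assert that the output is the escaped `&lt;script&gt;...` form. The two existing tests differ only in the element name and expected string, so a small loop over `%w(script style)` inside one test would remove the duplication.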
