Unexpected WhiteListSanitizer behavior when allowed_attributes is set

[amatriain]

When sanitizing strings with WhiteListSanitizer, if neither allowed_attributes nor allowed_tags are set:

• all HTML comments are removed
• all <script> and <form> tags are removed, including their contents

> t = '<p id="harmless_p" class="important_p"><script>alert("pwned!");</script>I am totally harmless :)</p><form action="/malicious.php"><!--you are pwned, friend --><input type="submit"></form>'
> sanitize t
 => "<p id=\"harmless_p\" class=\"important_p\">I am totally harmless :)</p>"

However if allowed_attributes is set:

• HTML comments are still removed
• <script> tags are stripped, but their content remains in the document
• <form> tags and their contents are unaffected (except for attributes not present in the allowed_attributes array, which are removed)

# in application.rb:
config.action_view.sanitized_allowed_attributes = ['id']

---
> t = '<p id="harmless_p" class="important_p"><script>alert("pwned!");</script>I am totally harmless :)</p><form action="/malicious.php"><!--you are pwned, friend --><input type="submit"></form>'
> sanitize t
 => "<p id=\"harmless_p\">alert(\"pwned!\");I am totally harmless :)</p><form><input></form>"

I think this is an undesirable behavior that will surprise users. If I set allowed_attributes, I expect it to affect only the behavior regarding attributes, and the behavior regarding tags to be unaffected.

I propose changing WhiteListSanitizer so that the stripping of <script> and <form> tags and their contents is done regardless of allowed_attributes and allowed_tags being set or not. If you agree I will submit a PR.

[amatriain]

Added PR to get the ball rolling.

[kaspth]

Sorry about the slow response and thanks for the PR.

I'm okay with removing the tags if allowed_tags is not set. But if they're set, the allowed tags are only those that a user supplied.

[dgm]

I see a similar problem with allowed tags:

field
#=> "<h1>Collect and dump refuse or recyclable materials from containers into truck. May drive truck.</h1>\r\n<p>&nbsp;</p>\r\n<p>&nbsp;</p>\r\n<p>test</p>\r\n<p>&nbsp;</p>\r\n<p>&nbsp;</p>\r\n<script type=\"mce-mce-text/javascript\">// <![CDATA[\r\nalert(\"test\");\r\n// ]]></script>"
ActionController::Base.helpers.sanitize(field)
#=> "<h1>Collect and dump refuse or recyclable materials from containers into truck. May drive truck.</h1>\r\n<p> </p>\r\n<p> </p>\r\n<p>test</p>\r\n<p> </p>\r\n<p> </p>\r\n"
ActionController::Base.helpers.sanitize(field, :tags => %w(h1)  )
#=> "<h1>Collect and dump refuse or recyclable materials from containers into truck. May drive truck.</h1>\r\n \r\n \r\ntest\r\n \r\n \r\n// <![CDATA[\r\nalert(\"test\");\r\n// ]]>"

When I specify :tags it fails to clean out the CDATA and javascript code.... but at least the script tag is gone. It's inconsistent though.

[philomory]

Similarly, if you don't provide a list of allowed attributes, then it allows various attributes including href; however, in the process of allowing them, the Loofah scrubber also checks for attributes that are URIs and runs them through a protocol scrubber; so, <a href="http://google.com/">Boo!</a> is allowed, but <a href="javascript:alert('Oh no!');">Boo!</a> is not allowed.

If you provide a list of allowed attributes, though, that protocol check is skipped.

[amatriain]

There seems to be little interest in this issue from maintainers, the PR has been open for a very long time. I decided this gem doesn't work for me and switched to the sanitize gem instead, which does what I expect from a sanitizer. I suggest you take a look to it.

[chloerei]

I think allowed_attributes that skip a lot of Loofah scrub will be a problem. Now I call twice sanitizie to fix that temporary:

sanitize sanitize(body, tags: TAGS_ALLOWED, attributes: ATTRIBUTES_ALLOWED)

Considering change to https://github.com/rgrove/sanitize .

[rafaelfranca]

That should be fixed now.