
Tags with invalid names should also be stripped in order to prevent XSS attacks. Thanks Sascha Depold for the report.
commit 3480d97b6c9f657ca1d0f11ac1e3e17baf84cdb2 1 parent fb4747b
Aaron Patterson authored August 16, 2011
2  actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
156 156
           end
157 157
 
158 158
           closing = ( scanner.scan(/\//) ? :close : nil )
159  
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
  159
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
160 160
           name.downcase!
161 161
 
162 162
           unless closing
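Review bot: the widened character class `[^\s!>\/]+` on line 159 deserves a one-line comment stating the intent, because it now accepts any run of characters that is not whitespace, `!`, `>` or `/` as a tag name. The point of the change is that an opener such as `<"` is parsed as a Tag node (and later dropped by the sanitizer) instead of falling through to `Text.new(parent, line, pos, content)`, which is what previously let a following `<img ... onload=...>` survive as text; without the comment a later reader may be tempted to tighten the class back to `[\w:-]+`. Worth noting in the same comment that `name.downcase!` on line 160 now runs over arbitrary punctuation, which is harmless but no longer obviously a tag name.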
7  actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ def setup
5 5
     @sanitizer = nil # used by assert_sanitizer
6 6
   end
7 7
 
  8
+  def test_strip_tags_with_quote
  9
+    sanitizer = HTML::FullSanitizer.new
  10
+    string    = '<" <img src="trollface.gif" onload="alert(1)"> hi'
  11
+
  12
+    assert_equal ' hi', sanitizer.sanitize(string)
  13
+  end
  14
+
8 15
   def test_strip_tags
9 16
     sanitizer = HTML::FullSanitizer.new
10 17
     assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
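Review bot: `test_strip_tags_with_quote` pins down only the single reported input. Since the node.rb change treats every run of non-whitespace, non-`!>/` characters as a tag name, consider adding at least one more malformed opener with a different punctuation character, plus a control case asserting that the same `<img src="trollface.gif" onload="alert(1)">` is stripped without the preceding `<"`, so the test documents the general rule rather than one payload. The existing `test_strip_tags` case on line 17 (`"<<<bad html"` passing through unchanged) is the right regression guard for the other direction and should stay next to the new test.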
