
Tags with invalid names should also be stripped in order to prevent
XSS attacks.  Thanks Sascha Depold for the report.
1 parent 8a39f41 commit 586a944ddd4d03e66dea1093306147594748037a @tenderlove tenderlove committed Aug 16, 2011
2 actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
closing = ( scanner.scan(/\//) ? :close : nil )
- return, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
lardawge added a note Aug 29, 2011


This breaks passing xml: true to

require 'action_controller/vendor/html-scanner'

xml = <<-XML
<?xml version="1.0" standalone="yes"?>

    <QUESTION>What is the square root of 25</QUESTION>

    <QUESTION>What is the season after Summer </QUESTION>
    <ANSWER>Autumn </ANSWER>
XML

# strict = true, xml = true; the HTML::Document.new constructor call is reconstructed from html-scanner's API, the page rendering dropped it
f = HTML::Document.new(xml, true, true)

Resulting in:
RuntimeError: expected > (got "?>" for <?xml version="1.0" standalone="yes"?>, {"version"=>"1.0", "standalone"=>"yes"})

Also I am not sure where this is used other than testing so I am not clear where the issue was with xss attacks. Thoughts?

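To make the two behaviours concrete (the `<" <img ...>` case this commit fixes and the `<?xml ...?>` regression reported above), here is an added Ruby illustration, not Rails' own code, of the tag-name step in html-scanner's `HTML::Node.parse` parameterised on the name regex. The names `classify`, `OLD_NAME`, `NEW_NAME`, `TROLL` and `XMLDECL` are mine, and the block assumes, as html-scanner's tokenizer does, that each input is one complete `<...>` token.

```ruby
require 'strscan'

# Added illustration, not Rails' own code: a cut-down version of the tag-name
# step in html-scanner's HTML::Node.parse, parameterised on the name regex so
# the pre- and post-commit patterns can be compared. Input is one tag token,
# everything from '<' to the matching '>', as the html-scanner tokenizer
# delivers it (assumed here, not reimplemented).
OLD_NAME = /[\w:-]+/         # regex before commit 586a944
NEW_NAME = /[^\s!>\/]+/      # regex after commit 586a944

# Returns [:text, token] when the token would become an HTML::Text node
# (FullSanitizer copies Text nodes to its output unescaped), [:tag, name]
# when it becomes an HTML::Tag node (which the sanitizer drops), or
# [:error, message] when strict parsing hits something other than '>'.
def classify(token, name_re, strict: false)
  s = StringScanner.new(token)
  s.skip(/</)
  closing = s.scan(%r{/}) ? :close : nil
  name = s.scan(name_re)
  return [:text, token] unless name
  unless closing
    s.skip(/\s*/)
    while s.scan(/\s*[-\w:]+\s*/)            # attribute name
      if s.scan(/=/)                          # optional value
        s.scan(/\s*"[^"]*"|\s*'[^']*'|[^\s>\/]+/)
      end
      s.skip(/\s*/)
    end
    s.scan(%r{/})                             # self-closing marker
  end
  unless s.scan(/\s*>/)
    return [:error, "expected > (got #{s.rest.inspect} for #{token})"] if strict
    # non-strict mode (what the sanitizers use) discards up to the next '>'
  end
  [:tag, name.downcase]
end

# The sanitizer test input from this commit, as one tag token.
TROLL = '<" <img src="trollface.gif" onload="alert(1)">'
# The XML declaration from the follow-up comment.
XMLDECL = '<?xml version="1.0" standalone="yes"?>'

if __FILE__ == $0
  p classify(TROLL, OLD_NAME)                 # [:text, ...] -> emitted verbatim, XSS
  p classify(TROLL, NEW_NAME)                 # [:tag, "\""] -> stripped
  p classify(XMLDECL, OLD_NAME, strict: true) # [:text, ...] -> tolerated before
  p classify(XMLDECL, NEW_NAME, strict: true) # [:error, "expected > (got \"?>\" ..."]
end
```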
unless closing
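Review bot: the widened name class `[^\s!>\/]+` in the `+` line admits `?` as the first character of a tag name, so a processing instruction such as `<?xml version="1.0" standalone="yes"?>` is now scanned as a tag named `?xml` and the strict parser then stops at `?>` with "expected >", which is exactly the failure reported in the note above. Consider excluding `?` from the class, or matching `<?...?>` before the name scan, and add a strict-mode test with an XML declaration alongside the sanitizer test.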
7 actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ def setup
@sanitizer = nil # used by assert_sanitizer
+ def test_strip_tags_with_quote
+ sanitizer =
+ string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+ assert_equal ' hi', sanitizer.sanitize(string)
+ end
def test_strip_tags
sanitizer =
assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
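Review bot: `test_strip_tags_with_quote` covers only a name that starts with `"`, while the commit message targets invalid names in general; add at least one more case per character the new class now admits (a name starting with `'`, and an `<?xml ...?>` declaration). It is also worth a comment on the `' hi'` assertion that the whole `<" ... >` run up to the first `>` is dropped as a single tag, since that is the behaviour the sanitizer now relies on.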

0 comments on commit 586a944
