Tags with invalid names should also be stripped in order to prevent XSS attacks. Thanks Sascha Depold for the report.
commit 586a944ddd4d03e66dea1093306147594748037a (parent 8a39f41)
authored by @tenderlove
actionpack/lib/action_controller/vendor/html-scanner/html/node.rb (2 changed lines)
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
end
closing = ( scanner.scan(/\//) ? :close : nil )
- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)

@tenderlove

This breaks passing xml: true to HTML::Document.new

xml = <<-XML
<?xml version="1.0" standalone="yes"?>
<TRIVIA>

  <MATH>
    <QUESTION>What is the square root of 25</QUESTION>
    <ANSWER>5</ANSWER>
  </MATH>

  <GENERAL>
    <QUESTION>What is the season after Summer </QUESTION>
    <ANSWER>Fall</ANSWER>
    <ANSWER>Autumn </ANSWER>
  </GENERAL>

</TRIVIA>
XML

f = HTML::Document.new xml, true, true

Resulting in:
RuntimeError: expected > (got "?>" for <?xml version="1.0" standalone="yes"?>, {"version"=>"1.0", "standalone"=>"yes"})

Also, I am not sure where this is used other than testing, so I am not clear where the issue was with XSS attacks. Thoughts?
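To make the report above and the new sanitizer test concrete, here is an added Ruby snippet (not code from the commit or from Rails) that replays only the tag-name step of HTML::Node.parse with the old and the new pattern over constructed tokens. It assumes the tokenizer hands the whole quoted run `<" … >` to parse as a single token, and that FullSanitizer passes a Text node through verbatim (as the `<<<bad html` test expects) while dropping a Tag node (as the new `' hi'` expectation shows).

```ruby
require 'strscan'

# Tag-name patterns before and after the change in node.rb above.
OLD_NAME = /[\w:-]+/
NEW_NAME = /[^\s!>\/]+/

# Replays only the first steps of HTML::Node.parse on one token: skip the
# leading '<', allow an optional '/', then try to read a tag name with the
# given pattern. Returns that name, or nil when parse would fall through
# to a Text node (which the sanitizer emits unchanged).
def tag_name(token, pattern)
  scanner = StringScanner.new(token)
  return nil unless scanner.scan(/</)
  scanner.scan(%r{/})
  scanner.scan(pattern)
end

# Constructed tokens (assumption: the tokenizer delivers each as one unit):
# the string from test_strip_tags_with_quote, the XML declaration from the
# comment above, and a plain tag for comparison.
SAMPLES = {
  quote_tag: '<" <img src="trollface.gif" onload="alert(1)">',
  xml_decl:  '<?xml version="1.0" standalone="yes"?>',
  plain_img: '<img src="trollface.gif" onload="alert(1)">',
}.freeze

# Map each sample to the name each pattern extracts.
#   nil  -> treated as text: the raw token reaches the output
#   name -> treated as a tag: stripped by FullSanitizer; with the new
#           pattern "?xml" then hits "?>" where ">" is expected (the
#           RuntimeError quoted above)
def compare(samples = SAMPLES)
  samples.transform_values do |token|
    { old: tag_name(token, OLD_NAME), new: tag_name(token, NEW_NAME) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |label, names|
    puts format('%-10s old=%-6s new=%s', label, names[:old].inspect, names[:new].inspect)
  end
end
```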

name.downcase!
unless closing
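Review bot: the widened name pattern `/[^\s!>\/]+/` on the `+` line also accepts `?`, so an XML declaration such as `<?xml version="1.0" standalone="yes"?>` is now read as a tag named `?xml` and attribute parsing then fails at `?>` where `>` is expected (the RuntimeError reported in the comment above), whereas the old `/[\w:-]+/` let it fall through to a Text node; consider excluding `?` from the class or handling the processing-instruction case before the name scan, and add a test that exercises `HTML::Document.new(xml, true, true)` so the `xml` mode is covered.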
actionpack/test/template/html-scanner/sanitizer_test.rb (7 changed lines)
@@ -5,6 +5,13 @@ def setup
@sanitizer = nil # used by assert_sanitizer
end
+ def test_strip_tags_with_quote
+ sanitizer = HTML::FullSanitizer.new
+ string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+ assert_equal ' hi', sanitizer.sanitize(string)
+ end
+
def test_strip_tags
sanitizer = HTML::FullSanitizer.new
assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
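Review bot: `test_strip_tags_with_quote` pins only a `"` directly after `<`, while the new name pattern accepts any run of characters other than whitespace, `!`, `>` and `/`; a second assertion with a different non-letter opener (for example `<'`, my suggestion) would document the intended boundary, and since the `<<<bad html` assertion in `test_strip_tags` at the end of this hunk is the passthrough side of the same boundary, it is worth confirming in the same test that it still holds with the new pattern.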