Tags with invalid names should also be stripped in order to prevent XSS attacks. Thanks Sascha Depold for the report.
1 parent 8a39f41 commit 586a944ddd4d03e66dea1093306147594748037a @tenderlove tenderlove committed Aug 16, 2011
2 actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
end
closing = ( scanner.scan(/\//) ? :close : nil )
- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
@lardawge
lardawge added a note Aug 29, 2011

@tenderlove

This breaks passing xml: true to HTML::Document.new

xml = <<-XML
<?xml version="1.0" standalone="yes"?> 
<TRIVIA> 

  <MATH>
    <QUESTION>What is the square root of 25</QUESTION>
    <ANSWER>5</ANSWER>
  </MATH>

  <GENERAL>
    <QUESTION>What is the season after Summer </QUESTION>
    <ANSWER>Fall</ANSWER>
    <ANSWER>Autumn </ANSWER>
  </GENERAL>

</TRIVIA>
XML

f = HTML::Document.new xml, true, true

Resulting in:
RuntimeError: expected > (got "?>" for <?xml version="1.0" standalone="yes"?>, {"version"=>"1.0", "standalone"=>"yes"})

Also I am not sure where this is used other than testing, so I am not clear where the issue was with XSS attacks. Thoughts?

name.downcase!
unless closing
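Review bot: the widened name pattern on the `+` line, `[^\s!>\/]+`, matches any run of non-space characters, so a token such as `<"` now becomes a Tag node and is stripped instead of falling through to `Text.new` with the raw markup intact; that closes the bypass, but it also accepts `?xml` as a name, and in strict mode `parse` then raises `expected > (got "?>" ...)` on an XML prolog, as the note from lardawge above shows. Consider excluding `?` from the name class when the document is parsed with `xml` set, or accepting a `?>` terminator for `?`-prefixed names, and cover `HTML::Document.new(xml, true, true)` with an `<?xml ... ?>` prolog in the tests so the strict path is exercised.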
7 actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ def setup
@sanitizer = nil # used by assert_sanitizer
end
+ def test_strip_tags_with_quote
+ sanitizer = HTML::FullSanitizer.new
+ string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+ assert_equal ' hi', sanitizer.sanitize(string)
+ end
+
def test_strip_tags
sanitizer = HTML::FullSanitizer.new
assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
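Review bot: `test_strip_tags_with_quote` only exercises the `<"` input; since the name pattern now accepts every non-space character, add a strict-mode case (`HTML::Document.new(xml, true, true)` with an `<?xml version="1.0"?>` prolog, the regression reported in the inline note on node.rb) so the parser path is covered alongside the sanitizer, and keep `test_strip_tags` with `<<<bad html` next to it as the check that a `<` without a usable name still passes through as text. A name such as `test_strip_tags_with_invalid_tag_name` would also say what the case is about better than `with_quote`.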

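To show why the regex change matters for the sanitizer, and why it trips the strict XML case lardawge reports, here is a cut-down Ruby model of the html-scanner tokenizer and `Node.parse`. It is an added example, not html-scanner's own code: the functions `tokenize`, `scan_tag`, `parse_node`, `full_sanitize` and `parse_document` are this example's names, and only the behaviour needed to reproduce the two cases discussed on this page is modelled. The input strings are constructed from the test above and the inline note.

```ruby
require 'strscan'

# Added example, not html-scanner's own code: a cut-down model of how the
# tokenizer and Node.parse interact with the tag-name regex changed in this
# commit. Function names are this example's own.

OLD_NAME_RE = /[\w:-]+/      # tag-name regex before the commit
NEW_NAME_RE = /[^\s!>\/]+/   # tag-name regex after the commit

# Tokenizer model: "<" followed by a non-space opens a tag token that runs to
# the next ">" (or stops before a following "<"), jumping over quoted values.
def tokenize(html)
  s = StringScanner.new(html)
  tokens = []
  until s.eos?
    tokens << (s.check(/<\S/) ? scan_tag(s) : s.getch + s.scan(/[^<]*/))
  end
  tokens
end

def scan_tag(s)
  tag = s.getch                       # the opening "<"
  loop do
    chunk = s.scan_until(/['"<>]/)
    break unless chunk                # nothing left to delimit the tag
    delim = s.matched
    if delim == "<"                   # a new tag starts before this one closed
      chunk = chunk.chop
      s.pos -= 1
    end
    tag << chunk
    break if delim == "<" || delim == ">"
    quoted = s.scan_until(/#{delim}/) # skip to the matching quote, if any
    tag << quoted if quoted
  end
  tag
end

# Node.parse model. A tag token whose leading run matches name_re is a tag
# (name plus attributes); anything else stays a text node and its raw content
# survives. With strict set, a tag that does not end in ">" raises (the error
# in the inline note); otherwise the rest of the token is discarded, as the
# sanitizer's non-strict parse does.
def parse_node(token, name_re, strict)
  return [:text, token] unless token.start_with?("<")
  s = StringScanner.new(token)
  s.getch
  closing = s.scan(/\//) ? :close : nil
  name = s.scan(name_re)
  return [:text, token] unless name   # no usable name: whole token is text
  attributes = {}
  unless closing
    s.skip(/\s*/)
    while attr = s.scan(/[-\w:]+/)
      value = true
      if s.scan(/\s*=\s*/)
        if delim = s.scan(/['"]/)
          body = s.scan_until(/#{delim}/)
          value = body ? body.chop : s.rest.tap { s.terminate }
        else
          value = s.scan(/[^\s>]+/)
        end
      end
      attributes[attr.downcase] = value
      s.skip(/\s*/)
    end
    s.scan(/\//)                      # self-closing marker
  end
  unless s.scan(/\s*>/)
    raise "expected > (got #{s.rest.inspect} for #{token}, #{attributes.inspect})" if strict
    s.skip_until(/>/) or s.terminate
  end
  [:tag, name.downcase, attributes]
end

# FullSanitizer model: non-strict parse, keep only text nodes.
def full_sanitize(html, name_re = NEW_NAME_RE)
  tokenize(html).map { |t| parse_node(t, name_re, false) }
                .select { |node| node[0] == :text }
                .map { |node| node[1] }
                .join
end

# HTML::Document model with strict = true: every token must parse cleanly.
def parse_document(html, name_re = NEW_NAME_RE)
  tokenize(html).map { |t| parse_node(t, name_re, true) }
end

if __FILE__ == $0
  payload = '<" <img src="trollface.gif" onload="alert(1)"> hi'  # constructed, from the test
  puts "old regex: #{full_sanitize(payload, OLD_NAME_RE).inspect}"
  puts "new regex: #{full_sanitize(payload, NEW_NAME_RE).inspect}"
  prolog = '<?xml version="1.0" standalone="yes"?><TRIVIA></TRIVIA>'  # constructed, from the note
  puts "old regex, strict: #{parse_document(prolog, OLD_NAME_RE).first.inspect}"
  begin
    parse_document(prolog, NEW_NAME_RE)
  rescue RuntimeError => e
    puts "new regex, strict: #{e.message}"
  end
end
```

With the old pattern the whole `<" <img ... onload="alert(1)">` token is one text node, so the sanitizer returns the input untouched and the event handler reaches the page; with the new pattern the token is a tag named `"` and is dropped, leaving ` hi`. The same widening turns `<?xml ...?>` into a tag named `?xml`, which the strict parse rejects because `?>` is not `>`.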