Commit 586a944
Tags with invalid names should also be stripped in order to prevent
XSS attacks. Thanks Sascha Depold for the report.
1 parent 8a39f41 commit 586a944

2 files changed (+8 -1 lines changed)

Diff for: actionpack/lib/action_controller/vendor/html-scanner/html/node.rb

+1-1
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
156156
end
157157

158158
closing = ( scanner.scan(/\//) ? :close : nil )
159-
return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
159+
return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
160160
name.downcase!
161161

162162
unless closing
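Review bot: the widened tag-name pattern `/[^\s!>\/]+/` on the replaced line 159 is the whole fix, and it deliberately accepts characters such as `"` and `<` as part of a name so that a fragment like `<"` becomes a Tag node (which the full sanitizer strips) instead of falling through to `Text.new` and being emitted verbatim; because this departs from the conventional `[\w:-]` set that the old line used, add a one-line comment above it saying that the class is intentionally broad for XSS hardening and that whitespace, `!`, `>` and `/` are the only exclusions, otherwise a later cleanup is likely to tighten the pattern back and silently reintroduce the bypass.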

Diff for: actionpack/test/template/html-scanner/sanitizer_test.rb

+7
@@ -5,6 +5,13 @@ def setup
55
@sanitizer = nil # used by assert_sanitizer
66
end
77

8+
def test_strip_tags_with_quote
9+
sanitizer = HTML::FullSanitizer.new
10+
string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
11+
12+
assert_equal ' hi', sanitizer.sanitize(string)
13+
end
14+
815
def test_strip_tags
916
sanitizer = HTML::FullSanitizer.new
1017
assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
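Review bot: `test_strip_tags_with_quote` (added lines 8-13) only exercises the attack string; add a companion assertion that ordinary text containing a bare `<` followed by a space (for example `a < b`) comes back from `sanitize` unchanged, since the name pattern in node.rb now treats any non-whitespace run after `<` as a tag name and the `<<<bad html` case in `test_strip_tags` below is the only existing guard against over-stripping. Also drop the empty added line 11 inside the method body so the layout matches the neighbouring tests.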
