Permalink
Browse files

Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba

CVE-2012-3465
  • Loading branch information...
1 parent 6d0526d commit e91e4e8bbee12ce1496bf384c04da6be296b687a @spastorino spastorino committed Aug 8, 2012
@@ -1,5 +1,12 @@
## Rails 3.2.8 ##
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+ helper doesn't correctly handle malformed html. As a result an attacker can
+ execute arbitrary javascript through the use of specially crafted malformed
+ html.
+
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
Vulnerable code will look something like this:
@@ -80,7 +80,7 @@ def sanitize_css(style)
# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# # => Welcome to my website!
def strip_tags(html)
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
+ self.class.full_sanitizer.sanitize(html)
end
# Strips all link tags from +text+ leaving just the link text.
@@ -42,9 +42,9 @@ def test_strip_tags
[nil, '', ' '].each do |blank|
stripped = strip_tags(blank)
assert_equal blank, stripped
- assert stripped.html_safe? unless blank.nil?
end
- assert strip_tags("<script>").html_safe?
+ assert_equal "", strip_tags("<script>")
+ assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
end
def test_sanitize_is_marked_safe

0 comments on commit e91e4e8

Please sign in to comment.