-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2018-3740] Sanitize HTML injection vulnerability #176
Comments
@rgrove Is there a CVE for this? If not, can assign one. |
There isn't. If you could assign one, that'd be great! I tried to figure out how to request one but it was taking me too long, so I figured I'd get the fix out first. |
Sure, CVE-2018-3740. Since Shopify (the reporter) is a HackerOne customer, I can assign one for you under our CNA scope. :-) |
Much appreciated! |
It looks like the root cause of this issue is being discussed in this libxml2 bug: https://bugzilla.gnome.org/show_bug.cgi?id=769760 |
@rgrove I've noted this CVE in that upstream bug report. |
Thanks @flavorjones! Also thanks for providing a good example for me to follow in terms of announcing a vuln and getting the word out to the community. First time I've done that, so it was a learning experience. 😬 |
Ha ha! Well, we have a good process for all this at my day job, so "I'm just following procedure." |
Fixes vulnerability CVE-2018-3740 rgrove/sanitize#176
This fixes CVE-2018-2740 (See: rgrove/sanitize#176) We also have to fix some tests around table tags, because as of sanitize 3.x it uses a parser more like a browser which means it will strip invalid HTML and correct it when it's less-broken. Tables are one of the things it does this for.
FYI if you're still on the Sanitize 2.x line and can't upgrade to 4.x, @dometto was kind enough to backport this fix to the 2.x line in Sanitize 2.1.1. |
This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.
Description
A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.
Affected Versions
Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2
Mitigation
Upgrade to Sanitize 4.6.3 or higher.
History of this vulnerability
The text was updated successfully, but these errors were encountered: