Encoded "script" Elements don't get scrubbed

[PJUllrich]

Hello there,

first of all, thank you very much for this super useful library ❤️🙏

I'm running into an "issue" (I'm unsure whether it's an issue or intended behaviour) that some elements don't get scrubbed if their < and > signs are encoded. For example:

# Works as expected
iex(1)> HtmlSanitizeEx.html5("<script>alert('xss');</script>")
"alert('xss');"

# Doesn't work as expected (the "script" tags aren't removed)
iex(2)> HtmlSanitizeEx.html5("&lt;script&gt;alert('xss');&lt;/script&gt;")
"&lt;script&gt;alert('xss');&lt;/script&gt;"

If I render the second string in my html with raw(@safe_content), it becomes <script>alert('xss');</script> again.

Now, I'm unsure about the implications of this. In my case, the string is user input and I render the content as described in my HEEX template because it can contain code snippets. What do you think? Is there a possible vulnerability here or does everything work as intended? :)

[rrrene]

Is there a possible vulnerability here or does everything work as intended? :)

Those are not necessarily mutually exclusive. But I have to be impolite and ask a question in return:

If I render the second string in my html with raw(@safe_content), it becomes <script>alert('xss');</script> again.

Is this really what Phoenix should do? I will have to check ...

[PJUllrich]

I'm not sure either, but what I can do is simply replace the < and > values with < and > again and then run the sanitizer. That should take care of that problem.

[rrrene]

@PJUllrich So, I did a quick check and the result is not consistent with I understood from your description:

Am I testing the "right" raw/1 function?

[PJUllrich]

@rrrene I DMed you on Twitter :)