Skip to content

Commit

Permalink
Merge pull request from GHSA-f5ww-cq3m-q3g7
Browse files Browse the repository at this point in the history
Escape `</` to prevent a style element from being closed prematurely
  • Loading branch information
rgrove authored Jul 6, 2023
2 parents a92f21c + 3481ac3 commit 76ed46e
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 3 deletions.
17 changes: 17 additions & 0 deletions HISTORY.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,22 @@
# Sanitize History

## 6.0.2 (2023-07-06)

### Bug Fixes

* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
(cross-site scripting). This issue affects Sanitize versions 3.0.0 through
6.0.1.

When using Sanitize's relaxed config or a custom config that allows `<style>`
elements and one or more CSS at-rules, carefully crafted input could be used
to sneak arbitrary HTML through Sanitize.

See the following security advisory for additional details:
[GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)

Thanks to @cure53 for finding this issue.

## 6.0.1 (2023-01-27)

### Bug Fixes
Expand Down
1 change: 1 addition & 0 deletions lib/sanitize/transformers/clean_css.rb
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ def call(env)
if css.strip.empty?
node.unlink
else
css.gsub!('</', '<\/')
node.children.unlink
node << Nokogiri::XML::Text.new(css, node.document)
end
Expand Down
4 changes: 1 addition & 3 deletions lib/sanitize/version.rb
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# encoding: utf-8

class Sanitize
VERSION = '6.0.1'
VERSION = '6.0.2'
end
13 changes: 13 additions & 0 deletions test/test_malicious_css.rb
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,17 @@
it 'should not allow behaviors' do
_(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
end

describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
before do
@s = Sanitize.new(Sanitize::Config::RELAXED)
end

it 'is not possible to prematurely end a <style> element' do
assert_equal(
%[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
@s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
)
end
end
end

0 comments on commit 76ed46e

Please sign in to comment.