From 8c4c58f4e671a2f9f0e1477e47ff943a3b824799 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Thu, 29 Oct 2015 12:06:26 -0700
Subject: [PATCH] convert CDATA nodes to TEXT nodes to avoid XSS issues

CDATA nodes will not be html escaped. Users shouldn't be submitting CDATA nodes in the first place, so we should convert them to text nodes before escaping

CVE-2015-7580
---
lib/rails/html/scrubbers.rb | 7 ++++++-
test/sanitizer_test.rb | 10 ++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index 1384a2f..6d82a20 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -60,6 +60,11 @@ module Rails end def scrub(node)
+ if node.cdata? text = node.document.create_text_node node.text node.replace text return CONTINUE end return CONTINUE if skip_node?(node) unless keep_node?(node)
@@ -76,7 +81,7 @@ module Rails end def skip_node?(node)
- node.text? || node.cdata?
+ node.text? end def scrub_attribute?(name)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 06d70e4..3bfc7cb 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -11,6 +11,16 @@ class SanitizersTest < Minitest::Test end end
+ def test_sanitize_nested_script sanitizer = Rails::Html::WhiteListSanitizer.new assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('alert("XSS");/', tags: %w(em)) end
+ def test_sanitize_nested_script_in_style sanitizer = Rails::Html::WhiteListSanitizer.new assert_equal '<script>alert("XSS");</script>', sanitizer.sanitize('alert("XSS");/', tags: %w(em)) end
+ class XpathRemovalTestSanitizer < Rails::Html::Sanitizer def sanitize(html, options = {}) fragment = Loofah.fragment(html)
-- 
2.2.1
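Review bot: The new `node.cdata?` branch at the top of `scrub` carries no comment saying why a CDATA node is rewritten instead of kept, and that reason is the entire fix: per the commit message a CDATA section is not HTML-escaped on output, so one that survives scrubbing carries its content into the result verbatim. Add `# CDATA content is serialized without HTML escaping; rewrite it as a text node so the same content is escaped on output (CVE-2015-7580)` above the `if`. The second hunk's `skip_node?` is now coupled to this branch (CDATA is no longer skipped there because it has already been replaced earlier in `scrub`), so a one-line comment on `skip_node?` pointing at the CDATA handling in `scrub` would keep the two from drifting apart. It would also be worth confirming that other node kinds the serializer emits without escaping, such as comments and processing instructions, are dropped by `keep_node?`, whose body lies outside this hunk, since the same reasoning applies to them. `scrub`'s body continues past the end of the hunk.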
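Review bot: The expected value in both new assertions reads here as raw `<script>alert("XSS");</script>` markup, which would be the opposite of what the scrubber change is meant to produce; if that is the literal in the test it should be the HTML-escaped form, though this page may have decoded entities during extraction, so verify against the actual file. The two test inputs also look identical apart from the method names, which suggest that `<script>` and `<style>` content is what is being submitted (presumably because the HTML parser represents that content as CDATA, which this commit rewrites); since the names are the only hint, a comment above each test such as `# script/style content is parsed as CDATA, which the scrubber must rewrite to text (CVE-2015-7580)` would make the intent explicit. Both tests repeat `Rails::Html::WhiteListSanitizer.new`; hoisting it into a `setup` method, if the class already has one outside this hunk, would keep the fixture in one place.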