loofah 1.0.0 → 1.1.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of loofah might be problematic. Click here for more details.

@@ -13,7 +13,9 @@ module Loofah
13
13
  # parse a fragment.
14
14
  #
15
15
  def parse tags
16
- self.new(Loofah::XML::Document.new, tags)
16
+ doc = Loofah::XML::Document.new
17
+ doc.encoding = tags.encoding.name if tags.respond_to?(:encoding)
18
+ self.new(doc, tags)
17
19
  end
18
20
  end
19
21
  end
@@ -0,0 +1,501 @@
1
+ [
2
+ {
3
+ "name": "IE_Comments",
4
+ "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
5
+ "output": "&lt;!--[if gte IE 4]&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;&lt;![endif]--&gt;"
6
+ },
7
+
8
+ {
9
+ "name": "IE_Comments_2",
10
+ "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
11
+ "output": "&lt;script&gt;alert('XSS');&lt;/script&gt;",
12
+ "rexml": "Ill-formed XHTML!"
13
+ },
14
+
15
+ {
16
+ "name": "allow_colons_in_path_component",
17
+ "input": "<a href=\"./this:that\">foo</a>",
18
+ "output": "<a href='./this:that'>foo</a>"
19
+ },
20
+
21
+ {
22
+ "name": "background_attribute",
23
+ "input": "<div background=\"javascript:alert('XSS')\"></div>",
24
+ "output": "<div/>",
25
+ "xhtml": "<div></div>",
26
+ "rexml": "<div></div>"
27
+ },
28
+
29
+ {
30
+ "name": "bgsound",
31
+ "input": "<bgsound src=\"javascript:alert('XSS');\" />",
32
+ "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;",
33
+ "rexml": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
34
+ },
35
+
36
+ {
37
+ "name": "div_background_image_unicode_encoded",
38
+ "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
39
+ "output": "<div style=''>foo</div>"
40
+ },
41
+
42
+ {
43
+ "name": "div_expression",
44
+ "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
45
+ "output": "<div style=''>foo</div>"
46
+ },
47
+
48
+ {
49
+ "name": "double_open_angle_brackets",
50
+ "input": "<img src=http://ha.ckers.org/scriptlet.html <",
51
+ "output": "<img src='http://ha.ckers.org/scriptlet.html'>",
52
+ "rexml": "Ill-formed XHTML!"
53
+ },
54
+
55
+ {
56
+ "name": "double_open_angle_brackets_2",
57
+ "input": "<script src=http://ha.ckers.org/scriptlet.html <",
58
+ "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/script&gt;",
59
+ "rexml": "Ill-formed XHTML!"
60
+ },
61
+
62
+ {
63
+ "name": "grave_accents",
64
+ "input": "<img src=`javascript:alert('XSS')` />",
65
+ "output": "<img>",
66
+ "rexml": "Ill-formed XHTML!"
67
+ },
68
+
69
+ {
70
+ "name": "img_dynsrc_lowsrc",
71
+ "input": "<img dynsrc=\"javascript:alert('XSS')\" />",
72
+ "output": "<img>",
73
+ "rexml": "<img />"
74
+ },
75
+
76
+ {
77
+ "name": "img_vbscript",
78
+ "input": "<img src='vbscript:msgbox(\"XSS\")' />",
79
+ "output": "<img>",
80
+ "rexml": "<img />"
81
+ },
82
+
83
+ {
84
+ "name": "input_image",
85
+ "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
86
+ "output": "<input type='image'>",
87
+ "rexml": "<input type='image' />"
88
+ },
89
+
90
+ {
91
+ "name": "link_stylesheets",
92
+ "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
93
+ "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"&gt;",
94
+ "rexml": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/&gt;"
95
+ },
96
+
97
+ {
98
+ "name": "link_stylesheets_2",
99
+ "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
100
+ "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"&gt;",
101
+ "rexml": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/&gt;"
102
+ },
103
+
104
+ {
105
+ "name": "list_style_image",
106
+ "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
107
+ "output": "<li style=''>foo</li>"
108
+ },
109
+
110
+ {
111
+ "name": "no_closing_script_tags",
112
+ "input": "<script src=http://ha.ckers.org/xss.js?<b>",
113
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
114
+ "rexml": "Ill-formed XHTML!"
115
+ },
116
+
117
+ {
118
+ "name": "non_alpha_non_digit",
119
+ "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
120
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
121
+ "rexml": "Ill-formed XHTML!"
122
+ },
123
+
124
+ {
125
+ "name": "non_alpha_non_digit_2",
126
+ "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
127
+ "output": "<a>foo</a>",
128
+ "rexml": "Ill-formed XHTML!"
129
+ },
130
+
131
+ {
132
+ "name": "non_alpha_non_digit_3",
133
+ "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
134
+ "output": "<img>",
135
+ "rexml": "Ill-formed XHTML!"
136
+ },
137
+
138
+ {
139
+ "name": "non_alpha_non_digit_II",
140
+ "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
141
+ "output": "<a href>foo</a>",
142
+ "rexml": "Ill-formed XHTML!"
143
+ },
144
+
145
+ {
146
+ "name": "non_alpha_non_digit_III",
147
+ "input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
148
+ "output": "<a>foo</a>",
149
+ "rexml": "Ill-formed XHTML!"
150
+ },
151
+
152
+ {
153
+ "name": "platypus",
154
+ "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
155
+ "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-repeat: repeat;'>never trust your upstream platypus</a>"
156
+ },
157
+
158
+ {
159
+ "name": "protocol_resolution_in_script_tag",
160
+ "input": "<script src=//ha.ckers.org/.j></script>",
161
+ "output": "&lt;script src=\"//ha.ckers.org/.j\"&gt;&lt;/script&gt;",
162
+ "rexml": "Ill-formed XHTML!"
163
+ },
164
+
165
+ {
166
+ "name": "should_allow_anchors",
167
+ "input": "<a href='foo' onclick='bar'><script>baz</script></a>",
168
+ "output": "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
169
+ },
170
+
171
+ {
172
+ "name": "should_allow_image_alt_attribute",
173
+ "input": "<img alt='foo' onclick='bar' />",
174
+ "output": "<img alt='foo'>",
175
+ "rexml": "<img alt='foo' />"
176
+ },
177
+
178
+ {
179
+ "name": "should_allow_image_height_attribute",
180
+ "input": "<img height='foo' onclick='bar' />",
181
+ "output": "<img height='foo'>",
182
+ "rexml": "<img height='foo' />"
183
+ },
184
+
185
+ {
186
+ "name": "should_allow_image_src_attribute",
187
+ "input": "<img src='foo' onclick='bar' />",
188
+ "output": "<img src='foo'>",
189
+ "rexml": "<img src='foo' />"
190
+ },
191
+
192
+ {
193
+ "name": "should_allow_image_width_attribute",
194
+ "input": "<img width='foo' onclick='bar' />",
195
+ "output": "<img width='foo'>",
196
+ "rexml": "<img width='foo' />"
197
+ },
198
+
199
+ {
200
+ "name": "should_handle_blank_text",
201
+ "input": "",
202
+ "output": ""
203
+ },
204
+
205
+ {
206
+ "name": "should_handle_malformed_image_tags",
207
+ "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
208
+ "output": "<img>&lt;script&gt;alert(\"XSS\")&lt;/script&gt;\"&gt;",
209
+ "rexml": "Ill-formed XHTML!"
210
+ },
211
+
212
+ {
213
+ "name": "should_handle_non_html",
214
+ "input": "abc",
215
+ "output": "abc"
216
+ },
217
+
218
+ {
219
+ "name": "should_not_fall_for_ridiculous_hack",
220
+ "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
221
+ "output": "<img>",
222
+ "rexml": "<img />"
223
+ },
224
+
225
+ {
226
+ "name": "should_not_fall_for_xss_image_hack_0",
227
+ "input": "<img src=\"javascript:alert('XSS');\" />",
228
+ "output": "<img>",
229
+ "rexml": "<img />"
230
+ },
231
+
232
+ {
233
+ "name": "should_not_fall_for_xss_image_hack_1",
234
+ "input": "<img src=javascript:alert('XSS') />",
235
+ "output": "<img>",
236
+ "rexml": "Ill-formed XHTML!"
237
+ },
238
+
239
+ {
240
+ "name": "should_not_fall_for_xss_image_hack_10",
241
+ "input": "<img src=\"jav&#x0A;ascript:alert('XSS');\" />",
242
+ "output": "<img>",
243
+ "rexml": "<img />"
244
+ },
245
+
246
+ {
247
+ "name": "should_not_fall_for_xss_image_hack_11",
248
+ "input": "<img src=\"jav&#x0D;ascript:alert('XSS');\" />",
249
+ "output": "<img>",
250
+ "rexml": "<img />"
251
+ },
252
+
253
+ {
254
+ "name": "should_not_fall_for_xss_image_hack_12",
255
+ "input": "<img src=\" &#14; javascript:alert('XSS');\" />",
256
+ "output": "<img src=''>",
257
+ "rexml": "<img />"
258
+ },
259
+
260
+ {
261
+ "name": "should_not_fall_for_xss_image_hack_13",
262
+ "input": "<img src=\"&#x20;javascript:alert('XSS');\" />",
263
+ "output": "<img>",
264
+ "rexml": "<img />"
265
+ },
266
+
267
+ {
268
+ "name": "should_not_fall_for_xss_image_hack_14",
269
+ "input": "<img src=\"&#xA0;javascript:alert('XSS');\" />",
270
+ "output": "<img>",
271
+ "rexml": "<img />"
272
+ },
273
+
274
+ {
275
+ "name": "should_not_fall_for_xss_image_hack_2",
276
+ "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
277
+ "output": "<img>",
278
+ "rexml": "<img />"
279
+ },
280
+
281
+ {
282
+ "name": "should_not_fall_for_xss_image_hack_3",
283
+ "input": "<img src='javascript:alert(&quot;XSS&quot;)' />",
284
+ "output": "<img>",
285
+ "rexml": "<img />"
286
+ },
287
+
288
+ {
289
+ "name": "should_not_fall_for_xss_image_hack_4",
290
+ "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
291
+ "output": "<img>",
292
+ "rexml": "<img />"
293
+ },
294
+
295
+ {
296
+ "name": "should_not_fall_for_xss_image_hack_5",
297
+ "input": "<img src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;' />",
298
+ "output": "<img>",
299
+ "rexml": "<img />"
300
+ },
301
+
302
+ {
303
+ "name": "should_not_fall_for_xss_image_hack_6",
304
+ "input": "<img src='&#0000106;&#0000097;&#0000118;&#0000097;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000058;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041' />",
305
+ "output": "<img>",
306
+ "rexml": "<img />"
307
+ },
308
+
309
+ {
310
+ "name": "should_not_fall_for_xss_image_hack_7",
311
+ "input": "<img src='&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29' />",
312
+ "output": "<img>",
313
+ "rexml": "<img />"
314
+ },
315
+
316
+ {
317
+ "name": "should_not_fall_for_xss_image_hack_8",
318
+ "input": "<img src=\"jav\tascript:alert('XSS');\" />",
319
+ "output": "<img>",
320
+ "rexml": "<img />"
321
+ },
322
+
323
+ {
324
+ "name": "should_not_fall_for_xss_image_hack_9",
325
+ "input": "<img src=\"jav&#x09;ascript:alert('XSS');\" />",
326
+ "output": "<img>",
327
+ "rexml": "<img />"
328
+ },
329
+
330
+ {
331
+ "name": "should_sanitize_half_open_scripts",
332
+ "input": "<img src=\"javascript:alert('XSS')\"",
333
+ "output": "<img>",
334
+ "rexml": "Ill-formed XHTML!"
335
+ },
336
+
337
+ {
338
+ "name": "should_sanitize_invalid_script_tag",
339
+ "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
340
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;",
341
+ "rexml": "Ill-formed XHTML!"
342
+ },
343
+
344
+ {
345
+ "name": "should_sanitize_script_tag_with_multiple_open_brackets",
346
+ "input": "<<script>alert(\"XSS\");//<</script>",
347
+ "output": "alert(\"XSS\");//",
348
+ "rexml": "Ill-formed XHTML!"
349
+ },
350
+
351
+ {
352
+ "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
353
+ "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
354
+ "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/iframe&gt;",
355
+ "rexml": "Ill-formed XHTML!"
356
+ },
357
+
358
+ {
359
+ "name": "should_sanitize_tag_broken_up_by_null",
360
+ "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
361
+ "output": "&lt;scr&gt;&lt;/scr&gt;",
362
+ "rexml": "Ill-formed XHTML!"
363
+ },
364
+
365
+ {
366
+ "name": "should_sanitize_unclosed_script",
367
+ "input": "<script src=http://ha.ckers.org/xss.js?<b>",
368
+ "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;",
369
+ "rexml": "Ill-formed XHTML!"
370
+ },
371
+
372
+ {
373
+ "name": "should_strip_href_attribute_in_a_with_bad_protocols",
374
+ "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
375
+ "output": "<a title='1'>boo</a>"
376
+ },
377
+
378
+ {
379
+ "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
380
+ "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
381
+ "output": "<a title='1'>boo</a>"
382
+ },
383
+
384
+ {
385
+ "name": "should_strip_src_attribute_in_img_with_bad_protocols",
386
+ "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
387
+ "output": "<img title='1'>boo",
388
+ "rexml": "<img title='1' />"
389
+ },
390
+
391
+ {
392
+ "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
393
+ "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
394
+ "output": "<img title='1'>boo",
395
+ "rexml": "<img title='1' />"
396
+ },
397
+
398
+ {
399
+ "name": "xml_base",
400
+ "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
401
+ "output": "<div>foo</div>"
402
+ },
403
+
404
+ {
405
+ "name": "xul",
406
+ "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
407
+ "output": "<p style=''>fubar</p>"
408
+ },
409
+
410
+ {
411
+ "name": "quotes_in_attributes",
412
+ "input": "<img src='foo' title='\"foo\" bar' />",
413
+ "rexml": "<img src='foo' title='\"foo\" bar' />",
414
+ "output": "<img src='foo' title='\"foo\" bar'>"
415
+ },
416
+
417
+ {
418
+ "name": "uri_refs_in_svg_attributes",
419
+ "input": "<rect fill='url(#foo)' />",
420
+ "rexml": "<rect fill='url(#foo)'></rect>",
421
+ "xhtml": "<rect fill='url(#foo)'></rect>",
422
+ "output": "<rect fill='url(#foo)'/>"
423
+ },
424
+
425
+ {
426
+ "name": "absolute_uri_refs_in_svg_attributes",
427
+ "input": "<rect fill='url(http://bad.com/) #fff' />",
428
+ "rexml": "<rect fill=' #fff'></rect>",
429
+ "xhtml": "<rect fill=' #fff'></rect>",
430
+ "output": "<rect fill=' #fff'/>"
431
+ },
432
+
433
+ {
434
+ "name": "uri_ref_with_space_in svg_attribute",
435
+ "input": "<rect fill='url(\n#foo)' />",
436
+ "rexml": "<rect fill='url(\n#foo)'></rect>",
437
+ "xhtml": "<rect fill='url(\n#foo)'></rect>",
438
+ "output": "<rect fill='url(\n#foo)'/>"
439
+ },
440
+
441
+ {
442
+ "name": "absolute_uri_ref_with_space_in svg_attribute",
443
+ "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
444
+ "rexml": "<rect fill=' '></rect>",
445
+ "xhtml": "<rect fill=' '></rect>",
446
+ "output": "<rect fill=' '/>"
447
+ },
448
+
449
+ {
450
+ "name": "allow_html5_image_tag",
451
+ "input": "<image src='foo' />",
452
+ "rexml": "&lt;image src=\"foo\"&gt;&lt;/image&gt;",
453
+ "output": "&lt;image src=\"foo\"/&gt;"
454
+ },
455
+
456
+ {
457
+ "name": "style_attr_end_with_nothing",
458
+ "input": "<div style=\"color: blue\" />",
459
+ "output": "<div style='color: blue;'/>",
460
+ "xhtml": "<div style='color: blue;'></div>",
461
+ "rexml": "<div style='color: blue;'></div>"
462
+ },
463
+
464
+ {
465
+ "name": "style_attr_end_with_space",
466
+ "input": "<div style=\"color: blue \" />",
467
+ "output": "<div style='color: blue ;'/>",
468
+ "xhtml": "<div style='color: blue ;'></div>",
469
+ "rexml": "<div style='color: blue ;'></div>"
470
+ },
471
+
472
+ {
473
+ "name": "style_attr_end_with_semicolon",
474
+ "input": "<div style=\"color: blue;\" />",
475
+ "output": "<div style='color: blue;'/>",
476
+ "xhtml": "<div style='color: blue;'></div>",
477
+ "rexml": "<div style='color: blue;'></div>"
478
+ },
479
+
480
+ {
481
+ "name": "style_attr_end_with_semicolon_space",
482
+ "input": "<div style=\"color: blue; \" />",
483
+ "output": "<div style='color: blue;'/>",
484
+ "xhtml": "<div style='color: blue;'></div>",
485
+ "rexml": "<div style='color: blue;'></div>"
486
+ },
487
+
488
+ {
489
+ "name": "attributes_with_embedded_quotes",
490
+ "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
491
+ "output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
492
+ "rexml": "Ill-formed XHTML!"
493
+ },
494
+
495
+ {
496
+ "name": "attributes_with_embedded_quotes_II",
497
+ "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
498
+ "output": "<img src='notthere.jpg%22%22onerror=%22alert(2)'>",
499
+ "rexml": "Ill-formed XHTML!"
500
+ }
501
+ ]