sanitize 6.0.1 → 6.0.2

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 819d713b2d4a78519e8bd4f2f853d6558d93ffd2d0481e10d012d8f74afbb555
4
- data.tar.gz: 04a48476bf940cfffc12654e71d60a95fd93c0576b6bec6870c2defb5b72fa90
3
+ metadata.gz: 93adca1e155370d138ccb7c500b618e2ed218297d21593ec8937638f4d99731b
4
+ data.tar.gz: 740b6d84113a0945928601b6cad03e36b4ee76f7c3098c72ddb1a1b01ec5d0ec
5
5
  SHA512:
6
- metadata.gz: ed59ea47cc4a620ccf61be3443ef97036a877903bbc90fa855936e57446e34b92f5b9eb41ed9a026e17779fa473ce10d066986c1dd986c58381dae22bb7c9905
7
- data.tar.gz: 27b40d2033ecd346c299bb77a7788b5325b79edd39c4767c9e5bf27486cf29bf2a5f3b34f96def645bbefd325b0e51a27182b75f187d2eb00931542769cd8c37
6
+ metadata.gz: 4d3e9852ec92ac961c2e35d4a04e7d967dd2eac364e656837b93daf95c1b653da53d4ef7f104af83887e46d08237ddca1efa945facde3efbfcfce0164c0fe334
7
+ data.tar.gz: 05a56334e5cdbbee7b165b19245b90a8acdd82bcd72bbc9f84e2780d914f8b040d19d9ff71934b0c1bd71df4b55f407f460c76dffdbd275b183ecaffb2fa6c38
data/HISTORY.md CHANGED
@@ -1,5 +1,22 @@
1
1
  # Sanitize History
2
2
 
3
+ ## 6.0.2 (2023-07-06)
4
+
5
+ ### Bug Fixes
6
+
7
+ * CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
8
+ (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
9
+ 6.0.1.
10
+
11
+ When using Sanitize's relaxed config or a custom config that allows `<style>`
12
+ elements and one or more CSS at-rules, carefully crafted input could be used
13
+ to sneak arbitrary HTML through Sanitize.
14
+
15
+ See the following security advisory for additional details:
16
+ [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
17
+
18
+ Thanks to @cure53 for finding this issue.
19
+
3
20
  ## 6.0.1 (2023-01-27)
4
21
 
5
22
  ### Bug Fixes
@@ -48,6 +48,7 @@ class CleanElement
48
48
  if css.strip.empty?
49
49
  node.unlink
50
50
  else
51
+ css.gsub!('</', '<\/')
51
52
  node.children.unlink
52
53
  node << Nokogiri::XML::Text.new(css, node.document)
53
54
  end
@@ -1,5 +1,3 @@
1
- # encoding: utf-8
2
-
3
1
  class Sanitize
4
- VERSION = '6.0.1'
2
+ VERSION = '6.0.2'
5
3
  end
@@ -39,4 +39,17 @@ describe 'Malicious CSS' do
39
39
  it 'should not allow behaviors' do
40
40
  _(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
41
41
  end
42
+
43
+ describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
44
+ before do
45
+ @s = Sanitize.new(Sanitize::Config::RELAXED)
46
+ end
47
+
48
+ it 'is not possible to prematurely end a <style> element' do
49
+ assert_equal(
50
+ %[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
51
+ @s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
52
+ )
53
+ end
54
+ end
42
55
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanitize
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.1
4
+ version: 6.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Grove
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-01-27 00:00:00.000000000 Z
11
+ date: 2023-07-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: crass
@@ -121,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
121
121
  - !ruby/object:Gem::Version
122
122
  version: 1.2.0
123
123
  requirements: []
124
- rubygems_version: 3.4.1
124
+ rubygems_version: 3.4.10
125
125
  signing_key:
126
126
  specification_version: 4
127
127
  summary: Allowlist-based HTML and CSS sanitizer.