sanitize 5.2.0 → 5.2.1
- checksums.yaml +4 -4
- data/HISTORY.md +36 -0
- data/README.md +11 -0
- data/lib/sanitize/config/default.rb +1 -1
- data/lib/sanitize/version.rb +1 -1
- data/test/test_clean_element.rb +20 -10
- data/test/test_malicious_html.rb +13 -0
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3d1290690a9d32db9e06b8fb19c7e285c94a1d91ed51a4eb7e96389e427348d9
|
4
|
+
data.tar.gz: 5131063daf1763c83978954bed9ee3a783099e40aa71e50de26d06b8ae0c1054
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bfcb7cda6aa70590f642583b41936bc09d8929210046cebdd0d0ff452ccb3213844b4c40d4e205e79c0cd64a2a0d56e16790e38f4c8f247b8abfa32dbec22297
|
7
|
+
data.tar.gz: 0ea5a6d6848f9a125f17e4e23145adff4d3c4ccfe30a3407466fae074ed33cbd4b1869eb5a9f0a72b808449b8cf166a3695c2a6d63b16a83b047fd260bfe50bd
|
data/HISTORY.md
CHANGED
@@ -1,5 +1,41 @@
|
|
1
1
|
# Sanitize History
|
2
2
|
|
3
|
+
## 5.2.1 (2020-06-16)
|
4
|
+
|
5
|
+
### Bug Fixes
|
6
|
+
|
7
|
+
* Fixed an HTML sanitization bypass that could allow XSS. This issue affects
|
8
|
+
Sanitize versions 3.0.0 through 5.2.0.
|
9
|
+
|
10
|
+
When HTML was sanitized using the "relaxed" config or a custom config that
|
11
|
+
allows certain elements, some content in a `<math>` or `<svg>` element may not
|
12
|
+
have beeen sanitized correctly even if `math` and `svg` were not in the
|
13
|
+
allowlist. This could allow carefully crafted input to sneak arbitrary HTML
|
14
|
+
through Sanitize, potentially enabling an XSS (cross-site scripting) attack.
|
15
|
+
|
16
|
+
You are likely to be vulnerable to this issue if you use Sanitize's relaxed
|
17
|
+
config or a custom config that allows one or more of the following HTML
|
18
|
+
elements:
|
19
|
+
|
20
|
+
- `iframe`
|
21
|
+
- `math`
|
22
|
+
- `noembed`
|
23
|
+
- `noframes`
|
24
|
+
- `noscript`
|
25
|
+
- `plaintext`
|
26
|
+
- `script`
|
27
|
+
- `style`
|
28
|
+
- `svg`
|
29
|
+
- `xmp`
|
30
|
+
|
31
|
+
See the security advisory for more details, including a workaround if you're
|
32
|
+
not able to upgrade: [GHSA-p4x4-rw2p-8j8m]
|
33
|
+
|
34
|
+
Many thanks to Michał Bentkowski of Securitum for reporting this issue and
|
35
|
+
helping to verify the fix.
|
36
|
+
|
37
|
+
[GHSA-p4x4-rw2p-8j8m]:https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
|
38
|
+
|
3
39
|
## 5.2.0 (2020-06-06)
|
4
40
|
|
5
41
|
### Changes
|
data/README.md
CHANGED
@@ -72,6 +72,11 @@ Sanitize can sanitize the following types of input:
|
|
72
72
|
* Standalone CSS stylesheets
|
73
73
|
* Standalone CSS properties
|
74
74
|
|
75
|
+
However, please note that Sanitize _cannot_ fully sanitize the contents of
|
76
|
+
`<math>` or `<svg>` elements, since these elements don't follow the same parsing
|
77
|
+
rules as the rest of HTML. If this is something you need, you may want to look
|
78
|
+
for another solution.
|
79
|
+
|
75
80
|
### HTML Fragments
|
76
81
|
|
77
82
|
A fragment is a snippet of HTML that doesn't contain a root-level `<html>`
|
@@ -415,6 +420,12 @@ elements not in this array will be removed.
|
|
415
420
|
]
|
416
421
|
```
|
417
422
|
|
423
|
+
**Warning:** Sanitize cannot fully sanitize the contents of `<math>` or `<svg>`
|
424
|
+
elements, since these elements don't follow the same parsing rules as the rest
|
425
|
+
of HTML. If you add `math` or `svg` to the allowlist, you must assume that any
|
426
|
+
content inside them will be allowed, even if that content would otherwise be
|
427
|
+
removed by Sanitize.
|
428
|
+
|
418
429
|
#### :parser_options (Hash)
|
419
430
|
|
420
431
|
[Parsing options](https://github.com/rubys/nokogumbo/tree/v2.0.1#parsing-options) supplied to `nokogumbo`.
|
@@ -74,7 +74,7 @@ class Sanitize
|
|
74
74
|
# the specified elements (when filtered) will be removed, and the contents
|
75
75
|
# of all other filtered elements will be left behind.
|
76
76
|
:remove_contents => %w[
|
77
|
-
iframe noembed noframes noscript script style
|
77
|
+
iframe math noembed noframes noscript plaintext script style svg xmp
|
78
78
|
],
|
79
79
|
|
80
80
|
# Transformers allow you to filter or alter nodes using custom logic. See
|
data/lib/sanitize/version.rb
CHANGED
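--- a/data/test/test_clean_element.rb
+++ b/data/test/test_clean_element.rb
@@ -192,21 +192,16 @@ describe 'Sanitize::Transformers::CleanElement' do
 .must_equal ''
 end
 
-it 'should escape the content of removed `plaintext` elements' do
-Sanitize.fragment('<plaintext>hello! <script>alert(0)</script>')
-.must_equal 'hello! <script>alert(0)</script>'
-end
-
-it 'should escape the content of removed `xmp` elements' do
-Sanitize.fragment('<xmp>hello! <script>alert(0)</script></xmp>')
-.must_equal 'hello! <script>alert(0)</script>'
-end
-
 it 'should not preserve the content of removed `iframe` elements' do
 Sanitize.fragment('<iframe>hello! <script>alert(0)</script></iframe>')
 .must_equal ''
 end
 
+it 'should not preserve the content of removed `math` elements' do
+Sanitize.fragment('<math>hello! <script>alert(0)</script></math>')
+.must_equal ''
+end
+
 it 'should not preserve the content of removed `noembed` elements' do
 Sanitize.fragment('<noembed>hello! <script>alert(0)</script></noembed>')
 .must_equal ''
@@ -222,6 +217,11 @@ describe 'Sanitize::Transformers::CleanElement' do
 .must_equal ''
 end
 
+it 'should not preserve the content of removed `plaintext` elements' do
+Sanitize.fragment('<plaintext>hello! <script>alert(0)</script>')
+.must_equal ''
+end
+
 it 'should not preserve the content of removed `script` elements' do
 Sanitize.fragment('<script>hello! <script>alert(0)</script></script>')
 .must_equal ''
@@ -232,6 +232,16 @@ describe 'Sanitize::Transformers::CleanElement' do
 .must_equal ''
 end
 
+it 'should not preserve the content of removed `svg` elements' do
+Sanitize.fragment('<svg>hello! <script>alert(0)</script></svg>')
+.must_equal ''
+end
+
+it 'should not preserve the content of removed `xmp` elements' do
+Sanitize.fragment('<xmp>hello! <script>alert(0)</script></xmp>')
+.must_equal ''
+end
+
 strings.each do |name, data|
 it "should clean #{name} HTML" do
 Sanitize.fragment(data[:html]).must_equal(data[:default])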
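--- a/data/test/test_malicious_html.rb
+++ b/data/test/test_malicious_html.rb
@@ -219,4 +219,17 @@ describe 'Malicious HTML' do
 end
 end
 end
+
+# https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
+describe 'foreign content bypass in relaxed config' do
+it 'prevents a sanitization bypass via carefully crafted foreign content' do
+%w[iframe noembed noframes noscript plaintext script style xmp].each do |tag_name|
+@s.fragment(%[<math><#{tag_name}>/*</#{tag_name}><img src onerror=alert(1)>*/]).
+must_equal ''
+
+@s.fragment(%[<svg><#{tag_name}>/*</#{tag_name}><img src onerror=alert(1)>*/]).
+must_equal ''
+end
+end
+end
 end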
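Review bot: The regression test asserts only against `@s`, which is created in a `before` block outside this hunk and, going by the describe title, carries the relaxed config; the HISTORY entry in this release says a custom config allowing any one of the listed elements is affected as well, so the fix should also be pinned for the default config and for a minimal allowlist that contains just `math` or `svg`. The cheapest addition is a parallel assertion with the default entry point already used elsewhere in these tests, e.g. `Sanitize.fragment(%[<math><#{tag_name}>/*</#{tag_name}><img src onerror=alert(1)>*/]).must_equal ''` inside the same loop. The `%w[...]` list here also omits `math` and `svg` as the inner element, which is a reasonable choice since they are the wrappers, but a one-line comment saying so would stop a reader from reporting it as an oversight.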
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sanitize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryan Grove
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-06-
|
11
|
+
date: 2020-06-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: crass
|
@@ -135,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
135
135
|
- !ruby/object:Gem::Version
|
136
136
|
version: 1.2.0
|
137
137
|
requirements: []
|
138
|
-
rubygems_version: 3.
|
138
|
+
rubygems_version: 3.1.2
|
139
139
|
signing_key:
|
140
140
|
specification_version: 4
|
141
141
|
summary: Allowlist-based HTML and CSS sanitizer.
|