I'm wondering if this is an OWASP bug.
Using the following XSS, it looks like the OWASP sanitizer didn't remove all the dangerous scripts.
<<img=""/>img src=1 onerror=alert('XSS');>
This is the result after running the sanitizer:
<img src=1 onerror=alert('XSS');>
Is that a bug? Or do I need to do something else to sanitize the content? I'm thinking that I have to call the sanitizer from a "loop", but this is not a good idea because it could end up in an endless loop. (I can avoid that endless loop, but this feels more like an OWASP bug.)
Thank you for your help!!
-- Vicente
Can you please report this on GitHub so we can track it?
Aloha, Jim
--
On Tue, Nov 7, 2017 at 9:30 PM, Jim Manico <jim.m...@owasp.org> wrote:
> Can you please report this on GitHub so we can track it?
Vicente was kind enough to report it via bugcrowd where it was determined to be a false positive.
> On 11/7/17 10:57 AM, Vicente Villegas Larios wrote:
hello all,
sorry for the delay in my answers.
I'm getting the same result as you, but in my case we are unescaping the HTML (which is leading to the vulnerability). It is easily fixed in my function just by calling the sanitizer again, but I was thinking that the call to "Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).sanitize(XSS).trim();" should remove all the dangerous JS; instead it is just escaping it, and that's why I was thinking this was an OWASP bug.
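The last message above is the whole story: the sanitizer turned the stray `img src=1 onerror=...` text into escaped, inert text, and an HTML-unescape step applied afterwards turned it back into live markup. The following is an added example (not code from the thread or from the OWASP Java HTML Sanitizer project) that makes the two stages visible. It uses the policy quoted in the thread, `Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)`, and assumes that the post-processing step was an HTML4 unescape such as Apache Commons Text's `StringEscapeUtils.unescapeHtml4`; the thread does not say which unescape routine was actually used. The `hasLiveEventHandler` check is a rough, demo-only regex, not part of the library.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import java.util.regex.Pattern;

public class SanitizeThenUnescapeDemo {
    // Policy exactly as quoted in the thread: inline formatting plus block elements.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    // Demo-only heuristic: does the string contain a real (unescaped) start tag
    // that carries an on* event-handler attribute? Matches "<img src=1 onerror="
    // but not the entity-escaped "&lt;img src=1 onerror=", which a browser
    // renders as text rather than as an element.
    static final Pattern EVENT_HANDLER_IN_TAG =
        Pattern.compile("<[a-zA-Z][^>]*\\son[a-zA-Z]+\\s*=", Pattern.CASE_INSENSITIVE);

    static boolean hasLiveEventHandler(String html) {
        return EVENT_HANDLER_IN_TAG.matcher(html).find();
    }

    // Assumed reconstruction of the post-processing step described in the thread:
    // an HTML unescape applied to the sanitizer's output. Any routine that decodes
    // &lt; and &gt; back into < and > has the same effect.
    static String unescapeLikeTheReportedCode(String sanitized) {
        return org.apache.commons.text.StringEscapeUtils.unescapeHtml4(sanitized);
    }

    public static void main(String[] args) {
        // Payload from the thread.
        String untrusted = "<<img=\"\"/>img src=1 onerror=alert('XSS');>";

        // Stage 1: sanitize. The unknown element is dropped and the leftover
        // "img src=1 onerror=..." is emitted as escaped text, so no element with
        // an event handler survives in this string.
        String sanitized = POLICY.sanitize(untrusted).trim();
        System.out.println("sanitized                  : " + sanitized);
        System.out.println("live handler after sanitize: " + hasLiveEventHandler(sanitized));

        // Stage 2: the unescape that the reporter's own code applied afterwards.
        // This decodes the entities and reconstitutes a live <img onerror=...> tag,
        // which is what the reporter saw and mistook for sanitizer output.
        String unescaped = unescapeLikeTheReportedCode(sanitized);
        System.out.println("unescaped                  : " + unescaped);
        System.out.println("live handler after unescape: " + hasLiveEventHandler(unescaped));
    }
}
```

The fix implied by the thread is ordering, not looping: if untrusted input arrives HTML-encoded, decode it first and sanitize last, and never HTML-unescape the sanitizer's output before handing it to the browser. Re-running the sanitizer after the unescape works only because it re-escapes what the unescape exposed, and it would have to be repeated after every later decode.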