style-Attribute and no img-Tags... allowed


Johannes Lichtenberger
May 26, 2014, 9:55:25 AM
to owasp-java-html-...@googlegroups.com
Hello,

I've probably found another issue with the most recent version (r232) and the style="" attribute.

With the following string and the policies (Sanitizers.FORMATTING, Sanitizers.BLOCKS, Sanitizers.LINKS, Sanitizers.STYLES):

xss<a href=\"http://www.google.de\" style=\"color:red;\" onmouseover=alert(1) onmousemove=\"alert(2)\" onclick=alert(3)>g<img src=\"http://example.org\"/>oogle</a>

The output is:

"xss<a href=\"http://www.google.de\" rel=\"nofollow\">google</a>"

But I think it should be:

"xss<a href=\"http://www.google.de\" style=\"color:red\" rel=\"nofollow\">google</a>".

Kind regards
Johannes

Johannes Lichtenberger
May 26, 2014, 10:24:34 AM
to owasp-java-html-...@googlegroups.com
Sorry, the backslashes are just used in a unit test for a renderer which utilizes the HTMLSanitizer, to escape the quote characters in a simple String.

Johannes Lichtenberger
May 26, 2014, 11:40:54 AM
to owasp-java-html-...@googlegroups.com
I'm not sure if it's my fault:

    public void testImagesParam() throws RendererException, IOException
    {
        // Same unsafe input as in the first message: inline event handlers,
        // a style attribute and an img inside the anchor.
        final String l_strUnsafeHTML;

        l_strUnsafeHTML = "xss<a href=\"http://www.google.de\" style=\"color:red;\" onmouseover=alert(1) onmousemove=\"alert(2)\" onclick=alert(3)>g<img src=\"http://example.org\"/>oogle</a>";

        final IPipedRenderer l_renderer;

        // First run: IMAGES policy enabled, so the img tag should survive
        // while the event handlers are stripped and the style is kept.
        l_renderer = new XssProtectionRenderer();
        l_renderer.setParam(XssProtectionRenderer.IMAGES, true);

        String l_strOutput = l_renderer.getOutput(ValueHolderFactory.getValueHolder(l_strUnsafeHTML));

        assertEquals("xss<a href=\"http://www.google.de\" style=\"color:red\" rel=\"nofollow\">g<img src=\"http://example.org\" />oogle</a>", l_strOutput);

        // Second run: IMAGES policy disabled, so the img tag is dropped;
        // the style attribute should still be kept.
        l_renderer.reset();
        l_renderer.setParam(XssProtectionRenderer.IMAGES, false);

        l_strOutput = l_renderer.getOutput(ValueHolderFactory.getValueHolder(l_strUnsafeHTML));

        assertEquals("xss<a href=\"http://www.google.de\" style=\"color:red\" rel=\"nofollow\">google</a>", l_strOutput);

        l_renderer.finish(true);
    }

Sometimes the second assertion holds (most of the time) and sometimes it does not. However, I'm not doing anything in parallel within the renderer (and I'm sure from debugging that the HTMLSanitizer isn't doing anything in parallel either). Strange...

Johannes Lichtenberger
May 30, 2014, 4:27:45 AM
to owasp-java-html-...@googlegroups.com
I think I know what the problem is, or at least it somehow has to do with the order in which the policies are chained via ".and(...)".

Johannes Lichtenberger
May 30, 2014, 4:43:56 AM
to owasp-java-html-...@googlegroups.com
Confirmed: it always happens when Sanitizers.STYLES is appended (I mean "and-ed") before Sanitizers.IMAGES.

Johannes Lichtenberger
May 30, 2014, 4:47:59 AM
to owasp-java-html-...@googlegroups.com
Sorry, I mean STYLES before LINKS.
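The order dependence described in the last three messages, and the expectation from the first message (event handlers stripped, style attribute kept, img dropped when no IMAGES policy is present), as an added example. This is not code from the thread or from the OWASP Java HTML Sanitizer project; it only assumes the public `Sanitizers` constants and `PolicyFactory.and(...)` / `sanitize(...)` that the thread itself refers to. The input string is the one posted above, without the test-string escaping. The class name `PolicyOrderCheck` and the helper `isAcceptable` are my own.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example (not part of the original thread or the sanitizer project):
 * sanitizes the same input with STYLES chained before and after LINKS and
 * reports whether the output depends on the chaining order.
 */
public class PolicyOrderCheck {

    // Constructed input: the string from the first message of the thread.
    static final String UNSAFE =
        "xss<a href=\"http://www.google.de\" style=\"color:red;\""
        + " onmouseover=alert(1) onmousemove=\"alert(2)\" onclick=alert(3)>"
        + "g<img src=\"http://example.org\"/>oogle</a>";

    // STYLES and-ed before LINKS: the order reported as losing the style attribute.
    static final PolicyFactory STYLES_BEFORE_LINKS = Sanitizers.FORMATTING
        .and(Sanitizers.BLOCKS)
        .and(Sanitizers.STYLES)
        .and(Sanitizers.LINKS);

    // STYLES and-ed after LINKS: the order reported as working.
    static final PolicyFactory LINKS_BEFORE_STYLES = Sanitizers.FORMATTING
        .and(Sanitizers.BLOCKS)
        .and(Sanitizers.LINKS)
        .and(Sanitizers.STYLES);

    /**
     * What the poster expects from the sanitized output: the colour style
     * survives, every inline event handler is gone, and because no IMAGES
     * policy is chained the img tag is gone as well.
     */
    static boolean isAcceptable(String out) {
        String lower = out.toLowerCase();
        return out.contains("style=\"color:red")
            && !lower.contains("onmouseover")
            && !lower.contains("onmousemove")
            && !lower.contains("onclick")
            && !lower.contains("<img");
    }

    public static void main(String[] args) {
        String stylesFirst = STYLES_BEFORE_LINKS.sanitize(UNSAFE);
        String linksFirst = LINKS_BEFORE_STYLES.sanitize(UNSAFE);

        System.out.println("STYLES before LINKS: " + stylesFirst);
        System.out.println("LINKS before STYLES: " + linksFirst);

        // Chaining policies with .and(...) is meant to be order independent;
        // a difference here is the behaviour the thread reports.
        if (!stylesFirst.equals(linksFirst)) {
            System.out.println("Output depends on the order the policies were and-ed.");
        }
        if (!isAcceptable(stylesFirst) || !isAcceptable(linksFirst)) {
            System.out.println("Style attribute lost or unsafe markup kept.");
            System.exit(1);
        }
        System.out.println("Both orders keep the style and strip the handlers.");
    }
}
```

Running this against a sanitizer build from before the fix discussed below in the thread would exit with status 1 for the STYLES-before-LINKS chain; against a fixed build both chains produce the same output. Comparing the two chains rather than hard-coding one expected string keeps the check independent of details such as whether the trailing `;` in `color:red;` is normalized away.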

Mike Samuel
May 30, 2014, 10:55:02 AM
to owasp-java-html-...@googlegroups.com
Odd. I'll look into it.

Mike Samuel
Jun 1, 2014, 11:15:59 AM
to owasp-java-html-...@googlegroups.com
If https://code.google.com/p/owasp-java-html-sanitizer/source/detail?r=237#
looks like it fixes your problem, I'll start the push to maven.

Johannes Lichtenberger
Jun 2, 2014, 2:48:02 AM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Thanks, I think that's the fix :-)