"xss" appended to HTML output


Daniel Yee

Mar 1, 2019, 10:52:27 AM
to OWASP Java HTML Sanitizer Support
This is the first time I'm trying to use the sanitizer, but "xss" is being appended to the end. The script and link are sanitized so it looks like it's working. Is this behavior expected?


This is a Grails app and I've included the relevant code below. 


Controller:

String html = "<script>alert('This is Daniel testing');</script><a href='javascript:alert("This is Daniel testing 2.");'>Testing</a> Testing."

PolicyFactory policy = new HtmlPolicyBuilder()
    // Allow http, https, mailto
    .allowStandardUrlProtocols()
    // Allow title attribute on any element
    .allowAttributes("title").globally()
    // Allow href on anchor elements
    .allowAttributes("href").onElements("a")
    // Allow the following elements
    .allowElements(
        "a", "p", "div", "i", "b", "strong", "em",
        "br", "ul", "ol", "li"
    )
    .toFactory()

def courseDescription = policy.sanitize(html)
render template: "sectionDetails/sectionDetailsCourseDescription", model: [courseDescription: courseDescription, section: params.first ? section : ""]


View:
<g:if test="${courseDescription || courseDescription?.length() > 0}">${raw(courseDescription)}  </g:if>


Output:
Testing  
xss



Mike Samuel

Mar 1, 2019, 11:03:35 AM
to OWASP Java HTML Sanitizer Support
On Fri, Mar 1, 2019 at 10:52 AM Daniel Yee <tuf3...@temple.edu> wrote:
> This is the first time I'm trying to use the sanitizer, but "xss" is being appended to the end. The script and link are sanitized so it looks like it's working. Is this behavior expected?
>
> This is a Grails app and I've included the relevant code below.
>
> Controller:
>
> String html = "<script>alert('This is Daniel testing');</script><a href='javascript:alert("This is Daniel testing 2.");'>Testing</a> Testing."

This string seems malformed.  The double quotes in alert(...) should probably be escaped.

> PolicyFactory policy = new HtmlPolicyBuilder()
>     // Allow http, https, mailto
>     .allowStandardUrlProtocols()
>     // Allow title attribute on any element
>     .allowAttributes("title").globally()
>     // Allow href on anchor elements
>     .allowAttributes("href").onElements("a")
>     // Allow the following elements
>     .allowElements(
>         "a", "p", "div", "i", "b", "strong", "em",
>         "br", "ul", "ol", "li"
>     )
>     .toFactory()
>
> def courseDescription = policy.sanitize(html)
> render template: "sectionDetails/sectionDetailsCourseDescription", model: [courseDescription: courseDescription, section: params.first ? section : ""]
>
> View:
> <g:if test="${courseDescription || courseDescription?.length() > 0}">${raw(courseDescription)}  </g:if>
>
> Output:
> Testing
> xss

The test case below passes for me:

  {
    String html = "<script>alert('This is Daniel testing');</script><a href='javascript:alert(\"This is Daniel testing 2.\");'>Testing</a> Testing.";

    PolicyFactory policy = new HtmlPolicyBuilder()
        // Allow http, https, mailto
        .allowStandardUrlProtocols()
        // Allow title attribute on any element
        .allowAttributes("title").globally()
        // Allow href on anchor elements
        .allowAttributes("href").onElements("a")
        // Allow the following elements
        .allowElements(
            "a", "p", "div", "i", "b", "strong", "em",
            "br", "ul", "ol", "li"
            )
        .toFactory();

    String courseDescription = policy.sanitize(html);

    assertEquals("Testing Testing.", courseDescription);
  }


Might the double quotes thing have prevented that code from compiling and the output is coming from a .class file compiled from an older version?

-- 
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-saniti...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
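An added example, not code from the thread or from the OWASP Java HTML Sanitizer project, that turns the policy quoted above into a small stand-alone check. It runs the same HtmlPolicyBuilder policy over a few constructed inputs and reports whether each expectation holds: script and javascript: links removed (the case from the thread), an https href and a title attribute kept, an event-handler attribute and a disallowed element dropped, and plain text passed through unchanged (which is why a literal word in the template shows up verbatim in the output). The class name and the sample inputs are assumptions; it expects the owasp-java-html-sanitizer jar on the classpath.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical class name; the policy is the one from the thread, unchanged.
public class CourseDescriptionPolicyCheck {

    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            // Allow http, https, mailto
            .allowStandardUrlProtocols()
            // Allow title attribute on any element
            .allowAttributes("title").globally()
            // Allow href on anchor elements
            .allowAttributes("href").onElements("a")
            // Allow the following elements
            .allowElements("a", "p", "div", "i", "b", "strong", "em",
                           "br", "ul", "ol", "li")
            .toFactory();

    /** Sanitizes input and returns true when every expectation on the output holds. */
    static boolean check(String label, String input,
                         String[] mustContain, String[] mustNotContain) {
        String out = POLICY.sanitize(input);
        boolean ok = true;
        for (String s : mustContain) {
            if (!out.contains(s)) { ok = false; System.out.println("  missing: " + s); }
        }
        for (String s : mustNotContain) {
            if (out.contains(s)) { ok = false; System.out.println("  still present: " + s); }
        }
        System.out.println((ok ? "PASS " : "FAIL ") + label);
        System.out.println("  in : " + input);
        System.out.println("  out: " + out);
        return ok;
    }

    public static void main(String[] args) {
        boolean all = true;

        // Constructed inputs (not taken from the thread) that exercise the policy.
        all &= check("script and javascript: href removed (the thread's case)",
                "<script>alert('x');</script><a href='javascript:alert(\"y\");'>Testing</a> Testing.",
                new String[] {"Testing Testing."},
                new String[] {"<script", "javascript:", "<a"});

        all &= check("https href kept, title kept",
                "<p title=\"Course\"><a href=\"https://example.com/\">Syllabus</a></p>",
                new String[] {"href=\"https://example.com/\"", "title=\"Course\""},
                new String[] {});

        all &= check("event-handler attribute and disallowed element dropped, text kept",
                "<div onclick=\"alert(1)\">Intro</div><img src=\"x\">",
                new String[] {"<div>Intro</div>"},
                new String[] {"onclick", "<img"});

        all &= check("plain text passes through unchanged",
                "xss",
                new String[] {"xss"},
                new String[] {});

        System.out.println(all ? "all checks passed" : "some checks failed");
        System.exit(all ? 0 : 1);
    }
}
```

The first case is the assertion from the test case above restated as a property check; the last case is the point the thread ends on: the sanitizer only transforms what it is handed, so text that appears after the sanitized value in the rendered page has to come from somewhere else, such as the GSP template itself.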

Daniel Yee

Mar 1, 2019, 1:56:28 PM
to OWASP Java HTML Sanitizer Support
The first rule of debugging is: 1) It's probably your fault. =)

I found a stray "xss" at the very end of the GSP view.

Mike Samuel

Mar 1, 2019, 1:58:06 PM
to OWASP Java HTML Sanitizer Support
I'm glad you got it sorted out.
