Recommend upgrade to 20180219.1: addresses iOS/MacOS "text bomb"
18 views
Skip to first unread message
Mike Samuel
Feb 19, 2018, 12:07:35 PM2/19/18
to owasp-java-html-s...@googlegroups.com, OWASP Java HTML Sanitizer Support
The latest release of OWASP Java HTML sanitizer addresses a denial
of service attack whereby crafted text sequences can crash an iPhone or
Mac browser.
A popular press article [1] says
> software engineers at Aloha Browser discovered two Unicode symbols
> in a non-English language that can crash any Apple device that uses
> Apple’s default San Francisco font.
Manish Goregaokar [2] (may contain payload) says
> So, ultimately, the full set of cases that cause the crash are:
> Any sequence <consonant1, virama, consonant2, ZWNJ, vowel>
> in Devanagari, Bengali, and Telugu, where: ...
The latest release [3] removes ZWNJ [4] before Bengali, Devanagari,
and Telugu vowels and vowel signs to address this problem. This should
not adversely affect legitimate uses of those languages.
> a ZWNJ before a vowel doesn’t really do anything for most Indic scripts.
[1]: https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/
[2]: https://manishearth.github.io/blog/2018/02/15/picking-apart-the-crashing-ios-string/
[3]: https://github.com/OWASP/java-html-sanitizer/commit/a7760d0ca4de99cd27f6a501c5bb31fa4ce4a0c5
[4]: https://en.wikipedia.org/wiki/Zero-width_non-joiner
of service attack whereby crafted text sequences can crash an iPhone or
Mac browser.
A popular press article [1] says
> software engineers at Aloha Browser discovered two Unicode symbols
> in a non-English language that can crash any Apple device that uses
> Apple’s default San Francisco font.
Manish Goregaokar [2] (may contain payload) says
> So, ultimately, the full set of cases that cause the crash are:
> Any sequence <consonant1, virama, consonant2, ZWNJ, vowel>
> in Devanagari, Bengali, and Telugu, where: ...
The latest release [3] removes ZWNJ [4] before Bengali, Devanagari,
and Telugu vowels and vowel signs to address this problem. This should
not adversely affect legitimate uses of those languages.
> a ZWNJ before a vowel doesn’t really do anything for most Indic scripts.
[1]: https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/
[2]: https://manishearth.github.io/blog/2018/02/15/picking-apart-the-crashing-ios-string/
[3]: https://github.com/OWASP/java-html-sanitizer/commit/a7760d0ca4de99cd27f6a501c5bb31fa4ce4a0c5
[4]: https://en.wikipedia.org/wiki/Zero-width_non-joiner
Mike Samuel
Feb 19, 2018, 12:13:38 PM2/19/18
to OWASP Java HTML Sanitizer Support
It will takes Maven's search engine some time to index new releases. In the meantime
Reply all
Reply to author
Forward
0 new messages