Because of this, a base64 encoded XSS script can be injected. I have attached a test for the same.
```ruby
# Reproduction test, meant for rails-html-sanitizer's test/sanitizer_test.rb
# (SanitizersTest), where scope_allowed_tags, scope_allowed_attributes and
# safe_list_sanitize are defined.
def test_sanitize_data_protocol
  text = '- XSS"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">- XSS"><iframe src="data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg=="></iframe></iframe>'
  scope_allowed_tags %w(iframe) do
    scope_allowed_attributes %w(src) do
      # both src values are data: URIs carrying script, so both must be stripped
      assert_equal %(- XSS\"><iframe>- XSS\"><iframe></iframe></iframe>), safe_list_sanitize(text)
    end
  end
end
```
I am not well accustomed to this project or loofah, but I tried updating the corresponding code to be in sync with loofah, and that seems to solve the XSS problem. Change is in PR #134
In the future, though, please report vulnerabilities for Rails following the program description here: https://rubyonrails.org/security. I'll make sure the rails-html-sanitizer README states this more explicitly.
Currently, in the scrub_attribute method, there is divergence between the code present in loofah
https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/scrub.rb#L38-L61
vs how it is handled in the PermitScrubber class
https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/scrubbers.rb#L142-L154
The section around safe data URI is missing.
The test fails with:
Unable to scrub the base64 encoded script.
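To show what the missing "safe data: URI" branch does, here is an added stand-alone Ruby sketch of the media-type check, written for this page and not taken from rails-html-sanitizer or Loofah; the two allowlists, the `SCHEME_RE` pattern and the toy `kept_src_values` extractor are assumptions for illustration, not the libraries' real constants or API.

```ruby
# Added example, not rails-html-sanitizer's or Loofah's own code: a stand-alone
# version of the "safe data: URI" media-type check that the issue says is
# missing from PermitScrubber#scrub_attribute. Both allowlists below are
# assumptions for illustration, not the libraries' real constants.
require "cgi"

ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze
ALLOWED_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png].freeze
SCHEME_RE = /\A[a-z0-9][-+.a-z0-9]*:/

# Returns true if a URI-valued attribute (src, href, ...) may be kept.
# html5lib-style approach: unescape entities, strip control characters and
# whitespace, downcase, then check the scheme and, for data: URIs, the
# declared media type. Checking the scheme alone is what lets a
# data:text/html payload through, which is the bug in the issue.
def safe_uri_attribute?(value)
  unescaped = CGI.unescapeHTML(value).gsub(/[[:cntrl:]\s]/, "").downcase
  return true unless unescaped.match?(SCHEME_RE) # relative URL, no scheme
  scheme, rest = unescaped.split(":", 2)
  return ALLOWED_PROTOCOLS.include?(scheme) unless scheme == "data"
  # data:[<mediatype>][;base64],<data>; RFC 2397 defaults a missing
  # media type to text/plain, which is not on the allowlist above.
  mediatype = rest.split(",", 2).first.to_s.split(";").first || "text/plain"
  ALLOWED_DATA_MEDIATYPES.include?(mediatype)
end

# Toy attribute extractor for the demo only: pulls src="..." values out of a
# string with a regex. The real scrubber works on Nokogiri attribute nodes.
def kept_src_values(html)
  html.scan(/src="([^"]*)"/).flatten.select { |v| safe_uri_attribute?(v) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the first data: payload from the issue's test plus
  # one inert PNG data URI that a sanitizer should keep.
  sample = '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="></iframe>' \
           '<img src="data:image/png;base64,iVBORw0KGgo=">'
  p kept_src_values(sample) # => ["data:image/png;base64,iVBORw0KGgo="]
end
```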