#455 closed defect (fixed)
An attacker can bypass HTML sanitization based on CSS
| Reported by: | jomae | Owned by: | hodgestar |
|---|---|---|---|
| Priority: | critical | Milestone: | 0.6.1 |
| Component: | General | Version: | 0.6 |
| Keywords: | | Cc: | |
Description
The current HTMLSanitizer has XSS vulnerabilities based on CSS. The details are in http://heideri.ch/jso/#80, http://heideri.ch/jso/#61 and http://openmya.hacker.jp/hasegawa/security/expression.txt.
The same issue in Trac has been fixed in trac:r10788 and I hope the unit tests are helpful.
Change History (2)
comment:1 Changed 13 years ago by hodgestar
- Owner changed from cmlenz to hodgestar
comment:2 Changed 13 years ago by hodgestar
- Resolution set to fixed
- Status changed from new to closed
Backported to 0.6.x in r1176.
Thank you very much! Note that Genshi was less vulnerable than Trac because Genshi does not allow the style attribute by default and its documentation warns about exactly the sorts of issues you have raised. However, Genshi does attempt to sanitize style attributes if they are allowed through and I have applied your patches and tests from trac:r10788. The Genshi commit is r1174.
If you have the time I would appreciate a quick review of the patch and Genshi's new behaviour.
Note: I have retained Genshi's existing behaviour of disallowing style tags and the position CSS property by default (so as not to surprise existing Genshi users).
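As an added illustration of the class of bypass this ticket is about (this is not Genshi's or Trac's code and not the patch from trac:r10788), the following Python sketch sanitizes a style attribute by decoding CSS escapes and stripping comments before it looks for `expression(` and unsafe `url()` schemes, and it drops the `position` property as the comment above describes. The blocked-property set and the allowed URL schemes are assumptions chosen for the example.

```python
import re

# Hypothetical helper, not Genshi's sanitizer: normalise CSS before checking it,
# so obfuscated spellings such as "exp\72 ession(" or "expr/**/ession(" cannot
# slip past a naive substring test.

# CSS hex escapes (\41, \000041 with one optional trailing whitespace) and
# backslash escapes of other characters.
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?|\\([^0-9a-fA-F\r\n\f])')
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
# IE dynamic properties and URL functions, matched only after normalisation.
_EXPRESSION = re.compile(r'expression\s*\(', re.I)
_URL = re.compile(r'''url\s*\(\s*['"]?\s*([^'")]*)''', re.I)
_BLOCKED_PROPS = {'position'}        # assumption: mirrors the ticket's default
_SAFE_SCHEMES = {'http', 'https'}    # assumption: example allow-list


def _unescape(match):
    hexpart, literal = match.groups()
    if hexpart is not None:
        return chr(int(hexpart, 16))
    return literal


def normalize_css(text):
    """Decode CSS escapes, strip comments and drop stray control characters."""
    text = _CSS_ESCAPE.sub(_unescape, text)
    text = _CSS_COMMENT.sub('', text)
    return re.sub(r'[\x00-\x08\x0b\x0c\x0e-\x1f]', '', text)


def _safe_url(url):
    url = url.strip().lower()
    if ':' not in url:
        return True  # relative URL, no scheme to check
    return url.split(':', 1)[0] in _SAFE_SCHEMES


def sanitize_style(style):
    """Return the declarations of a style attribute that pass the checks."""
    kept = []
    for decl in normalize_css(style).split(';'):
        if ':' not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(':', 1))
        if not prop or prop.lower() in _BLOCKED_PROPS:
            continue
        if _EXPRESSION.search(value):
            continue
        if any(not _safe_url(m.group(1)) for m in _URL.finditer(value)):
            continue
        kept.append('%s: %s' % (prop, value))
    return kept
```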