Opened 18 years ago
Closed 18 years ago
#97 closed defect (fixed)
HTMLSanitizer should strip style attributes by default
| Reported by: | jim-genshi.edgewall.org@… | Owned by: | cmlenz |
|---|---|---|---|
| Priority: | critical | Milestone: | 0.4 |
| Component: | General | Version: | devel |
| Keywords: | security | Cc: | |
Description
The current filter special-cases the style attribute and attempts to strip it of dangerous properties. However the current code is easy to bypass, and implementing a proper filter is non-trivial. The style attribute should be removed from SAFE_ATTRS.
Change History (3)
comment:1 (follow-up: 2) Changed 18 years ago by cmlenz
Can you provide examples how the style-filtering is easy to bypass?
comment:2 (in reply to: 1) Changed 18 years ago by jim-genshi.edgewall.org@…
Replying to cmlenz:
> Can you provide examples how the style-filtering is easy to bypass?
Firstly, you can avoid straight string matches with backslashes or escaped Unicode characters. Secondly, you can do all kinds of annoying things with other properties, like black out the entire page. Thirdly, it does a naïve split along semicolons to separate the declarations — with creative use of string escaping, it might be possible to get more stuff past it that way.
comment:3 Changed 18 years ago by cmlenz
- Resolution set to fixed
- Status changed from new to closed
Okay, in [523] I removed style from the default set of safe attributes. I also added handling of Unicode escapes, so that attacks relying on that technique should be avoided.
If there are any other concrete examples for vulnerabilities of the sanitizer, I'd love to hear about them!
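As an added illustration of the points raised in comments 2 and 3, the following example code is not part of Genshi or of changeset [523]. It shows the three defensive pieces a sanitizer needs here: an attribute allowlist that omits `style` by default, a CSS escape decoder so that an escaped property name compares equal to its plain spelling, and a declaration splitter that respects quotes and parentheses instead of splitting naively on semicolons. The `SAFE_ATTRS` set, the sample style values and the function names are constructed for this example and do not reflect Genshi's actual API.

```python
import re

# Allowlist of attributes kept by default. "style" is intentionally absent:
# a style value is a mini-language that needs its own parser, so dropping
# the attribute is the safe default. (Constructed list, not Genshi's SAFE_ATTRS.)
SAFE_ATTRS = frozenset([
    "abbr", "alt", "cite", "class", "height", "href", "id", "lang",
    "name", "src", "title", "width",
])

# A CSS escape is a backslash followed by 1-6 hex digits (plus one optional
# whitespace terminator) or by any single non-newline character.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\f\r]?|([^\n]))")


def decode_css_escapes(value):
    """Resolve backslash escapes so that '\\63 olor' compares equal to 'color'."""
    def repl(match):
        hexdigits, char = match.group(1), match.group(2)
        if hexdigits is None:
            return char
        codepoint = int(hexdigits, 16)
        # NUL, surrogates and out-of-range values become U+FFFD, as CSS requires.
        if codepoint == 0 or 0xD800 <= codepoint <= 0xDFFF or codepoint > 0x10FFFF:
            return "\ufffd"
        return chr(codepoint)
    return _CSS_ESCAPE.sub(repl, value)


def split_declarations(style_value):
    """Split a declaration block on top-level semicolons only.

    Semicolons inside quoted strings, inside parentheses such as url(...),
    or preceded by a backslash do not end a declaration.
    """
    declarations, buf, quote, depth, i = [], [], None, 0, 0
    while i < len(style_value):
        ch = style_value[i]
        if ch == "\\" and i + 1 < len(style_value):
            buf.append(ch)
            buf.append(style_value[i + 1])
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        elif ch == ";" and depth == 0:
            declarations.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    declarations.append("".join(buf))
    return [d.strip() for d in declarations if d.strip()]


def property_names(style_value):
    """Normalized (escape-decoded, lowercased) property names of a style value."""
    names = []
    for declaration in split_declarations(style_value):
        name, _, _ = declaration.partition(":")
        names.append(decode_css_escapes(name).strip().lower())
    return names


def sanitize_attrs(attrs, safe_attrs=SAFE_ATTRS):
    """Keep only allowlisted attributes from a list of (name, value) pairs."""
    return [(name, value) for name, value in attrs if name.lower() in safe_attrs]


if __name__ == "__main__":
    # Constructed sample: the same property spelled plainly and with escapes.
    sample = r"\63 olor: red; background: url('a;b'); WID\74H: 1px"
    print(split_declarations(sample))
    print(property_names(sample))  # ['color', 'background', 'width']
    print(sanitize_attrs([("href", "/"), ("style", sample)]))  # style is dropped
```

Any property check done on the raw attribute value, before `decode_css_escapes`, compares against the escaped spelling and therefore misses it; normalizing first (or, as in [523], not allowing `style` at all) closes that gap.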