Subject: HTML::Scrubber security: XSS vulnerability, any configuration
HTML::Scrubber-0.02, tested under perl-5.008 on FreeBSD:
Any web application using HTML::Scrubber to clean up untrusted HTML is likely to be vulnerable to cross site scripting attacks, because HTML::Scrubber fails to escape < and > characters in text. HTML::Parser considers incomplete tags to be text, even if they contain < and/or > characters.
For example, if the input to HTML::Scrubber is:
<img src="javascript:alert(1)"
then the output is just the same, even if HTML::Scrubber is configured to reject all tags and attributes.
When a web application puts that text into an output page, you might get something like:
<hr>
<img src="javascript:alert(1)"
<hr>
and many browsers will see the > on the second <hr> as terminating the <img> tag, and run the javascript.
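A regression test for the behaviour described above, added here as an example; it is not part of the advisory or of the HTML::Scrubber distribution. It assumes HTML::Scrubber's new/scrub interface with a fixed (escaping) version installed, and models the lenient browser reading of the unterminated tag with a regex rather than a real browser.

```perl
#!/usr/bin/perl
# Regression test for the incomplete-tag problem in the advisory above.
# Constructed example, not part of the advisory or of HTML::Scrubber.
use strict;
use warnings;
use Test::More tests => 2;
use HTML::Scrubber;

# The advisory's input: an unterminated <img> tag.  HTML::Parser hands
# it to the scrubber as a text event, so the tag rules never see it.
my $untrusted = '<img src="javascript:alert(1)"';

# Strictest configuration: no tags and no attributes are allowed.
my $scrubber = HTML::Scrubber->new( allow => [] );
my $clean    = $scrubber->scrub($untrusted);

# A fixed HTML::Scrubber must not leave raw angle brackets in text.
unlike( $clean, qr/[<>]/, 'no raw < or > in scrubbed text' );

# Embed the output as the web application in the advisory does and
# apply the lenient reading browsers use: anything from "<img" up to
# the next ">" (here the one closing the second <hr>) is read as one
# tag.  With unescaped output this regex matches; with escaped output
# there is no "<img" left to match.
my $page = "<hr>\n$clean\n<hr>";
unlike( $page, qr/<img\b[^>]*>/s, 'no <img> tag reassembled from context' );
```

Run it against the unpatched 0.02 to see both checks fail, then against the patched module.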
Patch enclosed.
diff -Nurd HTML-Scrubber-0.02.orig/Scrubber.pm HTML-Scrubber-0.02/Scrubber.pm
--- HTML-Scrubber-0.02.orig/Scrubber.pm Fri Apr 18 15:09:13 2003
+++ HTML-Scrubber-0.02/Scrubber.pm Mon Jul 21 13:24:22 2003
@@ -309,6 +309,8 @@
} elsif ( $e eq 'process' ) {
print {$s->{_out}} $text if $s->{_process};
} elsif ( $e eq 'text' or $e eq 'default') {
+ $text =~ s/</</g;
+ $text =~ s/>/>/g;
print {$s->{_out}} $text;
}
}
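Review bot: As printed, the two substitutions added at the top of the text branch replace `<` with `<` and `>` with `>`, which are no-ops; the replacement side of each `s///` should be the entity reference (`&lt;` and `&gt;`), which has most likely been eaten by an HTML rendering of the mail. Anyone applying this hunk by hand should verify the replacement text reads `s/</&lt;/g;` and `s/>/&gt;/g;` before installing, or the fix silently does nothing.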
@@ -344,6 +346,8 @@
} elsif ( $e eq 'process' ) {
$s->{_r} .= $text if $s->{_process};
} elsif ( $e eq 'text' or $e eq 'default') {
+ $text =~ s/</</g;
+ $text =~ s/>/>/g;
$s->{_r} .= $text;
} elsif ( $e eq 'start_document' ) {
$s->{_r} = "";
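Review bot: The same two no-op substitutions are duplicated into the string-accumulating branch (`$s->{_r} .= $text`), so the `&lt;`/`&gt;` replacement text needs checking here as well. Since the escaping is now needed in two code paths, factoring it into one small helper sub called from both branches would keep the two paths from drifting apart the next time the text handling changes.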