Subject: HTML::Sanitizer XSS vulnerability in example configuration
HTML::Sanitizer-0.01, tested under perl-5.008 on FreeBSD:
The example configuration in the SYNOPSIS is vulnerable to cross-site scripting: the regular expression that validates an IMG SRC value lacks the grouping parentheses needed to fix precedence, so it matches any IMG SRC value containing the text 'ftp:' anywhere, not only values that begin with http: or ftp:.
Demonstration:
#!/usr/local/perl-5.008/bin/perl -w
use strict;
use HTML::Sanitizer;

my $safe = HTML::Sanitizer->new;

# Whitelist from the module's SYNOPSIS. Without grouping, each regex
# means "starts with http:" OR "contains ftp: anywhere".
$safe->permit_only(
    qw/ strong em /,
    a => {
        href  => qr/^http:|ftp:/,
        title => 1,
    },
    img => {
        src   => qr/^http:|ftp:/,
        alt   => 1,
    },
);

# The trailing "//ftp:" satisfies the second alternative, so the
# javascript: URL is passed through unchanged.
my $evil_html = '<img src="javascript:alert(1)//ftp:">';
print $safe->filter_as_html_fragment($evil_html), "\n";
Suggested fix:
Change the regular expression to: qr/^(?:http|ftp):/
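Added illustration, not part of this report and independent of HTML::Sanitizer: it runs the SYNOPSIS regex and the suggested fix over a few constructed attribute values so the precedence difference is visible without the module installed. Only core Perl is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed comparison of the two patterns from the report above.
my $weak  = qr/^http:|ftp:/;      # parses as (^http:) | (ftp:)
my $fixed = qr/^(?:http|ftp):/;   # parses as ^(http|ftp):

# Return the values that a given regex would let through.
sub accepted {
    my ($re, @values) = @_;
    return grep { $_ =~ $re } @values;
}

# Constructed sample values: two legitimate URLs, the report's payload,
# and one scheme that both patterns should reject.
my @values = (
    'http://example.com/a.png',
    'ftp://example.com/b.png',
    'javascript:alert(1)//ftp:',
    'mailto:someone@example.com',
);

for my $pair (['SYNOPSIS regex', $weak], ['suggested fix', $fixed]) {
    my ($name, $re) = @$pair;
    print "$name ($re) accepts:\n";
    print "  $_\n" for accepted($re, @values);
}
```

The weak pattern lets the javascript: value through solely because of the trailing "ftp:"; the grouped pattern accepts only the two URLs that actually start with http: or ftp:. The a href entry in the demonstration uses the same pattern and needs the same change.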