
This queue is for tickets about the HTML-Scrubber CPAN distribution.

Report information
The Basics
Id: 3008
Status: resolved
Priority: 0/
Queue: HTML-Scrubber

People
Owner: Nobody in particular
Requestors: nick [...] cleaton.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.03
Fixed in: (no value)



Subject: XSS in example configuration
HTML::Scrubber 0.03, tested under perl 5.008 on FreeBSD

The sample configuration in the docs with HTML::Scrubber 0.03 is vulnerable to the following cross site scripting constructs:

<br style="width: expression&#40;alert&#40;))">

... and others, e.g. the xml* attributes that some versions of IE accept.

Suggested fix: give a whitelist based example with '*' => 0 for both tags and attributes and have a list of safe tags and a list of safe attributes.

<a href="javasc&#9;ript:alert(1)">asdf</a>

... because both Netscape and IE will accept whitespace characters other than space in between the letters of the word 'javascript'.

<a href="vbscript:yada yada yada">asdf</a>

... there is 'about' as well as 'vbscript', and probably others. See http://www.securityfocus.com/archive/1/249779 for some more examples.

Suggested fix: change the regular expression from:

qr{^(?!(?:java)?script)}i

to:

qr{^(?:http|https|ftp)://}i
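As an added example (not part of the ticket or of HTML::Scrubber itself), the two href rules quoted in the report are transcribed to Python and applied to the href values from the report, after the character-reference decoding that an HTML parser performs before any attribute rule sees the value. The sample list, expected verdicts and helper names are constructed for this illustration.

```python
import html
import re

# The Perl qr{...}i rules from the report, transcribed to Python (re.I mirrors Perl's /i,
# and an unanchored-by-/m '^' in Perl is start-of-string, as it is here).
BLACKLIST_RULE = re.compile(r"^(?!(?:java)?script)", re.I)   # rule in the 0.03 docs example
ALLOWLIST_RULE = re.compile(r"^(?:http|https|ftp)://", re.I)  # replacement suggested in the report


def href_allowed(rule, raw_value):
    """Return True if a scrubber-style attribute rule lets this href through.

    HTML parsers decode character references before handing the attribute
    value to a rule, so the rule sees "javasc\tript:..." rather than the
    literal "javasc&#9;ript:..." that appears in the markup.
    """
    value = html.unescape(raw_value)
    return rule.search(value) is not None


# Constructed sample hrefs: the values quoted in the report plus two benign links,
# each paired with the verdict a safe filter should reach.
SAMPLES = {
    "javasc&#9;ript:alert(1)": False,   # tab inside the scheme name, from the report
    "vbscript:yada yada yada": False,   # non-javascript script scheme, from the report
    "about:blank": False,               # 'about' scheme, named in the report
    "javascript:alert(1)": False,       # the one case the blacklist was written for
    "http://example.com/": True,
    "HTTPS://example.com/": True,       # scheme matching is case-insensitive in both rules
}


def misses(rule):
    """Hrefs on which the rule's verdict differs from the expected one."""
    return {href for href, expected in SAMPLES.items()
            if href_allowed(rule, href) != expected}


if __name__ == "__main__":
    for name, rule in (("blacklist", BLACKLIST_RULE), ("allowlist", ALLOWLIST_RULE)):
        print(f"{name}: wrong verdicts on {sorted(misses(rule))}")
```

The blacklist rule only rejects an href that literally begins with "javascript" or "script"; the allowlist rule rejects every scheme it does not name, which is why the report recommends it.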
I don't think I should. All the HTML::Scrubber documentation is supposed to do is show you how to use HTML::Scrubber.
On Tue Jul 22 15:47:13 2003, PODMASTER wrote:

> I don't think I should.
> All the HTML::Scrubber documentation is supposed to do
> is show you how to use HTML::Scrubber.
I agree with the suggestion. The current example looks like it would prevent the use of JavaScript calls, but apparently it does not. The suggested update to the RegEx illustrates the API just as well, while demonstrating a better security practice. I see no drawbacks in making the recommended change.

Mark
Updated documentation https://github.com/nigelm/html-scrubber/commit/e281c77e07a30ca61635b9b6672291ea25859e87