
Ticket #5616 (new defect)

Opened 2 years ago

Last modified 1 year ago

[PATCH] sanitize(html) should prohibit href and style attributes with "javascript:" even if "javascript:" contains newlines

Reported by: kamens@gmail.com
Assigned to: David
Priority: normal
Milestone:
Component: ActionPack
Version:
Severity: normal
Keywords: sanitize html javascript
Cc:

Description

IE6 will execute the following (where \n is a newline):

<a href="java\nscript:foobar();">I've made a terrible mistake.</a>

Rails' sanitize() method should get rid of these dangerous hrefs.

This patch makes text_helper's regexp, which checks for hrefs containing "javascript:", match even if the string contains newlines.

A similar solution is provided for inline style attributes that contain "javascript:".

See http://namb.la/popular/tech.html for a story of the hilarious consequences of not protecting these IE6 flaws.
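The following is an added example, not the Rails sanitize() helper and not the attached patch. It contrasts a naive check for the literal string "javascript:" (which "java\nscript:" slips past, as the report describes) with a check that strips whitespace and control characters from the attribute value before looking at its scheme, and it also shows the allow-list alternative raised later in the ticket. The function names, the ALLOWED_SCHEMES list and the sample attribute hashes are assumptions made for the example; it does not decode HTML entities, so an entity-encoded scheme would need decoding before these checks.

```ruby
# Added example (not Rails' sanitize() and not the ticket's patch): compare a
# naive "javascript:" check with one that normalizes the value first, then
# show an allow-list check for href schemes.

# The kind of check the ticket describes as insufficient: a regexp for the
# literal scheme name, which "java\nscript:" does not match.
NAIVE_JS_RE = /javascript:/i

def naive_dangerous?(value)
  NAIVE_JS_RE.match?(value)
end

# Normalize before checking: drop ASCII whitespace and control characters
# anywhere in the value (IE6 ignored them inside the scheme name, per the
# report), then lower-case it.
def normalize(value)
  value.gsub(/[\s\x00-\x1f]/, "").downcase
end

# Blacklist-style check on the normalized value; this is what the ticket's
# patch aims at for both href and style attributes.
def strict_dangerous?(value)
  normalize(value).include?("javascript:")
end

# Allow-list variant (the approach suggested in the ticket comments): accept
# only known URL schemes, plus scheme-less relative URLs. The list itself is
# an assumption for this example.
ALLOWED_SCHEMES = %w[http https mailto ftp].freeze
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/

def href_allowed?(value)
  v = normalize(value)
  m = SCHEME_RE.match(v)
  return true if m.nil? # no scheme at all: "/about", "#top", "page.html"
  ALLOWED_SCHEMES.include?(m[1])
end

# Apply the checks to an attribute hash the way a sanitizer would: drop any
# href that fails the allow-list and any style whose normalized form
# contains "javascript:". Other attributes pass through untouched.
def sanitize_attributes(attrs)
  attrs.reject do |name, value|
    case name.downcase
    when "href"  then !href_allowed?(value)
    when "style" then strict_dangerous?(value)
    else false
    end
  end
end

if __FILE__ == $0
  # Constructed sample input: the payload from the report, with a real newline.
  payload = "java\nscript:foobar();"
  puts "naive check catches it?  #{naive_dangerous?(payload)}"
  puts "strict check catches it? #{strict_dangerous?(payload)}"
  puts sanitize_attributes({ "href" => payload, "title" => "oops" }).inspect
end
```

Stripping whitespace before matching closes the newline gap the ticket reports, but the allow-list form is the one that does not need a new rule for each scheme or obfuscation a browser happens to tolerate.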

Attachments

text_helper_strict_sanitize_patch.diff (2.7 kB) - added by kamens@gmail.com on 07/06/06 02:16:51.
Fix for Case 5615
text_helper_strict_sanitize_patch.2.diff (2.8 kB) - added by kamens@gmail.com on 07/06/06 05:18:57.
Patch for 5616

Change History

07/06/06 02:16:51 changed by kamens@gmail.com

  • attachment text_helper_strict_sanitize_patch.diff added.

Fix for Case 5615

07/06/06 05:18:57 changed by kamens@gmail.com

  • attachment text_helper_strict_sanitize_patch.2.diff added.

Patch for 5616

07/06/06 05:19:45 changed by anonymous

Ignore first patch (error in regexp). Second patch is correct.

08/05/06 21:29:15 changed by david

sanitize in its current form is somewhat deprecated. What we should do instead is replace it with a white list method where only prescribed tags are accepted. Please do look into that.

08/17/06 06:09:24 changed by anonymous

I disagree: even though it's borderline whack-a-mole, it's good to have a secure one to stay away from nasty surprises. Whitelist > Blacklist any day, but that doesn't make this less valid.

09/04/06 19:53:43 changed by david

  • keywords changed from sanitize html javascript to sanitize html javascript unverified.

Needs to be updated for trunk. Please remove the unverified keyword when done.

07/19/07 23:30:58 changed by lifofifo

  • keywords changed from sanitize html javascript unverified to sanitize html javascript.