
Ticket #8222 (new defect)

Opened 1 year ago

Last modified 1 year ago

[PATCH] EXPLOIT: Javascript can get past sanitize() in Internet Explorer via CSS expressions

Reported by: wkonkel Assigned to: core
Priority: high Milestone: 2.x
Component: ActionPack Version: 1.2.3
Severity: major Keywords:
Cc:

Description

Internet Explorer allows "expressions" in CSS, which are JavaScript that gets executed. The code below shows an example of could-be-malicious JavaScript that will get past the sanitize function.

>> include ActionView::Helpers::TextHelper
=> Object
>> sanitize("<div style=\"width: expression(alert('gotcha'))\">pure innocence</div>")
=> "<div style=\"width: expression(alert('gotcha'))\">pure innocence</div>"

Attachments

sanitize_ie_problems.diff (2.0 kB) - added by wycats on 06/16/07 23:48:03.
Sanitize behaviors and expressions
sanitize_ie_for_edge_cases.diff (2.4 kB) - added by wycats on 06/17/07 17:48:40.

Change History

04/30/07 16:46:31 changed by wkonkel

This would probably be bad as well:

"<div style=\"behavior: url(http://mysite.com/evil.js)\">pure innocence</div>"

06/16/07 23:47:42 changed by wycats

  • owner changed from core to wycats.
  • status changed from new to assigned.

I have attached a patch that removes the style attribute if an expression or behavior is included in the attribute.

06/16/07 23:48:03 changed by wycats

  • attachment sanitize_ie_problems.diff added.

Sanitize behaviors and expressions

06/17/07 00:38:14 changed by wycats

  • owner changed from wycats to core.
  • status changed from assigned to new.

06/17/07 03:07:28 changed by wycats

  • summary changed from EXPLOIT: Javascript can get past sanitize() in Internet Explorer via CSS expressions to [PATCH] EXPLOIT: Javascript can get past sanitize() in Internet Explorer via CSS expressions.

06/17/07 14:20:44 changed by wkonkel

I think there are a few more edge cases that need to be covered... also your syntax for behavior isn't quite right (it's a CSS attribute just like width/height).

def test_sanitize_some_more
  # Test::Unit's assert_equal takes (expected, actual); a dangerous style
  # attribute should be dropped entirely, leaving a bare <div>.
  # Mixed case plus tabs/newlines between "expression" and "(":
  assert_equal %{<div>foo</div>}, sanitize(%{<div style="width: ExPrEssIoN \t \n (evilJS)">foo</div>})
  # "behavior" is a property name; whitespace around the colon and inside url():
  assert_equal %{<div>foo</div>}, sanitize(%{<div style="BEHAvior : url (some site)">foo</div>})
  # Several url() values in one behavior declaration:
  assert_equal %{<div>foo</div>}, sanitize(%{<div style="behavior:url(collapsing.htc) url(hilite.htc)">foo</div>})
end

06/17/07 16:55:44 changed by wycats

By gosh, you're right. I'll get right on an updated patch!

06/17/07 17:48:40 changed by wycats

  • attachment sanitize_ie_for_edge_cases.diff added.

06/17/07 17:50:40 changed by wycats

I have attached a patch that works for what should be all edge cases (including stuff like _BeHaViOr).

06/18/07 13:23:22 changed by wkonkel

Good catch with the leading underscores... I forgot that IE interprets those.