I’ve noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize("body{background-image:url('javascript:window.alert(1)')}")
IE will execute the javascript. Firefox will not. I haven’t tried it
with any other browsers.
This isn’t really a bug, since the documentation for sanitize doesn’t
claim to clean up CSS. The docs should perhaps contain a disclaimer
that sanitize alone is not sufficient for removing javascript and
preventing XSS attacks.
Jonathan Baudanza wrote:
I’ve noticed that it is possible to pass javascript unaltered through
[SNIP]
This isn’t really a bug, since the documentation for sanitize doesn’t
claim to clean up CSS. The docs should perhaps contain a disclaimer
that sanitize alone is not sufficient for removing javascript and
preventing XSS attacks.
I’d call this a bug seeing that sanitize ensures “that arbitrary
Javascript cannot be executed” and suggest you file a bug report in trac
- and of course a nice test-based patch
Jonathan, will you let us know if you’re going to send the ticket in?
Just want to make sure this one doesn’t slip through the cracks
Dylan S. wrote:
Jonathan, will you let us know if you’re going to send the ticket in?
Just want to make sure this one doesn’t slip through the cracks
http://dev.rubyonrails.org/ticket/4154
Looks like it’s already being tracked. I think what is really needed is
a sanitize_css method that sanitize can use to clean tags and
style= attributes.
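A defender-side sketch of the sanitize_css method suggested in the last post, added here as an example; it is not Rails code, and the CssSanitizer module name, the property allow list and the regexes are my own assumptions. It drops any declaration whose property is off the allow list or whose value carries a javascript:/vbscript:/data: url(), an IE expression(), @import, behavior: or -moz-binding:, and it works on both bare style= declarations and rule blocks like the body{...} case above.

```ruby
require 'cgi'

# Hypothetical helper (not part of Rails): strips script-bearing constructs from CSS.
module CssSanitizer
  SAFE_PROPERTIES = %w[color background background-color background-image
                       font-size font-weight text-align margin padding
                       border width height].freeze

  # url(...) with optional single/double quotes; group 2 is the URL body.
  URL_RE = /url\(\s*(['"]?)(.*?)\1\s*\)/i

  # True when a property value can execute script in some browsers.
  def self.dangerous_value?(value)
    # Decode entities and drop whitespace so obfuscated forms are visible.
    v = CGI.unescapeHTML(value).gsub(/\s+/, '').downcase
    return true if v.include?('expression(')
    return true if v =~ /@import|behavior:|-moz-binding:/
    v.scan(URL_RE).any? { |_q, url| url =~ /\A(javascript|vbscript|data):/ }
  end

  # Keep only allow-listed properties with non-dangerous values.
  def self.sanitize_declarations(decls)
    decls.split(';').map do |decl|
      prop, val = decl.split(':', 2)
      next nil unless prop && val
      prop = prop.strip.downcase
      val = val.strip
      next nil unless SAFE_PROPERTIES.include?(prop)
      next nil if dangerous_value?(val)
      "#{prop}: #{val}"
    end.compact.join('; ')
  end

  # Accepts either a style attribute value or a sheet of selector{...} rules.
  def self.sanitize_css(css)
    css = css.gsub(%r{/\*.*?\*/}m, '')          # comments can hide tokens
    return sanitize_declarations(css) unless css.include?('{')
    css.scan(/([^{}]*)\{([^{}]*)\}/).map do |selector, decls|
      sel = selector.strip.gsub(/[^\w\s.#:,>*-]/, '')   # plain selectors only
      body = sanitize_declarations(decls)
      body.empty? ? nil : "#{sel} { #{body} }"
    end.compact.join("\n")
  end
end
```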