[ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6

Synopsis

Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).

However, Loofah::XssFoliate’s default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that the
following
input:

<script>alert(‘evil!’);</script>

would be rendered as

Fail.

Impact

Applications relying on Loofah::XssFoliate or Loofah::Helpers#strip_tags
for XSS protection are vulnerable to attacks.

Versions Affected: All version prior to 0.4.6
Not affected: Applications which do not use Loofah::XssFoliate or
Loofah::Helpers#strip_tags
Fixed Version: 0.4.6

This vulnerability was reported on 1 Feb 2010 and was fixed on 2 Feb
2010.

Releases

Loofah 0.4.6 is available on gemcutter and rubyforge now. Patch is
below.

Credits

Thanks to Mike Schubert and Sam Pierson for reporting the
vulnerability, and Aaron P. for providing the fix.

Release Notes

Loofah is a general library for manipulating HTML/XML documents and
fragments. It’s built on top of Nokogiri and libxml2, so it’s fast and
has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

0.4.6 (2010-02-02)

Enhancements:

  • Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
    now
    escape HTML entities.

Bug fixes:

  • Loofah::XssFoliate was not properly escaping HTML entities when
    implicitly scrubbing a string attribute. GH #17

Patch

diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb
index 30b8b9f…b7ffa20 100644
— a/lib/loofah/html/document.rb
+++ b/lib/loofah/html/document.rb
@@ -10,10 +10,11 @@ module Loofah
include Loofah::DocumentDecorator

   #
  •  #  Returns a plain-text version of the markup contained by the
    

document

  •  #  Returns a plain-text version of the markup contained by the
    

document,

  •  #  with HTML entities encoded.
     #
     def text
    
  •    xpath("/html/body").inner_text
    
  •    encode_special_chars xpath("/html/body").inner_text
     end
     alias :inner_text :text
     alias :to_str     :text
    

diff --git a/lib/loofah/html/document_fragment.rb
b/lib/loofah/html/document_fragment.rb
index feed705…9c023af 100644
— a/lib/loofah/html/document_fragment.rb
+++ b/lib/loofah/html/document_fragment.rb
@@ -28,10 +26,11 @@ module Loofah
alias :serialize :to_s

   #
  •  #  Returns a plain-text version of the markup contained by the
    

fragment

  •  #  Returns a plain-text version of the markup contained by the
    

fragment,

  •  #  with HTML entities encoded.
     #
     def text
    
  •    serialize_roots.children.inner_text
    
  •    encode_special_chars serialize_roots.children.inner_text
     end
     alias :inner_text :text
     alias :to_str     :text

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs