[ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6

Synopsis

Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).

However, Loofah::XssFoliate’s default behavior and Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that the following
input:

<script>alert('evil!');</script>

would be rendered as

Fail.
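The mechanism described above, as an added example that is not Loofah's own code: a pure-Ruby stand-in for Nokogiri's inner_text (tags dropped, entity references decoded), the pre-0.4.6 #text that returns that decoded text as-is, and the 0.4.6 behaviour that re-encodes special characters in the role of the patch's encode_special_chars call. The sample input is constructed, and toy_inner_text, contains_markup? and the escaped-character set are assumptions of this example, not Loofah or Nokogiri API.

```ruby
# Named entities a text extractor decodes; numeric references are handled below.
ENTITIES = { "lt" => "<", "gt" => ">", "amp" => "&",
             "quot" => '"', "apos" => "'" }.freeze

# Stand-in for Nokogiri's #inner_text (hypothetical helper, not Loofah API):
# tags are dropped and entity references are decoded to the characters they
# name, which is exactly why the result is no longer safe to emit as HTML.
def toy_inner_text(html)
  html.gsub(/<[^>]*>/, "").gsub(/&(#x[0-9a-f]+|#\d+|\w+);/i) do
    ref = $1
    if ref.start_with?("#x", "#X") then ref[2..].hex.chr(Encoding::UTF_8)
    elsif ref.start_with?("#")      then ref[1..].to_i.chr(Encoding::UTF_8)
    else ENTITIES.fetch(ref.downcase, $&) # leave unknown references alone
    end
  end
end

# Pre-0.4.6: #text handed back the decoded text unchanged.
def text_before(html)
  toy_inner_text(html)
end

# Escape the characters that are significant in HTML, in the role the
# patch's encode_special_chars call plays (the exact set is assumed here).
def encode_special_chars(text)
  text.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# 0.4.6: the decoded text is re-encoded before it is returned.
def text_after(html)
  encode_special_chars(toy_inner_text(html))
end

# Detection check on the output: does anything left look like a tag?
def contains_markup?(text)
  text.match?(%r{</?[a-z!]}i)
end

if __FILE__ == $0
  # Constructed input: an entity-encoded script element, as a user might submit it.
  sample = "&lt;script&gt;alert('evil!');&lt;/script&gt;"
  puts "before 0.4.6: #{text_before(sample)}"   # live <script> if pasted into a page
  puts "0.4.6:        #{text_after(sample)}"    # renders as literal text
end
```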

Impact

Applications relying on Loofah::XssFoliate or Loofah::Helpers#strip_tags
for XSS protection are vulnerable to attacks.

Versions Affected: All versions prior to 0.4.6
Not affected: Applications which do not use Loofah::XssFoliate or
Loofah::Helpers#strip_tags
Fixed Version: 0.4.6

This vulnerability was reported on 1 Feb 2010 and was fixed on 2 Feb
2010.

Releases

Loofah 0.4.6 is available on gemcutter and rubyforge now. Patch is
below.

Credits

Thanks to Mike Schubert and Sam Pierson for reporting the
vulnerability, and Aaron P. for providing the fix.

Release Notes

Loofah is a general library for manipulating HTML/XML documents and
fragments. It’s built on top of Nokogiri and libxml2, so it’s fast and
has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your code less secure. (These statements have
not been evaluated by Netexperts.)

0.4.6 (2010-02-02)

Enhancements:

  • Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
    now escape HTML entities.

Bug fixes:

  • Loofah::XssFoliate was not properly escaping HTML entities when
    implicitly scrubbing a string attribute. GH #17

Patch

diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb
index 30b8b9f…b7ffa20 100644
— a/lib/loofah/html/document.rb
+++ b/lib/loofah/html/document.rb
@@ -10,10 +10,11 @@ module Loofah
include Loofah::DocumentDecorator

   #
  •  #  Returns a plain-text version of the markup contained by the
    

document

  •  #  Returns a plain-text version of the markup contained by the
    

document,

  •  #  with HTML entities encoded.
     #
     def text
    
  •    xpath("/html/body").inner_text
    
  •    encode_special_chars xpath("/html/body").inner_text
     end
     alias :inner_text :text
     alias :to_str     :text
    

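Review bot: the new doc comment says the text comes back "with HTML entities encoded" but does not say which characters encode_special_chars touches; since this release turns #text from plain-text output into HTML-escaped output, the comment (and the changelog entry) should list the escaped characters and state in which context, element content versus attribute values, the result is safe, so callers that relied on the old plain-text contract know what changed. A test asserting that a `<script>` input comes back as `&lt;script&gt;` would pin the new behaviour against regression.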
diff --git a/lib/loofah/html/document_fragment.rb
b/lib/loofah/html/document_fragment.rb
index feed705…9c023af 100644
— a/lib/loofah/html/document_fragment.rb
+++ b/lib/loofah/html/document_fragment.rb
@@ -28,10 +26,11 @@ module Loofah
alias :serialize :to_s

   #
  •  #  Returns a plain-text version of the markup contained by the
    

fragment

  •  #  Returns a plain-text version of the markup contained by the
    

fragment,

  •  #  with HTML entities encoded.
     #
     def text
    
  •    serialize_roots.children.inner_text
    
  •    encode_special_chars serialize_roots.children.inner_text
     end
     alias :inner_text :text
     alias :to_str     :text
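Review bot: the hunk header `@@ -28,10 +26,11 @@` places this hunk two lines earlier in the new file than in the old, yet no preceding hunk for document_fragment.rb appears in the patch; either an earlier change to this file was dropped when the patch was pasted, or the diff was taken against a different base, so anyone applying the posted patch should expect offset warnings and compare the result with the 0.4.6 gem. Also, this is the same one-line wrapping as in document.rb; a shared helper would keep the two #text implementations from drifting apart.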