Sanitize dangers


#1

I’ve noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:

sanitize( “body{background-image:url(‘javascript:window.alert(1)’)
}” )

IE will execute the javascript. Firefox will not. I haven’t tried it
with any other browsers.

This isn’t really a bug, since the documentation for sanitize doesn’t
claim to clean up CSS. The docs should perhaps contain a disclaimer
that sanitize alone is not sufficient for removing javascript and
preventing XSS attacks.


#2

Jonathan Baudanza wrote:

I’ve noticed that it is possible to pass javascript unaltered through
[SNIP]
This isn’t really a bug, since the documentation for sanitize doesn’t
claim to clean up CSS. The docs should perhaps contain a disclaimer
that sanitize alone is not sufficient for removing javascript and
preventing XSS attacks.

I’d call this a bug seeing that sanitize ensures “that arbitrary
Javascript cannot be executed” and suggest you file a bug report in trac

  • and ofcourse a nice test-based patch :slight_smile:

#3

Jonathan, will you let us know if you’re going to send the ticket in ?
Just want to make sure this one doesn’t slip through the cracks :slight_smile:


#4

Dylan S. wrote:

Jonathan, will you let us know if you’re going to send the ticket in ?
Just want to make sure this one doesn’t slip through the cracks :slight_smile:

http://dev.rubyonrails.org/ticket/4154

Looks like it’s already being tracked. I think what is really needed is
a sanitize_css method that sanitize can use to clean tags and
style= attributes.