Description
When the style tag is added to the whitelist, the content inside the tag is incorrectly emitted unescaped, so a closing tag injected as text content is interpreted as real HTML by whatever consumes the sanitized output, enabling tag injection and JavaScript execution. The example below triggers the bug inside an svg element.
This behavior is similar to the sanitization bypass described in CVE-2020-4054 (Sanitize for Ruby).
using HTMLSanitizer
user_input = "<svg><style></style><img src onerror=alert(1)>"
# Start from the default whitelist and additionally allow the style element.
whitelist = deepcopy(HTMLSanitizer.WHITELIST)
append!(whitelist[:elements], ["style"])
# The sanitized output still contains an img tag with an onerror handler.
result = sanitize(user_input, whitelist=whitelist)
print(result) # <style></style><img src onerror=alert(1)></style>
Impact
Possible XSS in any HTML that is sanitized with this library.
Patches
Users should upgrade to v0.2.1 as soon as possible. In this version, svg and math tags are removed by default.
Workarounds
Add the math and svg elements to the removed_elements list of your whitelist manually (this is what v0.2.1 does by default), e.g.
whitelist = deepcopy(HTMLSanitizer.WHITELIST)
append!(whitelist[:removed_elements], ["math", "svg"])
and pass this modified whitelist to sanitize:
sanitize(user_input, whitelist=whitelist)
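To make the bug class in the Description concrete, and to show why the svg/math workaround above closes it, here is an added example in Python. It is not part of this advisory and not code from HTMLSanitizer.jl; the function names, the toy allowlists and the tree shape are all constructed for the example. The tree is built by hand to match what an HTML5 parser produces for `<svg><style><![CDATA[</style><img src onerror=alert(1)>]]></style></svg>` (inside svg/math foreign content a CDATA section becomes a text node and style is an ordinary element); that parsing behaviour is an assumption of the example, not something the advisory states. A serializer that writes style content verbatim reproduces the bypass, escaping the text fixes it, and dropping the svg/math subtree (the workaround) removes the problem entirely. Python's html.parser is then used to re-parse each output and show which one yields a real img tag with an onerror attribute.

```python
from html import escape
from html.parser import HTMLParser

# Tree model: an element is (tag, attrs, children); a text node is a plain str.
# PAYLOAD_TREE is constructed by hand to match what an HTML5 parser builds for
#   <svg><style><![CDATA[</style><img src onerror=alert(1)>]]></style></svg>
# (assumption of this example: inside svg/math "foreign content" <style> is an
# ordinary element and a CDATA section becomes a text node). Note that there is
# no img *element* anywhere in the tree, only text, so an element/attribute
# allowlist never gets a chance to strip the onerror handler.
PAYLOAD_TREE = ("svg", {}, [
    ("style", {}, ["</style><img src onerror=alert(1)>"]),
])

ALLOWED_TAGS = {"svg", "math", "img", "p", "b"}   # toy allowlist; "style" only when opted in
ALLOWED_ATTRS = {"src", "href"}                   # on* handlers are never kept
RAW_TEXT_TAGS = {"script", "style"}               # raw-text elements in HTML (not SVG) context


def sanitize(node, allowed_tags, removed_tags):
    """Allowlist filter. Elements in removed_tags are dropped with their whole
    subtree; elements not in allowed_tags are unwrapped (children survive);
    attributes outside ALLOWED_ATTRS are stripped. Returns a list of nodes."""
    if isinstance(node, str):
        return [node]
    tag, attrs, children = node
    if tag in removed_tags:
        return []
    kept_children = [n for c in children for n in sanitize(c, allowed_tags, removed_tags)]
    if tag not in allowed_tags:
        return kept_children
    kept_attrs = {k: v for k, v in attrs.items() if k in ALLOWED_ATTRS}
    return [(tag, kept_attrs, kept_children)]


def serialize(node, raw_style_content, parent=None):
    """Serialize back to markup. raw_style_content=True reproduces the bug
    class: text inside <style> is written verbatim because the serializer
    assumes it is CSS, so a "</style>" text node ends the element early and
    whatever follows is parsed as real HTML downstream. False escapes all text."""
    if isinstance(node, str):
        if raw_style_content and parent in RAW_TEXT_TAGS:
            return node                      # BUG: emitted unescaped
        return escape(node, quote=False)
    tag, attrs, children = node
    attr_str = "".join(
        f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
        for k, v in attrs.items()
    )
    inner = "".join(serialize(c, raw_style_content, tag) for c in children)
    return f"<{tag}{attr_str}>{inner}</{tag}>"


def render(tree, allow_style=False, remove_foreign=False, raw_style_content=True):
    """Sanitize then serialize. allow_style mirrors adding "style" to the
    whitelist; remove_foreign mirrors putting svg/math on removed_elements."""
    allowed = ALLOWED_TAGS | ({"style"} if allow_style else set())
    removed = {"svg", "math"} if remove_foreign else set()
    return "".join(serialize(n, raw_style_content) for n in sanitize(tree, allowed, removed))


class TagCollector(HTMLParser):
    """Re-parse sanitizer output the way a consumer would and record the start
    tags seen. html.parser treats <style> content as raw text until the first
    </style>, as the HTML tokenizer does, which is exactly what the bypass abuses."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def real_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_event_handler(markup):
    """True if the re-parsed output carries any on* attribute, i.e. the
    sanitizer's output would run script when rendered."""
    return any(k.startswith("on") for _, attrs in real_tags(markup) for k in attrs)


if __name__ == "__main__":
    cases = [
        ("style not allowed", render(PAYLOAD_TREE)),
        ("vulnerable", render(PAYLOAD_TREE, allow_style=True)),
        ("escaped", render(PAYLOAD_TREE, allow_style=True, raw_style_content=False)),
        ("workaround", render(PAYLOAD_TREE, allow_style=True, remove_foreign=True)),
    ]
    for label, out in cases:
        print(f"{label:18}: {out!r}  handler={has_event_handler(out)}")
```

The "style not allowed" case shows why the advisory is conditional on whitelisting style: without it the style element is unwrapped and its text is escaped like any other text. Only the combination of an allowed style element, a serializer that trusts its content, and a foreign-content parse that lets arbitrary text into that element produces a real img tag with an onerror handler on re-parse.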
References
PR for fix
Credits
Thanks to Chen T for finding and reporting this issue.