I've noticed that it is possible to pass javascript unaltered through the sanitize function using CSS. For example:

sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)') }</style>" )

IE will execute the javascript. Firefox will not. I haven't tried it with any other browsers.

This isn't really a bug, since the documentation for sanitize doesn't claim to clean up CSS. The docs should perhaps contain a disclaimer that sanitize alone is not sufficient for removing javascript and preventing XSS attacks.

-- Posted via http://www.ruby-forum.com/.
Jonathan Baudanza wrote:
> I've noticed that it is possible to pass javascript unaltered through
[SNIP]
> This isn't really a bug, since the documentation for sanitize doesn't
> claim to clean up CSS. The docs should perhaps contain a disclaimer
> that sanitize alone is not sufficient for removing javascript and
> preventing XSS attacks.

I'd call this a bug seeing that sanitize ensures "that arbitrary Javascript cannot be executed" and suggest you file a bug report in trac - and of course a nice test-based patch :)

-- Jakob Skjerning - http://mentalized.net
Jonathan, will you let us know if you're going to send the ticket in? Just want to make sure this one doesn't slip through the cracks :)

On 5/11/06, Jakob Skjerning <jakob@mentalized.net> wrote:
> Jonathan Baudanza wrote:
> > I've noticed that it is possible to pass javascript unaltered through
> [SNIP]
> > This isn't really a bug, since the documentation for sanitize doesn't
> > claim to clean up CSS. The docs should perhaps contain a disclaimer
> > that sanitize alone is not sufficient for removing javascript and
> > preventing XSS attacks.
>
> I'd call this a bug seeing that sanitize ensures "that arbitrary
> Javascript cannot be executed" and suggest you file a bug report in trac
> - and of course a nice test-based patch :)
>
> --
> Jakob Skjerning - http://mentalized.net
Dylan Stamat wrote:
> Jonathan, will you let us know if you're going to send the ticket in?
> Just want to make sure this one doesn't slip through the cracks :)

http://dev.rubyonrails.org/ticket/4154

Looks like it's already being tracked. I think what is really needed is a sanitize_css method that sanitize can use to clean <style> tags and style= attributes.

-- Posted via http://www.ruby-forum.com/.
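As an added illustration of the sanitize_css helper proposed above (example code written for this page, not Rails' own implementation): an allowlist approach that keeps only known properties with plain values, so a url() carrying a javascript: scheme is dropped whether it sits in a <style> body or a style= attribute. The property list, regexes and method names are assumptions.

```ruby
# Added example, not Rails' own code: an allowlist-based sanitize_css of the
# kind the thread proposes. Property list, regexes and names are assumptions.
require 'cgi'

module CssSanitizer
  ALLOWED_PROPERTIES = %w[color background-color font-size font-weight
                          font-family text-align margin padding border
                          width height].freeze
  # A value may contain words, digits, units, colours and percentages only.
  # url(), expression(), quotes, colons and backslashes fall outside this set,
  # so a javascript: URL is rejected without needing a scheme blocklist.
  SAFE_VALUE_RE = /\A[\s\w.,#%-]+\z/
  SAFE_SELECTOR_RE = /\A[\w\s.#,>*:-]+\z/

  # Decode HTML entities and CSS hex escapes before checking, so an encoded
  # "(" or ":" cannot hide inside an otherwise innocent-looking value.
  def self.decode(text)
    CGI.unescapeHTML(text.to_s).gsub(/\\([0-9a-f]{1,6})\s?/i) do
      $1.hex.chr(Encoding::UTF_8) rescue ''
    end
  end

  # A declaration survives only if its property is allowlisted and its
  # decoded value uses the safe character set.
  def self.safe_declaration?(decl)
    prop, value = decode(decl).split(':', 2)
    return false if value.nil?
    ALLOWED_PROPERTIES.include?(prop.strip.downcase) && value.match?(SAFE_VALUE_RE)
  end

  # For style="..." values: keep the allowed declarations, drop the rest.
  def self.sanitize_style_attribute(attr)
    attr.to_s.split(';').map(&:strip).select { |d| safe_declaration?(d) }.join('; ')
  end

  # For <style> bodies: drop at-rules such as @import, keep rules whose
  # selector is plain, and filter each rule's declarations as above.
  def self.sanitize_stylesheet(css)
    css.to_s.gsub(/@[^{};]*;/, '').scan(/([^{}]+)\{([^{}]*)\}/).map do |selector, body|
      sel = selector.strip
      next unless sel.match?(SAFE_SELECTOR_RE)
      "#{sel}{#{sanitize_style_attribute(body)}}"
    end.compact.join(' ')
  end
end

# The stylesheet from the thread plus one harmless rule, as a constructed sample.
SAMPLE = "body{background-image:url('javascript:window.alert(1)') } p{color:#333}"
puts CssSanitizer.sanitize_stylesheet(SAMPLE)  # body{} p{color:#333}
```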