thr3ads.net - Rails - [Security] [ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6 [Feb 2010]

If this information is useful, please help other people find it:
Share via:

Mike Dalessio

2010-Feb-02 19:49 UTC

[Security] [ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6

Synopsis
----------

Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).

However, Loofah::XssFoliate''s default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that the following
input:

  &lt;script&gt;alert(''evil!'');&lt;/script&gt;

would be rendered as

  <script>alert(''evil!'');</script>

Fail.


Impact
----------

Applications relying on Loofah::XssFoliate or Loofah::Helpers#strip_tags
for XSS protection are vulnerable to attacks.

Versions Affected: All version prior to 0.4.6
Not affected:      Applications which do not use Loofah::XssFoliate or
Loofah::Helpers#strip_tags
Fixed Version:     0.4.6

This vulnerability was reported on 1 Feb 2010 and was fixed on 2 Feb 2010.


Releases
----------

Loofah 0.4.6 is available on gemcutter and rubyforge now. Patch is below.


Credits
----------

Thanks to Mike Schubert and Sam Pierson for reporting the
vulnerability, and Aaron Patterson for providing the fix.


Release Notes
----------

* <http://github.com/flavorjones/loofah>
* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>

Loofah is a general library for manipulating HTML/XML documents and
fragments. It''s built on top of Nokogiri and libxml2, so it''s
fast and
has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib''s whitelist, so it
most likely won''t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

## 0.4.6 (2010-02-02)

Enhancements:

  * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now
escape HTML entities.

Bug fixes:

  * Loofah::XssFoliate was not properly escaping HTML entities when
implicitly scrubbing a string attribute. GH #17


Patch
----------

diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb
index 30b8b9f..b7ffa20 100644
--- a/lib/loofah/html/document.rb
+++ b/lib/loofah/html/document.rb
@@ -10,10 +10,11 @@ module Loofah
       include Loofah::DocumentDecorator

       #
-      #  Returns a plain-text version of the markup contained by the
document
+      #  Returns a plain-text version of the markup contained by the
document,
+      #  with HTML entities encoded.
       #
       def text
-        xpath("/html/body").inner_text
+        encode_special_chars xpath("/html/body").inner_text
       end
       alias :inner_text :text
       alias :to_str     :text
diff --git a/lib/loofah/html/document_fragment.rb
b/lib/loofah/html/document_fragment.rb
index feed705..9c023af 100644
--- a/lib/loofah/html/document_fragment.rb
+++ b/lib/loofah/html/document_fragment.rb
@@ -28,10 +26,11 @@ module Loofah
       alias :serialize :to_s

       #
-      #  Returns a plain-text version of the markup contained by the
fragment
+      #  Returns a plain-text version of the markup contained by the
fragment,
+      #  with HTML entities encoded.
       #
       def text
-        serialize_roots.children.inner_text
+        encode_special_chars serialize_roots.children.inner_text
       end
       alias :inner_text :text
       alias :to_str     :text

Maybe Matching Threads

Search for more reasonably related threads

Rails - Feb 2010 - [Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6

[Security] [ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6

Maybe Matching Threads

Wisdom of the Ancients