Mike Dalessio
2010-Feb-02 19:49 UTC
[Security] [ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------

Loofah::HTML::Document#text emits unencoded HTML entities prior to 0.4.6. This was originally by design, since the output of #text is intended to be used in a non-HTML context (such as generation of human-readable text documents).

However, Loofah::XssFoliate's default behavior and Loofah::Helpers#strip_tags both use #text to strip tags out of the output, meaning that the following input:

  &lt;script&gt;alert('evil!');&lt;/script&gt;

would be rendered as

  <script>alert('evil!');</script>

Fail.

Impact
----------

Applications relying on Loofah::XssFoliate or Loofah::Helpers#strip_tags for XSS protection are vulnerable to attacks.

Versions Affected: All versions prior to 0.4.6
Not affected: Applications which do not use Loofah::XssFoliate or Loofah::Helpers#strip_tags
Fixed Version: 0.4.6

This vulnerability was reported on 1 Feb 2010 and was fixed on 2 Feb 2010.

Releases
----------

Loofah 0.4.6 is available on gemcutter and rubyforge now. Patch is below.

Credits
----------

Thanks to Mike Schubert and Sam Pierson for reporting the vulnerability, and Aaron Patterson for providing the fix.

Release Notes
----------

* <http://github.com/flavorjones/loofah>
* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>

Loofah is a general library for manipulating HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely won't make your code less secure. (These statements have not been evaluated by Netexperts.)

## 0.4.6 (2010-02-02)

Enhancements:

* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.

Bug fixes:

* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17

Patch
----------
diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb index 30b8b9f..b7ffa20 100644 --- a/lib/loofah/html/document.rb +++ b/lib/loofah/html/document.rb @@ -10,10 +10,11 @@ module Loofah include Loofah::DocumentDecorator # - # Returns a plain-text version of the markup contained by the document + # Returns a plain-text version of the markup contained by the document, + # with HTML entities encoded. # def text - xpath("/html/body").inner_text + encode_special_chars xpath("/html/body").inner_text end alias :inner_text :text alias :to_str :text diff --git a/lib/loofah/html/document_fragment.rb b/lib/loofah/html/document_fragment.rb index feed705..9c023af 100644 --- a/lib/loofah/html/document_fragment.rb +++ b/lib/loofah/html/document_fragment.rb @@ -28,10 +26,11 @@ module Loofah alias :serialize :to_s # - # Returns a plain-text version of the markup contained by the fragment + # Returns a plain-text version of the markup contained by the fragment, + # with HTML entities encoded. # def text - serialize_roots.children.inner_text + encode_special_chars serialize_roots.children.inner_text end alias :inner_text :text alias :to_str :text
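Review bot: in the document.rb hunk, `+ encode_special_chars xpath("/html/body").inner_text` changes the return value of `text` for every existing caller, and because of the unchanged `alias :to_str :text` two lines below it, implicit string conversion of a document now yields entity-encoded text as well. The synopsis says `#text` was intended for non-HTML contexts such as plain-text documents, so those consumers will now see `&amp;` where they previously got `&`. Consider an opt-out (for example a `text(:encode_special_chars => false)` option) or a separately named method for the escaped form, and list the change as a behavior change in the changelog rather than only as an enhancement. The new comment `# with HTML entities encoded.` should also spell out the scope: libxml2's special-character encoding covers `<`, `>`, `&` and `"` but not the single quote, so the result is safe as element content but callers who drop it into a single-quoted attribute still need their own escaping.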
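Review bot: the document_fragment.rb hunk header `@@ -28,10 +26,11 @@` does not add up with the hunk body. The body removes one line and adds two, which accounts for 10 becoming 11, but the old start of 28 against a new start of 26 implies two lines deleted earlier in the file that this patch does not show, whereas the first hunk's `@@ -10,10 +10,11 @@` is balanced. Either the posted diff was trimmed or it was produced against a tree that already differs from 0.4.5, so it may not apply cleanly for readers who try to backport it; please repost the complete diff or reference the commit.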
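The mechanism described in the Synopsis, reproduced as an added example that is not Loofah's own code: a parser decodes `&lt;script&gt;` to the literal string `<script>` while building the tree, so a tag stripper that returns the tree's text content hands back live markup, and the fix is to re-escape that text before it is used in an HTML context. Ruby's bundled REXML stands in for Nokogiri's `inner_text`, and `CGI.escapeHTML` stands in for libxml2's `encode_special_chars` (it additionally escapes `'` as `&#39;`, which `encode_special_chars` does not). The sample input, the method names and `render_comment` are constructed for this illustration.

```ruby
require 'rexml/document'
require 'cgi'

# Constructed sample input: harmless markup followed by an entity-encoded
# script element, the shape of input the advisory describes.
SAMPLE = %q{<div><b>hello</b> &lt;script&gt;alert('evil!');&lt;/script&gt;</div>}

# Stand-in for the pre-0.4.6 behaviour: parse the markup and return the
# concatenated text nodes. REXML::Text#value is the *decoded* text, so
# `&lt;script&gt;` in the source comes back as `<script>`.
def strip_tags_unencoded(html)
  doc = REXML::Document.new(html)
  REXML::XPath.match(doc, '//text()').map(&:value).join
end

# Stand-in for the 0.4.6 fix: identical tag stripping, but the decoded text
# is escaped again before it is returned, so inserting it into HTML cannot
# reintroduce the element that was encoded in the input.
def strip_tags_encoded(html)
  CGI.escapeHTML(strip_tags_unencoded(html))
end

# A view helper that interpolates stripped text straight into a template,
# as an application trusting strip_tags for XSS protection would (constructed).
def render_comment(stripped)
  "<p class=\"comment\">#{stripped}</p>"
end

# Detection check for the rendered output: does a real script element appear?
def contains_live_script?(rendered)
  rendered.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment(strip_tags_unencoded(SAMPLE)) # live <script> element
  puts render_comment(strip_tags_encoded(SAMPLE))   # still entity-encoded
end
```

Run directly, the first line printed contains an executable script element although the input never had one; the second keeps it as inert text. The general rule the example shows is that "text content" of a parsed document is already decoded, so any tag-stripping helper whose output may end up in HTML has to escape on the way out.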