[Security] [ANN] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6


Mike Dalessio

[Note: parts of this message were removed to make it a legal post.]

Synopsis
----------

Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).

However, Loofah::XssFoliate's default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that the following
input:

&lt;script&gt;alert('evil!');&lt;/script&gt;

would be rendered as

<script>alert('evil!');</script>

Fail.
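As an added illustration (not Loofah's code and not part of the original post), the following Ruby models the behaviour described above using only the standard library: `inner_text` stands in for Nokogiri's inner_text (decoding character references, with a naive tag regex), and `CGI.escapeHTML` stands in for the `encode_special_chars` call that 0.4.6 adds. The sample inputs are constructed.

```ruby
require "cgi"

# Constructed sample inputs. The first is the advisory's own shape: a
# script tag whose angle brackets arrive entity-encoded.
ENCODED_SCRIPT = "&lt;script&gt;alert('evil!');&lt;/script&gt;"
MIXED_MARKUP   = "<b>bold</b> &amp; <i>x</i>"

# Emulates what a parser's #inner_text returns: tags are dropped and
# character references are decoded into the characters they stand for.
# Stand-in for Loofah's xpath("/html/body").inner_text; not Loofah code,
# and the tag regex is deliberately naive so this runs on stdlib alone.
def inner_text(html)
  CGI.unescapeHTML(html.gsub(/<[^>]*>/, ""))
end

# strip_tags as the synopsis describes it before 0.4.6: the decoded text
# is returned unchanged, so "&lt;script&gt;" comes back as a live tag.
def strip_tags_before_0_4_6(html)
  inner_text(html)
end

# strip_tags after the fix: the decoded text is re-encoded before being
# handed back, so it is inert when placed into an HTML context.
def strip_tags_0_4_6(html)
  CGI.escapeHTML(inner_text(html))
end

# Defensive check a caller can apply to any sanitizer output that is
# about to be written into HTML: no raw markup characters may remain.
def safe_for_html_context?(text)
  !text.match?(/[<>"']/)
end

if $PROGRAM_NAME == __FILE__
  puts strip_tags_before_0_4_6(ENCODED_SCRIPT) # <script>alert('evil!');</script>
  puts strip_tags_0_4_6(ENCODED_SCRIPT)        # &lt;script&gt;alert(&#39;evil!&#39;);&lt;/script&gt;
end
```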


Impact
----------

Applications relying on Loofah::XssFoliate or Loofah::Helpers#strip_tags
for XSS protection are vulnerable to attacks.

Versions Affected: All versions prior to 0.4.6
Not affected: Applications which do not use Loofah::XssFoliate or
Loofah::Helpers#strip_tags
Fixed Version: 0.4.6

This vulnerability was reported on 1 Feb 2010 and was fixed on 2 Feb 2010.


Releases
----------

Loofah 0.4.6 is available on gemcutter and rubyforge now. Patch is below.


Credits
----------

Thanks to Mike Schubert and Sam Pierson for reporting the
vulnerability, and Aaron Patterson for providing the fix.


Release Notes
----------

* <http://github.com/flavorjones/loofah>
* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>

Loofah is a general library for manipulating HTML/XML documents and
fragments. It's built on top of Nokogiri and libxml2, so it's fast and
has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure. (These statements have
not been evaluated by Netexperts.)

## 0.4.6 (2010-02-02)

Enhancements:

* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now
escape HTML entities.

Bug fixes:

* Loofah::XssFoliate was not properly escaping HTML entities when
implicitly scrubbing a string attribute. GH #17


Patch
----------

diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb
index 30b8b9f..b7ffa20 100644
--- a/lib/loofah/html/document.rb
+++ b/lib/loofah/html/document.rb
@@ -10,10 +10,11 @@ module Loofah
include Loofah::DocumentDecorator

#
- # Returns a plain-text version of the markup contained by the
document
+ # Returns a plain-text version of the markup contained by the
document,
+ # with HTML entities encoded.
#
def text
- xpath("/html/body").inner_text
+ encode_special_chars xpath("/html/body").inner_text
end
alias :inner_text :text
alias :to_str :text
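Review bot: the hunk changes behaviour (inner_text is now wrapped in encode_special_chars) but carries no regression test; add one asserting that a document built from the synopsis input `&lt;script&gt;alert('evil!');&lt;/script&gt;` no longer yields a live `<script>` tag from #text. The synopsis also says #text was intended for non-HTML contexts, so the new comment should mention that callers who still need decoded text can use `xpath("/html/body").inner_text` directly rather than silently getting encoded output. Note too that the comment lines of this hunk have been wrapped by the mailer (`# Returns a plain-text version of the markup contained by the` / `document`), so the patch as pasted will not apply with `git apply`; take the commit from the GitHub repository linked in the release notes instead.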
diff --git a/lib/loofah/html/document_fragment.rb
b/lib/loofah/html/document_fragment.rb
index feed705..9c023af 100644
--- a/lib/loofah/html/document_fragment.rb
+++ b/lib/loofah/html/document_fragment.rb
@@ -28,10 +26,11 @@ module Loofah
alias :serialize :to_s

#
- # Returns a plain-text version of the markup contained by the
fragment
+ # Returns a plain-text version of the markup contained by the
fragment,
+ # with HTML entities encoded.
#
def text
- serialize_roots.children.inner_text
+ encode_special_chars serialize_roots.children.inner_text
end
alias :inner_text :text
alias :to_str :text
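Review bot: the header `@@ -28,10 +26,11 @@` starts the old and new ranges at different lines, so something above this hunk was removed in the same commit and is not shown here; the posted patch is an excerpt and reviewers should read the full commit for the omitted change. As with the Document hunk, add a regression test on the fragment path, since the Impact section names Loofah::Helpers#strip_tags as an affected entry point and the same mailer line-wrapping applies to this hunk's comment lines.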