
Use of strings.ToLower() incorrectly escapes chars and allows for insertion of scripts #56

Closed
grafana-dee opened this issue Dec 22, 2017 · 0 comments

Comments

@grafana-dee
Contributor

Reported by email:

package main

import (
	"fmt"

	"github.com/microcosm-cc/bluemonday"
)

func TestEncoding() {
	p := bluemonday.NewPolicy()

	original := "<scr\u0130pt>&lt;script>alert(/XSS/)&lt;/script>"
	html := p.Sanitize(original)

	// Output:
	// Original: <scrİpt>&lt;script>alert(/XSS/)&lt;/script>
	// Sanitized: <script>alert(/XSS/)</script>
	fmt.Printf("Original: %s\nSanitized: %s\n",
		original, html)
}

func main() {
	TestEncoding()
}

Note that this is more severe than even the original reporter realised as this works on the NewPolicy which is a blank policy.

An explanation was provided:

This one occurs because you don't escape script/style tag contents:
https://github.com/microcosm-cc/bluemonday/blob/master/sanitize.go#L219-L228
The trick is using the symbol \u0130 (İ), which strings.ToLower converts to i; how to find it: https://play.golang.org/p/jDMRCSNigR7

Investigation reveals that strings.ToLower() was not even required, and could be omitted which results in the expected (safe) behaviour.

A change is coming in a moment.

Credit to Yandex and @buglloc for reporting this.
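The false match behind this issue, shown as an added example that is not bluemonday's own code: strings.ToLower applies the full Unicode lowercase mapping, under which U+0130 becomes the ASCII letter i, so a tag name that is not "script" compares equal to it after lowering. HTML tag names are matched ASCII-case-insensitively, so an ASCII-only lowering (asciiLower below, a helper written for this example) can never produce that collision. The function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases only the bytes A-Z, which is the normalisation
// HTML applies to tag names. Any non-ASCII rune is left untouched, so a
// name containing one can never collapse onto an ASCII keyword.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// isRawTextUnsafe mirrors the vulnerable check: full Unicode lowering
// before comparing, so "scr\u0130pt" is treated as a <script> tag.
func isRawTextUnsafe(tag string) bool {
	l := strings.ToLower(tag)
	return l == "script" || l == "style"
}

// isRawTextSafe compares after ASCII-only lowering; "scr\u0130pt" stays
// a distinct (and harmless) tag name.
func isRawTextSafe(tag string) bool {
	l := asciiLower(tag)
	return l == "script" || l == "style"
}

func main() {
	// Constructed sample tag names, including the U+0130 trick from the report.
	for _, tag := range []string{"script", "SCRIPT", "scr\u0130pt", "span"} {
		fmt.Printf("%-8q unicode-lower match=%-5v ascii-lower match=%v\n",
			tag, isRawTextUnsafe(tag), isRawTextSafe(tag))
	}
}
```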

grafana-dee pushed a commit that referenced this issue Dec 22, 2017
Resolves #56 strings.ToLower() results in false match
grafana-dee pushed a commit that referenced this issue Mar 27, 2021
A regression of #56 occurred in which the use of ToLower allowed a
Cyrillic upper-case I to be sanitised to a standard ASCII i and
this would then permit SCRIPT tags to be injected.