Merge branch 'advisory-fix-1'

mganss · mganss · commit ab29319866c0 · 2023-10-04T16:26:07.000+02:00
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -453,6 +453,10 @@ private void RemoveComments(INode context)
         {
             foreach (var comment in GetAllNodes(context).OfType<IComment>().ToList())
             {
+                var escapedText = comment.TextContent.Replace("<", "&lt;").Replace(">", "&gt;");
+                if (escapedText != comment.TextContent)
+                    comment.TextContent = escapedText;
+
                 var e = new RemovingCommentEventArgs(comment);
                 OnRemovingComment(e);
 
@@ -463,6 +467,16 @@ private void RemoveComments(INode context)
 
         private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
         {
+            // always encode text in raw data content
+            foreach (var tag in context.QuerySelectorAll("*").Where(t => t.Flags.HasFlag(NodeFlags.LiteralText) && !string.IsNullOrWhiteSpace(t.InnerHtml)))
+            {
+                var escapedHtml = tag.InnerHtml.Replace("<", "&lt;").Replace(">", "&gt;");
+                if (escapedHtml != tag.InnerHtml)
+                    tag.InnerHtml = escapedHtml;
+                if (tag.InnerHtml != escapedHtml) // setting InnerHtml does not work for noscript
+                    tag.SetInnerText(escapedHtml);
+            }
+
             // remove disallowed tags
             foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
             {
diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3248,7 +3248,7 @@ public void StyleByPassTest()
         var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
 
         // Assert
-        Assert.Equal("aaabc<style>x[x=\"\\3c/style>\\3cimg src onerror=alert(1)>\"] { }</style>", sanitized);
+        Assert.Equal("aaabc<style>x[x=\"\\3c/style&gt;\\3cimg src onerror=alert(1)&gt;\"] { }</style>", sanitized);
     }
 
     [Fact]
@@ -3497,4 +3497,59 @@ public void Number469Test()
         var sanitized = sanitizer.Sanitize(html);
         Assert.Equal(@"<div style=""height: 0; background-image: url(&quot;https://example.com/1.jpg&quot;), url(&quot;https://example.com/2.jpg&quot;), url(&quot;https://example.com/3.jpg&quot;); display: none""></div>", sanitized);
     }
+
+    [Fact]
+    public void BypassTest()
+    {
+        var sanitizer = new HtmlSanitizer();
+        sanitizer.AllowedTags.Add("svg");
+        sanitizer.AllowedTags.Add("title");
+        sanitizer.AllowedTags.Add("xmp");
+        var bypass = @"<svg></p><title><xmp></title><img src=x onerror=alert(1)></xmp></title>";
+        var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
+        var expected = @"<svg><p></p><title><xmp>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;</xmp></title></svg>";
+        Assert.Equal(expected, sanitized);
+    }
+
+    [Fact]
+    public void Bypass2Test()
+    {
+        var sanitizer = new HtmlSanitizer();
+        sanitizer.AllowedTags.Add("form");
+        sanitizer.AllowedTags.Add("math");
+        sanitizer.AllowedTags.Add("mtext");
+        sanitizer.AllowedTags.Add("mglyph");
+        sanitizer.AllowedTags.Add("xmp");
+        var bypass = @"<form><math><mtext></form><form><mglyph><xmp></math><img src onerror=alert(1)>";
+        var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
+        var expected = @"<form><math><mtext><form><mglyph><xmp>&lt;/math&gt;&lt;img src onerror=alert(1)&gt;</xmp></mglyph></form></mtext></math></form>";
+        Assert.Equal(expected, sanitized);
+    }
+
+    [Fact]
+    public void Bypass3Test()
+    {
+        var sanitizer = new HtmlSanitizer();
+        sanitizer.AllowedTags.Add("svg");
+        sanitizer.AllowedTags.Add("title");
+        sanitizer.AllowedTags.Add("noscript");
+        var bypass = @"<svg></p><title><noscript></title><img src=x onerror=alert(1)></noscript></title>";
+        var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
+        var expected = "<svg><p></p><title><noscript>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;</noscript></title></svg>";
+        Assert.Equal(expected, sanitized);
+    }
+
+    [Fact]
+    public void Bypass4Test()
+    {
+        var sanitizer = new HtmlSanitizer();
+        sanitizer.AllowedTags.Add("svg");
+        sanitizer.AllowedTags.Add("p");
+        sanitizer.AllowedTags.Add("style");
+        sanitizer.RemovingComment += (s, e) => e.Cancel = true;
+        var bypass = @"<svg></p><style><!--</style><img src=x onerror=alert(1)>-->";
+        var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
+        var expected = "<svg><p></p><style><!--&lt;/style&gt;&lt;img src=x onerror=alert(1)&gt;--></style></svg>";
+        Assert.Equal(expected, sanitized);
+    }
 }
