Comments (2)
Hi @stefannibrasil! This looks like a change upstream in libxml2
- upstream issue https://gitlab.gnome.org/GNOME/libxml2/-/issues/321
- upstream commit https://gitlab.gnome.org/GNOME/libxml2/-/commit/76d6b0d768d4e60a2d2844d55def120257ab6c6e
The maintainer calls out that $
, [
, and ]
should not have been escaped, and are no longer as of libxml2 v2.11.0, which shipped in Nokogiri v1.15.0.
Unfortunately, since this is libxml2's behavior, it's not easy for nokogiri or loofah to change that behavior.
Can you help me understand why you think escaping that character is useful for security/sanitization?
from loofah.
Ahhh, thank you very much for the context, that's really helpful. So many things to learn 📚
Can you help me understand why you think escaping that character is useful for security/sanitization?
This was totally a misunderstanding on my end. I was reading OWASP cheat sheet where it mentions:
“HTML Context” refers to inserting a variable between two basic HTML tags like a <div> or <b>. For example..
<div> $varUnsafe </div>
An attacker could modify data that is rendered as $varUnsafe. This could lead to an attack being added to a webpage.. for example.
<div> <script>alert`1`</script> </div> // Example Attack
In order to add a variable to a HTML context safely, use HTML entity encoding for that variable as you add it to a web template.
However, the sanitized HTML would strip out the script
tag anyway, so <div> $varUnsafe </div>
would not be a security risk. Only if used solely without any previous sanitation.
I had a test that asserted characters with $
would be escaped but reading the docs you shared, I realize now it's not a security risk. Thank you so much for sharing. I will close this issue and move on with upgrading Nokogiri's 👀
from loofah.
Related Issues (20)
- A whitespace handling change in v2.9.0 is breaking a test in our code HOT 1
- `#text` should only render HTML elements HOT 1
- explore testing with the portswigger xss cheat sheet exploits
- `#to_text` doesn't handle `<br>` elements well. HOT 4
- Adding sms to ACCEPTABLE_PROTOCOLS HOT 3
- tests fail with latest versions of dependencies HOT 1
- Loofah removes HOT 3
- HTML5 empty attributes are being scrubbed HOT 5
- CSS Scrubber is removing the builtin extended CSS color properties in `>= v2.9.0` HOT 5
- RFC: should Loofah sanitize `<style>` tag contents HOT 2
- Preserving emails that look like tags HOT 2
- loofah issue with recent CVE release HOT 2
- unclosed html tags are also being pruned off, ideal expectation is to have only closed tags pruned HOT 12
- Getting errors using Nokogiri < 1.12 HOT 11
- pass encode_special_chars to to_s HOT 1
- Whitespace Added around "/" in CSS HOT 3
- Add scrub to append `target=_blank` to all links HOT 3
- feat: encapsulate some whitespace-handling into a scrubber (or scrubbers) HOT 3
- placeholder: when Nokogiri 1.17 is released, use the `parse_noscript_content_as_text` option by default
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from loofah.