
Commit 1c9f72a

committed
1.6.3
1 parent 470e266 commit 1c9f72a

3 files changed

+74
-2
lines changed


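--- a/lib/phlex/sgml.rb
+++ b/lib/phlex/sgml.rb
@@ -277,7 +277,7 @@ def capture(&block)
 end
 
 lower_name = name.downcase
-next if lower_name == "href" && v.start_with?(/\s*javascript:/i)
+next if lower_name == "href" && v.to_s.downcase.tr("\t \n", "").start_with?("javascript:")
 
 # Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters.
 if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/)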
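Review bot: The new `href` check at line 280 strips tab, space and newline before comparing, but not carriage return, which browsers also remove from a URL before resolving it, so a `javascript:` value containing `\r` is still written out while the equivalent `\t` and `\n` cases are now rejected; `delete` with the complete set also reads more directly than `tr` with an empty replacement: `next if lower_name == "href" && v.to_s.downcase.delete("\t\n\r ").start_with?("javascript:")`. Browsers additionally trim leading and trailing C0 control characters from a URL, so it may be worth stripping leading controls as a class (for example `sub(/\A[\x00-\x20]+/, "")`) rather than enumerating three of them. The new cases in test/phlex/view/naughty_business.rb cover tab, newline and space only; a matching carriage-return `with` block would pin the fix. The attribute loop this line belongs to starts and ends outside the hunk.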

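--- a/lib/phlex/version.rb
+++ b/lib/phlex/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Phlex
-VERSION = "1.6.2"
+VERSION = "1.6.3"
 end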

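--- a/test/phlex/view/naughty_business.rb
+++ b/test/phlex/view/naughty_business.rb
@@ -85,6 +85,78 @@ def template
 end
 end
 
+with "naughty javascript link protocol with a hidden tab character" do
+view do
+def template
+a(href: "\tjavascript:alert(1)") { "XSS" }
+a(href: "j\tavascript:alert(1)") { "XSS" }
+a(href: "ja\tvascript:alert(1)") { "XSS" }
+a(href: "jav\tascript:alert(1)") { "XSS" }
+a(href: "java\tscript:alert(1)") { "XSS" }
+a(href: "javas\tcript:alert(1)") { "XSS" }
+a(href: "javasc\tript:alert(1)") { "XSS" }
+a(href: "javascr\tipt:alert(1)") { "XSS" }
+a(href: "javascri\tpt:alert(1)") { "XSS" }
+a(href: "javascrip\tt:alert(1)") { "XSS" }
+a(href: "javascript\t:alert(1)") { "XSS" }
+a(href: "javascript:\talert(1)") { "XSS" }
+end
+end
+
+it "strips the javascript protocol" do
+expect(output.scan("<a>").size).to be == 12
+expect(output.scan("href").size).to be == 0
+end
+end
+
+with "naughty javascript link protocol with a hidden newline character" do
+view do
+def template
+a(href: "\njavascript:alert(1)") { "XSS" }
+a(href: "j\navascript:alert(1)") { "XSS" }
+a(href: "ja\nvascript:alert(1)") { "XSS" }
+a(href: "jav\nascript:alert(1)") { "XSS" }
+a(href: "java\nscript:alert(1)") { "XSS" }
+a(href: "javas\ncript:alert(1)") { "XSS" }
+a(href: "javasc\nript:alert(1)") { "XSS" }
+a(href: "javascr\nipt:alert(1)") { "XSS" }
+a(href: "javascri\npt:alert(1)") { "XSS" }
+a(href: "javascrip\nt:alert(1)") { "XSS" }
+a(href: "javascript\n:alert(1)") { "XSS" }
+a(href: "javascript:\nalert(1)") { "XSS" }
+end
+end
+
+it "strips the javascript protocol" do
+expect(output.scan("<a>").size).to be == 12
+expect(output.scan("href").size).to be == 0
+end
+end
+
+with "naughty javascript link protocol with a hidden whitespace character" do
+view do
+def template
+a(href: " javascript:alert(1)") { "XSS" }
+a(href: "j avascript:alert(1)") { "XSS" }
+a(href: "ja vascript:alert(1)") { "XSS" }
+a(href: "jav ascript:alert(1)") { "XSS" }
+a(href: "java script:alert(1)") { "XSS" }
+a(href: "javas cript:alert(1)") { "XSS" }
+a(href: "javasc ript:alert(1)") { "XSS" }
+a(href: "javascr ipt:alert(1)") { "XSS" }
+a(href: "javascri pt:alert(1)") { "XSS" }
+a(href: "javascrip t:alert(1)") { "XSS" }
+a(href: "javascript :alert(1)") { "XSS" }
+a(href: "javascript: alert(1)") { "XSS" }
+end
+end
+
+it "strips the javascript protocol" do
+expect(output.scan("<a>").size).to be == 12
+expect(output.scan("href").size).to be == 0
+end
+end
+
 Phlex::HTML::EVENT_ATTRIBUTES.each_key do |event_attribute|
 with "with naughty #{event_attribute} attribute" do
 naughty_attributes = { event_attribute => "alert(1);" }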
