Open cianmce opened 6 years ago
CVE-2018-1000160 can be used to track this issue
@cianmce I am curious. Which CNA assigned this CVE?
@vdeturckheim Any CVE that is 7 digits the CNA will be DWF. You can also see the assigning CNA on CVE's web site as of earlier this year:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000160
Distributed Weakness Filing Project
@attritionorg good catch thanks.
I found multiple XSS Attack vectors that aren't caught by the
isXss
function: https://github.com/RisingStack/protect/blob/60b0c91e86686d34e5202419ce9ae7e8dc08edcd/lib/rules/xss.js#L4-L13tl;dr
Don't use regex's for sanitization of HTML but if you are, then at least strip out all tags with something like:
But with even this, I'd imagine a carefully constructed XSS vector could get around it I'd advise:
As discussed in many posts e.g.
Regular expressions are not a valid approach when dealing with a more complicated language(especially when browsers support dirty HTML)
For example, here are 26 valid XSS attack vectors that are all reported as
false
Attack Vectors
Proof Of Concept
These have been tested on the current function, the updated function to test for any tags, being escaped and being set using the text attribute. The results can be seen here: http://embed.plnkr.co/xHbhB29JWWyMUMeHsLrm
I'm sure there are many other edge cases I haven't thought of yet or that haven't been developed by browsers yet.
If you insist on using regex, here's a good list + just remove any tag https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.json