libo26 / feedparser

Automatically exported from code.google.com/p/feedparser
Other

html sanitisation can be bypassed with malformed comments #254

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

If I have in an atom feed something like this -->

<title type="html">@X &lt!-- --%20 &gt  
&lt;script&gt;alert(1);&lt;/script&gt;</title>

feedparser will end up with output like this ->

<!-- --%20 >  <script>alert(1);</script>

and this will mean that (at least in Firefox 3.6) when viewed the user could get XSSed.

Original issue reported on code.google.com by db.pub.m...@gmail.com on 15 Feb 2011 at 11:00
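Added example (not feedparser's code, and not the patch attached to this issue): the report above hinges on a sanitiser that strips only comments it can parse and passes anything else through untouched, so a comment that never closes the way the parser expects reaches the browser raw. The block contrasts that failure mode with an escape-what-you-cannot-parse sanitiser built on Python's standard `html.parser`, and adds a round-trip check that re-parses the sanitiser output to make sure no non-whitelisted tag or comment survived. `REPORT_INPUT` is the entity-decoded form of the `<title>` from the report; `ALLOWED_TAGS`, `naive_strip`, `EscapingSanitizer`, `sanitize` and `leaks_markup` are names chosen here, not feedparser APIs.

```python
"""Added example (not feedparser code): escape-what-you-cannot-parse
sanitiser plus a round-trip check, run on the constructed input that
reproduces the decoded <title> from the bug report above."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br"}   # assumed whitelist
DROP_WITH_CONTENT = {"script", "style"}                # tag and body both go

# Constructed input: the decoded form of the report's atom <title>.
REPORT_INPUT = '<!-- --%20 >  <script>alert(1);</script>'


def naive_strip(html):
    """Failure mode seen in the report: remove only comments that close with
    a well-formed '-->' and let everything else through unchanged. The
    malformed comment never matches, so the whole string is emitted raw."""
    return re.sub(r"<!--.*?-->", "", html, flags=re.S)


class EscapingSanitizer(HTMLParser):
    """Whitelist sanitiser: allowed tags are re-serialised without their
    attributes, comments and declarations are dropped, and any text the
    parser could not turn into a tag or comment reaches handle_data and is
    escaped rather than passed through raw."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"<{tag} />")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    # Everything below is discarded: nothing unparsed may reach the output.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass


def sanitize(html):
    p = EscapingSanitizer()
    p.feed(html)
    p.close()  # flushes constructs that never closed; skipping this drops them silently
    return "".join(p.out)


class TagCollector(HTMLParser):
    """Records every start tag and comment the parser sees in a string."""

    def __init__(self):
        super().__init__()
        self.tags, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_comment(self, data):
        self.comments.append(data)


def leaks_markup(html):
    """Re-parse sanitiser output and report whether any non-whitelisted tag
    or any comment survives. This uses the same parser family as the
    sanitiser, so it catches pass-through bugs, not browser/parser quirks."""
    c = TagCollector()
    c.feed(html)
    c.close()
    return any(t not in ALLOWED_TAGS for t in c.tags) or bool(c.comments)


if __name__ == "__main__":
    for name, fn in (("naive_strip", naive_strip), ("sanitize", sanitize)):
        out = fn(REPORT_INPUT)
        print(f"{name:12s} leaks={leaks_markup(out)!s:5s} {out!r}")
```

The design point is the `handle_data` path: `html.parser` hands any run of bytes it could not parse as a construct to `handle_data`, and the sanitiser escapes that unconditionally, so a comment that never closes cannot be re-emitted as markup. The round-trip check is a regression guard for the sanitiser's own behaviour only; because the report's bypass relied on Firefox closing the comment at a bare `>` where the sanitiser did not, the lasting defence is that unparseable input is escaped, not that a second parse of the output looks clean.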

GoogleCodeExporter commented 9 years ago
Excellent work! I'm attaching a very simple document that demonstrates the issue. I expect to look at this issue after finishing revising the unit tests.

Original comment by kurtmckee on 16 Feb 2011 at 1:59


GoogleCodeExporter commented 9 years ago
Booyah! Less than 24 hours to create a potential fix! (No promises that I can always do something like that.)

I'm attaching a candidate patch that fixes the issue, as well as two well-formed test files that ensure full test coverage of the patch. Please test the patch and see if it fixes the sgmllib comment parsing bug you're seeing. If so, I'll work with Ade to create a security release.

All tests pass in Python 2.4 through 3.1, so there isn't a known regression with this patch.

Original comment by kurtmckee on 16 Feb 2011 at 8:53


GoogleCodeExporter commented 9 years ago
Awesome!

Original comment by db.pub.m...@gmail.com on 16 Feb 2011 at 9:27

GoogleCodeExporter commented 9 years ago
This is fixed in revision 375.

Original comment by kurtmckee on 20 Feb 2011 at 8:53