microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Regression of #56 - strings.ToLower allows input of SCRIPT tag #111

Closed buro9 closed 3 years ago

buro9 commented 3 years ago

Reported by @Ry0taK at 2021-03-27T01:00

I'm a security researcher who has been fuzzing famous XSS sanitizers.

While fuzzing the sanitizers, my fuzzer triggered an alert that shows bluemonday is vulnerable to bypass. After some checks, I confirmed that this is a vulnerability, so I'm reporting it here.

While checking the issues on the bluemonday repository, I realized that this is the same issue as https://github.com/microcosm-cc/bluemonday/issues/56 (which must have been resolved already, as it's closed). As there is no doubt this vulnerability was reintroduced somewhere in a previous commit, I decided to find it. It was this commit that added the vulnerable code again: https://github.com/microcosm-cc/bluemonday/commit/876b4780bed1f83d4556865fead6765d72178ca7#diff-c62e8d687f2dd220893e9990667b682f3261099565c254e3d236178f07729920 (it has now moved here: https://github.com/microcosm-cc/bluemonday/blob/22ed3129fd968e326c5c15faef11b72dd7e65c95/sanitize.go#L232 )

To reproduce this, please use the following steps:

  1. Download the attached bluemonday.zip
  2. Extract it.
  3. Run test.go: "go run test.go"
  4. Sanitization bypass will be shown.

If you are going to fix this issue, please let me know. I can assign a CVE to notify users of this issue.

Best regards, RyotaK

bluemonkey.zip
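The case-mapping mismatch behind the issue title, as an added illustration that is not part of the issue or of the bluemonday code base: Go's `strings.ToLower` applies Unicode simple case mappings, so U+0130 (LATIN CAPITAL LETTER I WITH DOT ABOVE) lowercases to plain `i`, whereas HTML tokenizers and browsers match element names ASCII-case-insensitively only. The `rawTextElements` map and the two comparison functions are hypothetical stand-ins for a sanitizer's tag-name check, assumed here to show why an ASCII-only lowercase is the safe normalisation.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases only A-Z, mirroring how an HTML tokenizer normalises
// tag names: non-ASCII letters are left untouched and so stay distinct.
func asciiLower(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for _, r := range s {
		if r >= 'A' && r <= 'Z' {
			r += 'a' - 'A'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// rawTextElements (hypothetical) names the elements whose text content a
// sanitizer treats specially and must therefore identify exactly.
var rawTextElements = map[string]bool{"script": true, "style": true}

// isRawTextUnicode is the flawed check: strings.ToLower uses Unicode case
// mappings, so a name no browser treats as <script> still compares equal.
func isRawTextUnicode(tagName string) bool {
	return rawTextElements[strings.ToLower(tagName)]
}

// isRawTextASCII is the corrected check using ASCII-only lowercasing.
func isRawTextASCII(tagName string) bool {
	return rawTextElements[asciiLower(tagName)]
}

func main() {
	// Constructed sample tag names; the last one contains U+0130.
	for _, name := range []string{"script", "SCRIPT", "SCR\u0130PT"} {
		fmt.Printf("%-12q ToLower=%-5v asciiLower=%v\n",
			name, isRawTextUnicode(name), isRawTextASCII(name))
	}
}
```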