microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

[invalid] UGCPolicy does not strip attributes on links #90

Closed akasandra closed 5 years ago

akasandra commented 5 years ago

I am not sure whether this behavior is intended or not, but if you try to sanitize the following string with UGCPolicy:

<p><a href="https://domain.xss.com/" target="_blank" onblur="alert('XSS2')">XSS<a></p><p><strong>I am bold</strong> I am regular</p>

You get a result:

<p><a href="https://domain.cssx.com/" target="_blank" onblur="alert('XSS2')">XSS<a></p><p><strong>I am bold</strong> I am regular</p>

It does add rel=nofollow to the link, but it does not strip the onblur (or onmouseover) javascript event handlers, resulting in code execution; it does not strip the target attribute.

Looking at the source of func UGCPolicy(), I see there is no way for me to fix this behavior. Is this really okay?

grafana-dee commented 5 years ago

I get this:

<p><a href="https://domain.xss.com/" rel="nofollow">XSS</p><p><strong>I am bold</strong> I am regular</p>

Do you have your code to show? Just the bit where you set up the policy, call it and set the return value.

Mine in totality:

package main

import (
    "fmt"

    "github.com/microcosm-cc/bluemonday"
)

func main() {
    // Define a policy, we are using the UGC policy as a base.
    p := bluemonday.UGCPolicy()

    // The exact input from the report above.
    s := `<p><a href="https://domain.xss.com/" target="_blank" onblur="alert('XSS2')">XSS<a></p><p><strong>I am bold</strong> I am regular</p>`

    // Apply the policy and write to stdout
    fmt.Println(p.Sanitize(s))
}
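To show what the output in the reply above is doing, here is an added example (not bluemonday's code and not from anyone in this thread) of the allowlist approach a UGC-style policy takes on `<a>`: only named attributes survive (here a constructed allowlist of `href` and `title`), the `href` scheme must be on a constructed scheme allowlist, everything else including `target` and any `on*` handler is dropped, and `rel="nofollow"` is appended. Nothing is denylisted by name, which is why new event-handler attributes cannot slip through. The helper is hypothetical, uses only the standard library, assumes double-quoted attributes, and only rewrites `<a ...>` start tags; it does not repair malformed markup, so the unclosed `<a>` from the report is left as-is rather than being closed the way bluemonday's tokenizer does.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed allowlist in the spirit of a UGC policy: only these attributes
// are kept on <a>. target, onblur, onmouseover, ... are not listed, so they go.
var allowedAnchorAttrs = map[string]bool{"href": true, "title": true}

// Constructed scheme allowlist for href; javascript:, data:, vbscript: are not listed.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// anchorTag matches an <a ...> start tag with at least one attribute.
// Assumption: attributes are double-quoted and contain no '>'.
var anchorTag = regexp.MustCompile(`(?i)<a\s+([^>]*)>`)

// attrPair extracts name="value" pairs from the attribute string.
var attrPair = regexp.MustCompile(`([A-Za-z][A-Za-z0-9:-]*)\s*=\s*"([^"]*)"`)

// safeURL reports whether an href value is relative or uses an allowlisted scheme.
func safeURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // relative link such as /about
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// SanitizeAnchors rewrites every <a ...> start tag in s, keeping only
// allowlisted attributes (with a safe href), and appends rel="nofollow".
// This is a hypothetical illustration of the allowlist idea, not a full sanitizer.
func SanitizeAnchors(s string) string {
	return anchorTag.ReplaceAllStringFunc(s, func(tag string) string {
		m := anchorTag.FindStringSubmatch(tag)
		var kept []string
		for _, a := range attrPair.FindAllStringSubmatch(m[1], -1) {
			name, val := strings.ToLower(a[1]), a[2]
			if !allowedAnchorAttrs[name] {
				continue // drops target="_blank", onblur="...", and any other on* handler
			}
			if name == "href" && !safeURL(val) {
				continue // drops javascript: and other non-allowlisted schemes
			}
			// Re-escape the value so a crafted value cannot break out of the attribute.
			kept = append(kept, fmt.Sprintf(`%s="%s"`, name, html.EscapeString(val)))
		}
		kept = append(kept, `rel="nofollow"`)
		return "<a " + strings.Join(kept, " ") + ">"
	})
}

func main() {
	// Constructed input: the exact string from the report above.
	in := `<p><a href="https://domain.xss.com/" target="_blank" onblur="alert('XSS2')">XSS<a></p><p><strong>I am bold</strong> I am regular</p>`
	fmt.Println(SanitizeAnchors(in))
	// Constructed input: a link whose scheme is not on the allowlist.
	fmt.Println(SanitizeAnchors(`<a href="javascript:alert(1)" title="x">y</a>`))
}
```

Running it prints the first link as `<a href="https://domain.xss.com/" rel="nofollow">` and the second as `<a title="x" rel="nofollow">`, which is the same shape as the output in the reply above; the difference in how the stray `<a>` is closed comes from bluemonday parsing the document with a real tokenizer rather than rewriting tags in place.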

akasandra commented 5 years ago

Seems like I checked the wrong version of my own app. Thanks.