fix($sanitize): sanitize xml:base attributes

On Firefox there is an XSS vulnerability if a malicious attacker
can write into the `xml:base` attribute on an SVG anchor.

Thanks to Masato Kinugawa at Cure23
This commit is contained in:
Peter Bacon Darwin
2018-01-06 18:23:14 +00:00
committed by Martin Staffa
parent c7bea44107
commit b86876c4a2
2 changed files with 10 additions and 1 deletions
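--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -269,7 +269,7 @@ function $SanitizeProvider()
 optionalEndTagElements);
 //Attributes that have href and hence need to be sanitized
-var uriAttrs = toMap('background,cite,href,longdesc,src,xlink:href');
+var uriAttrs = toMap('background,cite,href,longdesc,src,xlink:href,xml:base');
 var htmlAttrs = toMap('abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,' +
 'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,' +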
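Review bot: The comment directly above the changed `uriAttrs` line still says "Attributes that have href", which no longer describes the list once `xml:base` is in it — `xml:base` is not a link itself but a base URI that changes how relative `href` values on descendants resolve, which is exactly why it needs URI sanitization. Suggest `// Attributes whose values are URIs, or (xml:base) rebase other URIs, and so must be URI-sanitized`. Because `xml:base` can sit on any ancestor of an SVG `<a>` rather than on the anchor only, a test placing it on the `<svg>` or `<g>` element would show the check is by attribute name irrespective of element, which appears to be how `uriAttrs` is consumed but that lookup is outside this hunk. `$SanitizeProvider` starts and ends outside the hunk.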
+9
@@ -327,6 +327,15 @@ describe('HTML', function() {
'<svg xmlns="http://www.w3.org/2000/svg"><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://example.com"></a></svg>');
});
it('should sanitize SVG xml:base attribute values', function() {
expectHTML('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="javascript:alert(1)//" href="#"></a></svg>')
.toEqual('<svg xmlns="http://www.w3.org/2000/svg"><a href="#"></a></svg>');
expectHTML('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="https://example.com" href="#"></a></svg>')
.toEqual('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="https://example.com" href="#"></a></svg>');
});
it('should sanitize unknown namespaced SVG attributes', function() {
expectHTML('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:foo="javascript:alert()"></a></svg>')
.toBeOneOf('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a></a></svg>',