fix($sanitize): sanitize xml:base attributes
On Firefox there is a XSS vulnerability if a malicious attacker can write into the `xml:base` attribute on an SVG anchor. Thanks to Masato Kinugawa at Cure23
This commit is contained in:
committed by
Martin Staffa
parent
c7bea44107
commit
b86876c4a2
@@ -269,7 +269,7 @@ function $SanitizeProvider() {
|
||||
optionalEndTagElements);
|
||||
|
||||
//Attributes that have href and hence need to be sanitized
|
||||
var uriAttrs = toMap('background,cite,href,longdesc,src,xlink:href');
|
||||
var uriAttrs = toMap('background,cite,href,longdesc,src,xlink:href,xml:base');
|
||||
|
||||
var htmlAttrs = toMap('abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,' +
|
||||
'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,' +
|
||||
|
||||
@@ -327,6 +327,15 @@ describe('HTML', function() {
|
||||
'<svg xmlns="http://www.w3.org/2000/svg"><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://example.com"></a></svg>');
|
||||
});
|
||||
|
||||
it('should sanitize SVG xml:base attribute values', function() {
|
||||
expectHTML('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="javascript:alert(1)//" href="#"></a></svg>')
|
||||
.toEqual('<svg xmlns="http://www.w3.org/2000/svg"><a href="#"></a></svg>');
|
||||
|
||||
expectHTML('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="https://example.com" href="#"></a></svg>')
|
||||
.toEqual('<svg xmlns="http://www.w3.org/2000/svg"><a xml:base="https://example.com" href="#"></a></svg>');
|
||||
|
||||
});
|
||||
|
||||
it('should sanitize unknown namespaced SVG attributes', function() {
|
||||
expectHTML('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:foo="javascript:alert()"></a></svg>')
|
||||
.toBeOneOf('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a></a></svg>',
|
||||
|
||||
Reference in New Issue
Block a user