microsoft / jsanity
A secure-by-default, performant, cross-browser client-side HTML sanitization library
License: Other
I realize that picture is not in HTML5 but rather was proposed after it was finished, but it is implemented in many browsers, it is on a standards track, and it is as harmless as the img and source elements it's based around.
I also wonder what you think about allowing a couple of old and nonstandard but still harmless elements: blink and marquee (even though I am aware that no modern browser even supports blink anymore).
Another bypass was spotted based on the mutations caused by the default jSanity behavior exposed on the demo. Affected browsers are MSIE <= 11 when running in older document modes.
Example Input:
<p style="font-family:'\22\3b\62\65havior:url(/callback.json?cb=<scriptlet>...</scriptlet>)\3b'">123
Resulting Output:
<span><p style='font-family: "";behavior:url(/callback.json?cb=<scriptlet>...</scriptlet>);";'>123</p></span>
This attack can be carried out in case the attacker has control over another same-domain resource that would be served as JSON, image, XML or anything else that wouldn't render as a document.
Note that DOMPurify protects itself against these kinds of attacks by falling back to use toStaticHTML in dangerous document modes. It might be recommendable for jSanity to do this as well:
https://github.com/cure53/DOMPurify/blob/master/src/purify.js#L632
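The mutation reported above can be reproduced at the string level without a browser. The following is an added example, not jSanity or DOMPurify code: it decodes the CSS hex escapes in the reported style value (`\22` is `"`, `\3b` is `;`, `\62\65` is `be`), re-serializes the declaration the way the report shows (decoded string re-wrapped in double quotes with no re-escaping), and then re-parses the result to show that a second `behavior` property has appeared. `safeSerialize` and `isRoundTripStable` are my own names for the hardened serializer and for the check a sanitizer can run on its own output; the style attribute is taken from the report as constructed test input.

```javascript
// Added example, not jSanity or DOMPurify code. Shows how the CSS escapes in
// the reported style attribute decode to quote and semicolon characters, and
// how decoding a value and re-serializing it without escaping produces the
// mutated output that smuggles in "behavior:url(...)".

// Style attribute value from the report (constructed test input; the
// callback URL is kept exactly as written there).
const ATTACK = "font-family:'\\22\\3b\\62\\65havior:url(/callback.json?cb=<scriptlet>...</scriptlet>)\\3b'";

// Decode CSS escapes: "\" + 1-6 hex digits + one optional whitespace, or
// "\" + any other non-newline character. Code point 0 and out-of-range
// values become U+FFFD as CSS Syntax Level 3 requires.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?|\\([^\n])/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Split a declaration list on ";" while respecting quoted strings, escapes
// and parentheses, then split each declaration at its first ":".
function splitDeclarations(style) {
  const parts = [];
  let buf = '', quote = null, depth = 0;
  for (let i = 0; i < style.length; i++) {
    const c = style[i];
    if (quote) {
      buf += c;
      if (c === '\\' && i + 1 < style.length) buf += style[++i];
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") { quote = c; buf += c; }
    else if (c === '(') { depth++; buf += c; }
    else if (c === ')') { depth = Math.max(0, depth - 1); buf += c; }
    else if (c === ';' && depth === 0) { parts.push(buf); buf = ''; }
    else buf += c;
  }
  if (buf.trim()) parts.push(buf);
  return parts.map(p => {
    const idx = p.indexOf(':');
    return idx < 0 ? null : { name: p.slice(0, idx).trim().toLowerCase(), value: p.slice(idx + 1).trim() };
  }).filter(d => d !== null);
}

// Re-serialize: quoted values are decoded and re-wrapped in double quotes.
// naiveSerialize models the behaviour seen in the report (no re-escaping);
// safeSerialize re-escapes the characters that would terminate the string.
function reserialize(decls, escapeFn) {
  return decls.map(d => {
    const v = d.value;
    const quoted = v.length >= 2 && (v[0] === '"' || v[0] === "'") && v[v.length - 1] === v[0];
    return `${d.name}: ${quoted ? `"${escapeFn(decodeCssEscapes(v.slice(1, -1)))}"` : v}`;
  }).join('; ');
}
function cssEscapeString(s) {
  return s.replace(/[\\"\n]/g, c => '\\' + c.charCodeAt(0).toString(16) + ' ');
}
const naiveSerialize = decls => reserialize(decls, s => s);
const safeSerialize = decls => reserialize(decls, cssEscapeString);

function propertyNames(style) { return splitDeclarations(style).map(d => d.name); }

// Mutation check: the property names parsed back from the serialized output
// must be exactly the ones parsed from the input. A mismatch means the
// serializer emitted something the parser reads differently (an mXSS).
function isRoundTripStable(style, serialize) {
  const decls = splitDeclarations(style);
  const after = propertyNames(serialize(decls));
  return decls.length === after.length && decls.every((d, i) => d.name === after[i]);
}

console.log(naiveSerialize(splitDeclarations(ATTACK)));   // the mutated output from the report
console.log(propertyNames(naiveSerialize(splitDeclarations(ATTACK))));
console.log(isRoundTripStable(ATTACK, naiveSerialize), isRoundTripStable(ATTACK, safeSerialize));
```

The round-trip check is independent of the serializer: whatever the browser's own CSSOM does in a given document mode, parsing the serialized style back and comparing property names catches the case where a single `font-family` declaration turns into `font-family` plus `behavior`.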
"list" attribute of "input" is not whitelisted - ref: https://www.w3schools.com/tags/att_input_list.asp
This is not a "dangerous" attribute type.
Hi all,
it appears that jSanity can be bypassed using multiple techniques. We have not yet sorted out which ones - but the bypasses reproduce cleanly when using the DOMPurify test cases.
Steps to reproduce:
Strangely, we don't see any errors on the console, so we are not sure yet what causes the problem. Please let us know if this description is sufficient for you or if we should have a closer look together.
Additional Info:
There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.
Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.
Here is the vector:
<form name="body" onmouseover="alert(1)" style="height:800px"><fieldset name="attributes"><form></form><form name="parentNode"><img id="attributes"></form></fieldset></form>
some more vectors can be seen here: http://www.thespanner.co.uk/2012/06/05/jslr/
The above payload was by @cgvwzq (Pepe Vila) to bypass JSLR (Gareth Heyes' old toy)
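The vector above is DOM clobbering: `name="body"`, `name="attributes"` and `name="parentNode"` make `document.body`, `form.attributes` and `node.parentNode` resolve to attacker-controlled elements instead of the real properties a sanitizer's traversal code relies on. The following is an added example, not JSLR or jSanity code, of the check a sanitizer can apply to `id` and `name` values before letting them through. `CLOBBERABLE` is a constructed subset of DOM property names; in a browser the check should test the value against the real `document` and form prototypes instead (DOMPurify does this under its SANITIZE_DOM option). The tag tokenizer is deliberately minimal so the example runs offline; real code should walk the sanitizer's own DOM tree rather than regex the markup.

```javascript
// Added example, not JSLR or jSanity code: rejecting id/name attribute values
// that would clobber DOM properties a sanitizer dereferences.

// Payload from the report (constructed test input).
const PAYLOAD = '<form name="body" onmouseover="alert(1)" style="height:800px"><fieldset name="attributes"><form></form><form name="parentNode"><img id="attributes"></form></fieldset></form>';

// Constructed subset of property names on Document, Node and HTMLFormElement
// that sanitizer code commonly reads. In a browser, replace this with
// `value in document || value in formElement` against the real objects.
const CLOBBERABLE = new Set([
  'attributes', 'body', 'children', 'childNodes', 'firstChild', 'lastChild',
  'parentNode', 'parentElement', 'nodeName', 'nodeType', 'nodeValue',
  'ownerDocument', 'tagName', 'innerHTML', 'outerHTML', 'textContent',
  'forms', 'cookie', 'location', 'documentElement', 'getElementById',
  'querySelector', 'querySelectorAll', 'createElement', 'elements',
  'action', 'method', 'submit', 'reset', 'length'
]);

const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;
// Attribute must be preceded by whitespace so "data-id" or "width" do not match.
const ID_NAME_RE = /(?:^|\s)(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Minimal tokenizer for the demo: yields every id/name attribute with its tag.
function idAndNameAttributes(html) {
  const found = [];
  let tag;
  TAG_RE.lastIndex = 0;
  while ((tag = TAG_RE.exec(html)) !== null) {
    let attr;
    ID_NAME_RE.lastIndex = 0;
    while ((attr = ID_NAME_RE.exec(tag[2])) !== null) {
      found.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(),
                   value: attr[2] ?? attr[3] ?? attr[4] });
    }
  }
  return found;
}

// DOM property names are case-sensitive, so the comparison is exact.
function clobberingAttributes(html) {
  return idAndNameAttributes(html).filter(a => CLOBBERABLE.has(a.value));
}

function isClobberingSafe(html) {
  return clobberingAttributes(html).length === 0;
}

// Hardened handling: drop only the offending id/name attributes. Everything
// else (here the onmouseover handler) is the job of the attribute allowlist.
function stripClobberingAttributes(html) {
  return html.replace(TAG_RE, (m, tag, attrs) => {
    const cleaned = attrs.replace(ID_NAME_RE, (am, attr, v1, v2, v3) =>
      CLOBBERABLE.has(v1 ?? v2 ?? v3) ? '' : am);
    return `<${tag}${cleaned}>`;
  });
}

console.log(clobberingAttributes(PAYLOAD));          // body, attributes, parentNode, attributes
console.log(stripClobberingAttributes(PAYLOAD));
```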
JSanity strips out text-decoration on Chrome 57+ and Firefox 36+
After those versions, the browsers switched text-decoration to be a shorthand for:
The sanitizer works by reading the computed values, so it sees these new properties, doesn't recognize them, and sets them to null.
Depending on the browser, this affects the shorthand property text-decoration differently, but in effect, it removes the property.
See also: https://developer.mozilla.org/en-US/docs/Web/CSS/text-decoration
Breaking out two issues from Koto (second comment in issue #5) to track separately:
var in Object will let through prototype properties:
<constructor desc="element name bypass, harmless" constructor="same here">
<b style="constructor: url(//do-stuff.harmless-now)">a</b>
HTML comments should not be let through, otherwise mXSS via e.g. document.createComment('--><script>alert(1)</script>')
There is no way how to opt-out an attribute from sanitation. Ideally there should be a way like
attributeCallout(elementName, attributeName, attributeValue)
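The prototype issue above comes from using a plain object as an allowlist and querying it with `obj[name]` or `name in obj`: both walk the prototype chain, so `constructor`, `toString`, `__proto__` and the rest of `Object.prototype` are accepted as element names, attribute names or CSS properties. The following is an added example, not jSanity's code, putting the vulnerable lookup beside two fixes (own-property check, and a `Set` with no prototype chain to walk). The allowlist contents and the `leakedPrototypeNames` helper are my own constructions for the demonstration.

```javascript
// Added example, not jSanity code. Allowlist lookups on a plain object answer
// "yes" for names inherited from Object.prototype, which is what lets
// <constructor constructor="..."> and "constructor: url(...)" through.

// Vulnerable: plain-object allowlists queried with [] or `in`
// (constructed allowlists, not jSanity's real ones).
const ALLOWED_TAGS_OBJ = { b: true, i: true, p: true, img: true };
const ALLOWED_CSS_OBJ = { color: true, 'font-family': true, 'text-decoration': true };

function isAllowedTagVulnerable(tag) {
  // "constructor", "toString", "__proto__", ... resolve via the prototype chain
  return ALLOWED_TAGS_OBJ[tag] !== undefined;
}
function isAllowedTagVulnerableIn(tag) {
  return tag in ALLOWED_TAGS_OBJ;   // `in` walks the prototype chain as well
}
function filterDeclarationsVulnerable(decls) {
  return decls.filter(d => d.name in ALLOWED_CSS_OBJ);
}

// Fix 1: restrict the lookup to own properties.
function isAllowedTagOwn(tag) {
  return Object.prototype.hasOwnProperty.call(ALLOWED_TAGS_OBJ, tag);
}

// Fix 2 (preferred): a container with no prototype chain to walk. A Set works;
// so does Object.create(null). Names are lower-cased because HTML element and
// CSS property names are case-insensitive.
const ALLOWED_TAGS = new Set(Object.keys(ALLOWED_TAGS_OBJ));
const ALLOWED_CSS = new Set(Object.keys(ALLOWED_CSS_OBJ));

function isAllowedTag(tag) {
  return ALLOWED_TAGS.has(String(tag).toLowerCase());
}
function filterDeclarations(decls) {
  return decls.filter(d => ALLOWED_CSS.has(String(d.name).toLowerCase()));
}

// Every Object.prototype member that a given lookup wrongly accepts.
function leakedPrototypeNames(lookup) {
  return Object.getOwnPropertyNames(Object.prototype).filter(n => lookup(n));
}

console.log(leakedPrototypeNames(isAllowedTagVulnerableIn));   // constructor, toString, __proto__, ...
console.log(leakedPrototypeNames(isAllowedTag));               // []
console.log(filterDeclarations([{ name: 'constructor', value: 'url(//do-stuff.harmless-now)' }]));  // []
```

The same applies to `for (var k in allowlist)`-style iteration and to any object used as a map keyed by attacker-supplied names: either use `Object.create(null)`, a `Set`/`Map`, or always go through `hasOwnProperty.call`.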