Merge pull request #45 from filedescriptor/master
Fixed security issues regarding the pentest results
cure53 committed Feb 23, 2015
2 parents 7c7aa0e + 477d1b1 commit aaa181a
Showing 2 changed files with 14 additions and 18 deletions.
28 changes: 10 additions & 18 deletions purify.js
Expand Up @@ -216,17 +216,6 @@
dom.body.parentNode.removeChild(dom.body.parentNode.firstElementChild);
dom.body.outerHTML = dirty;

/* Cover IE9's buggy outerHTML behavior */
if (dom.body === null) {
dom = document.implementation.createHTMLDocument('');
dom.body.innerHTML = dirty;
if (dom.body.firstChild && dom.body.firstChild.nodeName
&& !WHOLE_DOCUMENT
&& dom.body.firstChild.nodeName === 'STYLE'){
dom.body.removeChild(dom.body.firstChild);
}
}

/* Work on whole document or just its body */
var body = WHOLE_DOCUMENT ? dom.body.parentNode : dom.body;
if (
Expand Down Expand Up @@ -283,6 +272,8 @@
|| typeof elm.removeAttributeNode !== 'function'
|| typeof elm.removeChild !== 'function'
|| typeof elm.attributes.item !== 'function'
|| (elm.id === 'implementation' || elm.name === 'implementation')
|| (elm.id === 'createNodeIterator' || elm.name === 'createNodeIterator')
) {
return true;
}
Expand Down Expand Up @@ -386,13 +377,10 @@
if (!tmp instanceof Attr) { continue; }

if(SANITIZE_DOM) {
if(tmp.name === 'id'
if((tmp.name === 'id' || tmp.name === 'name')
&& (tmp.value in window || tmp.value in document)) {
clobbering = true;
}
if(tmp.name === 'name' && tmp.value in document){
clobbering = true;
}
}

/* Safely handle attributes */
Expand All @@ -412,7 +400,10 @@
/* Make sure attribute cannot clobber */
&& !clobbering
) {
currentNode.setAttribute(tmp.name, tmp.value);
/* Handle invalid data attributes safely by try-catching it and do nothing */
try {
currentNode.setAttribute(tmp.name, tmp.value);
} catch (e) {}
}
}

Expand Down Expand Up @@ -469,8 +460,9 @@
};

/* Feature check and untouched opt-out return */
if (typeof document.implementation.createHTMLDocument === 'undefined') {
if (window.toStaticHTML !== 'undefined' && typeof dirty === 'string') {
if (typeof document.implementation.createHTMLDocument === 'undefined'
|| (typeof document.documentMode === 'number' && document.documentMode === 9)) {
if (typeof window.toStaticHTML === 'function' && typeof dirty === 'string') {
return window.toStaticHTML(dirty);
}
return dirty;
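Review bot: The merged id/name check at lines 49-50 reads `tmp.name` and `tmp.value` behind a guard that never fires: `if (!tmp instanceof Attr)` on line 45 parses as `(!tmp) instanceof Attr`, which is always false, so a non-Attr `tmp` is never skipped; it should read `if (!(tmp instanceof Attr)) { continue; }`. The combined condition itself is a sound tightening, since `id` and `name` values are now both tested against `window` and `document`. The related denylist added in hunk 2 (lines 39-40) compares the reflected `elm.id`/`elm.name` properties, which on a form element can be shadowed by named children; reading the attribute via `elm.getAttribute('id')`/`elm.getAttribute('name')` would keep the comparison independent of property reflection, so I would consider that change there too. The attribute loop enclosing lines 45-58 starts and ends outside the hunk.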
4 changes: 4 additions & 0 deletions test/index.html
Expand Up @@ -61,6 +61,7 @@

QUnit.test( 'Config-Flag tests: ALLOW_DATA_ATTR', function(assert) {
// ALLOW_DATA_ATTR
assert.equal( DOMPurify.sanitize( '<a href="#" data-abc\"="foo">abc</a>', {ALLOW_DATA_ATTR: true}), "<a href=\"#\">abc</a>" );
assert.equal( DOMPurify.sanitize( '<a href="#" data-abc="foo">abc</a>', {ALLOW_DATA_ATTR: false}), "<a href=\"#\">abc</a>" );
assert.contains( DOMPurify.sanitize( '<a href="#" data-abc="foo">abc</a>', {ALLOW_DATA_ATTR: true}),
["<a data-abc=\"foo\" href=\"#\">abc</a>", "<a href=\"#\" data-abc=\"foo\">abc</a>"]
Expand Down Expand Up @@ -99,6 +100,9 @@

QUnit.test( 'Config-Flag tests: SANITIZE_DOM', function(assert) {
// SANITIZE_DOM
assert.equal( DOMPurify.sanitize( '<form name="window">', {SANITIZE_DOM: true}), "<form></form>" );
assert.equal( DOMPurify.sanitize( '<img src="x" name="implementation">', {SANITIZE_DOM: false}), "" );
assert.equal( DOMPurify.sanitize( '<img src="x" name="createNodeIterator">', {SANITIZE_DOM: false}), "" );
assert.equal( DOMPurify.sanitize( '<img src="x" name="getElementById">', {SANITIZE_DOM: false}), "<img name=\"getElementById\" src=\"x\">" );
assert.equal( DOMPurify.sanitize( '<img src="x" name="getElementById">', {SANITIZE_DOM: true}), "<img src=\"x\">" );
assert.equal( DOMPurify.sanitize( '<a href="x" id="location">click</a>', {SANITIZE_DOM: true}), "<a href=\"x\">click</a>" );
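Review bot: The new assertions at lines 98-100 pin the name-based cases, but the id half of the purify.js changes has no coverage: hunk 2 there also flags `elm.id === 'implementation'`, and the merged SANITIZE_DOM condition now tests `id` values against `document` as well as `window`. Two constructed cases would close that gap, e.g. `assert.equal( DOMPurify.sanitize( '<img src="x" id="implementation">', {SANITIZE_DOM: false}), "" );` (expected to behave like the name variant on line 99, presumably) and an `id` value that exists on `document` but not on `window`, such as `id="cookie"`, expected to have the id stripped under `{SANITIZE_DOM: true}`. The QUnit.test callback enclosing these lines continues outside the hunk.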
