
vulnerability found in auto double quoting feature.

adon-at-work opened this issue 9 years ago • 5 comments

<img src="x" id='" onerror="alert(1)' /> is not vulnerable by itself, but after purification it becomes <img src="x" id="" onerror="alert(1)" />. This boils down to the problem of always using double quotes in html-purify since v1.0: https://github.com/yahoo/html-purify/blob/v1.0.0/src/html-purify.js#L66

reported here as recommended by @yukinying

adon-at-work, Jul 28 '15 07:07
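To make the re-quoting problem concrete, here is an added illustration (not code from yahoo/html-purify, and not the reporter's): a toy attribute parser and two serializers. serializeNaive mirrors the behaviour the issue describes, unconditionally wrapping every attribute value in double quotes without escaping a double quote already inside the value; serializeSafe escapes the value first. The parser, the function names and the regex are assumptions made for this example, and re-parsing the output shows which attribute names a consumer would see afterwards.

```javascript
// Added example, not html-purify's own code. Toy single-tag attribute
// parser: matches name="v", name='v', name=v or a bare name.
// Assumption: the input is one start tag; this regex is not a full HTML tokenizer.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function tagName(tag) {
  return tag.match(/^<\s*([^\s\/>]+)/)[1];
}

function parseAttrs(tag) {
  // Strip "<name" at the start and "/>" or ">" at the end, keep the middle.
  const inner = tag.replace(/^<\s*[^\s\/>]+/, '').replace(/\/?>\s*$/, '');
  const attrs = [];
  for (const m of inner.matchAll(ATTR_RE)) {
    const value =
      m[2] !== undefined ? m[2] :
      m[3] !== undefined ? m[3] :
      m[4] !== undefined ? m[4] : '';
    attrs.push({ name: m[1], value });
  }
  return attrs;
}

// Vulnerable variant: always emit double quotes, never escape the value.
// A single-quoted value containing a literal " now closes its own attribute.
function serializeNaive(tag) {
  const attrs = parseAttrs(tag).map(a => `${a.name}="${a.value}"`);
  return `<${tagName(tag)} ${attrs.join(' ')} />`;
}

// Fixed variant: escape & and " before wrapping in double quotes, so the
// value can never terminate the attribute it is placed in.
function escapeAttr(v) {
  return v.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function serializeSafe(tag) {
  const attrs = parseAttrs(tag).map(a => `${a.name}="${escapeAttr(a.value)}"`);
  return `<${tagName(tag)} ${attrs.join(' ')} />`;
}

// Re-parse a serialized tag and report the attribute names a consumer sees.
function attrNames(tag) {
  return parseAttrs(tag).map(a => a.name);
}

// Constructed sample input: the payload from the issue report.
const sample = `<img src="x" id='" onerror="alert(1)' />`;
console.log('naive :', serializeNaive(sample), attrNames(serializeNaive(sample)));
console.log('safe  :', serializeSafe(sample), attrNames(serializeSafe(sample)));
```

Running it shows that the naive output grows a third attribute, onerror, that the input never had, while the escaped output still carries exactly src and id.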

cc @maditya

yukinying, Jul 28 '15 07:07

Root cause of such should be in https://github.com/yahoo/html-purify/blob/master/src/html-purify.js#L120

yukinying, Jul 28 '15 07:07

plus https://github.com/yahoo/html-purify/blob/master/src/html-purify.js#L113

adon-at-work, Jul 28 '15 07:07

Was this released in 1.1?

ramijarrar, Feb 12 '16 23:02

We have an open PR for this, https://github.com/yahoo/html-purify/pull/22, and will merge it soon.

maditya, Feb 18 '16 21:02