acts_as_textiled icon indicating copy to clipboard operation
acts_as_textiled copied to clipboard

Published 20 hours ago verified publisher icon defunkt

fix html_regexp leak

Open liweinan opened this issue 12 years ago • 0 comments

acts_as_textiled is currently vulnerable to improperly closed quotes html tag. Here is an example:

<pre class='bad_quote/>a</pre>
b
<pre class="c">d</pre>

If user input the above messages to website that is using acts_as_textiled, and if the website wants to show the message in :plain format, then ruby will hit CPU usage to 100% and blocks the http thread. And the http server goes down.

The cause is because of the regexp used in lib/acts_as_textiled.rb:

    def html_regexp
        %r{<(?:[^>"']+|"(?:\\.|[^\\"]+)*"|'(?:\\.|[^\\']+)*')*>}xm
    end

It cannot deal with the dirty quotes in html properly. I've tested it on:

ruby 1.8.7 (2010-01-10 patchlevel 249) [universal-darwin11.0]

And here is the code to reproduce the problem:

str = "<pre class='bad_quote/>a</pre>\r\n<pre class=\"c\">d</pre>"

def html_regexp
        %r{<(?:[^>"']+|"(?:\\.|[^\\"]+)*"|'(?:\\.|[^\\']+)*')*>}xm
end

str.dup.gsub(html_regexp, '')

liweinan avatar Mar 07 '12 16:03 liweinan