Blacklist data:, script and other URLs from templates, incl whitespac…

…e problems
ampproject · Dec 9, 2015 · 4b534d4 · 4b534d4
1 parent 5320bf1
commit 4b534d4
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/src/sanitizer.js b/src/sanitizer.js
@@ -58,6 +58,9 @@ const WHITELISTED_FORMAT_TAGS = [
 const BLACKLISTED_ATTR_VALUES = [
   /*eslint no-script-url: 0*/ 'javascript:',
   /*eslint no-script-url: 0*/ 'vbscript:',
+  /*eslint no-script-url: 0*/ 'data:',
+  /*eslint no-script-url: 0*/ '<script',
+  /*eslint no-script-url: 0*/ '</script',
 ];
 
 
@@ -169,9 +172,9 @@ export function isValidAttr(attrName, attrValue) {
   }
 
   // No attributes with "javascript" or other blacklisted substrings in them.
-  const attrValueLowercase = attrValue.toLowerCase();
+  const attrValueNorm = attrValue.toLowerCase().replace(/[\s,\u0000]+/g, '');
   for (let i = 0; i < BLACKLISTED_ATTR_VALUES.length; i++) {
-    if (attrValueLowercase.indexOf(BLACKLISTED_ATTR_VALUES[i]) != -1) {
+    if (attrValueNorm.indexOf(BLACKLISTED_ATTR_VALUES[i]) != -1) {
       return false;
     }
   }

diff --git a/test/functional/test-sanitizer.js b/test/functional/test-sanitizer.js
@@ -83,6 +83,19 @@ describe('sanitizeHtml', () => {
         'a<a>b</a>');
     expect(sanitizeHtml('a<a href="VBSCRIPT:alert">b</a>')).to.be.equal(
         'a<a>b</a>');
+    expect(sanitizeHtml('a<a href="data:alert">b</a>')).to.be.equal(
+        'a<a>b</a>');
+    expect(sanitizeHtml('a<a href="DATA:alert">b</a>')).to.be.equal(
+        'a<a>b</a>');
+    expect(sanitizeHtml('a<a href="<script">b</a>')).to.be.equal(
+        'a<a>b</a>');
+    expect(sanitizeHtml('a<a href="</script">b</a>')).to.be.equal(
+        'a<a>b</a>');
+  });
+
+  it('should catch attribute value whitespace variations', () => {
+    expect(sanitizeHtml('a<a href=" j\na\tv\ra s&#00;cript:alert">b</a>'))
+        .to.be.equal('a<a>b</a>');
   });
 
   it('should NOT output security-sensitive attributes', () => {